CFTree: fix CFTreeRemove so it actually unlinks the node#50
Open
DTW-Thalion wants to merge 1 commit into
Open
Conversation
CFTreeRemove() walked tree->_firstChild (the node's own children) instead of the parent's child list, and never assigned previousSibling, so the loop condition "child != previousSibling" simply ran to the end of the list and nothing was ever unlinked. It then called CFTreeFinalize() on the node while the parent still pointed at it. The node was therefore left linked into its parent; once it was released the parent held a dangling pointer (AddressSanitizer: heap-use-after-free in CFTreeGetChildCount/CFTreeFinalize after removing a child and releasing it), and the child count was never updated. Rewrite it to unlink the node from its parent's list of children, fix up the parent's _lastChild pointer when the last child is removed, and clear the node's _parent and _nextSibling. A node with no parent is left untouched. Adds regression tests covering removal of the first, middle, last and only child. The test also releases the tree before its children now: CFTreeAppendChild does not retain the child, so a child freed before the tree that links it would otherwise dangle.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
CFTreeRemove() walked tree->_firstChild (the node's own children) instead
of the parent's child list, and never assigned previousSibling, so the
loop condition "child != previousSibling" simply ran to the end of the
list and nothing was ever unlinked. It then called CFTreeFinalize() on
the node while the parent still pointed at it. The node was therefore
left linked into its parent; once it was released the parent held a
dangling pointer (AddressSanitizer: heap-use-after-free in
CFTreeGetChildCount/CFTreeFinalize after removing a child and releasing
it), and the child count was never updated.
Rewrite it to unlink the node from its parent's list of children, fix up
the parent's _lastChild pointer when the last child is removed, and clear
the node's _parent and _nextSibling. A node with no parent is left
untouched. Adds regression tests covering removal of the first, middle,
last and only child.
The test also releases the tree before its children now: CFTreeAppendChild
does not retain the child, so a child freed before the tree that links it
would otherwise dangle.