Skip to content

CFTree: retain children and the context info#51

Open
DTW-Thalion wants to merge 2 commits into
gnustep:masterfrom
DTW-Thalion:fix/cftree-retain-model
Open

CFTree: retain children and the context info#51
DTW-Thalion wants to merge 2 commits into
gnustep:masterfrom
DTW-Thalion:fix/cftree-retain-model

Conversation

@DTW-Thalion

@DTW-Thalion DTW-Thalion commented Jun 28, 2026

Copy link
Copy Markdown
Contributor

CFTree never took real ownership of anything:

  • CFTreeAppendChild()/CFTreeInsertSibling() called the child's context retain callback (passing the tree node, and a no-op for the default NULL context) instead of retaining the child, and CFTreePrependChild() retained nothing at all. A parent therefore did not keep its children alive; releasing a child before its parent left the parent with a dangling pointer (use-after-free when the tree was later traversed or finalized).

  • The context retain/release callbacks are meant to apply to the info pointer, but CFTreeCreate() never retained the info and CFTreeFinalize() passed the tree (not the info) to the release callback.

  • CFTreeFinalize()/CFTreeRemoveAllChildren() called CFTreeFinalize() directly on each child rather than releasing it, bypassing the normal reference count.

This retains children with CFRetain() when they are added and releases them with CFRelease() in CFTreeRemove(), CFTreeRemoveAllChildren() and CFTreeFinalize(); retains the info in CFTreeCreate() and releases the info (not the node) in CFTreeFinalize(); and fixes CFTreePrependChild() (set _lastChild to the new child) and CFTreeGetChildAtIndex() (stop at the end of the list). Regression tests added; verified leak-free and use-after-free-free under AddressSanitizer.

Note: this is a comprehensive CFTree memory-management fix. It is stacked on the CFTreeRemove() unlink fix, so the diff currently also includes that commit, and it supersedes the two smaller CFTree PRs (the CFTreePrependChild/CFTreeGetChildAtIndex null-dereference fixes and the CFTreeRemove unlink fix) — they can be closed in favour of this one, or this can be merged after them.

CFTreeRemove() walked tree->_firstChild (the node's own children) instead
of the parent's child list, and never assigned previousSibling, so the
loop condition "child != previousSibling" simply ran to the end of the
list and nothing was ever unlinked.  It then called CFTreeFinalize() on
the node while the parent still pointed at it.  The node was therefore
left linked into its parent; once it was released the parent held a
dangling pointer (AddressSanitizer: heap-use-after-free in
CFTreeGetChildCount/CFTreeFinalize after removing a child and releasing
it), and the child count was never updated.

Rewrite it to unlink the node from its parent's list of children, fix up
the parent's _lastChild pointer when the last child is removed, and clear
the node's _parent and _nextSibling.  A node with no parent is left
untouched.  Adds regression tests covering removal of the first, middle,
last and only child.

The test also releases the tree before its children now: CFTreeAppendChild
does not retain the child, so a child freed before the tree that links it
would otherwise dangle.
CFTree never took real ownership of anything:

  * CFTreeAppendChild()/CFTreeInsertSibling() called the child's *context*
    retain callback (passing the tree node, and a no-op for the default
    NULL context) instead of retaining the child, and CFTreePrependChild()
    retained nothing at all.  A parent therefore did not keep its children
    alive; releasing a child before its parent left the parent with a
    dangling pointer (use-after-free when the tree was later traversed or
    finalized).

  * The context retain/release callbacks are meant to apply to the info
    pointer, but CFTreeCreate() never retained the info and CFTreeFinalize()
    passed the tree (not the info) to the release callback.

  * CFTreeFinalize()/CFTreeRemoveAllChildren() called CFTreeFinalize()
    directly on each child rather than releasing it, bypassing the normal
    reference count.

Retain children with CFRetain() when they are added and release them with
CFRelease() in CFTreeRemove(), CFTreeRemoveAllChildren() and
CFTreeFinalize(); retain the info in CFTreeCreate() and release it (the
info, not the node) in CFTreeFinalize(); and fix CFTreePrependChild() to
set _lastChild to the new child and CFTreeGetChildAtIndex() to stop at the
end of the child list.  Adds regression tests (verified leak- and
use-after-free-free under AddressSanitizer).

Builds on the CFTreeRemove() unlink fix; supersedes the smaller CFTree
null-dereference and CFTreeRemove changes.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Development

Successfully merging this pull request may close these issues.

1 participant