util: forbid freeing const pointers

Now that we've finally fixed all the violators, it's time to enforce that any pointer to a const object is never freed (it is aliasing some other memory, where the non-const original should be freed instead). Alas, the code still needs a normal vs. Coverity version, but at least we are still guaranteeing that the macro call evaluates its argument exactly once. I verified that we still get the following compiler warnings, which in turn halts the build thanks to -Werror on gcc (hmm, gcc 4.8.3's placement of the ^ for ?: type mismatch is a bit off, but that's not our problem): int oops1 = 0; VIR_FREE(oops1); const char *oops2 = NULL; VIR_FREE(oops2); struct blah { int dummy; } oops3; VIR_FREE(oops3); util/virauthconfig.c:159:35: error: pointer/integer type mismatch in conditional expression [-Werror] VIR_FREE(oops1); ^ util/virauthconfig.c:161:5: error: passing argument 1 of 'virFree' discards 'const' qualifier from pointer target type [-Werror] VIR_FREE(oops2); ^ In file included from util/virauthconfig.c:28:0: util/viralloc.h:79:6: note: expected 'void *' but argument is of type 'const void *' void virFree(void *ptrptr) ATTRIBUTE_NONNULL(1); ^ util/virauthconfig.c:163:35: error: type mismatch in conditional expression VIR_FREE(oops3); ^ * src/util/viralloc.h (VIR_FREE): No longer cast away const. * src/xenapi/xenapi_utils.c (xenSessionFree): Work around bogus header. Signed-off-by: Eric Blake <eblake@redhat.com>
2025-03-07 17:28:15 +00:00 · 2014-07-15 13:44:26 -06:00 · 2014-07-15 13:44:26 -06:00 · a0b5ace28c
commit a0b5ace28c
parent 0b0c641b66
2 changed files with 8 additions and 7 deletions
--- a/src/util/viralloc.h
+++ b/src/util/viralloc.h
@ -548,18 +548,17 @@ void virFree(void *ptrptr) ATTRIBUTE_NONNULL(1);
 * This macro is safe to use on arguments with side effects.
 */
 # if !STATIC_ANALYSIS
-/* The ternary ensures that ptr is a pointer and not an integer type,
- * while evaluating ptr only once.  This gives us extra compiler
- * safety when compiling under gcc.  For now, we intentionally cast
- * away const, since a number of callers safely pass const char *.
+/* The ternary ensures that ptr is a non-const pointer and not an
+ * integer type, all while evaluating ptr only once.  This gives us
+ * extra compiler safety when compiling under gcc.
 */
-#  define VIR_FREE(ptr) virFree((void *) (1 ? (const void *) &(ptr) : (ptr)))
+#  define VIR_FREE(ptr) virFree(1 ? (void *) &(ptr) : (ptr))
 # else
 /* The Coverity static analyzer considers the else path of the "?:" and
 * flags the VIR_FREE() of the address of the address of memory as a
 * RESOURCE_LEAK resulting in numerous false positives (eg, VIR_FREE(&ptr))
 */
-#  define VIR_FREE(ptr) virFree((void *) &(ptr))
+#  define VIR_FREE(ptr) virFree(&(ptr))
 # endif

 void virAllocTestInit(void);
--- a/src/xenapi/xenapi_utils.c
+++ b/src/xenapi/xenapi_utils.c
@ -44,13 +44,15 @@ void
 xenSessionFree(xen_session *session)
 {
    size_t i;
+    char *tmp;
    if (session->error_description != NULL) {
        for (i = 0; i < session->error_description_count; i++)
            VIR_FREE(session->error_description[i]);
        VIR_FREE(session->error_description);
    }
    /* The session_id member is type of 'const char *'. Sigh. */
-    VIR_FREE(session->session_id);
+    tmp = (char *)session->session_id;
+    VIR_FREE(tmp);
    VIR_FREE(session);
 }