Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

pybind11_getbuffer: Fix Potential Nullptr Dereference #1657

Closed
wants to merge 1 commit into from
Closed

pybind11_getbuffer: Fix Potential Nullptr Dereference #1657

wants to merge 1 commit into from

Conversation

ax3l
Copy link
Collaborator

@ax3l ax3l commented Jan 7, 2019

Fix a potential nullptr dereference of obj.

Found with coverity in a downstream project.

@ax3l ax3l changed the title Fix Potential Nullptr Dereference pybind11_getbuffer: Fix Potential Nullptr Dereference Jan 7, 2019
@bstaletic
Copy link
Collaborator

@ax3l Only your team can actually see your dashboard, are we 100% sure this isn't a false positive? I know vim's codebase has some false positives.

@wjakob
Copy link
Member

wjakob commented Jan 7, 2019

In what circumstance would obj be nullptr? Generally not a fan of adding these types of checks everywhere just to make Coverity happy. (pybind11 is a header file library, so this will have an impact on the size of bindings in all projects using it).

@zhihaoy
Copy link

zhihaoy commented Jan 7, 2019

Later in the code there is a check to tell whether view is nullptr, so I guess it's may be legitimate to check obj as well.

@ax3l
Copy link
Collaborator Author

ax3l commented Jan 7, 2019
edited
Loading

Since even obj itself is checked below it should also be checked before first accessing it at Py_TYPE(obj)->tp_mro, no?

@ax3l
Copy link
Collaborator Author

ax3l commented Jan 8, 2019

@bstaletic sure, if you like I can give you access (gitter me, I think via mail). I just did not filter my "thirdParty" dir, that's why they show up and they look useful, regarding public struct members.
Of course, the question stands as @wjakob states correctly for structs that are only used with "init-wrapper" c-style functions, but I think most of the constructor init does not hurt.

@bstaletic
Copy link
Collaborator

@ax3l is right. Currently, on line 466 obj is dereferenced, but is checked against nullptr only later on line 471. Since NULL dereference isn't allowed in valid C or C++, compiler is allowed to remove all null checks after dereferencing, assuming that they aren't true. Therefore, from a formally correct C++ stand point, the line 471 might as well have obj == nullptr removed. Either pybind needs to check if obj is NULL earlier, or assume it never will be NULL. Either way the obj == nullptr on line 471 is useless.

@ax3l
Fix Potential Nullptr Dereference
0154597 
Fix a potential nullptr dereference of `obj`.

Found with coverity in a downstream project.
ax3l added a commit to ax3l/pybind11 that referenced this pull request Jan 10, 2019
@ax3l
pybind11_getbuffer: useless safe nullptr check
70d4483 
Alternative implementation for pybind#1657: if
we know that `obj` is never a `nullptr` [1], we should
not `nullptr`-check it *after* already dereferencing it.

[1] pybind#1657 (comment)
@ax3l ax3l mentioned this pull request Jan 10, 2019
Merged
@ax3l
Copy link
Collaborator Author

ax3l commented Jan 10, 2019
edited
Loading

Alternative implementation following @wjakob's comment about obj being safe by contract in #1664 (also @bstaletic 's suggestion).

Generally not a fan of adding these types of checks everywhere just to make Coverity happy.

Coverity only complains that we do a nullptr check after already dereferencing it, because it thinks we do so for a good reason and just too late. It does not enforce checking all pointers passed to a free standing function for null, as that might be ensured by contracts already.

wjakob pushed a commit that referenced this pull request Jun 10, 2019
@ax3l @wjakob
pybind11_getbuffer: useless safe nullptr check (#1664)
1c627c9 
Alternative implementation for #1657: if
we know that `obj` is never a `nullptr` [1], we should
not `nullptr`-check it *after* already dereferencing it.

[1] #1657 (comment)
@wjakob
Copy link
Member

wjakob commented Jun 10, 2019

Closing this as #1664 was merged.

@wjakob wjakob closed this Jun 10, 2019
@ax3l ax3l deleted the fix-potNullPtrDeref branch June 10, 2019 22:03
@rwgk rwgk mentioned this pull request Feb 10, 2023
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@zhihaoy zhihaoy zhihaoy approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
4 participants
@ax3l @bstaletic @wjakob @zhihaoy