Examples of errors detected by the V774 diagnostic


V774. The pointer was used after the memory was released.


Augeas

V774 The 'child' pointer was used after the memory was reallocated. augtool.c 151


static char *readline_path_generator(const char *text, int state)
{
  ....
  if (ctx != NULL) {
    char *c = realloc(child, strlen(child)-strlen(ctx)+1);  // <=
    if (c == NULL)
      return NULL;
    int ctxidx = strlen(ctx);
    if (child[ctxidx] == SEP)                               // <=
      ctxidx++;
    strcpy(c, &child[ctxidx]);                              // <=
    child = c;
  }
  ....
}

Similar errors can be found in some other places:

  • V774 The 'child' pointer was used after the memory was reallocated. augtool.c 153

Bind

V774 The 'res' pointer was used after the memory was released. sample-request.c 225


int
main(int argc, char *argv[]) {
  ....
  struct addrinfo hints, *res;
  ....
  gaierror = getaddrinfo(argv[0], "53", &hints, &res);
  ....
  memmove(&sa.type, res->ai_addr, res->ai_addrlen);
  freeaddrinfo(res);                                    // <=
  sa.length = (unsigned int)res->ai_addrlen;            // <=
  ....
}

Similar errors can be found in some other places:

  • V774 The 'res' pointer was used after the memory was released. sample-update.c 193
  • V774 The 'res' pointer was used after the memory was released. sample-update.c 217

MuseScore

V774 The 'slur' pointer was used after the memory was released. importgtp-gp6.cpp 2072


void GuitarPro6::readGpif(QByteArray* data)
{
  if (c) {
    slur->setTick2(c->tick());
    score->addElement(slur);
    legatos[slur->track()] = 0;
  }
  else {
    delete slur;
    legatos[slur->track()] = 0;
  }
}

ICU

V774 CWE-416 The 'mzMappings' pointer was used after the memory was released. zonemeta.cpp 713


UVector*
ZoneMeta::createMetazoneMappings(const UnicodeString &tzid) {
  UVector *mzMappings = NULL;
  ....
  if (U_SUCCESS(status)) {
    ....
    if (U_SUCCESS(status)) {
      ....
      while (ures_hasNext(rb)) {
        ....
        if (mzMappings == NULL) {
          mzMappings = new UVector(
            deleteOlsonToMetaMappingEntry, NULL, status);
          if (U_FAILURE(status)) {
            delete mzMappings;
            uprv_free(entry);
            break;
          }
        }
        ....
      }
      ....
    }
  }
  ures_close(rb);
  return mzMappings;
}

Code is complicated and I find it difficult to say exactly, if there is a bug or not. But it seems to me, it is possible that this function will return a pointer to the memory block being freed.


Qalculate!

V774 The 'cu' pointer was used after the memory was released. Calculator.cc 3595


MathStructure Calculator::convertToBestUnit(....)
{
  ....
  CompositeUnit *cu = new CompositeUnit("", "....");
  cu->add(....);
  Unit *u = getBestUnit(cu, false, eo.local_currency_conversion);
  if(u == cu) {
    delete cu;                                   // <=
    return mstruct_new;
  }
  delete cu;                                     // <=
  if(eo.approximation == APPROXIMATION_EXACT &&
     cu->hasApproximateRelationTo(u, true)) {    // <=
    if(!u->isRegistered()) delete u;
    return mstruct_new;
  }
  ....
}

Haiku Operation System

V774 The 'device' pointer was used after the memory was released. xhci.cpp 1572


void
XHCI::FreeDevice(Device *device)
{
  uint8 slot = fPortSlots[device->HubPort()];
  TRACE("FreeDevice() port %d slot %d\n", device->HubPort(), slot);

  // Delete the device first, so it cleans up its pipes and tells us
  // what we need to destroy before we tear down our internal state.
  delete device;

  DisableSlot(slot);
  fDcba->baseAddress[slot] = 0;
  fPortSlots[device->HubPort()] = 0;
  delete_area(fDevices[slot].trb_area);
  delete_area(fDevices[slot].input_ctx_area);
  delete_area(fDevices[slot].device_ctx_area);

  memset(&fDevices[slot], 0, sizeof(xhci_device));
  fDevices[slot].state = XHCI_STATE_DISABLED;
}

Similar errors can be found in some other places:

  • V774 The 'self' pointer was used after the memory was released. TranslatorRoster.cpp 884
  • V774 The 'string' pointer was used after the memory was released. RemoteView.cpp 1269
  • V774 The 'bs' pointer was used after the memory was released. mkntfs.c 4291
  • And 2 additional diagnostic messages.


Bugs Found

Checked Projects
363
Collected Errors
13 495