Error-reports cppcheck (http://sourceforge.net/apps/mediawiki/cppcheck/index.php?title=Main_Page)

Bug #1030473 reported by MC Return on 2012-07-29
6
This bug affects 1 person
Affects Status Importance Assigned to Milestone
Compiz
Medium
MC Return
compiz (Ubuntu)
Undecided
Unassigned

Bug Description

Running "cppcheck compiz/ --report-progress --std=c++11 -v --platform=unix64 2>cppcheck-error.txt --force" shows some problems:

[compiz/compizconfig/gconf/src/gconf.c:1930]: (error) Memory pointed to by 'pathName' is freed twice.
[compiz/compizconfig/libcompizconfig/backend/src/ini.c:686]: (error) Memory pointed to by 'filePath' is freed twice.
[compiz/compizconfig/libcompizconfig/backend/src/ini.c:187]: (error) Common realloc mistake: 'privData' nulled but not freed upon failure
[compiz/compizconfig/libcompizconfig/backend/src/ini.c:221]: (error) Common realloc mistake: 'privData' nulled but not freed upon failure
[compiz/compizconfig/libcompizconfig/src/compiz.cpp:2703]: (error) Memory leak: pbFile
[compiz/compizconfig/libcompizconfig/src/compiz.cpp:2769]: (error) Memory leak: pbFile
[compiz/compizconfig/libcompizconfig/src/filewatch.c:113]: (error) Common realloc mistake: 'fwData' nulled but not freed upon failure
[compiz/compizconfig/libcompizconfig/src/filewatch.c:173]: (error) Common realloc mistake: 'fwData' nulled but not freed upon failure
[compiz/compizconfig/libcompizconfig/src/ini.c:791]: (error) Common realloc mistake: 'stringBuffer' nulled but not freed upon failure
[compiz/compizconfig/libcompizconfig/src/main.c:656]: (error) Possible null pointer dereference: subGroup - otherwise it is redundant to check if subGroup is null at line 657
[compiz/compizconfig/libcompizconfig/src/main.c:3213]: (error) Possible null pointer dereference: conflict - otherwise it is redundant to check if conflict is null at line 3214
[compiz/compizconfig/libcompizconfig/src/main.c:4305]: (error) Read and write operations without a call to a positioning function (fseek, fsetpos or rewind) or fflush inbetween result in undefined behaviour.
[compiz/compizconfig/libcompizconfig/src/main.c:259]: (error) Memory pointed to by 'val' is freed twice.
[compiz/compizconfig/libcompizconfig/src/main.c:267]: (error) Memory pointed to by 'val' is freed twice.
[compiz/compizconfig/libcompizconfig/src/main.c:275]: (error) Memory pointed to by 'val' is freed twice.
[compiz/compizconfig/libcompizconfig/src/main.c:1037]: (error) Memory pointed to by 'dlname' is freed twice.
[compiz/compizconfig/libcompizconfig/src/main.c:3485]: (error) Memory pointed to by 'backenddir' is freed twice.
[compiz/compizconfig/libcompizconfig/src/main.c:3495]: (error) Memory pointed to by 'backenddir' is freed twice.
[compiz/compizconfig/libcompizconfig/src/main.c:3626]: (error) Memory leak: sectionName
[compiz/compizconfig/libcompizconfig/src/main.c:3784]: (error) Memory leak: sectionName
[compiz/compizconfig/libcompizconfig/src/main.c:4262]: (error) Memory leak: completedUpgrades
[compiz/compizconfig/libcompizconfig/src/main.c:4266]: (error) Memory leak: completedUpgrades
[compiz/compizconfig/libcompizconfig/src/main.c:4262]: (error) Resource leak: completedUpgrades
[compiz/gtk/window-decorator/decorator.c:1016]: (error) Memory leak: opts
[compiz/gtk/window-decorator/frames.c:266]: (error) Possible null pointer dereference: frame - otherwise it is redundant to check if frame is null at line 296
[compiz/gtk/window-decorator/frames.c:269]: (error) Possible null pointer dereference: frame - otherwise it is redundant to check if frame is null at line 296
[compiz/gtk/window-decorator/frames.c:272]: (error) Possible null pointer dereference: frame - otherwise it is redundant to check if frame is null at line 296
[compiz/gtk/window-decorator/frames.c:275]: (error) Possible null pointer dereference: frame - otherwise it is redundant to check if frame is null at line 296
[compiz/gtk/window-decorator/frames.c:278]: (error) Possible null pointer dereference: frame - otherwise it is redundant to check if frame is null at line 296
[compiz/gtk/window-decorator/frames.c:281]: (error) Possible null pointer dereference: frame - otherwise it is redundant to check if frame is null at line 296
[compiz/gtk/window-decorator/frames.c:284]: (error) Possible null pointer dereference: frame - otherwise it is redundant to check if frame is null at line 296
[compiz/gtk/window-decorator/frames.c:287]: (error) Possible null pointer dereference: frame - otherwise it is redundant to check if frame is null at line 296
[compiz/gtk/window-decorator/frames.c:290]: (error) Possible null pointer dereference: frame - otherwise it is redundant to check if frame is null at line 296
[compiz/gtk/window-decorator/frames.c:293]: (error) Possible null pointer dereference: frame - otherwise it is redundant to check if frame is null at line 296
[compiz/plugins/colorfilter/src/colorfilter.cpp:252]: (error) Possible null pointer dereference: func - otherwise it is redundant to check if func is null at line 255
[compiz/plugins/group/src/init.cpp:140]: (error) Uninitialized variable: group
[compiz/plugins/group/src/init.cpp:141]: (error) Uninitialized variable: group
[compiz/plugins/shift/src/shift.cpp:826]: (error) Common realloc mistake: 'mWindows' nulled but not freed upon failure
[compiz/plugins/shift/src/shift.cpp:836]: (error) Common realloc mistake: 'mDrawSlots' nulled but not freed upon failure
[compiz/plugins/stackswitch/src/stackswitch.cpp:619]: (error) Common realloc mistake: 'mWindows' nulled but not freed upon failure
[compiz/plugins/stackswitch/src/stackswitch.cpp:624]: (error) Common realloc mistake: 'mDrawSlots' nulled but not freed upon failure
[compiz/src/screen.cpp:1091]: (error) BOOST_FOREACH caches the end() iterator. It's undefined behavior if you modify the container.
[compiz/src/window.cpp:2005]: (error) Analysis failed. If the code is valid then please report this failure.

Related branches

MC Return (mc-return) wrote :
Download full text (108.1 KiB)

Running "cppcheck compiz/ --enable=all --report-progress --std=c++11 -v --platform=unix64 2>cppcheck-error.txt --force" (with style and performance checks enabled also) reveals these problems:

[compiz/cmake/src/compiz/compiz_discover_gtest_tests.cpp:46]: (performance) Prefix ++/-- operators should be preferred for non-primitive types. Pre-increment/decrement can be more efficient than post-increment/decrement. Post-increment/decrement usually involves keeping a copy of the previous value around and adds a little extra code.
[compiz/cmake/src/compiz/compiz_discover_gtest_tests.cpp:49]: (performance) Prefix ++/-- operators should be preferred for non-primitive types. Pre-increment/decrement can be more efficient than post-increment/decrement. Post-increment/decrement usually involves keeping a copy of the previous value around and adds a little extra code.
[compiz/compizconfig/gconf/src/gconf.c:479]: (warning) scanf without field width limits can crash with huge input data. To fix this error message add a field width specifier:
    %s => %20s
    %i => %3i

Sample program that can crash:

#include <stdio.h>
int main()
{
    int a;
    scanf("%i", &a);
    return 0;
}

To make it crash:
perl -e 'print "5"x2100000' | ./a.out
[compiz/compizconfig/gconf/src/gconf.c:1930]: (error) Memory pointed to by 'pathName' is freed twice.
[compiz/compizconfig/gsettings/gsettings_backend_shared/gsettings_util.c:184]: (warning) scanf without field width limits can crash with huge input data. To fix this error message add a field width specifier:
    %s => %20s
    %i => %3i

Sample program that can crash:

#include <stdio.h>
int main()
{
    int a;
    scanf("%i", &a);
    return 0;
}

To make it crash:
perl -e 'print "5"x2100000' | ./a.out
[compiz/compizconfig/gsettings/src/gsettings.c:296]: (warning) Casting between double* and float* which have an incompatible binary data representation
[compiz/compizconfig/libcompizconfig/backend/src/ini.c:686]: (error) Memory pointed to by 'filePath' is freed twice.
[compiz/compizconfig/libcompizconfig/backend/src/ini.c:187]: (error) Common realloc mistake: 'privData' nulled but not freed upon failure
[compiz/compizconfig/libcompizconfig/backend/src/ini.c:221]: (error) Common realloc mistake: 'privData' nulled but not freed upon failure
[compiz/compizconfig/libcompizconfig/src/bindings.c:216]: (style) The scope of the variable 'buttonStr' can be reduced. Warning: It can be unsafe to fix this message. Be careful. Especially when there are inner loops. Here is an example where cppcheck will write that the scope for 'i' can be reduced:
void f(int x)
{
    int i = 0;
    if (x) {
        // it's safe to move 'int i = 0' here
        for (int n = 0; n < 10; ++n) {
            // it is possible but not safe to move 'int i = 0' here
            do_something(&i);
        }
    }
}
When you see this message it is always safe to reduce the variable scope 1 level.
[compiz/compizconfig/libcompizconfig/src/bindings.c:380]: (warning) scanf without field width limits can crash with huge input data. To fix this error message add a field width specifier:
    %s => %20s
    %i => %3i

Sample program that can crash:

#include <stdio.h>
int m...

MC Return (mc-return) wrote :

This static code analysis should help us to reveal and fix some hidden problems.

MC Return (mc-return) on 2012-07-29
Changed in compiz:
assignee: nobody → MC Return (mc-return)
Changed in compiz:
status: New → In Progress
importance: Undecided → Medium
milestone: none → 0.9.8.0
MC Return (mc-return) wrote :
Download full text (31.3 KiB)

Remaining problems after compiz.fix1030473-part1 and compiz.fix1030473-part2 branches have been merged with lp:compiz:

[../compiz/compizconfig/gconf/src/gconf.c:479]: (warning) scanf without field width limits can crash with huge input data. To fix this error message add a field width specifier:
    %s => %20s
    %i => %3i

Sample program that can crash:

#include <stdio.h>
int main()
{
    int a;
    scanf("%i", &a);
    return 0;
}

To make it crash:
perl -e 'print "5"x2100000' | ./a.out
[../compiz/compizconfig/gconf/src/gconf.c:1930]: (error) Memory pointed to by 'pathName' is freed twice.
[../compiz/compizconfig/gsettings/gsettings_backend_shared/gsettings_util.c:184]: (warning) scanf without field width limits can crash with huge input data. To fix this error message add a field width specifier:
    %s => %20s
    %i => %3i

Sample program that can crash:

#include <stdio.h>
int main()
{
    int a;
    scanf("%i", &a);
    return 0;
}

To make it crash:
perl -e 'print "5"x2100000' | ./a.out
[../compiz/compizconfig/gsettings/src/gsettings.c:296]: (warning) Casting between double* and float* which have an incompatible binary data representation
[../compiz/compizconfig/libcompizconfig/backend/src/ini.c:686]: (error) Memory pointed to by 'filePath' is freed twice.
[../compiz/compizconfig/libcompizconfig/backend/src/ini.c:187]: (error) Common realloc mistake: 'privData' nulled but not freed upon failure
[../compiz/compizconfig/libcompizconfig/backend/src/ini.c:221]: (error) Common realloc mistake: 'privData' nulled but not freed upon failure
[../compiz/compizconfig/libcompizconfig/src/bindings.c:380]: (warning) scanf without field width limits can crash with huge input data. To fix this error message add a field width specifier:
    %s => %20s
    %i => %3i

Sample program that can crash:

#include <stdio.h>
int main()
{
    int a;
    scanf("%i", &a);
    return 0;
}

To make it crash:
perl -e 'print "5"x2100000' | ./a.out
[../compiz/compizconfig/libcompizconfig/src/compiz.cpp:3039]: (warning) sscanf %s in format string (no. 1) does not specify a width, use %1023s to prevent overflowing destination: name[1024]
[../compiz/compizconfig/libcompizconfig/src/compiz.cpp:3039]: (warning) scanf without field width limits can crash with huge input data. To fix this error message add a field width specifier:
    %s => %20s
    %i => %3i

Sample program that can crash:

#include <stdio.h>
int main()
{
    int a;
    scanf("%i", &a);
    return 0;
}

To make it crash:
perl -e 'print "5"x2100000' | ./a.out
[../compiz/compizconfig/libcompizconfig/src/compiz.cpp:2705]: (error) Memory leak: pbFile
[../compiz/compizconfig/libcompizconfig/src/compiz.cpp:2771]: (error) Memory leak: pbFile
[../compiz/compizconfig/libcompizconfig/src/filewatch.c:113]: (error) Common realloc mistake: 'fwData' nulled but not freed upon failure
[../compiz/compizconfig/libcompizconfig/src/filewatch.c:173]: (error) Common realloc mistake: 'fwData' nulled but not freed upon failure
[../compiz/compizconfig/libcompizconfig/src/ini.c:791]: (error) Common realloc mistake: 'stringBuffer' nulled but not freed upon failure
[../compiz/compizconfig/libcompizconfig/src/main.c:656]: (error) Po...

MC Return (mc-return) wrote :

Part 3 of fixes for this bug has been merged with lp:compiz.

I am closing this bug now and filing remaining problems in separated reports to prevent chaos and have the reports more clearly defined.

Changed in compiz:
status: In Progress → Fix Committed
Changed in compiz:
status: Fix Committed → Fix Released
Daniel van Vugt (vanvugt) wrote :

This bug was fixed in the package compiz - 1:0.9.8.0-0ubuntu1

---------------
compiz (1:0.9.8.0-0ubuntu1) quantal-proposed; urgency=low

  * debian/control, debian/rules:
    - enable gles on armel and armhf
    - use dh-translations rather than custom code

  [ Sam Spilsbury ]
  * Enable OpenGL ES building
    - Refresh debian/patches/workaround_broken_drivers.patch
    - Remove non-ported plugins from compiz-plugins
    - Add FindOpenGLES2.cmake to compiz-dev

  [ Timo Jyrinki ]
  * New upstream release.
    - Code to make compiz work on GLES. This includes several changes
      to the compiz API. (LP: #201342) (LP: #901097) (LP: #1004251)
      (LP: #1037710)
    - Draft first 0.9.8.0 NEWS and bump VERSION
  * debian/patches/compiz-package-gles2.patch:
    - Remove, obsoleted by the upstream GLES work
  * Disable plugins that don't work on pure GLES on armhf/armel:
    - bench, firepaint, mblur, showmouse, splash, showrepaint, td, widget
 -- Sebastien Bacher <email address hidden> Fri, 31 Aug 2012 22:59:50 +0200

Changed in compiz (Ubuntu):
status: New → Fix Released
To post a comment you must log in.
This report contains Public information  Edit
Everyone can see this information.

Other bug subscribers