Created attachment 75438
clang-analyzer output

In dispatch_event(), we call free(proxy) but if proxy_destroyed is false then the function does not return but continues further by accessing proxy->object.implementation. Caught this by running clang-analyzer on wayland. See attachment.
Even though the static analyzer caught this, it can never happen in practice. This is because for a proxy object to reach reference count zero the owner must destroy it using wl_proxy_destroy(). This has the side effect of adding the WL_PROXY_FLAG_DESTROYED flag, which would hit the if (proxy_destroyed) { wl_closure_destroy(closure); return; } statement. However, I can add some extra checks to make the static analyzer more happy.
Sounds good. Will look for the patch.
This patch fixes the warning when using scan-build from llvm trunk as of today: http://lists.freedesktop.org/archives/wayland-devel/2013-March/007811.html
commit e053a5625129bd11c301c9587f5f29cbda95c66d
Author: Jonas Ådahl <jadahl@gmail.com>
Date: Thu Mar 7 23:32:39 2013 +0100

    client: Check reference count only for destroyed proxies

    The llvm static analyzer tool reported "Use of memory after it is freed" in dispatch_event() because the proxy is used after being freed if the reference count reaches zero without the destroyed flag being set. This would never happen in practice because the owner of the proxy object always holds a reference until calling wl_proxy_destroy() which would also set the destroyed flag.

    Since this is the case, it is safe to do the reference count check only if the destroyed flag is set, as it can never reach zero if not.

    This commit doesn't change the behavior of the function, but makes the static analyzer more happy.

    Fixes https://bugs.freedesktop.org/show_bug.cgi?id=61385

    Signed-off-by: Jonas Ådahl <jadahl@gmail.com>
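The control flow the commit message describes, as an added example that is not the Wayland source: a simplified C model in which the struct layout and every `model_*` name are hypothetical. The free sits only on the destroyed path, so no path reaches the handler call after a free, which is the property the analyzer could not prove before.

```c
#include <stdlib.h>

#define FLAG_DESTROYED 0x1  /* stands in for WL_PROXY_FLAG_DESTROYED */

/* Simplified model of a client proxy; field names are assumptions. */
struct model_proxy {
	int refcount;
	unsigned flags;
	void (*handler)(int *calls);  /* stands in for object.implementation */
};

static void count_call(int *calls) { (*calls)++; }

/* The owner's reference is created here (refcount = 1). */
struct model_proxy *model_proxy_create(void)
{
	struct model_proxy *p = calloc(1, sizeof *p);
	if (p) { p->refcount = 1; p->handler = count_call; }
	return p;
}

/* A queued event holds its own reference until it is dispatched. */
void model_queue_event(struct model_proxy *p) { p->refcount++; }

/* Owner sets the destroyed flag and drops its reference; returns 1 if freed. */
int model_proxy_destroy(struct model_proxy *p)
{
	p->flags |= FLAG_DESTROYED;
	if (--p->refcount == 0) { free(p); return 1; }
	return 0;
}

/* Returns 1 if the handler ran, 0 if the event was dropped.
 * *freed is set to 1 when this call released the proxy. */
int model_dispatch_event(struct model_proxy *p, int *calls, int *freed)
{
	int destroyed = !!(p->flags & FLAG_DESTROYED);

	*freed = 0;
	p->refcount--;
	if (destroyed) {
		/* Zero is only reachable once the owner's reference is gone. */
		if (p->refcount == 0) { free(p); *freed = 1; }
		return 0;
	}
	p->handler(calls);  /* p is provably live: nothing above freed it */
	return 1;
}
```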