kv: MergeOperator name() returns string, and caller calls c_str() on the temporary
On Tue, 7 Aug 2018, Réka Nikolett Kovács wrote:
I am working on a bug finding tool that looks for a special kind of
use-after-free problem in C++ code (a "checker" module in the Clang
Static Analyzer), and I've been running it on a few projects to
see if it finds anything interesting.
I've found the following on line 131 in ceph/src/kv/RocksDBStore.cc,
where I suspect we are returning a pointer to a deallocated
Here, mop is a std::shared_ptr<KeyValueDB::MergeOperator>, and name()
seems to return a string by value, a temporary object, on which
c_str() is called to obtain a const char * pointing to its inner
buffer. But the temporary string object is destroyed at the end of the
return statement, and the caller receives a pointer that references a
I hope you find this report useful.
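A constructed illustration of the lifetime problem described in the report, with the dangling-pointer pattern next to two ways of keeping the buffer alive. This is an added example, not code from Ceph or from the report: the MergeOperator and AppendOperator types below are stand-ins for the real KeyValueDB::MergeOperator, and the two fixes are generic options, not the change Ceph actually made (which is not shown on this page).

```cpp
#include <cstring>
#include <memory>
#include <string>

// Hypothetical stand-in for KeyValueDB::MergeOperator: name() returns a
// std::string by value, so every call produces a fresh temporary object.
struct MergeOperator {
    virtual ~MergeOperator() = default;
    virtual std::string name() const = 0;
};

// Constructed concrete operator used as sample input.
struct AppendOperator : MergeOperator {
    std::string name() const override { return "append"; }
};

// The pattern the report describes (constructed, not Ceph's code).
// mop->name() yields a temporary std::string; c_str() returns a pointer into
// that temporary's buffer; the temporary is destroyed when the return
// statement's full expression ends, so the caller receives a dangling
// pointer. Dereferencing it is undefined behaviour. Defined here only to
// show the shape of the bug; deliberately never called.
const char* name_dangling(const std::shared_ptr<MergeOperator>& mop) {
    return mop->name().c_str();  // BUG: pointer into a freed/destroyed buffer
}

// Fix 1: hand the caller the std::string itself. The caller now owns the
// buffer and may call c_str() on it for as long as that object is alive.
std::string name_owned(const std::shared_ptr<MergeOperator>& mop) {
    return mop->name();
}

// Fix 2: when a const char* really has to be passed to a C-style API, bind the
// string to a named local whose lifetime covers every use of the pointer.
size_t name_length_via_c_api(const std::shared_ptr<MergeOperator>& mop) {
    const std::string n = mop->name();  // lives until this function returns
    const char* p = n.c_str();          // valid exactly as long as n is
    return std::strlen(p);              // last use of p happens while n is alive
}
```

The rule of thumb: a pointer obtained from c_str() (or data()) is only valid while the std::string it came from is alive and unmodified, so it must never outlive a temporary; either return the string by value or store it in an object whose scope encloses every use of the pointer.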