bug in array_list_del_idx when array_list_length()==1

[smdjeff]

calling array_list_del_idx( arr, i, 1 ) several times.
once array_list_length()==0, from then on array_list_del_idx,free_fn keeps getting called over and over on that same pointer.

[smdjeff]

note that your unit test only tests json_object_array_del_idx where i = 0

[hawicz]

Deleting a non-existent array element is not a valid operation, don't do that. However, let's say you do anyway, the code at https://github.com/json-c/json-c/blob/master/arraylist.c#L139 will prevent the free_fn from being called:

if ( idx >= arr->length || stop > arr->length ) return -1;

How are you actually causing a problem to occur?

[smdjeff]

Sorry. It's when you delete the last element. So len = 1 before and 0 after. Free is called incorrectly.

[hawicz]

how is it called incorrectly? As far as I can tell, it works perfectly fine. e.g.:

#include <stdio.h>
#include "arraylist.h"

void free_func(void *foo)
{
        printf("free called on %p\n", foo);
}
int main()
{
        struct array_list *al;
        al = array_list_new(free_func);
        array_list_add(al, "somedata");
        printf("first call\n");
        array_list_del_idx(al, 0, 1);
        printf("second call\n");
        array_list_del_idx(al, 0, 1);
        printf("third call\n");
        array_list_del_idx(al, 0, 1);
        printf("freeing\n");
        array_list_free(al);
}

Produces:

first call
free called on 0x400957
second call
third call
freeing

Note the lack of calls to free for the second and third call.

[smdjeff]

Try it where those zeros arent always zeros. And you have more adds mixed in.

…

On Wed, Mar 28, 2018, 9:26 PM Eric Haszlakiewicz ***@***.***> wrote: *how* is it called incorrectly? As far as I can tell, it works perfectly fine. e.g.: #include <stdio.h> #include "arraylist.h" void free_func(void *foo) { printf("free called on %p\n", foo); } int main() { struct array_list *al; al = array_list_new(free_func); array_list_add(al, "somedata"); printf("first call\n"); array_list_del_idx(al, 0, 1); printf("second call\n"); array_list_del_idx(al, 0, 1); printf("third call\n"); array_list_del_idx(al, 0, 1); printf("freeing\n"); array_list_free(al); } Produces: first call free called on 0x400957 second call third call freeing Note the lack of calls to free for the second and third call. — You are receiving this because you modified the open/close state. Reply to this email directly, view it on GitHub <#408 (comment)>, or mute the thread <https://github.com/notifications/unsubscribe-auth/ABN2T-8ezkovsjpBl-dc1PTKWO04d8jSks5tjFRlgaJpZM4S9-Xy> .

[hawicz]

Closing, since it works fine as far as I can tell. If you have an actual test case that demonstrates the problem, feel free to provide it and reopen.

[smdjeff]

Was using an old revision, I believe this was corrected in #332