Potential null pointer dereferences after calling raxStackPop()

[thedrow]

This is just one example that I'm not sure I fixed correctly (and that's why it's not a PR yet).

diff --git a/rax.c b/rax.c
index 7dcf045..9a8fcda 100644
--- a/rax.c
+++ b/rax.c
@@ -1056,7 +1056,7 @@ int raxRemove(rax *rax, unsigned char *s, size_t len, void **old) {
             h = raxStackPop(&ts);
              /* If this node has more then one child, or actually holds
               * a key, stop here. */
-            if (h->iskey || (!h->iscompr && h->size != 1)) break;
+            if (h != NULL && (h->iskey || (!h->iscompr && h->size != 1))) break;
         }
         if (child) {
             debugf("Unlinking child %p from parent %p\n",

Other occurrences appear in:

10. rax.c:1468: error: NULL_DEREFERENCE
      pointer `it->node` last assigned on line 1461 could be null and is dereferenced at line 1468, column 21.

11. rax.c:1608: error: NULL_DEREFERENCE
      pointer `it->node` last assigned on line 1517 could be null and is dereferenced at line 1608, column 26.

12. rax.c:1665: error: NULL_DEREFERENCE
      pointer `it->node` last assigned on line 1517 could be null and is dereferenced at line 1665, column 17.

13. rax.c:1755: error: NULL_DEREFERENCE
      pointer `n` last assigned on line 1754 could be null and is dereferenced at line 1755, column 25.

These may well be false positives found by infer or simply a rare edge case. If it's the latter, we should address it somehow.

[thedrow]

You can ignore the rest of the errors if you run infer yourself. One of them is a false positive (see facebook/infer#1317) and the rest occur in the test suite.

[oranagra]

i see the loop in the patch you provided runs until it reaches h != rax->head
so i don't see how it's possible that raxStackPop will return NULL.
anything i'm missing?

[thedrow]

As I said, I might be missing something which is why this isn't a PR instead of an issue.