CLIPS Version 6.24 - Coverity issue


Prasad Avn

Sep 15, 2020, 4:34:31 PM
to CLIPSESG
Can you please help us with the Coverity issue below?

File: factmngr.c
Method: ReturnFact
Category: Use After Free

This could cause an immediate crash or incorrect values might be read subsequently resulting in incorrect computations.

In ReturnFact(void *, fact *): A pointer to freed memory is dereferenced, used as a function argument, or otherwise used (CWE-416)

Call stack:
...
     8. Condition theFact->theProposition.multifieldLength == 0, taking false branch.
   if (theFact->theProposition.multifieldLength == 0) newSize = 1;
   else newSize = theFact->theProposition.multifieldLength;

     9. Condition ((memoryData *)((environmentData *)theEnv)->theData[59])->TempSize2 < 500UL /* (unsigned long)500 */, taking false branch.
     10. freed_arg: rm3 frees theFact.

       CID XXXXX (#1 of 1): Use after free (USE_AFTER_FREE)
       11. use_after_free: Using freed pointer theFact.
   rtn_var_struct2(theEnv,fact,sizeof(struct field) * (newSize - 1),theFact);
  }

Appreciate your inputs on this.

Thanks,
Prasad

CLIPS Support

Sep 15, 2020, 4:56:14 PM
to CLIPSESG
I don't see any issue. There's no path through the code where freed memory is referenced. Function rm3 immediately exits after freeing the memory and is the last statement in the rtn_var_struct macro which is also the last statement in ReturnFact.

Joshua Scoggins

Sep 17, 2020, 2:57:58 PM
to CLIPSESG
If I remember correctly, CLIPS does not free memory blocks smaller than 500 (I think it was defaulted to 500) bytes immediately on rtn calls. Instead it zeros the blocks out and holds onto them in a table for reuse. 

Perhaps it is getting confused on that?
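To make the pooling behaviour Joshua describes concrete, here is a small size-bucketed pool allocator written as an added example; it is not CLIPS code, and the names (pool_get, pool_return, POOL_LIMIT, pool_real_frees) are invented for the illustration. The 500-byte threshold is taken from his message and from step 9 of the Coverity trace above, where the comparison against 500UL is visible. Blocks below the limit are zeroed and kept on a per-size free list; only larger blocks reach free().

```c
/* Added example, not CLIPS source: a minimal size-bucketed pool in the style
 * described above. POOL_LIMIT and all function names are assumptions. */
#include <stdlib.h>
#include <string.h>
#include <stddef.h>

#define POOL_LIMIT 500        /* blocks of this size or larger are freed for real */

static void *pool_table[POOL_LIMIT]; /* free-list head for each exact block size */
static unsigned long real_frees;     /* count of blocks that actually reached free() */

/* Return a block. Small blocks are zeroed and linked into pool_table[size];
 * the link lives in the first sizeof(void *) bytes of the block. Nothing
 * touches the block after the return below, which is the property a static
 * analyzer must see to avoid flagging the caller's last use as use-after-free. */
void pool_return(void *block, size_t size)
{
    if (size < POOL_LIMIT && size >= sizeof(void *)) {
        memset(block, 0, size);
        *(void **)block = pool_table[size];
        pool_table[size] = block;
        return;
    }
    free(block);
    real_frees++;
}

/* Hand out a block, reusing a pooled one of the exact size when available. */
void *pool_get(size_t size)
{
    if (size < POOL_LIMIT && size >= sizeof(void *) && pool_table[size] != NULL) {
        void *block = pool_table[size];
        pool_table[size] = *(void **)block;  /* unlink from the free list */
        return block;
    }
    return malloc(size);
}

unsigned long pool_real_frees(void) { return real_frees; }

/* Shows both behaviours: a 64-byte block comes back from the pool on the next
 * request of that size, while a 600-byte block goes straight to free(). Returns
 * 1 when both observations hold. Note that dynamic tools such as ASan cannot see
 * a stale read through a pooled block, because the memory was never freed. */
int pool_demo(void)
{
    void *small = pool_get(64);
    unsigned long before = pool_real_frees();
    pool_return(small, 64);
    int reused = (pool_get(64) == small);
    void *large = pool_get(600);
    pool_return(large, 600);
    return reused && pool_real_frees() == before + 1;
}
```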