﻿id	summary	reporter	owner	description	type	status	priority	milestone	component	version	resolution	keywords	cc	uname	nginx_version
460	Clang reports use-after-free in core/ngx_resolver.c	Jeffrey Walton		"Clang 3.3 flagged two use-after-free's in core/ngx_resolver.c.

I'm not sure it's a valid finding, but I'm reporting it just in case. I logged it as a task rather than a defect.

{{{
src/core/ngx_resolver.c:854:20: warning: Use of memory after it is freed
    if (now <= rn->expire) {
                   ^~~~~~~~~~
src/core/ngx_resolver.c:972:19: warning: Use of memory after it is freed
    if (now < rn->expire) {
}}}

Both issues appear to be centered on the calls to the following (and the subsequent jump to the top of the loop):

{{{
ngx_rbtree_delete(tree, &rn->node);
ngx_resolver_free_node(r, rn);
}}}

The attached is a copy of the results from scan-build. It's a graphical call graph to show how Clang determined the use-after-free path. In the attached, navigate to index.html. Then click the link for the issue.

Finally, for those who use Clang 3.3 and scan-build, the command to duplicate is:

{{{
$ export CC=""/usr/local/bin/clang""
$ export CXX=""/usr/local/bin/clang++""
$ /usr/local/bin/scan-build/scan-build --use-analyzer=/usr/local/bin/clang ./configure
$ /usr/local/bin/scan-build/scan-build --use-analyzer=/usr/local/bin/clang make
}}}
"	task	closed	minor		nginx-core		invalid	Clang use-after-free		"$ uname -a
Darwin riemann.home.pvt 12.5.0 Darwin Kernel Version 12.5.0: Sun Sep 29 13:33:47 PDT 2013; root:xnu-2050.48.12~1/RELEASE_X86_64 x86_64"	"$ ./objs/nginx -V
nginx version: nginx/1.4.4
configure arguments:"
