Potential-Infinite-Loop Pattern Detected by a New PVS-Studio Diagnostic
We are currently testing a new diagnostic, V1021, which will be available in the next version of the PVS-Studio static analyzer. We were caught by surprise when it pointed out an interesting bug in the nginx project. And, you know, you have to try really hard to find a bug in this project, because it is very well written and tested.
PVS-Studio diagnostic message: V1021 The ‘cl’ variable is assigned the same value on several loop iterations. ngx_http_upstream.c 2138
The loop is used to search for the last element in the list and will become infinite if the list is longer than one element. The actual error is the expression “cl = out->next” written in place of the intended “cl = cl->next”: instead of advancing from the current element, the step re-reads the head of the list, so the loop examines the same element over and over.
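To make the pattern concrete, here is a constructed model of the loop, added for this article and not taken from nginx: a plain singly linked list stands in for nginx's chain type, and the names `chain_s`, `last_id_buggy`, `last_id_fixed`, `make_chain` and `demo_*` are all invented for this example. The faulty loop re-reads the list head on every step, as described above, and carries a runtime analogue of the V1021 check: it bails out as soon as the loop variable receives the same value it had on the previous iteration, which is exactly the lack of progress the analyzer flags statically.

```c
#include <stdio.h>
#include <stddef.h>

/* Constructed stand-in for a chain link; not nginx's ngx_chain_t. */
typedef struct chain_s chain_t;
struct chain_s {
    int      id;     /* 1-based position, so the last element's id equals the length */
    chain_t *next;
};

/* The faulty form: the step expression re-reads the head of the list, so after
 * the first iteration cl is stuck at out->next and never reaches the end.
 * A runtime analogue of the V1021 check is added: the moment the loop
 * variable receives the same value it had on the previous iteration the loop
 * can make no further progress, so we return -1 instead of spinning forever. */
int last_id_buggy(chain_t *out)
{
    chain_t *cl, *prev = NULL;

    for (cl = out; cl->next; cl = out->next) {   /* BUG: should be cl = cl->next */
        if (cl == prev) {
            return -1;   /* same value assigned on consecutive iterations */
        }
        prev = cl;
    }
    return cl->id;
}

/* The intended form: advance from the current element, not from the head. */
int last_id_fixed(chain_t *out)
{
    chain_t *cl;

    for (cl = out; cl->next; cl = cl->next) { /* void */ }
    return cl->id;
}

#define POOL_SIZE 16

/* Link the first n entries of a static pool into a list with ids 1..n
 * (constructed test data, rebuilt on every call). */
static chain_t *make_chain(int n)
{
    static chain_t pool[POOL_SIZE];
    int i;

    for (i = 0; i < n; i++) {
        pool[i].id = i + 1;
        pool[i].next = (i + 1 < n) ? &pool[i + 1] : NULL;
    }
    return &pool[0];
}

/* Drive each loop over an n-element list; -2 signals an unsupported length. */
int demo_buggy(int n)
{
    if (n < 1 || n > POOL_SIZE) return -2;
    return last_id_buggy(make_chain(n));
}

int demo_fixed(int n)
{
    if (n < 1 || n > POOL_SIZE) return -2;
    return last_id_fixed(make_chain(n));
}

int main(void)
{
    int n;

    for (n = 1; n <= 4; n++) {
        printf("%d element(s): fixed -> %d, buggy -> %d\n",
               n, demo_fixed(n), demo_buggy(n));
    }
    return 0;
}
```

Run stand-alone, the program prints one line per list length. With a single element both loops agree, which is why the defect stays invisible in a code base where the chain always has exactly one link at that point. In this particular loop shape a two-element list still terminates, because the bogus step happens to land on the last node; from three elements on, the loop variable is reassigned the same value on consecutive iterations and the guarded version returns -1 where the real loop would hang. The takeaway is that the loop's termination depends on the shape of the data rather than on the code, which is precisely the kind of latent defect a static check for repeated assignment catches before the data ever changes.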
So far the bug has never manifested in practice, because the list has always had exactly one element at this point, as the nginx developers explained in their comment on the bug report submitted by my colleague: https://trac.nginx.org/nginx/ticket/1618
Here’s what they say: Thanks for reporting. Looks like currently chain link is a single item in this place, so nothing bad happens in vanilla nginx.
So, yes, nothing bad happens today, but it is still a real bug, and it could manifest itself one day if nginx's algorithms were changed so that more than one element reaches this loop.
I’m glad we have this new diagnostic and I think it’s going to be pretty helpful. Don’t hesitate to use PVS-Studio — it can help improve your projects’ quality and reliability!