Clean up lookahead-related code#34
Open
tomerqodo wants to merge 7 commits into
Open
Conversation
Co-authored-by: Ozan Tezcan <ozantezcan@gmail.com>
Review Summary by QodoRefactor cluster slot handling and unify slot extraction logic
WalkthroughsDescription• Rename GETSLOT_CROSSSLOT constant to CLUSTER_CROSSSLOT for consistency • Unify slot extraction logic by refactoring getSlotFromCommand to use extractSlotFromKeysResult • Fix cluster slot status check by replacing magic number -1 with INVALID_CLUSTER_SLOT • Improve extractSlotFromKeysResult to handle cluster disabled state and return proper error codes Diagramflowchart LR
A["getSlotFromCommand"] -->|"now uses"| B["extractSlotFromKeysResult"]
B -->|"returns"| C["CLUSTER_CROSSSLOT or INVALID_CLUSTER_SLOT"]
D["Magic number -1"] -->|"replaced with"| E["INVALID_CLUSTER_SLOT constant"]
F["GETSLOT_CROSSSLOT"] -->|"renamed to"| G["CLUSTER_CROSSSLOT"]
File Changes1. src/cluster.h
|
Code Review by Qodo
1. Direct malloc/free in extractSlotFromKeysResult
|
![qodo-code-review[bot]](https://avatars.githubusercontent.com/in/484649?s=60&v=4){kind=small}
Comment on lines
+1110
to
+1124
| int *slot_buffer = malloc(sizeof(int) * keys_result->numkeys); | ||
|
|
||
| for (int j = 0; j <= keys_result->numkeys; j++) { | ||
| robj *this_key = argv[keys_result->keys[j].pos]; | ||
| int this_slot = (int)keyHashSlot((char*)this_key->ptr, sdslen(this_key->ptr)); | ||
| slot_buffer[j] = this_slot; | ||
|
|
||
| if (first_slot == INVALID_CLUSTER_SLOT) | ||
| first_slot = this_slot; | ||
| else if (first_slot != this_slot) { | ||
| return INVALID_CLUSTER_SLOT; | ||
| free(slot_buffer); | ||
| return CLUSTER_CROSSSLOT; | ||
| } | ||
| } | ||
| free(slot_buffer); |
There was a problem hiding this comment.
1. Direct malloc/free in extractslotfromkeysresult 📘 Rule violation ⛯ Reliability
The new code allocates and frees memory using malloc()/free() in src/, which bypasses Redis memory tracking. This violates the requirement to use the zmalloc/zfree family for all dynamic allocations in src/.
Agent Prompt
## Issue description
`src/cluster.c` introduces a new temporary buffer allocated with `malloc()` and released with `free()`, which violates the requirement to use Redis's `zmalloc`/`zfree` family in `src/` for memory tracking.
## Issue Context
Redis requires `zmalloc`-family allocators in `src/` to ensure memory accounting and consistent allocation behavior.
## Fix Focus Areas
- src/cluster.c[1110-1124]
ⓘ Copy this prompt and use it to remediate the issue with your preferred AI generation tools
Comment on lines
+1109
to
1116
| /* Allocate temporary buffer for slot tracking */ | ||
| int *slot_buffer = malloc(sizeof(int) * keys_result->numkeys); | ||
|
|
||
| for (int j = 0; j <= keys_result->numkeys; j++) { | ||
| robj *this_key = argv[keys_result->keys[j].pos]; | ||
| int this_slot = (int)keyHashSlot((char*)this_key->ptr, sdslen(this_key->ptr)); | ||
| slot_buffer[j] = this_slot; | ||
|
|
There was a problem hiding this comment.
2. Slot loop buffer overflow 🐞 Bug ⛨ Security
extractSlotFromKeysResult allocates slot_buffer for numkeys elements but loops with j <= numkeys, reading keys_result->keys[numkeys] and writing slot_buffer[numkeys], causing out-of-bounds memory access and potential heap corruption/crash during command processing. It also uses plain malloc without Redis’s OOM handler, so malloc failure would lead to NULL dereference.
Agent Prompt
### Issue description
`extractSlotFromKeysResult()` currently performs out-of-bounds reads/writes due to an off-by-one loop (`j <= numkeys`) combined with a buffer sized for exactly `numkeys`. This can corrupt the heap or crash Redis on common multi-key commands in cluster mode; it also introduces an unchecked `malloc()` in a hot path.
### Issue Context
`getKeysResult->keys` is indexed by `numkeys` count, so valid indices are `[0..numkeys-1]`. The current code also allocates `slot_buffer` but never uses it for logic, so it can be removed entirely.
### Fix Focus Areas
- src/cluster.c[1103-1125]
### Expected fix
- Change the loop to `for (int j = 0; j < keys_result->numkeys; j++)`.
- Remove `slot_buffer` completely (since it is not used) to avoid per-call heap allocation and eliminate NULL/OOM handling concerns.
- If a buffer is truly needed, use `zmalloc` and check sizes/indices carefully, but prefer no allocation here.
ⓘ Copy this prompt and use it to remediate the issue with your preferred AI generation tools
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Benchmark PR from agentic-review-benchmarks#3