Hi Alexandre,
There is sometimes a double free in the wineserver, in fd.c
Basically the callback for the timeout is called, and the callback (for instance in set_next_timer:queue.c) calls remove_timeout_user() which does a free( user ), but at the end of handle_timeout() it also performs a free, so I think the same timeout struct is freed twice.
I don't know how to fix this bug - I commented out the free in remove_timeout_user and that stopped the wineserver from segfaulting or dying inside malloc, but it might cause a memory leak in the case where a timeout is added and then removed before being handled.
It's too bad there is no way to check if a pointer has already been freed. Maybe a flag (inside_callback) in the timeout_user struct, so we know not to free it in remove_timeout_user()? What do you think?
thanks -mike
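Mike's proposed inside_callback flag, modeled in a small constructed C example (added here; this is not Wine's fd.c or queue.c code): handle_timeout marks the entry while its callback runs, so a remove_timeout_user() call made from inside the callback only unlinks the entry and leaves the single free to handle_timeout, while the add-then-remove-before-handling path still frees. The list layout, the free counter and self_removing_callback are assumptions of the model.

```c
#include <stdlib.h>

/* Constructed model of a wineserver-style timeout list, not the real fd.c code. */
typedef void (*timeout_callback)( void *priv );
struct timeout_user {
    struct timeout_user *next;
    timeout_callback     callback;
    void                *priv;
    int                  inside_callback;  /* set while the callback runs: remove must not free */
};
static struct timeout_user *timeout_head;
static int free_count;  /* counts free() calls so a double free would be observable */

struct timeout_user *add_timeout_user( timeout_callback callback, void *priv ) {
    struct timeout_user *user = calloc( 1, sizeof(*user) );
    if (!user) return NULL;
    user->callback = callback; user->priv = priv;
    user->next = timeout_head; timeout_head = user;
    return user;
}
static void unlink_timeout_user( struct timeout_user *user ) {
    struct timeout_user **pp;
    for (pp = &timeout_head; *pp; pp = &(*pp)->next)
        if (*pp == user) { *pp = user->next; return; }
}
void remove_timeout_user( struct timeout_user *user ) {
    unlink_timeout_user( user );
    if (user->inside_callback) return;  /* handle_timeout owns the free */
    free( user ); free_count++;
}
void handle_timeout(void) {  /* fire the expired entry (the head, for brevity) */
    struct timeout_user *user = timeout_head;
    if (!user) return;
    unlink_timeout_user( user );
    user->inside_callback = 1;
    user->callback( user->priv );  /* may call remove_timeout_user( user ) */
    free( user ); free_count++;
}

/* Mirrors set_next_timer: the callback removes the very timeout it is running from. */
static void self_removing_callback( void *priv ) { remove_timeout_user( priv ); }
int frees_when_callback_removes_itself(void) {
    struct timeout_user *user = add_timeout_user( self_removing_callback, NULL );
    user->priv = user; free_count = 0;
    handle_timeout();
    return free_count;  /* 1; without the flag this path freed twice */
}
int frees_when_removed_before_handling(void) {
    free_count = 0;
    remove_timeout_user( add_timeout_user( self_removing_callback, NULL ) );
    return free_count;  /* 1; early removal still frees, so no leak */
}
```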
Mike Hearn mike@theoretic.com writes:
> Basically the callback for the timeout is called, and the callback (for instance in set_next_timer:queue.c) calls remove_timeout_user() which does a free( user ), but at the end of handle_timeout() it also performs a free, so I think the same timeout struct is freed twice.
That shouldn't happen, the timeout can be either handled or removed, but not both. Exactly where do you see this happen? Do we somewhere call remove_timeout_user while handling the timeout?
In queue.c: timer_callback -> set_next_timer -> remove_timeout_user
is one. remove_timeout_user() is only called when queue->timeout is set however.
On Sat, 2003-08-23 at 19:06, Alexandre Julliard wrote:
> That shouldn't happen, the timeout can be either handled or removed, but not both. Exactly where do you see this happen? Do we somewhere call remove_timeout_user while handling the timeout?