
Bug #4775

ui: comet invalid free write on shutdown

Added by Em Smith about 4 years ago. Updated almost 4 years ago.

Status: Fixed
Priority: Normal
Assignee: -
Category: User Interface
Target version: -
Start date: 2017-12-07
Due date:
% Done: 100%
Estimated time:
Found in version: 4.3
Affected Versions:

Description

When running under valgrind, occasionally I get this on shutdown:

==685== Thread 82 tvh:tcp-start:
==685== Invalid write of size 8
==685==    at 0x37326D: comet_mailbox_ws (comet.c:459)
==685==    by 0x2E9419: http_exec (http.c:1182)
==685==    by 0x2EA4A9: http_cmd_get (http.c:1257)
==685==    by 0x2EA6DC: http_process_request (http.c:1339)
==685==    by 0x2E992B: process_request (http.c:1463)
==685==    by 0x2EAABA: http_serve_requests (http.c:1916)
==685==    by 0x2EAD02: http_serve (http.c:1965)
==685==    by 0x2E2051: tcp_server_start (tcp.c:713)
==685==    by 0x2DD697: thread_wrapper (wrappers.c:161)
==685==    by 0x6C577FB: start_thread (pthread_create.c:465)
==685==    by 0x83BDB0E: clone (clone.S:95)
==685==  Address 0x1750c030 is 32 bytes inside a block of size 64 free'd
==685==    at 0x4C30D3B: free (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==685==    by 0x3725E4: comet_done (comet.c:494)
==685==    by 0x2D0179: main (main.c:1290)
==685==  Block was alloc'd at
==685==    at 0x4C31B25: calloc (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==685==    by 0x372957: comet_mailbox_create (comet.c:123)
==685==    by 0x372957: comet_find_mailbox (comet.c:290)
==685==    by 0x3731EF: comet_mailbox_ws (comet.c:435)
==685==    by 0x2E9419: http_exec (http.c:1182)
==685==    by 0x2EA4A9: http_cmd_get (http.c:1257)
==685==    by 0x2EA6DC: http_process_request (http.c:1339)
==685==    by 0x2E992B: process_request (http.c:1463)
==685==    by 0x2EAABA: http_serve_requests (http.c:1916)
==685==    by 0x2EAD02: http_serve (http.c:1965)
==685==    by 0x2E2051: tcp_server_start (tcp.c:713)
==685==    by 0x2DD697: thread_wrapper (wrappers.c:161)
==685==    by 0x6C577FB: start_thread (pthread_create.c:465)
==685==
 [   INFO] epgdb: snapshot start

I'm guessing the comet_done cmb_destroy should be moved, perhaps to the end of the function?
(I don't have a patch).
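The trace above shows the classic shutdown use-after-free pattern: main() calls comet_done(), which frees a mailbox, while a tcp worker thread that looked the same mailbox up via comet_find_mailbox() is still writing into it from comet_mailbox_ws(). The added example below is a simplified model written for this page, not tvheadend's comet.c: it keeps the function names from the trace (comet_find_mailbox, comet_done) but the mailbox struct, the mailbox_ref/mailbox_unref helpers, request_write and replay_shutdown_interleaving are hypothetical. It shows the reference-counting fix the first associated revision describes: the global list holds one reference, each in-flight request takes its own, and comet_done() only drops the list's reference, so the block is freed by whichever holder lets go last. The replay function runs the interleaving from the trace sequentially and checks that the write lands in live memory and the free happens exactly once.

```c
#include <stdatomic.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical model of a comet mailbox (not tvheadend's struct). */
typedef struct mailbox {
    atomic_int refcount;      /* one reference per holder: the list plus each in-flight request */
    char id[16];
    int messages_written;
} mailbox_t;

#define MAX_MAILBOXES 4
static mailbox_t *mailboxes[MAX_MAILBOXES];   /* stand-in for comet's mailbox list */
static int n_mailboxes;
static int mailbox_free_count;                 /* counts real free() calls, for checking */

static mailbox_t *mailbox_create(const char *id)
{
    mailbox_t *mb = calloc(1, sizeof(*mb));
    if (mb == NULL)
        return NULL;
    atomic_init(&mb->refcount, 1);             /* the list's reference */
    strncpy(mb->id, id, sizeof(mb->id) - 1);
    return mb;
}

static mailbox_t *mailbox_ref(mailbox_t *mb)
{
    atomic_fetch_add(&mb->refcount, 1);
    return mb;
}

/* Drops one reference; the block is freed only when the last holder lets go. */
static void mailbox_unref(mailbox_t *mb)
{
    if (atomic_fetch_sub(&mb->refcount, 1) == 1) {
        free(mb);
        mailbox_free_count++;
    }
}

static int mailbox_refcount(const mailbox_t *mb)
{
    return atomic_load(&mb->refcount);
}

/* Lookup-or-create. The caller receives its own reference and must unref it. */
static mailbox_t *comet_find_mailbox(const char *id)
{
    for (int i = 0; i < n_mailboxes; i++)
        if (strcmp(mailboxes[i]->id, id) == 0)
            return mailbox_ref(mailboxes[i]);
    if (n_mailboxes == MAX_MAILBOXES)
        return NULL;
    mailbox_t *mb = mailbox_create(id);
    if (mb == NULL)
        return NULL;
    mailboxes[n_mailboxes++] = mb;
    return mailbox_ref(mb);
}

/* Shutdown: the list gives up its references. Requests still running keep
 * theirs, so they never write into freed memory. */
static void comet_done(void)
{
    for (int i = 0; i < n_mailboxes; i++)
        mailbox_unref(mailboxes[i]);
    n_mailboxes = 0;
}

/* The per-request write that valgrind flagged in comet_mailbox_ws. */
static int request_write(mailbox_t *mb)
{
    return ++mb->messages_written;
}

/* Replays the interleaving from the trace, sequentially: an HTTP worker looks up
 * the mailbox, main() runs comet_done(), then the worker writes and finishes.
 * Returns 1 when the write hit live memory and the block was freed exactly once. */
static int replay_shutdown_interleaving(void)
{
    mailbox_free_count = 0;
    n_mailboxes = 0;
    mailbox_t *mb = comet_find_mailbox("boxid");       /* worker thread, before shutdown */
    if (mb == NULL || mailbox_refcount(mb) != 2)        /* list + worker */
        return 0;
    comet_done();                                       /* main thread shuts comet down */
    if (mailbox_free_count != 0 || mailbox_refcount(mb) != 1)
        return 0;                                       /* worker's reference keeps it alive */
    int written = request_write(mb);                    /* previously the invalid write */
    mailbox_unref(mb);                                  /* worker done: last ref, real free */
    return written == 1 && mailbox_free_count == 1;
}

int main(void)
{
    printf("shutdown interleaving safe: %s\n",
           replay_shutdown_interleaving() ? "yes" : "no");
    return 0;
}
```

Without the per-request reference, comet_done() would free the block while the worker still holds a raw pointer, which is exactly the "Address ... inside a block of size 64 free'd" report above; simply moving the free later in comet_done() (the second associated revision) narrows the window, whereas the refcount removes it.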

Associated revisions

Revision cbf15d8f (diff)
Added by Jaroslav Kysela about 4 years ago

comet: fix refcounting, fixes #4775

Revision d0a79495 (diff)
Added by Jaroslav Kysela about 4 years ago

comet: free queue later in comet_done(), fixes #4775

History

#1

Updated by Jaroslav Kysela almost 4 years ago

  • Status changed from New to Fixed
  • % Done changed from 0 to 100
