[PATCH] Memprof bug

The bug my patch squashes is the use of a potentially freed structure. The
block_unref() call can free the block structure if its reference count is
1, so then the fields in that structure are invalid. My patch to process.c
is to simply place the block_unref() call after accessing the `size' field
of the structure.

I found this because I've altered the glib g_new() and g_free() functions
to fill the allocated and freed pointers with recognizable trash values.
Running memprof on the included testmemprof program I'd see in the main
window the allocated number of bytes was something like 1.5G, so something
was obviously wrong.

Without making a change to glib I suppose one could reproduce this by
stopping at the `process->bytes_used -= block->size' line and checking the
block structure's reference count. Running the testmemprof program you
should see that when the `free()' function is called in testmemprof the
reference count of the block is 0, so the block would have been freed in
block_unref().

Thanks to everyone working on gnome, and Owen Taylor for the memprof
program.

--- process.c.orig	Fri Jul  7 15:14:11 2000
+++ process.c	Wed Oct 25 06:13:43 2000
@@ -506,10 +506,9 @@
 			}
 			else {
 				g_hash_table_remove (process->block_table, info->alloc.old_ptr);
-				block_unref (block);
-				
 				process->bytes_used -= block->size;
 				process->n_allocations--;
+				block_unref (block);
 			}
 		}
 		
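Review bot: The reordering fixes the stale read, but nothing in the hunk records why the order matters, so a later cleanup could silently move block_unref() back above the `process->bytes_used -= block->size;` line. Suggest a one-line comment before the unref, e.g. `/* must come after the block->size read: may free block */`, since block_unref() can drop the last reference and g_hash_table_remove() above has already released the table's hold on it.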
###############################
# Art Haas
# (713) 689-2417
###############################
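To show the ordering bug the mail describes, here is an added C example (not memprof's code and not the author's patch): a minimal refcounted block, a poison-on-release stand-in for the trash-filling g_free() the author mentions, and the accounting sequence in both the original and the patched order. The Block and Process structs are hypothetical simplifications.

```c
#include <stdlib.h>
#include <string.h>

/* Hypothetical stand-ins for memprof's structures; only the fields the
 * accounting code touches are modelled. */
typedef struct {
    int    refcount;
    size_t size;
} Block;

typedef struct {
    size_t bytes_used;
    int    n_allocations;
} Process;

/* Poison the object when the last reference goes. This stands in for
 * free(): the memory stays allocated so the stale read below is a
 * defined read of garbage rather than undefined behaviour. */
#define POISON_BYTE 0xAB

static void block_unref(Block *block)
{
    if (--block->refcount == 0)
        memset(block, POISON_BYTE, sizeof *block);
}

static Block *block_new(size_t size)
{
    Block *b = calloc(1, sizeof *b);
    b->refcount = 1;
    b->size = size;
    return b;
}

/* Original order: the reference is dropped before `size' is read, so the
 * poisoned value is subtracted and bytes_used becomes nonsense. */
size_t free_block_buggy(size_t bytes_used, size_t size)
{
    Block *block = block_new(size);
    Process p = { bytes_used, 1 };
    block_unref(block);
    p.bytes_used -= block->size;   /* stale read */
    p.n_allocations--;
    free(block);
    return p.bytes_used;
}

/* Patched order: read `size' first, then drop the reference. */
size_t free_block_fixed(size_t bytes_used, size_t size)
{
    Block *block = block_new(size);
    Process p = { bytes_used, 1 };
    p.bytes_used -= block->size;
    p.n_allocations--;
    block_unref(block);
    free(block);
    return p.bytes_used;
}
```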
