httpd-dev mailing list archives

From Cliff Woolley <>
Subject Re: debugging heap corruption on FreeBSD
Date Thu, 01 Feb 2001 23:19:09 GMT

--- wrote:
> It should actually cause the corruption.  Think of this.  You split a file
> bucket, that is two one malloc, but whenever we destroy the file, we call
> free.

Not quite, I think.

after create file:
   apr_bucket -> apr_bucket_shared -> apr_bucket_file(refcount=1)

after split file:
   apr_bucket -> apr_bucket_shared -> apr_bucket_file(refcount=2)
   apr_bucket -> apr_bucket_shared ---^

after destroy file:  [free(apr_bucket_shared*),free(apr_bucket*) leaves:]
   apr_bucket -> apr_bucket_shared -> apr_bucket_file(refcount=2)  [wrong refcount!]

after destroy file:  [free(apr_bucket_shared*),free(apr_bucket*) leaves:]
   apr_bucket_file(refcount=2)  [lost pointer to file bucket, refcount even more wrong]

The bucket destruction macro automatically frees the apr_bucket, and the b->data of that
bucket is freed by the type-specific destruction function.  Using free() for the
type-specific destruction function for file buckets frees b->data, sure, but b->data
points to an apr_bucket_shared, not the apr_bucket_file.  So after the two destructs are
called, the apr_bucket's and the apr_bucket_shared's are gone, but the apr_bucket_file

No corruption, just a memory leak.

Speaking of which--should file_destroy() close the file, or should we just leave that to
the pool cleanup like we do with my patch?


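The leak described above, as an added example that is not part of the original message or of APR: a toy model of the three-level layout (bucket -> shared -> file with refcount) using constructed type names (bucket_t, shared_t, file_t), not APR's real definitions. It runs the create/split/destroy sequence twice, once with plain free() as the type-specific destructor, which orphans the file struct with its refcount still at 2, and once with a destructor that decrements the refcount and frees the file struct only on the last reference.

```c
#include <stdio.h>
#include <stdlib.h>

/* Constructed toy types for this example, mirroring the layout in the
 * message: bucket_t -> shared_t -> file_t(refcount). Not APR's own structs. */
typedef struct file_t   { int refcount; int fd; } file_t;
typedef struct shared_t { file_t *file; size_t start, end; } shared_t;
typedef struct bucket_t {
    shared_t *data;               /* the bucket's type-specific payload   */
    void (*destroy)(void *data);  /* type-specific destructor for data    */
} bucket_t;

/* Number of file_t objects currently allocated, so a leak is measurable. */
static int live_files = 0;

static bucket_t *bucket_new(shared_t *s, void (*destroy)(void *))
{
    bucket_t *b = malloc(sizeof *b);
    if (!b) abort();
    b->data = s;
    b->destroy = destroy;
    return b;
}

/* "create file": one bucket, one shared, one file with refcount 1 */
bucket_t *file_bucket_create(int fd, size_t len, void (*destroy)(void *))
{
    file_t *f = malloc(sizeof *f);
    shared_t *s = malloc(sizeof *s);
    if (!f || !s) abort();
    f->refcount = 1;
    f->fd = fd;
    live_files++;
    s->file = f;
    s->start = 0;
    s->end = len;
    return bucket_new(s, destroy);
}

/* "split file": a second bucket and shared_t point at the same file_t,
 * whose refcount becomes 2 */
bucket_t *file_bucket_split(bucket_t *b, size_t point)
{
    shared_t *s = malloc(sizeof *s);
    if (!s) abort();
    s->file = b->data->file;
    s->start = point;
    s->end = b->data->end;
    b->data->end = point;
    s->file->refcount++;
    return bucket_new(s, b->destroy);
}

/* Generic destroy: run the type-specific destructor on b->data, then free
 * the bucket itself (the role of the destruction macro in the message). */
void bucket_destroy(bucket_t *b)
{
    b->destroy(b->data);
    free(b);
}

/* Buggy destructor: free() releases only the shared_t; file_t is orphaned. */
void file_destroy_buggy(void *data)
{
    free(data);
}

/* Correct destructor: drop one reference, free the file_t on the last one,
 * then free the shared_t. */
void file_destroy_refcounted(void *data)
{
    shared_t *s = data;
    if (--s->file->refcount == 0) {
        live_files--;
        free(s->file);
    }
    free(s);
}

/* Create, split, destroy both halves with the given destructor. Returns the
 * number of file_t objects still allocated afterwards (0 = clean, 1 = leaked).
 * If one leaked, its stale refcount is reported through *stale_refcount and
 * the object is reclaimed so the demo itself does not leak. */
int run_scenario(void (*destroy)(void *), int *stale_refcount)
{
    live_files = 0;
    bucket_t *a = file_bucket_create(3, 100, destroy);
    file_t *f = a->data->file;   /* handle kept only to inspect a leak */
    bucket_t *b = file_bucket_split(a, 40);

    bucket_destroy(a);
    bucket_destroy(b);

    int leaked = live_files;
    if (leaked) {
        if (stale_refcount) *stale_refcount = f->refcount;  /* still 2 */
        free(f);
        live_files = 0;
    }
    return leaked;
}

/* Refcount the buggy path leaves on the orphaned file_t. */
int stale_refcount_after_buggy_destroy(void)
{
    int rc = 0;
    run_scenario(file_destroy_buggy, &rc);
    return rc;
}

int main(void)
{
    printf("free() as destructor: %d file struct(s) leaked, refcount left at %d\n",
           run_scenario(file_destroy_buggy, NULL), stale_refcount_after_buggy_destroy());
    printf("refcounted destructor: %d file struct(s) leaked\n",
           run_scenario(file_destroy_refcounted, NULL));
    return 0;
}
```

Nothing in the buggy path writes through a dangling pointer, which is why the symptom is a leak rather than heap corruption: each free() hits a distinct live shared_t, and the file_t simply becomes unreachable with its refcount never decremented.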
