Menu
▾
▴
iaxclient-devel
|
From: Dennis C. <dch...@pi...> - 2008-06-24 13:15:02
|
Peter, I have set an environment variable to detect re-use of freed pointers and I can see a case in iax_get_event (near " Decrement remaining retries ") that goes wrong because it references an event returned from iax_get_sched() whose event ptr is null. In the code generally this seems possible because freed ptrs are not set to null after they are freed. This is reproducible. I'm not familiar enough with the event loop yet to suggest a correction. How should we proceed? Dennis Christopher Pixion On 10-Jun-08, at 5:23 PM, iaxclient-devel- re...@li... wrote: > On Fri, May 30, 2008 at 12:45 PM, Dennis Christopher > <dch...@pi...> wrote: >> I have a build of 2.0.2 running on mac OS X 10.4. I'm getting a >> somewhat >> reproducible >> crash in iax_event_free, which doesnt seem associated with any >> particular >> audio event. Can anyone suggest what I might look for here? >> The offending symbol is the free call, which typically would be a >> non-allocated ptr being freed, or one that has already been freed. > > A stack trace would help. How reproducible is this problem? Does the > problem happen with 2.1beta3 or the trunk? > > Pete |
|
From: Peter G. <jpg...@gm...> - 2008-06-25 14:26:03
|
Hi Dennis, On Tue, Jun 24, 2008 at 9:14 AM, Dennis Christopher <dch...@pi...> wrote: > Peter, > I have set an environment variable to detect re-use of freed pointers and I > can see a case in iax_get_event (near " Decrement remaining retries ") that > goes wrong because it references an event returned from iax_get_sched() > whose event ptr is null. In the code generally this seems possible because > freed ptrs are not > set to null after they are freed. This is reproducible. I'm not familiar > enough with the event loop yet to suggest a correction. How should we > proceed? I do not see the case you are talking about. In iax.c, in the block with the comment "Decrement remaining retries", starting at line 3357, the event variable is not used. The event variable is reused at line 3342 where it is assigned to point at newly malloc()ed memory. Stylistically, this reuse of event may not be awesome, but functionally in this particular case we have already guaranteed event to be null prior to reassigning it. I'm going to need more details about exactly which variables are employed in a sketchy manner and where it is happening. Note that I am referencing the head of iaxclient trunk. Note also that I have some other iaxclient and libiax2 cleanups that I will be committing to trunk soon (possibly today) that are unrelated to this issue. Thanks, Pete |
|
From: Dennis C. <DCh...@pi...> - 2008-06-25 15:12:06
|
HI Peter, I am working with 2.1beta3. Sorry I got two variables mixed together. The iax_get_event() code is using an already freed ptr in the clause I mentioned thru the fh variable. fh is assigned frame->data, which is the already freed ptr. the data member in turn comes from cur->frame with cur coming from iax_get_sched(). I noticed that when this happens that cur- >event is null. Dennis On 25-Jun-08, at 10:26 AM, Peter Grayson wrote: > Hi Dennis, > > On Tue, Jun 24, 2008 at 9:14 AM, Dennis Christopher > <dch...@pi...> wrote: >> Peter, >> I have set an environment variable to detect re-use of freed >> pointers and I >> can see a case in iax_get_event (near " Decrement remaining >> retries ") that >> goes wrong because it references an event returned from >> iax_get_sched() >> whose event ptr is null. In the code generally this seems possible >> because >> freed ptrs are not >> set to null after they are freed. This is reproducible. I'm not >> familiar >> enough with the event loop yet to suggest a correction. How should we >> proceed? > > I do not see the case you are talking about. In iax.c, in the block > with the comment "Decrement remaining retries", starting at line 3357, > the event variable is not used. The event variable is reused at line > 3342 where it is assigned to point at newly malloc()ed memory. > Stylistically, this reuse of event may not be awesome, but > functionally in this particular case we have already guaranteed event > to be null prior to reassigning it. > > I'm going to need more details about exactly which variables are > employed in a sketchy manner and where it is happening. > > Note that I am referencing the head of iaxclient trunk. Note also that > I have some other iaxclient and libiax2 cleanups that I will be > committing to trunk soon (possibly today) that are unrelated to this > issue. > > Thanks, > Pete |
|
From: Peter G. <jpg...@gm...> - 2008-06-25 16:29:09
|
On Wed, Jun 25, 2008 at 11:12 AM, Dennis Christopher <DCh...@pi...> wrote: > HI Peter, > I am working with 2.1beta3. > > Sorry I got two variables mixed together. The iax_get_event() code is using > an already freed ptr in the clause I mentioned thru the fh variable. > fh is assigned frame->data, which is the already freed ptr. the data member > in turn comes from cur->frame with cur coming > from iax_get_sched(). I noticed that when this happens that cur->event is > null. One thing to note is that the iax_sched object acts as a sort of union holding either an event, a frame, or a function. These are all schedulable objects. It is expected that only one of event, frame, or func will be non-null. That said, I think I may see the problem you are alluding to. What I see is that there are two ways that iax_frame objects are allocated. In iax_frame_new(), there is a single allocation for both the struct iax_frame and it's data; in iax_reliable_xmit() there are separate allocations for the struct iax_frame and the data. This leads to the problem where the frame->data is sometimes free()ed separately from the frame data itself. I suspect that this may be what is triggering whatever diagnostic you are looking at. Another issue that I see is that there are several places where iax_sched objects are free()ed without freeing the event and/or frame objects they point to. I see this in iax_sched_del(), iax_sched_vnak(), and destroy_session(). I will be taking a closer look at these issues. Do these issues seem like they might be related to the problem you are attempting to point out? What tools are you using to get the diagnostic about already freed pointers? Thanks, Pete |
|
From: Dennis C. <DCh...@pi...> - 2008-06-25 19:37:52
|
Hi Peter, Yes these could be the culprits. What you say seems to imply that the iax_get_event clause under discussion ought to be checking if frame or event is null before using it. But the specific issue I am seeing is that the frame->data is not null but has already been freed. On OS X, the MallocScribble debug utility marks freed pointers so you can see them in your symbolic debugger--that is what I am using. This is pretty reproducible so if you want me to investigate anything specific let me know. Dennis On Jun 25, 2008, at 12:29 PM, Peter Grayson wrote: > On Wed, Jun 25, 2008 at 11:12 AM, Dennis Christopher > <DCh...@pi...> wrote: >> HI Peter, >> I am working with 2.1beta3. >> >> Sorry I got two variables mixed together. The iax_get_event() code >> is using >> an already freed ptr in the clause I mentioned thru the fh variable. >> fh is assigned frame->data, which is the already freed ptr. the >> data member >> in turn comes from cur->frame with cur coming >> from iax_get_sched(). I noticed that when this happens that cur- >> >event is >> null. > > One thing to note is that the iax_sched object acts as a sort of union > holding either an event, a frame, or a function. These are all > schedulable objects. It is expected that only one of event, frame, or > func will be non-null. > > That said, I think I may see the problem you are alluding to. What I > see is that there are two ways that iax_frame objects are allocated. > In iax_frame_new(), there is a single allocation for both the struct > iax_frame and it's data; in iax_reliable_xmit() there are separate > allocations for the struct iax_frame and the data. > > This leads to the problem where the frame->data is sometimes free()ed > separately from the frame data itself. I suspect that this may be what > is triggering whatever diagnostic you are looking at. > > Another issue that I see is that there are several places where > iax_sched objects are free()ed without freeing the event and/or frame > objects they point to. I see this in iax_sched_del(), > iax_sched_vnak(), and destroy_session(). > > I will be taking a closer look at these issues. > > Do these issues seem like they might be related to the problem you are > attempting to point out? What tools are you using to get the > diagnostic about already freed pointers? > > Thanks, > Pete |
×
Want the latest updates on software, tech news, and AI?
Get latest updates about software, tech news, and AI from SourceForge directly in your inbox once a month.
Thanks for helping keep SourceForge clean.
X