From: Dennis C. <DCh...@pi...> - 2008-06-25 15:12:06
Hi Peter,

I am working with 2.1beta3. Sorry, I got two variables mixed together. The iax_get_event() code is using an already freed ptr in the clause I mentioned thru the fh variable. fh is assigned frame->data, which is the already freed ptr. The data member in turn comes from cur->frame, with cur coming from iax_get_sched(). I noticed that when this happens, cur->event is null.

Dennis

On 25-Jun-08, at 10:26 AM, Peter Grayson wrote:

> Hi Dennis,
>
> On Tue, Jun 24, 2008 at 9:14 AM, Dennis Christopher <dch...@pi...> wrote:
>> Peter,
>> I have set an environment variable to detect re-use of freed pointers and I
>> can see a case in iax_get_event (near " Decrement remaining retries ") that
>> goes wrong because it references an event returned from iax_get_sched()
>> whose event ptr is null. In the code generally this seems possible because
>> freed ptrs are not set to null after they are freed. This is reproducible.
>> I'm not familiar enough with the event loop yet to suggest a correction.
>> How should we proceed?
>
> I do not see the case you are talking about. In iax.c, in the block
> with the comment "Decrement remaining retries", starting at line 3357,
> the event variable is not used. The event variable is reused at line
> 3342 where it is assigned to point at newly malloc()ed memory.
> Stylistically, this reuse of event may not be awesome, but
> functionally in this particular case we have already guaranteed event
> to be null prior to reassigning it.
>
> I'm going to need more details about exactly which variables are
> employed in a sketchy manner and where it is happening.
>
> Note that I am referencing the head of iaxclient trunk. Note also that
> I have some other iaxclient and libiax2 cleanups that I will be
> committing to trunk soon (possibly today) that are unrelated to this
> issue.
>
> Thanks,
> Pete
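
The pattern reported in this message (a scheduler entry still pointing at a frame whose payload was already freed) modelled as an added example; it is not code from the e-mail or from libiax2. `struct frame`, `struct sched`, `queue` and every function here are hypothetical, simplified stand-ins, and the sketch shows one defensive ownership rule: freeing a frame also unlinks every queue entry that references it and nulls the caller's pointer.

```c
#include <stdlib.h>
#include <string.h>
/* Hypothetical simplified stand-ins, not the libiax2 definitions. */
struct frame { void *data; size_t len; };
struct sched { struct frame *frame; struct sched *next; };
static struct sched *queue;            /* pending retransmissions */

/* Allocate a frame that owns a copy of payload; NULL on failure. */
struct frame *frame_new(const char *payload) {
    struct frame *f = calloc(1, sizeof *f);
    if (!f) return NULL;
    f->len = strlen(payload);
    f->data = malloc(f->len + 1);
    if (!f->data) { free(f); return NULL; }
    memcpy(f->data, payload, f->len + 1);
    return f;
}

/* Queue f for retransmission; returns 0 on success, -1 on failure. */
int sched_add(struct frame *f) {
    struct sched *s = calloc(1, sizeof *s);
    if (!s) return -1;
    s->frame = f; s->next = queue; queue = s;
    return 0;
}

/* Free a frame, first unlinking every queue entry that points at it so a
   later pass over the queue cannot reach freed memory. Nulls *fp. */
void frame_destroy(struct frame **fp) {
    struct frame *f = *fp;
    if (!f) return;
    for (struct sched **pp = &queue; *pp; ) {
        if ((*pp)->frame == f) {
            struct sched *dead = *pp;
            *pp = dead->next;
            free(dead);
        } else pp = &(*pp)->next;
    }
    free(f->data); free(f);
    *fp = NULL;
}

/* Pop the next entry; returns its payload length, or -1 when the queue is
   empty or the entry carries no usable payload. */
long sched_next_len(void) {
    struct sched *cur = queue;
    if (!cur) return -1;
    queue = cur->next;
    long n = (cur->frame && cur->frame->data) ? (long)cur->frame->len : -1;
    free(cur);
    return n;
}
```

Nulling a pointer after `free()` only protects the copy being nulled; the unlink step in `frame_destroy()` is what removes the second reference held by the queue.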