From: Dennis C. <DCh...@pi...> - 2008-06-25 19:37:52
Hi Peter,

Yes these could be the culprits. What you say seems to imply that the iax_get_event clause under discussion ought to be checking if frame or event is null before using it. But the specific issue I am seeing is that the frame->data is not null but has already been freed.

On OS X, the MallocScribble debug utility marks freed pointers so you can see them in your symbolic debugger--that is what I am using.

This is pretty reproducible so if you want me to investigate anything specific let me know.

Dennis

On Jun 25, 2008, at 12:29 PM, Peter Grayson wrote:

> On Wed, Jun 25, 2008 at 11:12 AM, Dennis Christopher
> <DCh...@pi...> wrote:
>> Hi Peter,
>> I am working with 2.1beta3.
>>
>> Sorry I got two variables mixed together. The iax_get_event() code
>> is using an already freed ptr in the clause I mentioned thru the fh
>> variable. fh is assigned frame->data, which is the already freed ptr.
>> The data member in turn comes from cur->frame with cur coming
>> from iax_get_sched(). I noticed that when this happens that
>> cur->event is null.
>
> One thing to note is that the iax_sched object acts as a sort of union
> holding either an event, a frame, or a function. These are all
> schedulable objects. It is expected that only one of event, frame, or
> func will be non-null.
>
> That said, I think I may see the problem you are alluding to. What I
> see is that there are two ways that iax_frame objects are allocated.
> In iax_frame_new(), there is a single allocation for both the struct
> iax_frame and its data; in iax_reliable_xmit() there are separate
> allocations for the struct iax_frame and the data.
>
> This leads to the problem where the frame->data is sometimes free()ed
> separately from the frame data itself. I suspect that this may be what
> is triggering whatever diagnostic you are looking at.
>
> Another issue that I see is that there are several places where
> iax_sched objects are free()ed without freeing the event and/or frame
> objects they point to. I see this in iax_sched_del(),
> iax_sched_vnak(), and destroy_session().
>
> I will be taking a closer look at these issues.
>
> Do these issues seem like they might be related to the problem you are
> attempting to point out? What tools are you using to get the
> diagnostic about already freed pointers?
>
> Thanks,
> Pete
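
The two allocation patterns described in the quoted reply (one block for header plus payload versus two separate blocks), sketched as an added example that is not part of the original thread and not iaxclient's code. The type `struct frame`, the `data_is_separate` flag and all function names are hypothetical; the point is that a single release routine which records who owns the payload removes the need for callers to free `data` themselves, and clearing the caller's pointer keeps a stale frame from being dereferenced later.

```c
#include <stdlib.h>
#include <string.h>

/* Hypothetical frame type for illustration; not iaxclient's struct iax_frame. */
struct frame {
    unsigned char *data;          /* payload pointer used by all readers */
    size_t datalen;
    int data_is_separate;         /* 1 if data came from its own malloc() */
    unsigned char inline_data[];  /* payload storage for the single-allocation path */
};

/* Pattern 1: header and payload share one allocation. */
struct frame *frame_new_inline(const void *buf, size_t len)
{
    struct frame *f = malloc(sizeof(*f) + len);
    if (!f) return NULL;
    f->data = f->inline_data;     /* points inside f: must never be free()d alone */
    f->datalen = len;
    f->data_is_separate = 0;
    memcpy(f->data, buf, len);
    return f;
}

/* Pattern 2: header and payload are allocated separately. */
struct frame *frame_new_separate(const void *buf, size_t len)
{
    struct frame *f = malloc(sizeof(*f));
    if (!f) return NULL;
    f->data = malloc(len ? len : 1);
    if (!f->data) { free(f); return NULL; }
    f->datalen = len;
    f->data_is_separate = 1;
    memcpy(f->data, buf, len);
    return f;
}

/* Single release path. Frees the payload only when it is its own block,
 * then frees the header and NULLs the caller's pointer so a second call
 * (or a later dereference through the same variable) cannot touch freed
 * memory. Returns the number of free() calls performed. */
int frame_free(struct frame **fp)
{
    int frees = 0;
    struct frame *f;
    if (!fp || !(f = *fp)) return 0;
    if (f->data_is_separate) { free(f->data); frees++; }
    f->data = NULL;
    free(f); frees++;
    *fp = NULL;
    return frees;
}
```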