[Pyode-user] bug: read from free'd memory when joint in jointgroup

SourceForge Headquarters 225 Broadway Suite 1600 San Diego, CA 92101 +1 (858) 422-6466

In one of my pyode progs I get an invalid memory read reported when
running under valgrind. It seems that dJointGroupDestroy is called by
pyode and destroys all of the joints in the joint group. However, if
there is another reference to the joint, then it will also call
dJointDestroy, causing a read of the already-free'd memory. From ode
src:

void dJointDestroy (dxJoint *j)
{
  dAASSERT (j);
  if (j->flags & dJOINT_INGROUP) return;
  removeJointReferencesFromAttachedBodies (j);
  removeObjectFromList (j);
  j->world->nj--;
  dFree (j,j->vtable->size);
}

j->flags & dJOINT_INGROUP returns true because the joint was in a
(already destroyed) joint group, but the read of j->flags is invalid
since the memory was already free'd.

For some reason I've only seen this with ContactJoints - I wonder if
there are extra references for these attached to an object somewhere.