[Dillo-dev] image memory leak

Jorge Arellano Cid jcid at dillo.org
Thu May 7 17:43:36 CEST 2009


On Sat, Apr 25, 2009 at 01:18:19PM +0100, Jeremy Henty wrote:
> On Fri, Apr 24, 2009 at 06:20:20PM +0200, Hofmann Johannes wrote:
> > On Thu, Apr 23, 2009 at 09:36:23PM +0100, Jeremy Henty wrote:
> > > 
> > > On Thu, Apr 23, 2009 at 06:01:56PM +0200, Hofmann Johannes wrote:
> > > 
> > > > It turns out that memory related to aborted images is not released.
> > > 
> > > What about  the other  way round, ie.   memory being  released and
> > > then  accessed?  If  you  check  the invalid  read  errors at  the
> > > valgrind logs page[1] for the past  few days you will see they are
> > > all due to reading freed  image memory.  Is this another aspect of
> > > the same thing, or something else?
> > 
> > I'd  say it's something  different. It's  always a  read of  size 4,
> > isn't it?  I guess that's just one uninitialized pointer.
> 
> I don't think  that it's uninitialized pointers.  If  it were then you
> would  expect valgrind  to complain  that the  address had  never been
> malloced or  freed.  That's not  what we see.   Eg. look at  the first
> instance of 'Jpeg_write: Invalid read of size 4'[1].  The freed memory
> is a  DilloImage structure.   The line that  does the invalid  read is
> reading ...  a member of a DilloImage structure!  The same is true for
> the  errors from dw::core::Widget::getLayout()  , Png_datarow_callback
> and Png_datainfo_callback  .  In  every case the  pointer refers  to a
> malloced  structure  of the  right  type.   The  problem is  that  the
> structure has  since been freed.  I  think it's pretty  clear that the
> problem is  not uninitialised  pointers, it's that  the code  is using
> pointers after freeing them.
> 
> It's probably significant that these errors all come from within image
> callbacks (a_Jpeg_callback and a_Png_callback).   It looks like a race
> condition to me: callbacks are running after the image has been freed.
> Does that make sense?

  Yes, it makes sense to me.

  Have you found a simplified test-case to reproduce it?

  Finally now I have some time to investigate this bug. I'll
start with the problem Johannes described (large jpeg) because
of the test-case.

  Let's start...

-- 
  Cheers
  Jorge.-



More information about the Dillo-dev mailing list