[Dillo-dev] image memory leak
Jorge Arellano Cid
jcid at dillo.org
Thu May 7 17:43:36 CEST 2009
On Sat, Apr 25, 2009 at 01:18:19PM +0100, Jeremy Henty wrote:
> On Fri, Apr 24, 2009 at 06:20:20PM +0200, Hofmann Johannes wrote:
> > On Thu, Apr 23, 2009 at 09:36:23PM +0100, Jeremy Henty wrote:
> > >
> > > On Thu, Apr 23, 2009 at 06:01:56PM +0200, Hofmann Johannes wrote:
> > >
> > > > It turns out that memory related to aborted images is not released.
> > >
> > > What about the other way round, ie. memory being released and
> > > then accessed? If you check the invalid read errors at the
> > > valgrind logs page for the past few days you will see they are
> > > all due to reading freed image memory. Is this another aspect of
> > > the same thing, or something else?
> > I'd say it's something different. It's always a read of size 4,
> > isn't it? I guess that's just one uninitialized pointer.
> I don't think that it's uninitialized pointers. If it were then you
> would expect valgrind to complain that the address had never been
> malloced or freed. That's not what we see. Eg. look at the first
> instance of 'Jpeg_write: Invalid read of size 4'. The freed memory
> is a DilloImage structure. The line that does the invalid read is
> reading ... a member of a DilloImage structure! The same is true for
> the errors from dw::core::Widget::getLayout() , Png_datarow_callback
> and Png_datainfo_callback . In every case the pointer refers to a
> malloced structure of the right type. The problem is that the
> structure has since been freed. I think it's pretty clear that the
> problem is not uninitialised pointers, it's that the code is using
> pointers after freeing them.
> It's probably significant that these errors all come from within image
> callbacks (a_Jpeg_callback and a_Png_callback). It looks like a race
> condition to me: callbacks are running after the image has been freed.
> Does that make sense?
Yes, it makes sense to me.
Have you found a simplified test-case to reproduce it?
Finally now I have some time to investigate this bug. I'll
start with the problem Johannes described (large jpeg) because
of the test-case.
More information about the Dillo-dev