On Thu, Apr 28, 2016 at 01:07:30PM -0400, Ted Unangst wrote:
> Otto Moerbeek wrote:
> > static void
> > -ofree(struct dir_info *pool, void *p)
> > +ofree(struct dir_info *argpool, void *p)
> > {
> > + struct dir_info *pool;
> > struct region_info *r;
> > size_t sz;
> > + int i;
> >
> > + pool = argpool;
> > r = find(pool, p);
> > if (r == NULL) {
> > - wrterror(pool, "bogus pointer (double free?)", p);
> > - return;
> > + for (i = 0; i < _MALLOC_MUTEXES; i++) {
> > + if (i == pool->mutex)
> > + continue;
> > + pool->active--;
> > + _MALLOC_UNLOCK(pool->mutex);
> > + pool = mopts.malloc_pool[i];
> > + _MALLOC_LOCK(pool->mutex);
> > + pool->active++;
> > + r = find(pool, p);
> > + if (r != NULL)
> > + break;
> > + }
> > + if (r == NULL) {
> > + wrterror(pool, "bogus pointer (double free?)", p);
> > + goto done;
> > + }
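Review bot: the skip test `if (i == pool->mutex)` at the top of the loop reads `pool`, but the loop body reassigns `pool = mopts.malloc_pool[i]`, so from the second iteration onward the comparison is against whichever pool was just visited rather than the pool the call started in; the original pool is therefore only skipped when it happens to sit at index 0 (the case where `pool` has not yet been switched), and in every other case it is unlocked, re-entered and re-locked. Comparing against the saved argument instead, `if (i == argpool->mutex)`, keeps the skip stable across iterations and matches the intent of holding `argpool` unchanged for the duration of the search.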
>
> I'm having trouble understanding this loop. I think you are trying to avoid
> locking the initial pool again. But this only works if argpool is 0. If it's
> something else, then pool will change, and pool->mutex will never equal i.
Indeed. That isn't right. Have to compare to argpool->mutex probably.
Thanks for spotting that; the same error applies to realloc.
-Otto