On Thu, Apr 28, 2016 at 01:07:30PM -0400, Ted Unangst wrote: > Otto Moerbeek wrote: > > static void > > -ofree(struct dir_info *pool, void *p) > > +ofree(struct dir_info *argpool, void *p) > > { > > + struct dir_info *pool; > > struct region_info *r; > > size_t sz; > > + int i; > > > > + pool = argpool; > > r = find(pool, p); > > if (r == NULL) { > > - wrterror(pool, "bogus pointer (double free?)", p); > > - return; > > + for (i = 0; i < _MALLOC_MUTEXES; i++) { > > + if (i == pool->mutex) > > + continue; > > + pool->active--; > > + _MALLOC_UNLOCK(pool->mutex); > > + pool = mopts.malloc_pool[i]; > > + _MALLOC_LOCK(pool->mutex); > > + pool->active++; > > + r = find(pool, p); > > + if (r != NULL) > > + break; > > + } > > + if (r == NULL) { > > + wrterror(pool, "bogus pointer (double free?)", p); > > + goto done; > > + } > > I'm having trouble understanding this loop. I think you are trying to avoid > locking the initial pool again. but this only works if argpool is 0. if it's > something else, then pool will change, and pool->mutex will never equal i.
Indeed. That isn't right. Have to compare to argpool->mutex probably. Thanks for spotting that, same error applies to realloc,

-Otto
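
Review bot: The skip test "if (i == pool->mutex)" in the fallback loop reads pool after it has been reassigned to mopts.malloc_pool[i], so it can only fire on the first iteration, before any switch has happened; compare against argpool->mutex so that the pool already searched is the one skipped. Separately, when the loop ends the lock held and the incremented active count belong to the last pool visited, not to argpool, so the code after the "done" label (not visible in this hunk) has to unlock and decrement pool rather than argpool, and the wrterror(pool, ...) call on failure reports against that last pool rather than the one the caller passed in. A short comment above the loop stating which pool is locked on exit would make that invariant checkable.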