public inbox for gcc-bugs@sourceware.org
Subject: [Bug libobjc/11904] New: Problem in sarray_free() function.
From: sergant at orcsoftware dot spb dot ru @ 2003-08-13  9:18 UTC (permalink / raw)
  To: gcc-bugs

PLEASE REPLY TO gcc-bugzilla@gcc.gnu.org ONLY, *NOT* gcc-bugs@gcc.gnu.org.

http://gcc.gnu.org/bugzilla/show_bug.cgi?id=11904

           Summary: Problem in sarray_free() function.
           Product: gcc
           Version: tree-ssa
            Status: UNCONFIRMED
          Severity: normal
          Priority: P2
         Component: libobjc
        AssignedTo: unassigned at gcc dot gnu dot org
        ReportedBy: sergant at orcsoftware dot spb dot ru
                CC: gcc-bugs at gcc dot gnu dot org
 GCC build triplet: i686-pc-mingw32
  GCC host triplet: i686-pc-mingw32
GCC target triplet: i686-pc-mingw32

The sarray_lazy_copy() function creates an array with a reference to the original 
array and pointers to the original array's buckets. The sarray_free() function 
looks like:

void 
sarray_free(struct sarray* array) {

  ... some code ...

  if((array->is_copy_of) && ((array->is_copy_of->ref_count - 1) == 0))
    sarray_free(array->is_copy_of);

  /* Free all entries that do not point to empty_bucket */
  for(counter = 0; counter <= old_max_index; counter++ ) {
#ifdef OBJC_SPARSE3
    struct sindex* idx = old_indices[counter];
    if((idx != array->empty_index) &&
       (idx->version.version == array->version.version)) {
      int c2; 
      for(c2=0; c2<INDEX_SIZE; c2++) {
	struct sbucket* bkt = idx->buckets[c2];
	if((bkt != array->empty_bucket) &&
	   (bkt->version.version == array->version.version))
	  {
	    sarray_free_garbage(bkt);
	    nbuckets -= 1;
	  }
      }
      sarray_free_garbage(idx);
      nindices -= 1;
    }
#else /* OBJC_SPARSE2 */
    struct sbucket* bkt = array->buckets[counter];
    if ((bkt != array->empty_bucket) &&
	(bkt->version.version == array->version.version))
      {
	sarray_free_garbage(bkt);
	nbuckets -= 1;
      }
#endif
  }

  ... some code ...
}

In the case when the array is a lazy copy of some other array, it calls sarray_free() 
for the original array, and then deallocates its own created buckets. The array 
can have some pointers to the original array's buckets that are already 
deallocated, and thus sometimes we have an access to freed memory in the block of 
code:

    struct sbucket* bkt = array->buckets[counter];
    if ((bkt != array->empty_bucket) &&
	(bkt->version.version == array->version.version))
      {
	sarray_free_garbage(bkt);
	nbuckets -= 1;
      }

at the line '(bkt->version.version == array->version.version)' (the memory pointed 
to by 'bkt' can already be freed).

The possible solution to this problem is to move the deallocation of the 
(array->is_copy_of) array to the end of the function sarray_free().


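As an added illustration (a constructed model, not libobjc's own code): a miniature of the lazy-copy sparse array in which releasing a bucket only sets a flag, so the stale read the report describes can be counted instead of being undefined behaviour. count_stale_reads(0) frees in the order the report shows (original first), count_stale_reads(1) in the proposed order (own buckets first); sarray_free_model, sarray_write, release_own_buckets and count_stale_reads are names assumed here.

```c
#include <stdlib.h>
#include <string.h>
#define NBUCKETS 4
struct sbucket { int version; int freed; };   /* freed flag stands in for free() */
struct sarray {
  struct sbucket *buckets[NBUCKETS];
  struct sbucket *empty_bucket;   /* shared sentinel, never released */
  struct sarray  *is_copy_of;     /* original that a lazy copy still references */
  int ref_count, version;
};
static struct sbucket g_empty;
static int g_stale_reads;         /* dereferences of a bucket already released */
static struct sbucket *bucket_new(int v) { struct sbucket *b = calloc(1, sizeof *b); b->version = v; return b; }
static struct sarray *sarray_new(int version) {
  struct sarray *a = calloc(1, sizeof *a);
  a->empty_bucket = &g_empty; a->ref_count = 1; a->version = version;
  for (int i = 0; i < NBUCKETS; i++) a->buckets[i] = bucket_new(version);
  return a;
}
static struct sarray *sarray_lazy_copy(struct sarray *orig) {
  struct sarray *c = calloc(1, sizeof *c);
  memcpy(c, orig, sizeof *c);     /* share the original's bucket pointers */
  c->is_copy_of = orig; c->ref_count = 1; c->version = orig->version + 1;
  orig->ref_count++; return c;
}
/* Copy-on-write: a bucket of the copy's own version, the only one it will own. */
static void sarray_write(struct sarray *a, int i) { a->buckets[i] = bucket_new(a->version); }
static void release_own_buckets(struct sarray *a) {
  for (int i = 0; i < NBUCKETS; i++) {
    struct sbucket *bkt = a->buckets[i];
    if (bkt == a->empty_bucket) continue;
    if (bkt->freed) g_stale_reads++;                 /* the read the report describes */
    if (bkt->version == a->version) bkt->freed = 1;  /* owned by this array: release */
  }
}
/* fixed_order == 0: release the original first (as reported); 1: own buckets first. */
static void sarray_free_model(struct sarray *a, int fixed_order) {
  if (a->ref_count > 1) { a->ref_count--; return; }  /* a copy still shares us */
  int drop_orig = a->is_copy_of && a->is_copy_of->ref_count == 1;
  if (!fixed_order && drop_orig) sarray_free_model(a->is_copy_of, fixed_order);
  release_own_buckets(a);
  if (fixed_order && drop_orig) sarray_free_model(a->is_copy_of, fixed_order);
  free(a);
}
/* Scenario: free the original (only drops its ref), write to the copy, free the copy. */
int count_stale_reads(int fixed_order) {
  struct sarray *orig = sarray_new(1), *copy = sarray_lazy_copy(orig);
  g_stale_reads = 0; sarray_write(copy, 0); sarray_free_model(orig, fixed_order);
  sarray_free_model(copy, fixed_order); return g_stale_reads;  /* 3 as reported, 0 fixed */
}
```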
