Closed
Bug 3678
Opened 26 years ago
Closed 26 years ago
Free memory read, double-freed memory.
Categories
(Core Graveyard :: Tracking, defect, P3)
Tracking
(Not tracked)
VERIFIED
INVALID
M5
People
(Reporter: bruce, Assigned: mcafee)
Details
(Whiteboard: vendor)
Been getting this all week (March 8-12, 1999) under Purify. Solaris 2.6, gcc
2.7.2.3, GTK 1.2
**** Purify instrumented ./apprunner.pure (pid 29126) ****
FMR: Free memory read:
* This is occurring while in:
XDestroyIC [ICWrap.c]
gdk_ic_destroy [gdkim.c:686]
gdk_ic_cleanup [gdkim.c:1388]
gdk_exit_func [gdk.c:996]
_exithandle [libc.so.1]
exit [rtlib.o]
gdk_exit [gdk.c:475]
gtk_exit [gtkmain.c:437]
nsAppShell::Exit() [nsAppShell.cpp:166]
nsAppShellService::Shutdown() [nsAppShellService.cpp:174]
nsBrowserAppCore::Exit() [nsBrowserAppCore.cpp:441]
BrowserAppCoreExit(JSContext*,JSObject*,unsigned int,long*,long*)
[nsJSBrowserAppCore.cpp:478]
js_Invoke [jsinterp.c:650]
js_Interpret [jsinterp.c:2183]
js_Invoke [jsinterp.c:666]
js_Interpret [jsinterp.c:2183]
js_Execute [jsinterp.c:815]
JS_EvaluateUCScriptForPrincipals [jsapi.c:2324]
nsJSContext::EvaluateString(const nsString&,const char*,unsigned
int,nsString&,int*) [nsJSEnvironment.cpp:89]
nsXULCommand::ExecuteJavaScriptString(nsIWebShell*,nsString&)
[nsXULCommand.cpp:178]
nsXULCommand::DoCommand() [nsXULCommand.cpp:140]
nsXULCommand::MenuSelected(const nsMenuEvent&) [nsXULCommand.cpp:192]
nsMenuItem::MenuSelected(const nsMenuEvent&) [nsMenuItem.cpp:327]
menu_item_activate_handler(_GtkWidget*,void*)
[nsGtkEventHandler.cpp:691]
gtk_marshal_NONE__NONE [gtkmarshal.c:363]
gtk_handlers_run [gtksignal.c:1909]
gtk_signal_real_emit [gtksignal.c:1469]
gtk_signal_emit [gtksignal.c:552]
gtk_widget_activate [gtkwidget.c:2810]
gtk_menu_shell_activate_item [gtkmenushell.c:834]
* Reading 4 bytes from 0x590b10 in the heap.
* Address 0x590b10 is 8 bytes into a freed block at 0x590b08 of 256 bytes.
* This block was allocated from:
malloc [rtlib.o]
_CreateIC [XSunIMIF.c]
XCreateIC [ICWrap.c]
gdk_ic_real_new [gdkim.c:551]
gdk_ic_new [gdkim.c:665]
gtk_entry_realize [gtkentry.c:655]
gtk_marshal_NONE__NONE [gtkmarshal.c:363]
gtk_signal_real_emit [gtksignal.c:1432]
gtk_signal_emit [gtksignal.c:552]
gtk_widget_realize [gtkwidget.c:1656]
gtk_layout_put [gtklayout.c:255]
nsWidget::CreateWidget(nsIWidget*,const
nsRect&,nsEventStatus(*)(nsGUIEvent*),nsIDeviceContext*,nsIAppShell*,nsIToolkit*
,nsWidgetInitData*,void*) [nsWidget.cpp:613]
nsWidget::Create(nsIWidget*,const
nsRect&,nsEventStatus(*)(nsGUIEvent*),nsIDeviceContext*,nsIAppShell*,nsIToolkit*
,nsWidgetInitData*) [nsWidget.cpp:640]
nsView::CreateWidget(const nsID&,nsWidgetInitData*,void*)
[nsView.cpp:1207]
nsFormControlFrame::Reflow(nsIPresContext&,nsHTMLReflowMetrics&,const
nsHTMLReflowState&,unsigned int&) [nsFormControlFrame.cpp:290]
nsInlineReflow::ReflowFrame(nsIFrame*,int,unsigned int&)
[nsInlineReflow.cpp:316]
nsBlockFrame::ReflowInlineFrame(nsBlockReflowState&,nsLineBox*,nsIFrame*,int*)
[nsBlockFrame.cpp:2650]
nsBlockFrame::ReflowLine(nsBlockReflowState&,nsLineBox*,int*)
[nsBlockFrame.cpp:1816]
nsBlockFrame::ReflowDirtyLines(nsBlockReflowState&)
[nsBlockFrame.cpp:1564]
nsBlockFrame::Reflow(nsIPresContext&,nsHTMLReflowMetrics&,const
nsHTMLReflowState&,unsigned int&) [nsBlockFrame.cpp:984]
nsAreaFrame::Reflow(nsIPresContext&,nsHTMLReflowMetrics&,const
nsHTMLReflowState&,unsigned int&) [nsAreaFrame.cpp:509]
nsContainerFrame::ReflowChild(nsIFrame*,nsIPresContext&,nsHTMLReflowMetrics&,con
st nsHTMLReflowState&,unsigned int&) [nsContainerFrame.cpp:371]
nsTableCellFrame::Reflow(nsIPresContext&,nsHTMLReflowMetrics&,const
nsHTMLReflowState&,unsigned int&) [nsTableCellFrame.cpp:475]
nsContainerFrame::ReflowChild(nsIFrame*,nsIPresContext&,nsHTMLReflowMetrics&,con
st nsHTMLReflowState&,unsigned int&) [nsContainerFrame.cpp:371]
nsTableRowFrame::InitialReflow(nsIPresContext&,nsHTMLReflowMetrics&,RowReflowSta
te&,unsigned int&,nsTableCellFrame*,int) [nsTableRowFrame.cpp:808]
nsTableRowFrame::Reflow(nsIPresContext&,nsHTMLReflowMetrics&,const
nsHTMLReflowState&,unsigned int&) [nsTableRowFrame.cpp:1416]
nsContainerFrame::ReflowChild(nsIFrame*,nsIPresContext&,nsHTMLReflowMetrics&,con
st nsHTMLReflowState&,unsigned int&) [nsContainerFrame.cpp:371]
nsTableRowGroupFrame::ReflowMappedChildren(nsIPresContext&,nsHTMLReflowMetrics&,
RowGroupReflowState&,unsigned int&,nsTableRowFrame*,nsReflowReason,int)
[nsTableRowGroupFrame.cpp:420]
nsTableRowGroupFrame::Reflow(nsIPresContext&,nsHTMLReflowMetrics&,const
nsHTMLReflowState&,unsigned int&) [nsTableRowGroupFrame.cpp:948]
nsContainerFrame::ReflowChild(nsIFrame*,nsIPresContext&,nsHTMLReflowMetrics&,con
st nsHTMLReflowState&,unsigned int&) [nsContainerFrame.cpp:371]
* There have been 0 frees since this block was freed from:
free [rtlib.o]
XDestroyIC [ICWrap.c]
gdk_ic_destroy [gdkim.c:686]
gdk_ic_cleanup [gdkim.c:1388]
gdk_exit_func [gdk.c:996]
_exithandle [libc.so.1]
exit [rtlib.o]
gdk_exit [gdk.c:475]
gtk_exit [gtkmain.c:437]
nsAppShell::Exit() [nsAppShell.cpp:166]
nsAppShellService::Shutdown() [nsAppShellService.cpp:174]
nsBrowserAppCore::Exit() [nsBrowserAppCore.cpp:441]
BrowserAppCoreExit(JSContext*,JSObject*,unsigned int,long*,long*)
[nsJSBrowserAppCore.cpp:478]
js_Invoke [jsinterp.c:650]
js_Interpret [jsinterp.c:2183]
js_Invoke [jsinterp.c:666]
js_Interpret [jsinterp.c:2183]
js_Execute [jsinterp.c:815]
JS_EvaluateUCScriptForPrincipals [jsapi.c:2324]
nsJSContext::EvaluateString(const nsString&,const char*,unsigned
int,nsString&,int*) [nsJSEnvironment.cpp:89]
nsXULCommand::ExecuteJavaScriptString(nsIWebShell*,nsString&)
[nsXULCommand.cpp:178]
nsXULCommand::DoCommand() [nsXULCommand.cpp:140]
nsXULCommand::MenuSelected(const nsMenuEvent&) [nsXULCommand.cpp:192]
nsMenuItem::MenuSelected(const nsMenuEvent&) [nsMenuItem.cpp:327]
menu_item_activate_handler(_GtkWidget*,void*)
[nsGtkEventHandler.cpp:691]
gtk_marshal_NONE__NONE [gtkmarshal.c:363]
gtk_handlers_run [gtksignal.c:1909]
gtk_signal_real_emit [gtksignal.c:1469]
gtk_signal_emit [gtksignal.c:552]
gtk_widget_activate [gtkwidget.c:2810]
**** Purify instrumented ./apprunner.pure (pid 29126) ****
FUM: Freeing unallocated memory:
* This is occurring while in:
free [rtlib.o]
gdk_ic_destroy [gdkim.c:686]
gdk_ic_cleanup [gdkim.c:1388]
gdk_exit_func [gdk.c:996]
_exithandle [libc.so.1]
exit [rtlib.o]
gdk_exit [gdk.c:475]
gtk_exit [gtkmain.c:437]
nsAppShell::Exit() [nsAppShell.cpp:166]
nsAppShellService::Shutdown() [nsAppShellService.cpp:174]
nsBrowserAppCore::Exit() [nsBrowserAppCore.cpp:441]
BrowserAppCoreExit(JSContext*,JSObject*,unsigned int,long*,long*)
[nsJSBrowserAppCore.cpp:478]
js_Invoke [jsinterp.c:650]
js_Interpret [jsinterp.c:2183]
js_Invoke [jsinterp.c:666]
js_Interpret [jsinterp.c:2183]
js_Execute [jsinterp.c:815]
JS_EvaluateUCScriptForPrincipals [jsapi.c:2324]
nsJSContext::EvaluateString(const nsString&,const char*,unsigned
int,nsString&,int*) [nsJSEnvironment.cpp:89]
nsXULCommand::ExecuteJavaScriptString(nsIWebShell*,nsString&)
[nsXULCommand.cpp:178]
nsXULCommand::DoCommand() [nsXULCommand.cpp:140]
nsXULCommand::MenuSelected(const nsMenuEvent&) [nsXULCommand.cpp:192]
nsMenuItem::MenuSelected(const nsMenuEvent&) [nsMenuItem.cpp:327]
menu_item_activate_handler(_GtkWidget*,void*)
[nsGtkEventHandler.cpp:691]
gtk_marshal_NONE__NONE [gtkmarshal.c:363]
gtk_handlers_run [gtksignal.c:1909]
gtk_signal_real_emit [gtksignal.c:1469]
gtk_signal_emit [gtksignal.c:552]
gtk_widget_activate [gtkwidget.c:2810]
gtk_menu_shell_activate_item [gtkmenushell.c:834]
* Attempting to free block at 0x590b08 already freed.
* This block was allocated from:
malloc [rtlib.o]
_CreateIC [XSunIMIF.c]
XCreateIC [ICWrap.c]
gdk_ic_real_new [gdkim.c:551]
gdk_ic_new [gdkim.c:665]
gtk_entry_realize [gtkentry.c:655]
gtk_marshal_NONE__NONE [gtkmarshal.c:363]
gtk_signal_real_emit [gtksignal.c:1432]
gtk_signal_emit [gtksignal.c:552]
gtk_widget_realize [gtkwidget.c:1656]
gtk_layout_put [gtklayout.c:255]
nsWidget::CreateWidget(nsIWidget*,const
nsRect&,nsEventStatus(*)(nsGUIEvent*),nsIDeviceContext*,nsIAppShell*,nsIToolkit*
,nsWidgetInitData*,void*) [nsWidget.cpp:613]
nsWidget::Create(nsIWidget*,const
nsRect&,nsEventStatus(*)(nsGUIEvent*),nsIDeviceContext*,nsIAppShell*,nsIToolkit*
,nsWidgetInitData*) [nsWidget.cpp:640]
nsView::CreateWidget(const nsID&,nsWidgetInitData*,void*)
[nsView.cpp:1207]
nsFormControlFrame::Reflow(nsIPresContext&,nsHTMLReflowMetrics&,const
nsHTMLReflowState&,unsigned int&) [nsFormControlFrame.cpp:290]
nsInlineReflow::ReflowFrame(nsIFrame*,int,unsigned int&)
[nsInlineReflow.cpp:316]
nsBlockFrame::ReflowInlineFrame(nsBlockReflowState&,nsLineBox*,nsIFrame*,int*)
[nsBlockFrame.cpp:2650]
nsBlockFrame::ReflowLine(nsBlockReflowState&,nsLineBox*,int*)
[nsBlockFrame.cpp:1816]
nsBlockFrame::ReflowDirtyLines(nsBlockReflowState&)
[nsBlockFrame.cpp:1564]
nsBlockFrame::Reflow(nsIPresContext&,nsHTMLReflowMetrics&,const
nsHTMLReflowState&,unsigned int&) [nsBlockFrame.cpp:984]
nsAreaFrame::Reflow(nsIPresContext&,nsHTMLReflowMetrics&,const
nsHTMLReflowState&,unsigned int&) [nsAreaFrame.cpp:509]
nsContainerFrame::ReflowChild(nsIFrame*,nsIPresContext&,nsHTMLReflowMetrics&,con
st nsHTMLReflowState&,unsigned int&) [nsContainerFrame.cpp:371]
nsTableCellFrame::Reflow(nsIPresContext&,nsHTMLReflowMetrics&,const
nsHTMLReflowState&,unsigned int&) [nsTableCellFrame.cpp:475]
nsContainerFrame::ReflowChild(nsIFrame*,nsIPresContext&,nsHTMLReflowMetrics&,con
st nsHTMLReflowState&,unsigned int&) [nsContainerFrame.cpp:371]
nsTableRowFrame::InitialReflow(nsIPresContext&,nsHTMLReflowMetrics&,RowReflowSta
te&,unsigned int&,nsTableCellFrame*,int) [nsTableRowFrame.cpp:808]
nsTableRowFrame::Reflow(nsIPresContext&,nsHTMLReflowMetrics&,const
nsHTMLReflowState&,unsigned int&) [nsTableRowFrame.cpp:1416]
nsContainerFrame::ReflowChild(nsIFrame*,nsIPresContext&,nsHTMLReflowMetrics&,con
st nsHTMLReflowState&,unsigned int&) [nsContainerFrame.cpp:371]
nsTableRowGroupFrame::ReflowMappedChildren(nsIPresContext&,nsHTMLReflowMetrics&,
RowGroupReflowState&,unsigned int&,nsTableRowFrame*,nsReflowReason,int)
[nsTableRowGroupFrame.cpp:420]
nsTableRowGroupFrame::Reflow(nsIPresContext&,nsHTMLReflowMetrics&,const
nsHTMLReflowState&,unsigned int&) [nsTableRowGroupFrame.cpp:948]
nsContainerFrame::ReflowChild(nsIFrame*,nsIPresContext&,nsHTMLReflowMetrics&,con
st nsHTMLReflowState&,unsigned int&) [nsContainerFrame.cpp:371]
* There have been 1 frees since this block was freed from:
free [rtlib.o]
XDestroyIC [ICWrap.c]
gdk_ic_destroy [gdkim.c:686]
gdk_ic_cleanup [gdkim.c:1388]
gdk_exit_func [gdk.c:996]
_exithandle [libc.so.1]
exit [rtlib.o]
gdk_exit [gdk.c:475]
gtk_exit [gtkmain.c:437]
nsAppShell::Exit() [nsAppShell.cpp:166]
nsAppShellService::Shutdown() [nsAppShellService.cpp:174]
nsBrowserAppCore::Exit() [nsBrowserAppCore.cpp:441]
BrowserAppCoreExit(JSContext*,JSObject*,unsigned int,long*,long*)
[nsJSBrowserAppCore.cpp:478]
js_Invoke [jsinterp.c:650]
js_Interpret [jsinterp.c:2183]
js_Invoke [jsinterp.c:666]
js_Interpret [jsinterp.c:2183]
js_Execute [jsinterp.c:815]
JS_EvaluateUCScriptForPrincipals [jsapi.c:2324]
nsJSContext::EvaluateString(const nsString&,const char*,unsigned
int,nsString&,int*) [nsJSEnvironment.cpp:89]
nsXULCommand::ExecuteJavaScriptString(nsIWebShell*,nsString&)
[nsXULCommand.cpp:178]
nsXULCommand::DoCommand() [nsXULCommand.cpp:140]
nsXULCommand::MenuSelected(const nsMenuEvent&) [nsXULCommand.cpp:192]
nsMenuItem::MenuSelected(const nsMenuEvent&) [nsMenuItem.cpp:327]
menu_item_activate_handler(_GtkWidget*,void*)
[nsGtkEventHandler.cpp:691]
gtk_marshal_NONE__NONE [gtkmarshal.c:363]
gtk_handlers_run [gtksignal.c:1909]
gtk_signal_real_emit [gtksignal.c:1469]
gtk_signal_emit [gtksignal.c:552]
gtk_widget_activate [gtkwidget.c:2810]
Reporter | ||
Updated•26 years ago
|
Summary: Free memory read, double-freed memory.
Re-assigned to mcafee@netscape.com and added names to Cc: list.
Chris, Peter says you're the expert on Solaris and 2.7.x. Do you think we need
to fix this for M3? Is this possibly causing the core dump on exit problem
described in bug #3568?
Comment 2•26 years ago
|
||
Please set target milestone m4 or later if this is Solaris-only.
Assignee | ||
Updated•26 years ago
|
Target Milestone: M4
Reporter | ||
Comment 3•26 years ago
|
||
This appears to be a GTK bug or a Solaris bug. Pavlov is following up with Owen
Taylor @ Redhat.
Updated•26 years ago
|
Target Milestone: M4 → M5
Comment 4•26 years ago
|
||
moving to m5
Reporter | ||
Updated•26 years ago
|
Status: NEW → RESOLVED
Closed: 26 years ago
Resolution: --- → INVALID
Whiteboard: vendor
Reporter | ||
Comment 5•26 years ago
|
||
Solaris bug as far as I've been able to determine.
Moving all Apprunner bugs past and present to Other component temporarily whilst
don and I set correct component. Apprunner component will be deleted/retired
shortly.
Updated•8 years ago
|
Product: Core → Core Graveyard
You need to log in
before you can comment on or make changes to this bug.
Description
•