Apache OpenOffice (AOO) Bugzilla – Issue 67740
double-free in xmlhelp.
Last modified: 2007-09-01 14:49:09 UTC
Attached is a valgrind log pointing to the two frees of the same memory in xmlhelp. This (for me, your mileage may vary) will cause a crash later on in writer, e.g. Help->OpenOffice.org Help->Find, search for "scan", and double click on "General Glossary" crashes OOo 2.0.3. Attached is a patch which removes the first of the frees, but someone familiar with the code will have to see what the correct course of action is. cmc->mhu: As an aside, this crashes in writer, because the new allocator is especially sensitive to double-frees as it quickly re-uses freed cache pointers. And if something is double-freed then the pointer is pushed twice onto the free list, and is easily re-used twice concurrently. Perhaps a little non-product build crude double free detector like the final attachment might be a good idea?
Created attachment 38006 [details] valgrind log
Created attachment 38007 [details] workaround patch
Created attachment 38008 [details] crude double free detection in sal
set a target
cmc->mmeeks: you might be interested in this one. That might not be the right fix, and I believe the ooo-build default is to use the system allocator?, but nevertheless in internal allocator mode double-freeing is a really serious problem.
Hi Caolan, Of course you're right in that debug support in the new (rtl_cache based) allocator is very limited. Unfortunately, your "crude" patch will not generally work (besides its performance impact) as the previously freed object may not be in the current magazine ("curr"). Please allow for a couple of days to work out a more general solution; the pieces are already there (FLAG_NOMAGAZINE can force the cache to use the slab layer only, and the slab layer can be made to keep track of all buffers in a hash table) but I need to find some time to actually make these changes. Of course, my proposed changes also have a negative performance impact, and will also (possibly significantly) increase the amount of memory used (additional hash table space). So, this can only be enabled in non-pro builds which are probably not in widespread use. Probably, the only reliable way to detect such issues is through use of valgrind (and friends). Hope that helps, Matthias
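The two points made above (a double free pushes one pointer twice onto a magazine-style free list so two later allocations collide, and a check limited to the current magazine misses a first free that landed in another magazine) can be reproduced with a toy model. This is an added illustration, not OpenOffice.org or rtl_cache code; every name in it is hypothetical, and the "crude" check is modelled simply as a scan of the current magazine.

```c
/* Added illustration, not OpenOffice.org code: a toy slab with two "magazines"
 * (per-CPU stacks of free pointers) plus a slab-level free bitmap. Hypothetical names. */
#include <string.h>
#define NSLOTS 8
#define BUFSZ 32
static char slab[NSLOTS][BUFSZ];
static unsigned char slot_is_free[NSLOTS];  /* slab layer: state of every buffer */
static void *mag[2][NSLOTS];                /* two magazines of free pointers */
static int magn[2], curr, next_slot;
static int slot_of(void *p) { return (int)(((char *)p - (char *)slab) / BUFSZ); }

void toy_reset(void) { memset(slot_is_free, 0, sizeof slot_is_free); magn[0] = magn[1] = curr = next_slot = 0; }
void *toy_alloc(void) {
    if (magn[curr] > 0) {                   /* fast path: pop the current magazine */
        void *p = mag[curr][--magn[curr]];
        slot_is_free[slot_of(p)] = 0;
        return p;
    }
    return next_slot < NSLOTS ? (void *)slab[next_slot++] : NULL;
}
void toy_free(void *p) {                    /* no detection: pushes blindly */
    slot_is_free[slot_of(p)] = 1;
    mag[curr][magn[curr]++] = p;
}
void switch_magazine(void) { curr ^= 1; }   /* another thread/CPU takes over */

/* Crude check, modelled as a scan of "curr" only. */
int crude_detects_double_free(void *p) {
    for (int i = 0; i < magn[curr]; i++) if (mag[curr][i] == p) return 1;
    return 0;
}
/* Slab-level check: the slab layer knows every buffer's state. */
int slab_detects_double_free(void *p) { return slot_is_free[slot_of(p)]; }

/* A double free pushes one pointer twice; two later allocations collide. */
int double_free_hands_out_twice(void) {
    toy_reset();
    void *a = toy_alloc(); toy_free(a); toy_free(a);
    void *b = toy_alloc(), *c = toy_alloc();
    return b == c;                          /* 1: one buffer, two owners */
}
/* First free goes into magazine 0; the second free is attempted on magazine 1. */
static void *freed_then_switched(void) {
    toy_reset();
    void *a = toy_alloc(); toy_free(a); switch_magazine();
    return a;
}
int crude_check_after_switch(void) { return crude_detects_double_free(freed_then_switched()); } /* 0: missed */
int slab_check_after_switch(void)  { return slab_detects_double_free(freed_then_switched()); }  /* 1: caught */
```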
->hro: Why me? Reassigned to abi, who has the most entries in the cvs log ;-)
accepted
ABI->AB: As discussed ...
STARTED
*** Issue 77015 has been marked as a duplicate of this issue. ***
*** Issue 72381 has been marked as a duplicate of this issue. ***
The patch here was integrated into OOG680_m3 under issue 80952, so we can close this now. *** This issue has been marked as a duplicate of 80952 ***
closing, (yippee!)