Closed Bug 3678 Opened 26 years ago Closed 26 years ago

Free memory read, double-freed memory.

Categories

(Core Graveyard :: Tracking, defect, P3)

Sun
Solaris

Tracking

(Not tracked)

VERIFIED INVALID

People

(Reporter: bruce, Assigned: mcafee)

Details

(Whiteboard: vendor)

Been getting this all week (March 8-12, 1999) under Purify.
Solaris 2.6, gcc 2.7.2.3, GTK 1.2

**** Purify instrumented ./apprunner.pure (pid 29126) ****
FMR: Free memory read:
  * This is occurring while in:
        XDestroyIC [ICWrap.c]
        gdk_ic_destroy [gdkim.c:686]
        gdk_ic_cleanup [gdkim.c:1388]
        gdk_exit_func [gdk.c:996]
        _exithandle [libc.so.1]
        exit [rtlib.o]
        gdk_exit [gdk.c:475]
        gtk_exit [gtkmain.c:437]
        nsAppShell::Exit() [nsAppShell.cpp:166]
        nsAppShellService::Shutdown() [nsAppShellService.cpp:174]
        nsBrowserAppCore::Exit() [nsBrowserAppCore.cpp:441]
        BrowserAppCoreExit(JSContext*,JSObject*,unsigned int,long*,long*) [nsJSBrowserAppCore.cpp:478]
        js_Invoke [jsinterp.c:650]
        js_Interpret [jsinterp.c:2183]
        js_Invoke [jsinterp.c:666]
        js_Interpret [jsinterp.c:2183]
        js_Execute [jsinterp.c:815]
        JS_EvaluateUCScriptForPrincipals [jsapi.c:2324]
        nsJSContext::EvaluateString(const nsString&,const char*,unsigned int,nsString&,int*) [nsJSEnvironment.cpp:89]
        nsXULCommand::ExecuteJavaScriptString(nsIWebShell*,nsString&) [nsXULCommand.cpp:178]
        nsXULCommand::DoCommand() [nsXULCommand.cpp:140]
        nsXULCommand::MenuSelected(const nsMenuEvent&) [nsXULCommand.cpp:192]
        nsMenuItem::MenuSelected(const nsMenuEvent&) [nsMenuItem.cpp:327]
        menu_item_activate_handler(_GtkWidget*,void*) [nsGtkEventHandler.cpp:691]
        gtk_marshal_NONE__NONE [gtkmarshal.c:363]
        gtk_handlers_run [gtksignal.c:1909]
        gtk_signal_real_emit [gtksignal.c:1469]
        gtk_signal_emit [gtksignal.c:552]
        gtk_widget_activate [gtkwidget.c:2810]
        gtk_menu_shell_activate_item [gtkmenushell.c:834]
  * Reading 4 bytes from 0x590b10 in the heap.
  * Address 0x590b10 is 8 bytes into a freed block at 0x590b08 of 256 bytes.
  * This block was allocated from:
        malloc [rtlib.o]
        _CreateIC [XSunIMIF.c]
        XCreateIC [ICWrap.c]
        gdk_ic_real_new [gdkim.c:551]
        gdk_ic_new [gdkim.c:665]
        gtk_entry_realize [gtkentry.c:655]
        gtk_marshal_NONE__NONE [gtkmarshal.c:363]
        gtk_signal_real_emit [gtksignal.c:1432]
        gtk_signal_emit [gtksignal.c:552]
        gtk_widget_realize [gtkwidget.c:1656]
        gtk_layout_put [gtklayout.c:255]
        nsWidget::CreateWidget(nsIWidget*,const nsRect&,nsEventStatus(*)(nsGUIEvent*),nsIDeviceContext*,nsIAppShell*,nsIToolkit*,nsWidgetInitData*,void*) [nsWidget.cpp:613]
        nsWidget::Create(nsIWidget*,const nsRect&,nsEventStatus(*)(nsGUIEvent*),nsIDeviceContext*,nsIAppShell*,nsIToolkit*,nsWidgetInitData*) [nsWidget.cpp:640]
        nsView::CreateWidget(const nsID&,nsWidgetInitData*,void*) [nsView.cpp:1207]
        nsFormControlFrame::Reflow(nsIPresContext&,nsHTMLReflowMetrics&,const nsHTMLReflowState&,unsigned int&) [nsFormControlFrame.cpp:290]
        nsInlineReflow::ReflowFrame(nsIFrame*,int,unsigned int&) [nsInlineReflow.cpp:316]
        nsBlockFrame::ReflowInlineFrame(nsBlockReflowState&,nsLineBox*,nsIFrame*,int*) [nsBlockFrame.cpp:2650]
        nsBlockFrame::ReflowLine(nsBlockReflowState&,nsLineBox*,int*) [nsBlockFrame.cpp:1816]
        nsBlockFrame::ReflowDirtyLines(nsBlockReflowState&) [nsBlockFrame.cpp:1564]
        nsBlockFrame::Reflow(nsIPresContext&,nsHTMLReflowMetrics&,const nsHTMLReflowState&,unsigned int&) [nsBlockFrame.cpp:984]
        nsAreaFrame::Reflow(nsIPresContext&,nsHTMLReflowMetrics&,const nsHTMLReflowState&,unsigned int&) [nsAreaFrame.cpp:509]
        nsContainerFrame::ReflowChild(nsIFrame*,nsIPresContext&,nsHTMLReflowMetrics&,const nsHTMLReflowState&,unsigned int&) [nsContainerFrame.cpp:371]
        nsTableCellFrame::Reflow(nsIPresContext&,nsHTMLReflowMetrics&,const nsHTMLReflowState&,unsigned int&) [nsTableCellFrame.cpp:475]
        nsContainerFrame::ReflowChild(nsIFrame*,nsIPresContext&,nsHTMLReflowMetrics&,const nsHTMLReflowState&,unsigned int&) [nsContainerFrame.cpp:371]
        nsTableRowFrame::InitialReflow(nsIPresContext&,nsHTMLReflowMetrics&,RowReflowState&,unsigned int&,nsTableCellFrame*,int) [nsTableRowFrame.cpp:808]
        nsTableRowFrame::Reflow(nsIPresContext&,nsHTMLReflowMetrics&,const nsHTMLReflowState&,unsigned int&) [nsTableRowFrame.cpp:1416]
        nsContainerFrame::ReflowChild(nsIFrame*,nsIPresContext&,nsHTMLReflowMetrics&,const nsHTMLReflowState&,unsigned int&) [nsContainerFrame.cpp:371]
        nsTableRowGroupFrame::ReflowMappedChildren(nsIPresContext&,nsHTMLReflowMetrics&,RowGroupReflowState&,unsigned int&,nsTableRowFrame*,nsReflowReason,int) [nsTableRowGroupFrame.cpp:420]
        nsTableRowGroupFrame::Reflow(nsIPresContext&,nsHTMLReflowMetrics&,const nsHTMLReflowState&,unsigned int&) [nsTableRowGroupFrame.cpp:948]
        nsContainerFrame::ReflowChild(nsIFrame*,nsIPresContext&,nsHTMLReflowMetrics&,const nsHTMLReflowState&,unsigned int&) [nsContainerFrame.cpp:371]
  * There have been 0 frees since this block was freed from:
        free [rtlib.o]
        XDestroyIC [ICWrap.c]
        gdk_ic_destroy [gdkim.c:686]
        gdk_ic_cleanup [gdkim.c:1388]
        gdk_exit_func [gdk.c:996]
        _exithandle [libc.so.1]
        exit [rtlib.o]
        gdk_exit [gdk.c:475]
        gtk_exit [gtkmain.c:437]
        nsAppShell::Exit() [nsAppShell.cpp:166]
        nsAppShellService::Shutdown() [nsAppShellService.cpp:174]
        nsBrowserAppCore::Exit() [nsBrowserAppCore.cpp:441]
        BrowserAppCoreExit(JSContext*,JSObject*,unsigned int,long*,long*) [nsJSBrowserAppCore.cpp:478]
        js_Invoke [jsinterp.c:650]
        js_Interpret [jsinterp.c:2183]
        js_Invoke [jsinterp.c:666]
        js_Interpret [jsinterp.c:2183]
        js_Execute [jsinterp.c:815]
        JS_EvaluateUCScriptForPrincipals [jsapi.c:2324]
        nsJSContext::EvaluateString(const nsString&,const char*,unsigned int,nsString&,int*) [nsJSEnvironment.cpp:89]
        nsXULCommand::ExecuteJavaScriptString(nsIWebShell*,nsString&) [nsXULCommand.cpp:178]
        nsXULCommand::DoCommand() [nsXULCommand.cpp:140]
        nsXULCommand::MenuSelected(const nsMenuEvent&) [nsXULCommand.cpp:192]
        nsMenuItem::MenuSelected(const nsMenuEvent&) [nsMenuItem.cpp:327]
        menu_item_activate_handler(_GtkWidget*,void*) [nsGtkEventHandler.cpp:691]
        gtk_marshal_NONE__NONE [gtkmarshal.c:363]
        gtk_handlers_run [gtksignal.c:1909]
        gtk_signal_real_emit [gtksignal.c:1469]
        gtk_signal_emit [gtksignal.c:552]
        gtk_widget_activate [gtkwidget.c:2810]

**** Purify instrumented ./apprunner.pure (pid 29126) ****
FUM: Freeing unallocated memory:
  * This is occurring while in:
        free [rtlib.o]
        gdk_ic_destroy [gdkim.c:686]
        gdk_ic_cleanup [gdkim.c:1388]
        gdk_exit_func [gdk.c:996]
        _exithandle [libc.so.1]
        exit [rtlib.o]
        gdk_exit [gdk.c:475]
        gtk_exit [gtkmain.c:437]
        nsAppShell::Exit() [nsAppShell.cpp:166]
        nsAppShellService::Shutdown() [nsAppShellService.cpp:174]
        nsBrowserAppCore::Exit() [nsBrowserAppCore.cpp:441]
        BrowserAppCoreExit(JSContext*,JSObject*,unsigned int,long*,long*) [nsJSBrowserAppCore.cpp:478]
        js_Invoke [jsinterp.c:650]
        js_Interpret [jsinterp.c:2183]
        js_Invoke [jsinterp.c:666]
        js_Interpret [jsinterp.c:2183]
        js_Execute [jsinterp.c:815]
        JS_EvaluateUCScriptForPrincipals [jsapi.c:2324]
        nsJSContext::EvaluateString(const nsString&,const char*,unsigned int,nsString&,int*) [nsJSEnvironment.cpp:89]
        nsXULCommand::ExecuteJavaScriptString(nsIWebShell*,nsString&) [nsXULCommand.cpp:178]
        nsXULCommand::DoCommand() [nsXULCommand.cpp:140]
        nsXULCommand::MenuSelected(const nsMenuEvent&) [nsXULCommand.cpp:192]
        nsMenuItem::MenuSelected(const nsMenuEvent&) [nsMenuItem.cpp:327]
        menu_item_activate_handler(_GtkWidget*,void*) [nsGtkEventHandler.cpp:691]
        gtk_marshal_NONE__NONE [gtkmarshal.c:363]
        gtk_handlers_run [gtksignal.c:1909]
        gtk_signal_real_emit [gtksignal.c:1469]
        gtk_signal_emit [gtksignal.c:552]
        gtk_widget_activate [gtkwidget.c:2810]
        gtk_menu_shell_activate_item [gtkmenushell.c:834]
  * Attempting to free block at 0x590b08 already freed.
  * This block was allocated from:
        malloc [rtlib.o]
        _CreateIC [XSunIMIF.c]
        XCreateIC [ICWrap.c]
        gdk_ic_real_new [gdkim.c:551]
        gdk_ic_new [gdkim.c:665]
        gtk_entry_realize [gtkentry.c:655]
        gtk_marshal_NONE__NONE [gtkmarshal.c:363]
        gtk_signal_real_emit [gtksignal.c:1432]
        gtk_signal_emit [gtksignal.c:552]
        gtk_widget_realize [gtkwidget.c:1656]
        gtk_layout_put [gtklayout.c:255]
        nsWidget::CreateWidget(nsIWidget*,const nsRect&,nsEventStatus(*)(nsGUIEvent*),nsIDeviceContext*,nsIAppShell*,nsIToolkit*,nsWidgetInitData*,void*) [nsWidget.cpp:613]
        nsWidget::Create(nsIWidget*,const nsRect&,nsEventStatus(*)(nsGUIEvent*),nsIDeviceContext*,nsIAppShell*,nsIToolkit*,nsWidgetInitData*) [nsWidget.cpp:640]
        nsView::CreateWidget(const nsID&,nsWidgetInitData*,void*) [nsView.cpp:1207]
        nsFormControlFrame::Reflow(nsIPresContext&,nsHTMLReflowMetrics&,const nsHTMLReflowState&,unsigned int&) [nsFormControlFrame.cpp:290]
        nsInlineReflow::ReflowFrame(nsIFrame*,int,unsigned int&) [nsInlineReflow.cpp:316]
        nsBlockFrame::ReflowInlineFrame(nsBlockReflowState&,nsLineBox*,nsIFrame*,int*) [nsBlockFrame.cpp:2650]
        nsBlockFrame::ReflowLine(nsBlockReflowState&,nsLineBox*,int*) [nsBlockFrame.cpp:1816]
        nsBlockFrame::ReflowDirtyLines(nsBlockReflowState&) [nsBlockFrame.cpp:1564]
        nsBlockFrame::Reflow(nsIPresContext&,nsHTMLReflowMetrics&,const nsHTMLReflowState&,unsigned int&) [nsBlockFrame.cpp:984]
        nsAreaFrame::Reflow(nsIPresContext&,nsHTMLReflowMetrics&,const nsHTMLReflowState&,unsigned int&) [nsAreaFrame.cpp:509]
        nsContainerFrame::ReflowChild(nsIFrame*,nsIPresContext&,nsHTMLReflowMetrics&,const nsHTMLReflowState&,unsigned int&) [nsContainerFrame.cpp:371]
        nsTableCellFrame::Reflow(nsIPresContext&,nsHTMLReflowMetrics&,const nsHTMLReflowState&,unsigned int&) [nsTableCellFrame.cpp:475]
        nsContainerFrame::ReflowChild(nsIFrame*,nsIPresContext&,nsHTMLReflowMetrics&,const nsHTMLReflowState&,unsigned int&) [nsContainerFrame.cpp:371]
        nsTableRowFrame::InitialReflow(nsIPresContext&,nsHTMLReflowMetrics&,RowReflowState&,unsigned int&,nsTableCellFrame*,int) [nsTableRowFrame.cpp:808]
        nsTableRowFrame::Reflow(nsIPresContext&,nsHTMLReflowMetrics&,const nsHTMLReflowState&,unsigned int&) [nsTableRowFrame.cpp:1416]
        nsContainerFrame::ReflowChild(nsIFrame*,nsIPresContext&,nsHTMLReflowMetrics&,const nsHTMLReflowState&,unsigned int&) [nsContainerFrame.cpp:371]
        nsTableRowGroupFrame::ReflowMappedChildren(nsIPresContext&,nsHTMLReflowMetrics&,RowGroupReflowState&,unsigned int&,nsTableRowFrame*,nsReflowReason,int) [nsTableRowGroupFrame.cpp:420]
        nsTableRowGroupFrame::Reflow(nsIPresContext&,nsHTMLReflowMetrics&,const nsHTMLReflowState&,unsigned int&) [nsTableRowGroupFrame.cpp:948]
        nsContainerFrame::ReflowChild(nsIFrame*,nsIPresContext&,nsHTMLReflowMetrics&,const nsHTMLReflowState&,unsigned int&) [nsContainerFrame.cpp:371]
  * There have been 1 frees since this block was freed from:
        free [rtlib.o]
        XDestroyIC [ICWrap.c]
        gdk_ic_destroy [gdkim.c:686]
        gdk_ic_cleanup [gdkim.c:1388]
        gdk_exit_func [gdk.c:996]
        _exithandle [libc.so.1]
        exit [rtlib.o]
        gdk_exit [gdk.c:475]
        gtk_exit [gtkmain.c:437]
        nsAppShell::Exit() [nsAppShell.cpp:166]
        nsAppShellService::Shutdown() [nsAppShellService.cpp:174]
        nsBrowserAppCore::Exit() [nsBrowserAppCore.cpp:441]
        BrowserAppCoreExit(JSContext*,JSObject*,unsigned int,long*,long*) [nsJSBrowserAppCore.cpp:478]
        js_Invoke [jsinterp.c:650]
        js_Interpret [jsinterp.c:2183]
        js_Invoke [jsinterp.c:666]
        js_Interpret [jsinterp.c:2183]
        js_Execute [jsinterp.c:815]
        JS_EvaluateUCScriptForPrincipals [jsapi.c:2324]
        nsJSContext::EvaluateString(const nsString&,const char*,unsigned int,nsString&,int*) [nsJSEnvironment.cpp:89]
        nsXULCommand::ExecuteJavaScriptString(nsIWebShell*,nsString&) [nsXULCommand.cpp:178]
        nsXULCommand::DoCommand() [nsXULCommand.cpp:140]
        nsXULCommand::MenuSelected(const nsMenuEvent&) [nsXULCommand.cpp:192]
        nsMenuItem::MenuSelected(const nsMenuEvent&) [nsMenuItem.cpp:327]
        menu_item_activate_handler(_GtkWidget*,void*) [nsGtkEventHandler.cpp:691]
        gtk_marshal_NONE__NONE [gtkmarshal.c:363]
        gtk_handlers_run [gtksignal.c:1909]
        gtk_signal_real_emit [gtksignal.c:1469]
        gtk_signal_emit [gtksignal.c:552]
        gtk_widget_activate [gtkwidget.c:2810]
Summary: Free memory read, double-freed memory.
Assignee: don → mcafee
Re-assigned to mcafee@netscape.com and added names to Cc: list. Chris, Peter says you're the expert on Solaris and 2.7.x. Do you think we need to fix this for M3? Is this possibly causing the core dump on exit problem described in bug #3568?
Please set target milestone m4 or later if this is Solaris-only.
Target Milestone: M4
This appears to be a GTK bug or a Solaris bug. Pavlov is following up with Owen Taylor @ Redhat.
Target Milestone: M4 → M5
moving to m5
Status: NEW → RESOLVED
Closed: 26 years ago
Resolution: --- → INVALID
Whiteboard: vendor
Solaris bug as far as I've been able to determine.
Status: RESOLVED → VERIFIED
Marking as Verified/Invalid per bruce marking Invalid
Moving all Apprunner bugs past and present to Other component temporarily whilst don and I set correct component. Apprunner component will be deleted/retired shortly.
Product: Core → Core Graveyard