Closed Bug 183980 Opened 22 years ago Closed 22 years ago

Freeing invalid memory in delete(void *)

Categories

(Core :: DOM: Editor, defect)

x86
Windows 2000
defect
Not set
critical

Tracking


VERIFIED DUPLICATE of bug 184916

People

(Reporter: stephend, Assigned: mozeditor)

Details

Build ID: latest win32 trunk (pulled at noon today), running Purify under Windows 2000.

Summary: Freeing invalid memory in delete(void *)

Steps to Reproduce:
1. Launch the browser under Purify and load http://home.netscape.com, and you'll see the following:

[E] FIM: Freeing invalid memory in delete(void *) {2 occurrences}
Address 0x09014bb0 points into a HeapAlloc'd block in unallocated region of heap 0x023a0000
Location of free attempt
delete(void *) [delop.cpp:6]
nsSelectionState::`scalar deleting destructor'(UINT) [editor.dll]
PlaceholderTxn::~PlaceholderTxn(void) [PlaceholderTxn.cpp:67]
        PlaceholderTxn::~PlaceholderTxn()
        {
     =>   delete mStartSel;
        }
        NS_IMPL_ADDREF_INHERITED(PlaceholderTxn, EditAggregateTxn)
PlaceholderTxn::`scalar deleting destructor'(UINT) [editor.dll]
EditTxn::Release(void) [EditTxn.cpp:49]
        static NS_DEFINE_IID(kITransactionIID, NS_ITRANSACTION_IID);
        NS_IMPL_ADDREF(EditTxn)
     => NS_IMPL_RELEASE(EditTxn)
        // note that aEditor is not refcounted
        EditTxn::EditTxn()
EditAggregateTxn::Release(void) [EditAggregateTxn.cpp:242]
        //NS_IMPL_RELEASE_INHERITED(Class, Super)
        NS_IMETHODIMP_(nsrefcnt) EditAggregateTxn::Release(void)
        {
     =>   return EditTxn::Release();
        }
        //NS_IMPL_QUERY_INTERFACE_INHERITED1(Class, Super, AdditionalInterface)
PlaceholderTxn::Release(void) [PlaceholderTxn.cpp:71]
        }
        NS_IMPL_ADDREF_INHERITED(PlaceholderTxn, EditAggregateTxn)
     => NS_IMPL_RELEASE_INHERITED(PlaceholderTxn, EditAggregateTxn)
        //NS_IMPL_QUERY_INTERFACE_INHERITED1(Class, Super, AdditionalInterface)
        NS_IMETHODIMP PlaceholderTxn::QueryInterface(REFNSIID aIID, void** aInstancePtr)
nsCOMPtr<nsIAbsorbingTransaction>::~nsCOMPtr<nsIAbsorbingTransaction>(void) [nsCOMPtr.h:490]
nsEditor::Do(nsITransaction *) [nsEditor.cpp:516]
        // txn mgr will now own this if it's around, and if it isn't we don't care
        NS_IF_RELEASE(editTxn);
     => }
        if (aTxn)
        {
nsEditor::DeleteSelectionImpl(short) [nsEditor.cpp:4379]
I meant to update this bug a couple of days ago, sorry. This doesn't seem limited to Editor, or even Editor's fault. I'm seeing these kinds of memory conditions _all_ over the product, everywhere from IMAP code to single sign on, to cookies. I don't think I should file bugs for all of them, since I now believe something else is corrupting the stack. Does anybody know of any changes that went in recently that might have affected things module-wide?
I'm seeing something like this, too. Running Mozilla with MALLOC_CHECK_=2 shows a few bad frees in the icon decoder. Stack looks something like this:

__libc_free+0x00000035 [./mozilla-bin +0x000749E5]
__builtin_delete+0x00000022 [/usr/lib/libstdc++-libc6.2-2.so.3 +0x00033C46]
__builtin_vec_delete+0x0000001B [/usr/lib/libstdc++-libc6.2-2.so.3 +0x00033C6F]
nsICODecoder::Close(void)+0x0000019D [/vol0/src/mozilla_gtk2/gtk2/dist/bin/components/libimglib2.so +0x00039D81]
imgRequest::OnStopRequest(nsIRequest *, nsISupports *, unsigned int)+0x0000019A [/vol0/src/mozilla_gtk2/gtk2/dist/bin/components/libimglib2.so +0x000278C6]
...

If I back out the icon decoder changes in the last couple of days the crash is fixed.
http://bugzilla.mozilla.org/show_bug.cgi?id=108271
Shouldn't this be marked a dup of 184916?
*** This bug has been marked as a duplicate of 184916 ***
Status: NEW → RESOLVED
Closed: 22 years ago
Resolution: --- → DUPLICATE
I'm not seeing this anymore, verified dup.
Status: RESOLVED → VERIFIED