Path: utzoo!attcan!uunet!sdrc!thor!scjones
From: scjones@thor.UUCP (Larry Jones)
Newsgroups: comp.windows.x
Subject: Double free() in Xmu
Message-ID: <200@thor.UUCP>
Date: 26 Oct 90 22:09:34 GMT
Organization: SDRC, Cincinnati
Lines: 31

I'm having a problem with TWM not exiting cleanly. The version of malloc that I'm using has some debugging features and it is complaining that the heap has been corrupted. I've tracked the problem down to _DoCallbacks in Xmu/CloseHook which, through a somewhat twisted chain of events, ends up freeing the same block of memory twice, which is what causes the above complaint, and also references memory after it has been freed! Unfortunately, my comprehension of the relevant code is not sufficient for me to be sure of a fix.

What is happening is that XCloseDisplay calls _DoCallbacks, which calls _DQCloseDisplay in Xmu/DisplayQue, which calls XmuDQRemoveDisplay, which calls XmuRemoveCloseDisplayHook, which removes and frees the callback that _DoCallbacks is in the process of calling. When everything returns to _DoCallbacks, it then frees the callback again. After freeing the callback, it then references the freed memory to get the pointer to the next callback, a good way to cause strange and wonderful things to happen.

Avoiding the reference to freed memory is easy enough, but preventing the double free is much trickier. It seems to me that, at the very least, _DoCallbacks should remove the current callback from the list before calling it, but it may be sufficient to just clear out the list in the display or even unlink the display before calling the callbacks. Suggestions?

----
Larry Jones                         UUCP: uunet!sdrc!thor!scjones
SDRC                                      scjones@thor.UUCP
2000 Eastman Dr.                    BIX:  ltl
Milford, OH  45150-2789             AT&T: (513) 576-2070
Girls are like slugs -- they probably serve some purpose, but
it's hard to imagine what. -- Calvin
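
Added example, not part of the original post and not the Xmu source: a C version of the traversal the post suggests, in which each callback is unlinked from the list before it is called, so a callback that unregisters itself finds nothing left to free and no freed node is ever read. The types and the names Disp, Hook, add_hook, remove_hook, self_removing and run_hooks are hypothetical.

```c
#include <stdlib.h>

struct Disp;  /* hypothetical simplified types, not the Xmu structures */
typedef struct Hook {
    struct Hook *next;
    void (*fn)(struct Disp *d, struct Hook *self);
} Hook;
typedef struct Disp { Hook *hooks; int calls; int frees; } Disp;

static Hook *add_hook(Disp *d, void (*fn)(Disp *, Hook *)) {
    Hook *h = malloc(sizeof *h);
    if (h == NULL) return NULL;
    *h = (Hook){ d->hooks, fn };
    return d->hooks = h;
}
/* Unlink and free h only if the list still owns it; returns 1 if removed. */
static int remove_hook(Disp *d, Hook *h) {
    for (Hook **pp = &d->hooks; *pp != NULL; pp = &(*pp)->next) {
        if (*pp != h) continue;
        *pp = h->next;
        free(h);
        d->frees++;
        return 1;
    }
    return 0;
}
/* Callback that unregisters itself, as in the call chain the post describes. */
static void self_removing(Disp *d, Hook *self) {
    d->calls++;
    remove_hook(d, self);  /* no-op here: run_hooks already unlinked self */
}
/* Pop each hook off the list before calling it; never read a freed node. */
static void run_hooks(Disp *d) {
    for (Hook *h; (h = d->hooks) != NULL; ) {
        d->hooks = h->next;  /* unlink first: traversal is now sole owner */
        h->fn(d, h);
        free(h);             /* freed exactly once */
        d->frees++;
    }
}
/* Returns 1 when all three hooks were called and freed exactly once each. */
int demo(void) {
    Disp d = { NULL, 0, 0 };
    for (int i = 0; i < 3; i++)
        if (add_hook(&d, self_removing) == NULL) return 0;
    run_hooks(&d);
    return d.calls == 3 && d.frees == 3 && d.hooks == NULL;
}
int main(void) { return demo() ? 0 : 1; }
```

Because the loop re-reads the list head on every pass instead of a saved next pointer, a callback that removes a different pending hook through remove_hook is also handled without touching freed memory.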