On Sat, Apr 25, 2009 at 01:18:19PM +0100, Jeremy Henty wrote:
On Fri, Apr 24, 2009 at 06:20:20PM +0200, Hofmann Johannes wrote:
On Thu, Apr 23, 2009 at 09:36:23PM +0100, Jeremy Henty wrote:
On Thu, Apr 23, 2009 at 06:01:56PM +0200, Hofmann Johannes wrote:
It turns out that memory related to aborted images is not released.
What about the other way round, i.e. memory being released and then accessed? If you check the invalid read errors on the valgrind logs page[1] for the past few days you will see they are all due to reading freed image memory. Is this another aspect of the same thing, or something else?
I'd say it's something different. It's always a read of size 4, isn't it? I guess that's just one uninitialized pointer.
I don't think that it's uninitialized pointers. If it were then you would expect valgrind to complain that the address had never been malloced or freed. That's not what we see. E.g. look at the first instance of 'Jpeg_write: Invalid read of size 4'[1]. The freed memory is a DilloImage structure. The line that does the invalid read is reading ... a member of a DilloImage structure! The same is true for the errors from dw::core::Widget::getLayout(), Png_datarow_callback and Png_datainfo_callback. In every case the pointer refers to a malloced structure of the right type. The problem is that the structure has since been freed. I think it's pretty clear that the problem is not uninitialized pointers, it's that the code is using pointers after freeing them.
It's probably significant that these errors all come from within image callbacks (a_Jpeg_callback and a_Png_callback). It looks like a race condition to me: callbacks are running after the image has been freed. Does that make sense?
Yes, it makes sense to me. Have you found a simplified test-case to reproduce it? Finally now I have some time to investigate this bug. I'll start with the problem Johannes described (large jpeg) because of the test-case. Let's start...

--
Cheers
Jorge.-
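The failure mode discussed in this thread, a decoder callback running after the image structure it writes to has been freed, and the fix a reviewer would look for (detach every pending callback before releasing the image), as an added example in C that is not Dillo's code. Image, Client, client_add, image_free and dispatch_row are hypothetical stand-ins for DilloImage and the a_Jpeg_callback / a_Png_callback path, not Dillo's real API.

```c
/* Added example (not Dillo's code): a minimal callback registry that
 * detaches pending decoder callbacks when the image they write to is
 * freed, so a late callback cannot dereference a freed struct.
 * All names (Image, Client, image_free, ...) are hypothetical. */
#include <stdlib.h>
#define MAX_CLIENTS 8
typedef struct Image { int rows_done; } Image;
typedef void (*RowCb)(Image *img, const unsigned char *row);
typedef struct { Image *img; RowCb cb; int active; } Client;
static Client clients[MAX_CLIENTS];
/* Bind a decoder callback to an image; returns its slot, or -1 if full. */
int client_add(Image *img, RowCb cb) {
    for (int i = 0; i < MAX_CLIENTS; i++) {
        if (clients[i].active) continue;
        clients[i].img = img; clients[i].cb = cb; clients[i].active = 1;
        return i;
    }
    return -1;
}

/* Aborting an image detaches every callback still bound to it before the
 * memory is released. Without this step, a callback that arrives later
 * (the decoder is still receiving data) would read the freed Image. */
void image_free(Image *img) {
    for (int i = 0; i < MAX_CLIENTS; i++)
        if (clients[i].active && clients[i].img == img) clients[i].active = 0;
    free(img);
}

/* Deliver a decoded row to every active client; returns how many ran. */
int dispatch_row(const unsigned char *row) {
    int n = 0;
    for (int i = 0; i < MAX_CLIENTS; i++)
        if (clients[i].active) { clients[i].cb(clients[i].img, row); n++; }
    return n;
}

static void row_cb(Image *img, const unsigned char *row) { (void)row; img->rows_done++; }

/* Scenario: bind, deliver one row, abort the image, deliver another row.
 * Returns the number of callbacks that ran after the free (expected 0). */
int run_scenario(int *rows_before_free) {
    static const unsigned char row[3] = { 0, 0, 0 };  /* constructed sample row */
    Image *img = calloc(1, sizeof *img);
    client_add(img, row_cb);
    dispatch_row(row);
    *rows_before_free = img->rows_done;
    image_free(img);
    return dispatch_row(row);
}
```

Removing the detach loop from image_free reproduces the pattern valgrind reports in the thread: the second dispatch_row would write through a pointer to freed memory.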