Usage of remove_timeout_user in the wineserver

Mike Hearn mike at theoretic.com
Sat Aug 23 12:48:20 CDT 2003


Hi Alexandre,

There is sometimes a double free in the wineserver, in fd.c

Basically the callback for the timeout is called, and the callback (for
instance in set_next_timer:queue.c) calls remove_timeout_user() which
does a free( user ), but at the end of handle_timeout() it also performs
a free, so I think the same timeout struct is freed twice.

I don't know how to fix this bug - I commented out the free in
remove_timeout_user and that stopped the wineserver from segfaulting or
dieing inside malloc, but it might cause a memory leak in the case where
a timeout is added and then removed before being handled.

It's too bad there is no way to check if a pointer has already been
freed. Maybe a flag (inside_callback) in the timeout_user struct, so we
know not to free it in remove_timeout_user()? What do you think?

thanks -mike




More information about the wine-devel mailing list