Bug #861

closed

Reproducible crash in WMenu

Added by Anonymous almost 13 years ago. Updated almost 13 years ago.

Status: Closed
Priority: Normal
Assignee: -
Target version:
Start date: 06/18/2011
Due date:
% Done: 0%
Estimated time:

Description

How to reproduce:

1. Open widget gallery, go to Dialogs/Message Boxes. Test one message box (and dismiss it).
2. Open second window to the widget gallery, go to Basics/WImage.
3. Kill second window.

There will be some memory overruns when the session is destroyed, sometimes SIGSEGVs immediately and sometimes on the next request. valgrind shows accessing already freed memory multiple times in the WMenu destructor.

1st valgrind access after closing the second window.

127.0.0.1 - - [2011-Jun-18 06:51:59.914097] "POST /?wtd=0kXRdxXiAZbYI864 HTTP/1.1" 200 41
==3573== Thread 10:
==3573== Invalid read of size 8
==3573==    at 0x5955A64: std::vector<Wt::WMenuItem*, std::allocator<Wt::WMenuItem*> >::size() const (stl_vector.h:534)
==3573==    by 0x5953126: Wt::WMenu::contentsDestroyed() (WMenu.C:59)
....
....
==3573==  Address 0x1051e430 is 288 bytes inside a block of size 320 free'd
==3573==    at 0x4C2538E: operator delete(void*) (in /usr/lib64/valgrind/vgpreload_memcheck-amd64-linux.so)
==3573==    by 0x595344B: Wt::WMenu::~WMenu() (WMenu.C:86)
==3573==    by 0x5A519BE: Wt::WWebWidget::~WWebWidget() (WWebWidget.C:245)
==3573==    by 0x59354D0: Wt::WInteractWidget::~WInteractWidget() (WInteractWidget.C:50)
==3573==    by 0x58C391A: Wt::WContainerWidget::~WContainerWidget() (WContainerWidget.C:58)
==3573==    by 0x58C396D: Wt::WContainerWidget::~WContainerWidget() (WContainerWidget.C:67)
==3573==    by 0x5A519BE: Wt::WWebWidget::~WWebWidget() (WWebWidget.C:245)
==3573==    by 0x59354D0: Wt::WInteractWidget::~WInteractWidget() (WInteractWidget.C:50)
==3573==    by 0x58C391A: Wt::WContainerWidget::~WContainerWidget() (WContainerWidget.C:58)
==3573==    by 0x58C396D: Wt::WContainerWidget::~WContainerWidget() (WContainerWidget.C:67)
==3573==    by 0x58C16AE: Wt::WCompositeWidget::~WCompositeWidget() (WCompositeWidget.C:43)
==3573==    by 0x59E91A2: Wt::WTabWidget::~WTabWidget() (in /home/max/projects/wt/debug/src/libwtd.so.3.1.10)
==3573==

Looking at the sources, it looks like contentsDestroyed() is connected to a signal in this line

contentsStack->destroyed().connect(this, &WMenu::contentsDestroyed);

and it's signalled after the menu is destroyed, accessing already freed data structures.
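
The lifetime problem described in the report above, as an added example that is not part of the original report and is not Wt code: a slot bound to `this` stays registered after the receiver is destroyed and fires when the sender later emits `destroyed()`. `Signal`, `Stack`, `Menu` and `staleCallsAfterTeardown` are hypothetical stand-ins, and disconnecting in the destructor is an assumed fix, since the thread does not show the actual change.

```cpp
#include <cstdio>
#include <functional>
#include <memory>
#include <utility>
#include <vector>

// Hypothetical stand-in for a signal with disconnectable slots (not Wt's Signal class).
struct Signal {
    int connect(std::function<void()> s) { slots_.push_back(std::move(s)); return int(slots_.size()) - 1; }
    void disconnect(int id) { slots_[id] = nullptr; }
    void emit() { for (auto& s : slots_) if (s) s(); }
    std::vector<std::function<void()>> slots_;
};

// Plays the role of the contents stack: it emits destroyed() from its destructor.
struct Stack { Signal destroyed; ~Stack() { destroyed.emit(); } };
int g_staleCalls = 0;  // slot invocations that arrived after the Menu was destroyed

class Menu {
public:
    Menu(Stack& stack, bool disconnectInDtor)
        : stack_(stack), disconnect_(disconnectInDtor), alive_(std::make_shared<bool>(true)) {
        conn_ = stack_.destroyed.connect([this, alive = alive_] {
            // The flag lets this demo count the stale call instead of reading freed memory.
            if (!*alive) { ++g_staleCalls; return; }
            contentsDestroyed();
        });
    }
    // Assumed fix: drop the slot before the members it uses are destroyed.
    ~Menu() { *alive_ = false; if (disconnect_) stack_.destroyed.disconnect(conn_); }
    void contentsDestroyed() { items_.clear(); }
private:
    Stack& stack_;
    bool disconnect_;
    std::shared_ptr<bool> alive_;
    int conn_ = -1;
    std::vector<int> items_{1, 2, 3};
};

// Teardown order from the report: the menu goes first, the stack's destroyed() fires later.
int staleCallsAfterTeardown(bool disconnectInDtor) {
    g_staleCalls = 0;
    { Stack stack; { Menu menu(stack, disconnectInDtor); } }
    return g_staleCalls;
}

int main() {
    std::printf("stale calls: %d without disconnect, %d with\n",
                staleCallsAfterTeardown(false), staleCallsAfterTeardown(true));
}
```

In real code there is no liveness flag, so the stale call reads the freed object, which is the "Invalid read" valgrind reports in `contentsDestroyed()`.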

Actions #1

Updated by Koen Deforche almost 13 years ago

  • Status changed from New to Resolved

Hey,

as per another discussion, this has been fixed (in my git copy).

Regards,

koen

Actions #2

Updated by Koen Deforche almost 13 years ago

  • Target version set to 3.1.10
Actions #3

Updated by Koen Deforche almost 13 years ago

  • Status changed from Resolved to Closed