Re: [gnome-db] double-free problem in postgres provider

2009/1/25 Johannes Schmid <jhs jsschmid de>

I think I found a problem in the postgres provider:

               else if (G_VALUE_TYPE (value) == GDA_TYPE_BINARY) {
                       /* directly bin binary data */
                       GdaBinary *bin = (GdaBinary *) gda_value_get_binary ((GValue *)
                       param_values [i] = (gchar*) bin->data;
                       param_lengths [i] = bin->binary_length;
                       param_formats [i] = 1; /* binary format */
(...) 2191:
       g_strfreev (param_values);
       g_free (param_lengths);
       g_free (param_formats);

The problem is that param_values[i] for GDA_TYPE_BINARY is actually
owned by the GdaBinary (and later free'd again when the binary is
destroyed). So, a solution here would be to copy the bin->data but
that's a performance killer. Probably the code has to be refactored a
bit but I first want to make sure that this really causes the problem.

Here is the backtrace from glom when trying to add an image to a
database table. The crash happens when the the last reference to the
GdaHolder holding the image (GDA_TYPE_BINARY) is droped:

#0  0x00007f242c20afd5 in raise () from /lib/
#1  0x00007f242c20cb43 in abort () from /lib/
#2  0x00007f242c24bfa8 in ?? () from /lib/
#3  0x00007f242c251938 in ?? () from /lib/
#4  0x00007f242c253f86 in free () from /lib/
#5  0x00007f2433f149b1 in gda_binary_free (boxed=0x3f69750) at
#6  0x00007f242d76c8b5 in boxed_proxy_value_free (value=<value optimized
   at /build/buildd/glib2.0-2.18.2/gobject/gboxed.c:288
#7  0x00007f242d791773 in IA__g_value_unset (value=0x4209a60)
   at /build/buildd/glib2.0-2.18.2/gobject/gvalue.c:276
#8  0x00007f2433f152ea in gda_value_free (value=0x4209a60) at
#9  0x00007f2433ef1f35 in gda_holder_dispose (object=0x3bcf620)
   at gda-holder.c:490
#10 0x00007f242d7711d2 in IA__g_object_unref (_object=<value optimized
   at /build/buildd/glib2.0-2.18.2/gobject/gobject.c:2389
#11 0x00007f2433f033c5 in gda_set_dispose (object=0x402be40) at
#12 0x00007f242d7711d2 in IA__g_object_unref (_object=<value optimized

I think you are right. I've made a correction in rev #3300, can you check it's OK?

BTW, a correction was necessary to avoid mem leaks in case some parameters were bound to the NULL value (because g_strfreev() would only have freed the param's values up to the first NULL found).


[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]