Posted to c-dev@xerces.apache.org by bu...@apache.org on 2002/07/30 23:32:26 UTC

DO NOT REPLY [Bug 11308] New: - MT bug in DOMStringHandle::operator delete

http://nagoya.apache.org/bugzilla/show_bug.cgi?id=11308

MT bug in DOMStringHandle::operator delete

           Summary: MT bug in DOMStringHandle::operator delete
           Product: Xerces-C++
           Version: 1.7.0
          Platform: Other
        OS/Version: Other
            Status: NEW
          Severity: Critical
          Priority: Other
         Component: DOM
        AssignedTo: xerces-c-dev@xml.apache.org
        ReportedBy: claymayers@hotmail.com


In DOMStringHandle::operator delete(void *pMem), 
DOMString::gLiveStringHandleCount is examined and the results acted on (e.g., 
zeroing freeListPtr) w/o holding the DOMStringHandleMutex mutex.  While the 
buffers are being freed, a thread can enter DOMStringHandle::operator new() and 
allocate itself a piece of memory that's already been freed to the O/S.  Also, 
the XMLPlatformUtils::atomicIncrement(DOMString::gLiveStringHandleCount) in 
DOMStringHandle::createNewStringHandle must be before the new DOMStringHandle 
to avoid having op delete() destroy the heap before it can increment 
gLiveStringHandleCount.

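Added example, not part of the bug report or the Xerces-C++ source: a simplified pooled-handle allocator showing the locking discipline the report asks for, with the live-count test and the pool teardown inside the same mutex that guards allocation. HandlePool and all of its member names are hypothetical.

```cpp
// Simplified model, not Xerces-C++ code; HandlePool and its members are hypothetical.
#include <cstddef>
#include <cstdlib>
#include <mutex>
#include <vector>

class HandlePool {
    struct Node { Node* next; };
    static constexpr std::size_t kPerBlock = 64;  // handles carved from each block
    static constexpr std::size_t kSlot = 32;      // bytes per handle slot
    std::mutex mtx_;                              // guards every member below
    Node* freeList_ = nullptr;
    std::vector<void*> blocks_;
    std::size_t live_ = 0;
public:
    ~HandlePool() { for (void* b : blocks_) std::free(b); }

    void* allocate() {
        std::lock_guard<std::mutex> g(mtx_);
        if (!freeList_) {                         // grow: carve a fresh block into slots
            char* b = static_cast<char*>(std::malloc(kPerBlock * kSlot));
            if (!b) return nullptr;
            blocks_.push_back(b);
            for (std::size_t i = 0; i < kPerBlock; ++i) {
                Node* n = reinterpret_cast<Node*>(b + i * kSlot);
                n->next = freeList_; freeList_ = n;
            }
        }
        // Count the handle in the same critical section that hands out the
        // slot, so release() can never observe zero with a slot in flight.
        ++live_;
        Node* n = freeList_;
        freeList_ = n->next;
        return n;
    }

    void release(void* p) {
        std::lock_guard<std::mutex> g(mtx_);
        Node* n = static_cast<Node*>(p);
        n->next = freeList_; freeList_ = n;
        if (--live_ == 0) {                       // test and teardown are one atomic step
            for (void* b : blocks_) std::free(b);
            blocks_.clear();
            freeList_ = nullptr;                  // no stale pointer into freed blocks
        }
    }

    std::size_t live() { std::lock_guard<std::mutex> g(mtx_); return live_; }
    std::size_t blockCount() { std::lock_guard<std::mutex> g(mtx_); return blocks_.size(); }
};
```

Because the count check, the block frees and the free-list reset all happen under the lock that allocate() takes, no thread can pop a slot from a block that is being returned to the O/S.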