You are viewing a plain text version of this content. The canonical link for it is here.
Posted to c-dev@xerces.apache.org by bu...@apache.org on 2002/07/30 23:32:26 UTC
DO NOT REPLY [Bug 11308] New: -
MT bug in DOMStringHandle::operator delete
DO NOT REPLY TO THIS EMAIL, BUT PLEASE POST YOUR BUG
RELATED COMMENTS THROUGH THE WEB INTERFACE AVAILABLE AT
<http://nagoya.apache.org/bugzilla/show_bug.cgi?id=11308>.
ANY REPLY MADE TO THIS MESSAGE WILL NOT BE COLLECTED AND
INSERTED IN THE BUG DATABASE.
http://nagoya.apache.org/bugzilla/show_bug.cgi?id=11308
MT bug in DOMStringHandle::operator delete
Summary: MT bug in DOMStringHandle::operator delete
Product: Xerces-C++
Version: 1.7.0
Platform: Other
OS/Version: Other
Status: NEW
Severity: Critical
Priority: Other
Component: DOM
AssignedTo: xerces-c-dev@xml.apache.org
ReportedBy: claymayers@hotmail.com
In DOMStringHandle::operator delete(void *pMem),
DOMString::gLiveStringHandleCount is examined and the results acted on (e.g.,
zeroing freeListPtr) w/o holding the DOMStringHandleMutex mutex. While the
buffers are being freed, a thread can enter DOMStringHandle::operator new() and
allocate itself a piece of memory that's already been freed to the O/S. Also,
the XMLPlatformUtils::atomicIncrement(DOMString::gLiveStringHandleCount) in
DOMStringHandle::createNewStringHandle must be before the new DOMStringHandle
to avoid having op delete() destory the heap before it can increment
gLiveStringHandleCount.
---------------------------------------------------------------------
To unsubscribe, e-mail: xerces-c-dev-unsubscribe@xml.apache.org
For additional commands, e-mail: xerces-c-dev-help@xml.apache.org