- Subject: Re: possible bug
- From: Mike Pall <mikelu-0903@...>
- Date: Fri, 27 Mar 2009 16:59:16 +0100
Mike Pall wrote:
> Umm, I wouldn't classify this as a bug. The bounds checking tool
> simply doesn't analyze the code deeply enough (no offense
> intended, this is a tough problem). The lastfree pointer is never
> used if the loop exits, because the table is rehashed in turn. So
> this never causes any problems in reality.
Oops, I guess I have to retract this ...
The table rehashing could hit an out-of-memory error and this
would leave the table struct intact -- together with the invalid
lastfree pointer. On most systems with a flat address space this
would still work for a while, though. But if you keep trying to
insert into the same table and keep hitting the memory error, the
pointer will eventually wrap around. This makes the comparison
true and the code inside the loop likely causes a crash.
So it's indeed a genuine bug, though obscure. The fix is in my
last message. A big hooray for code analysis tools! :-)
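An added example, not part of this thread and not Lua's own source: a constructed C model of the free-slot search the message describes, with the `lastfree` cursor kept as an array index so that its drift below the start of the node array is measurable instead of undefined. The table layout, the function names and the allocation-failure hook are assumptions of the model. Starting from a full table whose rehash allocation fails, the post-decrement search moves the cursor one slot further out of bounds on every failed insert, exactly the repeated-OOM scenario above, while the pre-decrement form keeps the invariant `0 <= lastfree <= size`, so a failed rehash leaves nothing stale behind.

```c
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed model (assumption: not Lua's ltable.c). Free slots are searched
   downward from a 'lastfree' cursor; the cursor is an index here so that
   moving below the array start is observable rather than undefined. */
typedef struct { int key; int used; } Node;

typedef struct {
    Node *node;
    size_t size;
    long lastfree;      /* intended invariant: 0 <= lastfree <= size */
    int fail_alloc;     /* test hook: force the rehash allocation to fail */
} Table;

static void table_init(Table *t, size_t size, int fail_alloc) {
    t->node = calloc(size, sizeof(Node));
    if (t->node == NULL) { perror("calloc"); exit(1); }
    t->size = size;
    t->lastfree = (long)size;   /* cursor starts one past the end */
    t->fail_alloc = fail_alloc;
}

static void table_free(Table *t) { free(t->node); }

/* Post-decrement form: on exhaustion the loop exits with lastfree == -1,
   one slot before the array, and every later call moves it one lower. */
static long getfreepos_buggy(Table *t) {
    while (t->lastfree-- > 0) {
        if (!t->node[t->lastfree].used) return t->lastfree;
    }
    return -1;   /* no free slot */
}

/* Pre-decrement form: the cursor only moves while it is still inside the
   array, so exhaustion leaves it at 0 and repeated calls cannot drift. */
static long getfreepos_fixed(Table *t) {
    while (t->lastfree > 0) {
        t->lastfree--;
        if (!t->node[t->lastfree].used) return t->lastfree;
    }
    return -1;   /* no free slot */
}

/* Rehash by doubling the array. Returns 0 on out-of-memory and then leaves
   the table exactly as it was, including whatever lastfree currently holds. */
static int rehash(Table *t) {
    size_t newsize = t->size * 2;
    Node *n = t->fail_alloc ? NULL : calloc(newsize, sizeof(Node));
    if (n == NULL) return 0;
    memcpy(n, t->node, t->size * sizeof(Node));
    free(t->node);
    t->node = n;
    t->size = newsize;
    t->lastfree = (long)newsize;
    return 1;
}

/* Insert a key: take a free slot, otherwise rehash and retry once.
   Returns 1 on success, 0 when the rehash failed for lack of memory. */
static int insert(Table *t, int key, long (*getfreepos)(Table *)) {
    long pos = getfreepos(t);
    if (pos < 0) {
        if (!rehash(t)) return 0;   /* OOM: table left intact */
        pos = getfreepos(t);        /* the grown array has free slots */
    }
    t->node[pos].key = key;
    t->node[pos].used = 1;
    return 1;
}

/* Fill a 4-slot table, then keep inserting while the rehash allocation fails.
   Returns the cursor afterwards: 0 with the fixed search, -attempts with the
   buggy one, i.e. the cursor walks further out of bounds on each failure. */
long cursor_after_failed_inserts(int use_fixed, int attempts) {
    long (*gfp)(Table *) = use_fixed ? getfreepos_fixed : getfreepos_buggy;
    Table t;
    table_init(&t, 4, 0);
    for (int k = 0; k < 4; k++) insert(&t, k, gfp);        /* fills all slots */
    t.fail_alloc = 1;                                       /* memory "runs out" */
    for (int k = 0; k < attempts; k++) insert(&t, 100 + k, gfp);
    long cursor = t.lastfree;
    table_free(&t);
    return cursor;
}

int main(void) {
    printf("buggy search, 5 failed inserts: lastfree = %ld\n",
           cursor_after_failed_inserts(0, 5));
    printf("fixed search, 5 failed inserts: lastfree = %ld\n",
           cursor_after_failed_inserts(1, 5));
    return 0;
}
```

The test hook stands in for a real allocator failure; the point of the model is that error paths which leave a structure "intact" must also leave its cursors and iterators inside their valid range, which the pre-decrement loop guarantees by construction.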