[Gnucash-changes] Eliminate a double free of memory.

David Hampton hampton-gnucash at rainbolthampton.net
Thu Jun 2 13:26:59 EDT 2005

On Thu, 2005-06-02 at 13:00 -0400, Chris Shoemaker wrote:
> On Thu, Jun 02, 2005 at 11:10:48AM -0400, David Hampton wrote:
> > --- src/business/business-gnome/dialog-customer.c
> > +++ src/business/business-gnome/dialog-customer.c
> > @@ -383,7 +383,8 @@
> >    CustomerWindow *cw = user_data;
> >  
> >    gtk_widget_destroy (cw->dialog);
> > -  cw->dialog = NULL;
> > +  // cw has already been freed by this point.
> > +  // cw->dialog = NULL;
> >  }
> This patch looks wrong.  1) This certainly doesn't fix a double-free
> bug because it doesn't remove a free.

You're right; my comment is wrong.  This change prevents writing to
already freed memory.  The problem was this particular write trashes the
memory free list such that libc rolls over and dies.

> 2) gtk_widget_destroy() may
> free cw->dialog, in which case it's wise to assign NULL.
> gtk_widget_destroy should never free cw.  If it does, then something
> is seriously wrong somewhere else, but not here.

Calling gtk_widget_destroy on this dialog eventually causes the
gnc_customer_window_destroy_cb function to be called.  That function is
where the free of the cw data structure occurs.

The pattern of having a destroy callback function that frees the data
structure associated with a window is common in the gnucash code.  It
allows one function to handle the cleanup of a dialog and any associated
data structures, no matter how the dialog was closed.  This is
particularly important because closing a window via the title bar close
button translates directly to a call to gtk_widget_destroy on the window
widget.  There's no other way for the code to know the window was closed
this way, other than to attach a callback to the widget destruction.


More information about the gnucash-devel mailing list