Hi,
I think I've found a possible situation where we call free twice on the
same pointer.
In sysexec() there is essentially:
sysexec(...) {
…
if(waserror()){
free(file0);
free(elem);
nexterror();
}
for(;;){
tc = namec(file, Aopen, OEXEC, 0);
if(waserror()){
cclose(tc);
nexterror();
}
…
}
qlock(&up->seglock);
if(waserror()){
qunlock(&up->seglock);
nexterror();
}
…
free(file0);
+ file0 = nil; <------------------------- we should add that, for the same
reason we do elem = nil below
free(up->text);
up->text = elem;
elem = nil; /* so waserror() won't free elem */
USED(elem);
…
qunlock(&up->seglock);
poperror(); /* seglock */
- poperror(); /* elem */ <----------------------- actually this is
not the poperror of elem, but of tc
…
poperror();
cclose(tc);
+ poperror(); /* elem and file0 */ <----------- this is where the poperror
of elem should be.
}
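Review bot: The relabelled poperror sequence relies on the for loop leaving exactly one tc handler pushed when it exits, and the loop body that decides that (the break path after the handler is pushed) is elided in this excerpt, so the balance should be re-checked against the full function before the `poperror(); /* elem */` line is dropped. Labelling every pop with the handler it pairs with makes that check readable at a glance: `poperror(); /* seglock */`, `poperror(); /* tc */` before `cclose(tc);`, then `poperror(); /* elem and file0 */`. The added `file0 = nil;` is what makes it safe to keep the outer handler pushed across the later code and `cclose(tc)`, for the same reason the existing `elem = nil` comment gives, so it deserves the matching comment: `file0 = nil; /* so waserror() won't free file0 */`. As written the outer handler also frees file0 on any error raised between the first `free(file0)` and its pop, which is the double free this message describes.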