On Mon, Nov 12, 2012 at 4:29 PM, Philip Martin <philip.mar...@wandisco.com> wrote: > Ivan Zhakov <i...@visualsvn.com> writes: > >> On Wed, Nov 7, 2012 at 2:03 AM, <cmpil...@apache.org> wrote: >>> /* Open the file associated with INFO for editing, pass along any >>> propchanges we've recorded for it, and then close the file. */ >>> static svn_error_t * >>> @@ -1189,6 +1234,7 @@ handle_propchange_only(report_info_t *in >>> svn_pool_destroy(info->pool); >>> >>> info->dir->ref_count--; >>> + SVN_ERR(maybe_close_dir_chain(info->dir)); >>> >>> return SVN_NO_ERROR; >>> } >>> @@ -1213,6 +1259,7 @@ handle_local_content(report_info_t *info >>> svn_pool_destroy(info->pool); >>> >>> info->dir->ref_count--; >>> + SVN_ERR(maybe_close_dir_chain(info->dir)); >>> >> Mike, >> >> This change seems to cause problem with access to freed memory: list >> item also allocated in dir pool and finish_report() accesses it after >> calling to handle_local_content(). > > I get SEGV when using a 1.8 client to checkout from a 1.7 server, > valgrind reports: > > ==19159== Invalid read of size 8 > ==19159== at 0x6EF7E1F: finish_report (update.c:2637) > ==19159== by 0x50CCC6C: svn_wc_crawl_revisions5 (adm_crawler.c:858) > ==19159== by 0x4EA000C: update_internal (update.c:427) > ==19159== by 0x4EA0596: svn_client__update_internal (update.c:569) > ==19159== by 0x4E46E44: svn_client__checkout_internal (checkout.c:165) > ==19159== by 0x4E46F59: svn_client_checkout3 (checkout.c:205) > ==19159== by 0x409614: svn_cl__checkout (checkout-cmd.c:161) > ==19159== by 0x4197E3: sub_main (main.c:2735) > ==19159== by 0x4199CC: main (main.c:2790) > ==19159== Address 0xa3b1bd0 is not stack'd, malloc'd or (recently) free'd > I'm also get similar crash on Windows and MacOS. Commenting call to maybe_close_dir() in handle_propchange_only()/handle_local_content() fixes them, but increase memory usage.
-- Ivan Zhakov
