Bug 690586 - Ref counting problems with latest code
Summary: Ref counting problems with latest code
Status: RESOLVED FIXED
Alias: None
Product: MuPDF
Classification: Unclassified
Component: mupdf (show other bugs)
Version: unspecified
Hardware: PC Windows XP
: P4 critical
Assignee: Tor Andersson
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2009-06-30 19:39 UTC by Krzysztof Kowalczyk
Modified: 2009-07-02 08:36 UTC (History)
0 users

See Also:
Customer:
Word Size: ---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description Krzysztof Kowalczyk 2009-06-30 19:39:25 UTC 
There are refcounting problemes with latest code (most likely caued by
http://darcs.ghostscript.com/darcsweb.cgi?r=fitz;a=commitdiff;h=20090630002357-f546f-340ed1793203dab30d21977ba4cc9a2c3e7045e0.gz)

It happens with any PDF: when closing PDF (in pdf_closexref) some object will be
read from and written to after being freed. This is easily caught with debug crt
in msvc 2008, which says:
"HEAP[sumatrapdf.exe]: HEAP: Free Heap block 1148ad0 modified at 1148af8 after
it was freed
Windows has triggered a breakpoint in sumatrapdf.exe.

This may be due to a corruption of the heap, which indicates a bug in
sumatrapdf.exe or any of the DLLs it has loaded."

	msvcr90d.dll!_free_base(void * pBlock=0x01148a80)  Line 109 + 0x13 bytes	C
 	msvcr90d.dll!_free_dbg_nolock(void * pUserData=0x01148aa0, int nBlockUse=1) 
Line 1426 + 0x9 bytes	C++
 	msvcr90d.dll!_free_dbg(void * pUserData=0x01148aa0, int nBlockUse=1)  Line
1258 + 0xd bytes	C++
 	msvcr90d.dll!free(void * pUserData=0x01148aa0)  Line 49 + 0xb bytes	C++
 	SumatraPDF.exe!fz_free(void * p=0x01148aa0)  Line 21 + 0xc bytes	C
 	SumatraPDF.exe!fz_dropobj(fz_obj_s * o=0x01148aa0)  Line 100 + 0x9 bytes	C
 	SumatraPDF.exe!fz_freedict(fz_obj_s * obj=0x01148788)  Line 399 + 0x13 bytes	C
 	SumatraPDF.exe!fz_dropobj(fz_obj_s * o=0x01148788)  Line 94 + 0x9 bytes	C
 	SumatraPDF.exe!pdf_flushxref(pdf_xref_s * xref=0x0114e000, int force=1)  Line
109 + 0x16 bytes	C
 	SumatraPDF.exe!pdf_closexref(pdf_xref_s * xref=0x0114e000)  Line 54 + 0xb bytes	C
 	SumatraPDF.exe!PdfEngine::~PdfEngine()  Line 174 + 0xc bytes	C++
 	SumatraPDF.exe!PdfEngine::`scalar deleting destructor'()  + 0x16 bytes	C++
 	SumatraPDF.exe!DisplayModel::~DisplayModel()  Line 207 + 0x1e bytes	C++
 	SumatraPDF.exe!DisplayModel::`scalar deleting destructor'()  + 0x16 bytes	C++
 	SumatraPDF.exe!CloseWindow(WindowInfo * win=0x01149218, bool quitIfLast=false)
 Line 4097 + 0x1f bytes	C++

libc with debug malloc options will also detect this but the best tool to catch
this is valgrind, which will detect the problem at the time freed memory is read
from or being written to.

Empirically, the following patch fixes the issue:

Index: mupdf/pdf_pagetree.c
===================================================================
--- mupdf/pdf_pagetree.c        (revision 1177)
+++ mupdf/pdf_pagetree.c        (working copy)
@@ -200,9 +200,6 @@
        error = loadpagetree(xref, p, inherit, pages, treeref, &pagenum);
        if (error) { error = fz_rethrow(error, "cannot load pagetree (%d %d R)",
fz_tonum(treeref), fz_togen(treeref)); goto cleanup; }

-       fz_dropobj(pages);
-       fz_dropobj(catalog);
-
        pdf_logpage("}\n", count);

        *pp = p;
Comment 1 Tor Andersson 2009-07-02 08:36:48 UTC 
Yup. I found and fixed this in a patch yesterday.