In the function apr_sms_destroy() in the file apr_sms.c the function appears 
to be using free() to destroy a lock which has already been destroyed.  On 
about #597 the following code appears:

    /* Remove the memory system from the parent memory systems child list */
    if (pms) {
        if (pms->sms_lock)
            apr_lock_acquire(pms->sms_lock);
        
        if ((*sms->ref = sms->sibling) != NULL)
            sms->sibling->ref = sms->ref;

        if (pms->sms_lock)
            apr_lock_release(pms->sms_lock);
    }
    
    /* Call the pre-destroy if present */
    if (sms->pre_destroy_fn)
        sms->pre_destroy_fn(sms);

    if (sms->sms_lock)
    {
        apr_lock_destroy(sms->sms_lock);
        if (pms->free_fn)
            apr_sms_free(sms->parent, sms->sms_lock);
    }


In the last outer if statement a call is made to destroy the sms->sms_lock 
which should completely destroy and free the lock.  In the next if statement a 
call to apr_sms_free() then tries to free it again.  When traced through it 
ultimately calls free() on sms->sms_lock which should have already been 
destroyed by the call to apr_lock_destroy().  Am I missing something or is the 
code trying to free a lock that has already been destroyed?

Brad
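
The ownership question raised in this message, modelled as an added example (not APR code and not part of the original post): whether the free that follows the destroy call is a double free depends on whether destroy also releases the lock's storage. Every name below (model_lock, pool_alloc, pool_free, destroy_owning, destroy_state_only, destroy_then_free) is a hypothetical stand-in, and the pool is a constructed tracking allocator that counts a second release of the same block.

```c
#include <stdio.h>

/* Hypothetical model; none of these are APR's real types or functions. */
typedef struct { int initialised; } model_lock;

enum { UNUSED, LIVE, RELEASED };
#define POOL_SIZE 8
static model_lock pool[POOL_SIZE];
static int pool_state[POOL_SIZE];   /* slots are never reused after release */
static int double_frees;

static model_lock *pool_alloc(void) {
    for (int i = 0; i < POOL_SIZE; i++)
        if (pool_state[i] == UNUSED) {
            pool_state[i] = LIVE;
            pool[i].initialised = 1;
            return &pool[i];
        }
    return NULL;
}

/* Release a block; a second release of the same block is counted, not done. */
static void pool_free(model_lock *l) {
    int i = (int)(l - pool);
    if (pool_state[i] == RELEASED) { double_frees++; return; }
    pool_state[i] = RELEASED;
}

/* Variant A: destroy tears down the lock and also releases its storage. */
static void destroy_owning(model_lock *l) { l->initialised = 0; pool_free(l); }

/* Variant B: destroy only tears down state; the caller releases storage. */
static void destroy_state_only(model_lock *l) { l->initialised = 0; }

/* Same shape as the quoted sequence: destroy the lock, then free it.
   Returns the number of double frees detected, or -1 if the pool is full. */
static int destroy_then_free(void (*destroy)(model_lock *)) {
    model_lock *l = pool_alloc();
    if (!l) return -1;
    int before = double_frees;
    destroy(l);
    pool_free(l);   /* stands in for the apr_sms_free() call */
    return double_frees - before;
}

int main(void) {
    printf("destroy also frees: %d double free(s)\n", destroy_then_free(destroy_owning));
    printf("destroy state only: %d double free(s)\n", destroy_then_free(destroy_state_only));
    return 0;
}
```

Against the real code, the same question is answered by reading what apr_lock_destroy() does with the lock structure's memory, or by running the destroy path under a heap checker.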
