Otto Moerbeek wrote:
> static void
> -ofree(struct dir_info *pool, void *p)
> +ofree(struct dir_info *argpool, void *p)
> {
> + struct dir_info *pool;
> struct region_info *r;
> size_t sz;
> + int i;
>
> + pool = argpool;
> r = find(pool, p);
> if (r == NULL) {
> - wrterror(pool, "bogus pointer (double free?)", p);
> - return;
> + for (i = 0; i < _MALLOC_MUTEXES; i++) {
> + if (i == pool->mutex)
> + continue;
> + pool->active--;
> + _MALLOC_UNLOCK(pool->mutex);
> + pool = mopts.malloc_pool[i];
> + _MALLOC_LOCK(pool->mutex);
> + pool->active++;
> + r = find(pool, p);
> + if (r != NULL)
> + break;
> + }
> + if (r == NULL) {
> + wrterror(pool, "bogus pointer (double free?)", p);
> + goto done;
> + }
I'm having trouble understanding this loop. I think you are trying to avoid
locking the initial pool again, but this only works if argpool is pool 0. If
it's something else, then pool will change, and pool->mutex will never equal i.