different segfault with latest master

Dirk Hohndel dirk at hohndel.org
Mon Jul 13 13:39:49 PDT 2015


On Mon, Jul 13, 2015 at 01:27:54PM -0700, Linus Torvalds wrote:
> On Mon, Jul 13, 2015 at 1:10 PM, Dirk Hohndel <dirk at hohndel.org> wrote:
> >
> > I still don't see how this can overflow. If you put a printf or qDebug()
> > or something at this line
> >
> >         ds->taxonomy.nr = ri;
> 
> You missed the part where I pointed out that that store is conditional.
> 
> It's inside the
> 
>         if (geoNames.count() > 0) {
> 
> test. So what I *suspect* happens is that that code sometimes just
> doesn't trigger, so that the taxonomy.nr re-initialization is missing

The idea is that the taxonomy should always be consistent. NULL pointer
and nothing there, or .nr in sync with the number of valid pointers.

The fact that this part is conditional should not matter.

> I say "suspect", because I'm not able to recreate the error. I've seen
> it three times, so I know it's real, but I'm not at all sure how I
> triggered it. The first time it happened while just playing around,
> the second time I ran things under gdb and got the "malloc corruption"
> thing and a callback that was much later for some probably unrelated
> free/alloc, and the third time I got it while using valgrind so I have
> *one* actual valgrind report for this.
> 
> But I tried to recreate it today, and couldn't (I have done an update,
> but I didn't actually re-build subsurface, exactly because I was
> trying to just recreate the valgrind thing to see if I could get any
> other patterns)

So there was one code path where we would not clear out the pointer (and
.nr) after freeing things. I fixed that yesterday. Before that fix I could
get it to corrupt the malloc memory chain quite reliably by just playing
around like crazy long enough. And since that fix I haven't been able to
get that particular crash again.

If you haven't been able to create the corruption today then I'm somewhat
optimistic that my fix was correct...

/D
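
The invariant discussed in this thread (NULL pointer with nothing there, or `.nr` in sync with the valid pointers), as an added example that is not part of the original message and not Subsurface's own code. The struct layout, `MAX_CATEGORIES` and all function names are hypothetical; only the `.nr` field name comes from the thread.

```c
#include <stdlib.h>
#include <string.h>

#define MAX_CATEGORIES 4 /* assumed capacity, not taken from the thread */

/* Hypothetical stand-ins for the structures the thread talks about. */
struct taxonomy { int category; char *value; };
struct taxonomy_data { int nr; struct taxonomy *category; };

/* The invariant: NULL pointer and nr == 0, or nr within the allocation. */
int taxonomy_consistent(const struct taxonomy_data *t)
{
	if (!t->category)
		return t->nr == 0;
	return t->nr >= 0 && t->nr <= MAX_CATEGORIES;
}

/* Free and reset pointer and count together, so no path leaves them stale. */
void taxonomy_clear(struct taxonomy_data *t)
{
	for (int i = 0; t->category && i < t->nr; i++)
		free(t->category[i].value);
	free(t->category);
	t->category = NULL;
	t->nr = 0;
}

/* Refill from `count` names; the reset happens even when count is 0. */
int taxonomy_fill(struct taxonomy_data *t, const char **names, int count)
{
	taxonomy_clear(t); /* unconditional, outside any "count > 0" test */
	if (count <= 0)
		return 0;
	if (count > MAX_CATEGORIES)
		count = MAX_CATEGORIES;
	t->category = calloc(MAX_CATEGORIES, sizeof(*t->category));
	if (!t->category)
		return -1;
	for (int i = 0; i < count; i++) {
		size_t len = strlen(names[i]) + 1;
		char *copy = malloc(len);
		if (!copy)
			return -1; /* nr still equals the number of valid entries */
		memcpy(copy, names[i], len);
		t->category[i] = (struct taxonomy){ .category = i, .value = copy };
		t->nr = i + 1;
	}
	return t->nr;
}
```

Calling `taxonomy_consistent()` in an assert at the entry of every function that walks the array turns a stale count into an immediate failure rather than a later allocator crash.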