[comp.windows.x] Bug in XtDestroyWidget

eric@ontek.com (Eric Hanson) (10/18/90)

There is a bug in XtDestroyWidget v1.37. 
This is the rev arrived at after applying patch #15.


In the routine _XtDoPhase2Destroy, the variable 'dr' is used as a pointer into
'app->destroy_list'. During the traversal of 'app->destroy_list', XtPhase2Destroy
gets called. XtPhase2Destroy calls class and instance level destroy procedures, 
which themselves can call XtDestroyWidget. The result is that app->destroy_list
may have records appended to it.

In XtDestroyWidget, app->destroy_list gets realloc'd if the size of the list
(actually an array) grows past ten elements. When it gets realloc'd, the array
is moved in memory and the value of app->destroy_list is changed. 'dr', which is 
still active in _XtDoPhase2Destroy, now points at the old (invalid) copy of 
'app->destroy_list'. As the traversal continues, 'dr' eventually references
uninitialized memory and ... (fill in the error).


The q&d fix is to change the realloc size in XtDestroyWidget from 10 to something
ungodly high. The long term fix is to update 'dr' if the value of
'app->destroy_list' gets changed. I hereby humbly beg the great gods of Xt
for just such a change.




Eric Hanson
Ontek Corporation
Laguna Hills, CA
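
One way to get the effect of the long-term fix described in the post above, as an added example that is not part of the original post and is not Xt source code. The struct and function names are hypothetical stand-ins, the grow-by-10 allocation follows the post's description, and the traversal uses an index re-read against the current `destroy_list` base instead of a held pointer.

```c
#include <stdio.h>
#include <stdlib.h>

/* Hypothetical stand-ins for the Xt structures named in the post. */
typedef struct { int widget; int children; } DestroyRec;
typedef struct { DestroyRec *destroy_list; int count, size; } App;

/* Append a record, growing the array 10 slots at a time as the post
   describes. realloc may move the array, so pointers into it go stale. */
static void queue_destroy(App *app, int widget, int children) {
    if (app->count == app->size) {
        DestroyRec *p = realloc(app->destroy_list,
                                (size_t)(app->size + 10) * sizeof(DestroyRec));
        if (p == NULL) abort();
        app->destroy_list = p;
        app->size += 10;
    }
    app->destroy_list[app->count++] = (DestroyRec){ widget, children };
}

/* Stand-in for a destroy procedure that destroys further widgets. */
static void phase2_destroy(App *app, DestroyRec rec) {
    for (int i = 0; i < rec.children; i++)
        queue_destroy(app, rec.widget * 100 + i, 0);
}

/* Buggy shape from the post: 'dr' is held across calls that can realloc.
     DestroyRec *dr = app->destroy_list;
     for (i = 0; i < app->count; i++, dr++) phase2_destroy(app, *dr);
   Fixed shape: keep an index and re-read app->destroy_list every pass. */
int do_phase2_destroy(App *app) {
    int i = 0;
    for (; i < app->count; i++) {
        DestroyRec rec = app->destroy_list[i]; /* copy before callbacks run */
        phase2_destroy(app, rec);
    }
    app->count = 0;
    return i; /* number of records processed, including appended ones */
}

/* Constructed input: 3 widgets, each queuing 12 more during phase 2. */
int run_demo(void) {
    App app = {0};
    for (int w = 1; w <= 3; w++) queue_destroy(&app, w, 12);
    int n = do_phase2_destroy(&app);
    free(app.destroy_list);
    return n;
}
int main(void) { printf("%d records destroyed\n", run_demo()); return 0; }
```

Building the held-pointer variant with `-fsanitize=address` is a quick way to confirm the stale read, since the list is reallocated several times during this run.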