Please report new issues at https://github.com/DOCGroup
This was borne out of a regression on the test for bug 2074, caused by the fact that the recent addition of a call to reset_state () does not account for a corner case where CH's reference count may be 1. In the code below, when the connection handler's reference count gets to 1, close() will cause "delete this" and reset_state() will write to deallocated memory (line 343, IIOP_Connection_Handler.cpp, TAO 1.5.2-HEAD):

    335 int
    336 TAO_IIOP_Connection_Handler::handle_timeout (const ACE_Time_Value &,
    337                                             const void *)
    338 {
    339   // We don't use this upcall for I/O. This is only used by the
    340   // Connector to indicate that the connection timedout. Therefore,
    341   // we should call close().
    342   int const ret = this->close ();
    343   this->reset_state (TAO_LF_Event::LFS_TIMEOUT);
    344   return ret;
    345 }

Perhaps this hints at a problem with CH's reference counting that is more general than this one case. There are many places where the reference count is manipulated up or down without using the resource-acquisition-is-initialization (RAII) idiom (aka "smart pointer" ...). This can often lead to serious trouble down the road and perhaps is causing this regression. Thus defined, however, the problem is bigger than my understanding of how this stuff works...
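To make the lifetime hazard concrete, here is an added example (constructed for this page, not TAO's code) of a minimal reference-counted handler: close() releases the owner's reference and deletes the object when it was the last one, and a scoped Reference_Guard (a hypothetical RAII helper) pins the handler across the close()/reset_state() sequence so the write lands on a live object. The class names, the g_alive/g_last_state counters and the LFState values are assumptions.

```cpp
// Constructed stand-in for TAO's connection-handler reference counting, not the
// project's code. Two counters let the checks below observe object lifetime.
static int g_alive = 0;        // handlers currently allocated
static int g_last_state = -1;  // last value passed to reset_state()
enum LFState { LFS_IDLE = 0, LFS_TIMEOUT = 1 };  // placeholder values

class Connection_Handler {
public:
    Connection_Handler() : refcount_(1) { ++g_alive; }  // one reference: the owner's
    void add_reference() { ++refcount_; }
    void remove_reference() { if (--refcount_ == 0) delete this; }

    // As in the report: close() drops the owner's reference, and when that was
    // the last one the handler deletes itself inside this call.
    int close() { remove_reference(); return 0; }
    void reset_state(LFState s) { g_last_state = s; }

    // RAII guard: holds one reference for its scope, so nothing done inside the
    // scope can free the handler before the guard's destructor runs.
    class Reference_Guard {
    public:
        explicit Reference_Guard(Connection_Handler *h) : h_(h) { h_->add_reference(); }
        ~Reference_Guard() { h_->remove_reference(); }
    private:
        Connection_Handler *h_;
    };

    // Hardened ordering for the handle_timeout() quoted in the report.
    int handle_timeout_guarded() {
        Reference_Guard guard(this);     // refcount is now at least 2
        int const ret = this->close();   // may drop to 1, never to 0
        this->reset_state(LFS_TIMEOUT);  // handler is still alive here
        return ret;                      // guard releases the final reference
    }
private:
    ~Connection_Handler() { --g_alive; }
    int refcount_;
};

// Why the original ordering is unsafe: with a single reference, close() alone
// frees the handler, so a reset_state() issued afterwards would touch freed memory.
bool close_frees_sole_reference() {
    g_alive = 0;
    Connection_Handler *ch = new Connection_Handler();
    ch->close();
    return g_alive == 0;
}

// Guarded path: state is written while alive and the handler is freed exactly once.
bool guarded_timeout_is_safe() {
    g_alive = 0; g_last_state = -1;
    Connection_Handler *ch = new Connection_Handler();
    int const ret = ch->handle_timeout_guarded();
    return ret == 0 && g_last_state == LFS_TIMEOUT && g_alive == 0;
}
```

The same guard placed at the top of TAO's real handle_timeout() would be one way to make the existing ordering safe regardless of who else holds a reference.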