Fix child_results loop accessing next after free()

src/userprog/process.c

@@ -170,7 +170,6 @@ start_process (void *proc_start_data)
   /* If stack initialization failed, free resources and quit. */
   if (!success)
     {
-      process_exit ();
       goto fail;
     }
 
@@ -189,7 +188,6 @@ start_process (void *proc_start_data)
 fail:
   data->success = false;
   sema_up (&data->loaded);
-  thread_exit ();
 }
 
 /* Helper function that initializes the stack of a newly created 
@@ -375,10 +373,11 @@ process_exit (void)
   /* Free child process results or signal parent's death. */
   struct list_elem *e;
   for (e = list_begin (&cur->child_results);
-       e != list_end (&cur->child_results); e = list_next (e))
+       e != list_end (&cur->child_results);)
     {
       struct process_result *result
           = list_entry (e, struct process_result, elem);
+      struct list_elem *next = list_next (e);
       lock_acquire (&result->lock);
       /* Child has died (and was not waited for). Free the result. */
       if (sema_try_down (&result->sema))
@@ -392,6 +391,7 @@ process_exit (void)
           sema_up (&result->sema);
           lock_release (&result->lock);
         }
+      e = next;
     }
 
   /* Destroy the current process's page directory and switch back