help-gplusplus
[Top][All Lists]
Advanced
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: memory allocation bug in g++-4.1.2 and glibc

From: Paul Pluzhnikov
Subject: Re: memory allocation bug in g++-4.1.2 and glibc
Date: Sat, 21 Apr 2007 12:11:20 -0700
User-agent: Gnus/5.1006 (Gnus v5.10.6) XEmacs/21.4 (Jumbo Shrimp, linux) 
alikin <shahrokni@gmail.com> writes:

> So does that imply that the heap corruption might be in the first bit
> of code which generates the data?

I can't tell from your description.

>From what I understood:
- you've split your program into two parts, and now neither crashes

- VG doesn't give any errors for the first part, and only "read
  uninitialized" for the second part, which doesn't explain the crash.

- the second part crashes with this stack trace:

> #0  0x402bc847 in raise () from /lib/libc.so.6
> #1  0x402be0b8 in abort () from /lib/libc.so.6
> #2  0x402f2c1b in __libc_message () from /lib/libc.so.6
> #3  0x402fb317 in _int_malloc () from /lib/libc.so.6
> #4  0x402fcb3e in malloc () from /lib/libc.so.6
> #5  0x4022d908 in operator new () from /usr/lib/libstdc++.so.6
> #6  0x4022da3d in operator new[] () from /usr/lib/libstdc++.so.6
>
> Does that mean anything?!

Yes, it means you have corrupted heap (in whichever process is
crashing).

It would be *extremely* strange is VG does not report any heap
corruption errors, but you get the crash above.

What's likely happening is that VG does report a heap corruption
error, but you don't notice it among all the "read uninitialized"
noise. Here is what "heap corruption" looks like in VG output:

$ cat junk.cpp
int main()
{
    char *p = new char[10];
    p[10] = 'a'; // Write beyond allocated
    delete p;    // Delete mismatch, should be "delete [] p;"
}

$ g++ -g junk.cpp && valgrind ./a.out
==16933== Memcheck, a memory error detector.
...
==16933== Invalid write of size 1
==16933==    at 0x4005D6: main (junk.cpp:4)
==16933==  Address 0x4C2703A is 0 bytes after a block of size 10 alloc'd
==16933==    at 0x4A05D29: operator new[](unsigned long) 
(vg_replace_malloc.c:199)
==16933==    by 0x4005C9: main (junk.cpp:3)
==16933== 
==16933== Mismatched free() / delete / delete []
==16933==    at 0x4A051A0: operator delete(void*) (vg_replace_malloc.c:244)
==16933==    by 0x4005E1: main (junk.cpp:5)
==16933==  Address 0x4C27030 is 0 bytes inside a block of size 10 alloc'd
==16933==    at 0x4A05D29: operator new[](unsigned long) 
(vg_replace_malloc.c:199)
==16933==    by 0x4005C9: main (junk.cpp:3)

Look for *these* kinds of errors in VG output.

> Also with the latest version of glibc (2.5-2) I get this error at run
> time:
> *** glibc detected *** ./ibr_render: malloc(): memory corruption:
> 0x0876dd08 ***
> ======= Backtrace: =========
> /lib/libc.so.6[0x402fb317]
> /lib/libc.so.6(malloc+0x7e)[0x402fcb3e]
> /usr/lib/libstdc++.so.6(_Znwj+0x28)[0x4022d908]
> /usr/lib/libstdc++.so.6(_Znaj+0x1d)[0x4022da3d]
> ./ibr_render[0x805f26b]
> ./ibr_render[0x805107f]
> ./ibr_render[0x805171e]
> /lib/libc.so.6(__libc_start_main+0xd8)[0x402a8878]
> ./ibr_render(__gxx_personality_v0+0xa1)[0x804c031]
...
> which doesn't mean anything to me, but I find the 0's in heap line
> suspicious.

The error is telling you exactly the same thing you already know --
ibr_render dies with heap corruption. The 0's in the heap line
are expected.

If VG really doesn't tell you where heap corruption happens (which
implies a bug in VG), you can try to set a watchpoint on the address
glibc reports, and see which code last writest to that location
(before the crash). That code likely writes to dangling memory.

Cheers,
-- 
In order to understand recursion you must first understand recursion.
Remove /-nsp/ for email.
reply via email to
[Prev in Thread] Current Thread [Next in Thread]