This is the mail archive of the fortran@gcc.gnu.org mailing list for the GNU Fortran project.



Re: Memory corruption on amd64 FreeBSD


Steve Kargl wrote:
> Program terminated with signal 11, Segmentation fault.
> #0  _gfortran_internal_free (mem=Variable "mem" is not available.
> )
>     at ../../../gcc/libgfortran/runtime/memory.c:210
> 
> warning: Source file is more recent than executable.
> 
> 210       m->next->prev = m->prev;
> (gdb) bt
> #0  _gfortran_internal_free (mem=Variable "mem" is not available.
> )
>     at ../../../gcc/libgfortran/runtime/memory.c:210
> #1  0x0000000000415655 in _gfortran_deallocate (mem=0x7fffffffe080, stat=0x0)
>     at ../../../gcc/libgfortran/runtime/memory.c:306
> #2  0x000000000040495b in MAIN__ () at tdi.f90:347
> #3  0x0000000000414b5e in main (argc=Variable "argc" is not available) at ../../../gcc/libgfortran/fmain.c:18
> 
> (gdb) frame 0 
> #0  _gfortran_internal_free (mem=Variable "mem" is not available.
> )
>     at ../../../gcc/libgfortran/runtime/memory.c:210
> 210       m->next->prev = m->prev;
> (gdb) list
> 205
> 206       /* Move markers up the chain, so they don't get lost.  */
> 207       m->prev->marker += m->marker;
> 208       /* Remove from list.  */
> 209       m->prev->next = m->next;
> 210       m->next->prev = m->prev;
> 211
> 212       free (m);
> 213     }
> 214
> 
> I'm suspicious of line 207.  m->marker is an int and if I read
> the code correctly you are doing pointer arithmetic.

Actually, m->marker doesn't seem to be used anywhere, but I might have missed
something. You could try the appended patch to see if some memory is freed
twice. (This patch catches the case where the magic number is not overwritten,
but other memory in the structure is overwritten, after it has been freed.)
This would be a compiler error then, because this gfc_internal_free only deals
with temporaries.

Also, an out-of-bounds array access could be the problem here.

- Tobi

Index: memory.c
===================================================================
RCS file: /cvs/gcc/gcc/libgfortran/runtime/memory.c,v
retrieving revision 1.2
diff -u -p -r1.2 memory.c
--- memory.c    13 May 2004 06:41:03 -0000      1.2
+++ memory.c    1 Sep 2004 18:50:09 -0000
@@ -199,10 +208,15 @@ internal_free (void *mem)

   m = DATA_HEADER (mem);

+  if (m->magic == 0x038147ab)
+    runtime_error ("Internal: Doubly freed temporary memory detected");
+
   if (m->magic != GFC_MALLOC_MAGIC)
     runtime_error ("Internal: No magic memblock marker.  "
                   "Possible memory corruption");

+  m->magic = 0x038147ab;
+
   /* Move markers up the chain, so they don't get lost.  */
   m->prev->marker += m->marker;
   /* Remove from list.  */

