This is the mail archive of the gcc-bugs@gcc.gnu.org mailing list for the GCC project.



[Bug c++/29235] New: Memory corruption (double fclose()?) with syntax error and -frepo in cc1plus when .rpo exists.


The following was found and tested on a Gentoo system.

The compiler corrupts memory when a C++ file is compiled with -frepo and a .rpo
file exists from a previous (successful) compilation.

When the .rpo file is removed, the problem disappears.

Reproducing the problem:
------------------------

$ cat main.cpp

int main(int argc, char **argv)
{
        return 0;       // First run. Everything ok.
//      return a0;      // Second run. Syntax error.
}

$ g++ -O0 -frepo -c main.cpp

# edit main.cpp

$ cat main.cpp

int main(int argc, char **argv)
{
//      return 0;       // First run. Everything ok.
        return a0;      // Second run. Syntax error.
}

$ g++ -O0 -frepo -c main.cpp
main.cpp: In function ‘int main(int, char**)’:
main.cpp:5: error: ‘a0’ was not declared in this scope
*** glibc detected *** /usr/libexec/gcc/x86_64-pc-linux-gnu/4.1.1/cc1plus: malloc(): memory corruption: 0x00002b27ee3f6010 ***
======= Backtrace: =========
/lib/libc.so.6[0x2b27edf1241d]
/lib/libc.so.6[0x2b27edf1439a]
/lib/libc.so.6(malloc+0x7d)[0x2b27edf15d5d]
/lib/libc.so.6[0x2b27eded5a15]
/lib/libc.so.6[0x2b27eded4020]
/lib/libc.so.6[0x2b27eded3b33]
/usr/libexec/gcc/x86_64-pc-linux-gnu/4.1.1/cc1plus[0x5779d1]
[0x7fffbcd1ace0]
======= Memory map: ========
00400000-009e1000 r-xp 00000000 09:00 28249286    /usr/libexec/gcc/x86_64-pc-linux-gnu/4.1.1/cc1plus
00ae0000-00ae9000 rw-p 005e0000 09:00 28249286    /usr/libexec/gcc/x86_64-pc-linux-gnu/4.1.1/cc1plus
00ae9000-00bc5000 rw-p 00ae9000 00:00 0    [heap]
2b27edd8d000-2b27edda8000 r-xp 00000000 09:00 4080370    /lib/ld-2.4.so
2b27edda8000-2b27edda9000 rw-p 2b27edda8000 00:00 0
2b27edda9000-2b27edddc000 r--p 00000000 09:00 48496671    /usr/lib/locale/fi_FI.utf8/LC_CTYPE
2b27edde1000-2b27edde2000 rw-p 2b27edde1000 00:00 0
2b27edde2000-2b27edde9000 r--s 00000000 09:00 48349351    /usr/lib/gconv/gconv-modules.cache
2b27edde9000-2b27eddea000 r--p 00000000 09:00 48496771    /usr/lib/locale/fi_FI.utf8/LC_MESSAGES/SYS_LC_MESSAGES
2b27eddea000-2b27ede14000 rw-p 2b27eddea000 00:00 0
2b27edea7000-2b27edea8000 r--p 0001a000 09:00 4080370    /lib/ld-2.4.so
2b27edea8000-2b27edea9000 rw-p 0001b000 09:00 4080370    /lib/ld-2.4.so
2b27edea9000-2b27edfca000 r-xp 00000000 09:00 4079852    /lib/libc-2.4.so
2b27edfca000-2b27ee0ca000 ---p 00121000 09:00 4079852    /lib/libc-2.4.so
2b27ee0ca000-2b27ee0ce000 r--p 00121000 09:00 4079852    /lib/libc-2.4.so
2b27ee0ce000-2b27ee0cf000 rw-p 00125000 09:00 4079852    /lib/libc-2.4.so
2b27ee0cf000-2b27ee2dd000 rw-p 2b27ee0cf000 00:00 0
2b27ee2de000-2b27ee3f8000 rw-p 2b27ee2de000 00:00 0
2b27ee500000-2b27ee521000 rw-p 2b27ee500000 00:00 0
2b27ee521000-2b27ee600000 ---p 2b27ee521000 00:00 0
2b27ee600000-2b27ee60c000 r-xp 00000000 09:00 55984380    /lib/libgcc_s.so.1
2b27ee60c000-2b27ee70c000 ---p 0000c000 09:00 55984380    /lib/libgcc_s.so.1
2b27ee70c000-2b27ee70d000 rw-p 0000c000 09:00 55984380    /lib/libgcc_s.so.1
7fffbcd06000-7fffbcd1d000 rw-p 7fffbcd06000 00:00 0    [stack]
ffffffffff600000-ffffffffffe00000 ---p 00000000 00:00 0    [vdso]
main.cpp:6: confused by earlier errors, bailing out

When the main.rpo file is removed, glibc doesn't notice any memory corruption.

Optimization level does not seem to affect the end result.

Valgrind shows the following:
-----------------------------------------------------
$ valgrind --trace-children=yes g++ -O0 -Wall  -frepo -c main.cpp
==15389== Memcheck, a memory error detector.
==15389== Copyright (C) 2002-2006, and GNU GPL'd, by Julian Seward et al.
==15389== Using LibVEX rev 1606, a library for dynamic binary translation.
==15389== Copyright (C) 2004-2006, and GNU GPL'd, by OpenWorks LLP.
==15389== Using valgrind-3.2.0, a dynamic binary instrumentation framework.
==15389== Copyright (C) 2000-2006, and GNU GPL'd, by Julian Seward et al.
==15389== For more details, rerun with: -v
==15389==
==15389== Memcheck, a memory error detector.
==15389== Copyright (C) 2002-2006, and GNU GPL'd, by Julian Seward et al.
==15389== Using LibVEX rev 1606, a library for dynamic binary translation.
==15389== Copyright (C) 2004-2006, and GNU GPL'd, by OpenWorks LLP.
==15389== Using valgrind-3.2.0, a dynamic binary instrumentation framework.
==15389== Copyright (C) 2000-2006, and GNU GPL'd, by Julian Seward et al.
==15389== For more details, rerun with: -v
==15389==
==15394== Memcheck, a memory error detector.
==15394== Copyright (C) 2002-2006, and GNU GPL'd, by Julian Seward et al.
==15394== Using LibVEX rev 1606, a library for dynamic binary translation.
==15394== Copyright (C) 2004-2006, and GNU GPL'd, by OpenWorks LLP.
==15394== Using valgrind-3.2.0, a dynamic binary instrumentation framework.
==15394== Copyright (C) 2000-2006, and GNU GPL'd, by Julian Seward et al.
==15394== For more details, rerun with: -v
==15394==
main.cpp: In function ‘int main(int, char**)’:
main.cpp:5: error: ‘a0’ was not declared in this scope
==15394== Invalid read of size 1
==15394==    at 0x4B7F4EB: fclose@@GLIBC_2.2.5 (in /lib/libc-2.4.so)
==15394==    by 0x445778: cp_finish_file (in /usr/libexec/gcc/x86_64-pc-linux-gnu/4.1.1/cc1plus)
==15394==    by 0x4BF88E: c_common_parse_file (in /usr/libexec/gcc/x86_64-pc-linux-gnu/4.1.1/cc1plus)
==15394==    by 0x74656975712CFF: ???
==15394==  Address 0x4DBC669 is 1 bytes inside a block of size 568 free'd
==15394==    at 0x4A1FEEF: free (vg_replace_malloc.c:233)
==15394==    by 0x4B7F62C: fclose@@GLIBC_2.2.5 (in /lib/libc-2.4.so)
==15394==    by 0x48869F: init_repo (in /usr/libexec/gcc/x86_64-pc-linux-gnu/4.1.1/cc1plus)
==15394==    by 0x44C255: cxx_init (in /usr/libexec/gcc/x86_64-pc-linux-gnu/4.1.1/cc1plus)
==15394==    by 0x75D845: toplev_main (in /usr/libexec/gcc/x86_64-pc-linux-gnu/4.1.1/cc1plus)
==15394==    by 0x74656975712CFF: ???
==15394==
==15394== Invalid read of size 4
==15394==    at 0x4B7F4F5: fclose@@GLIBC_2.2.5 (in /lib/libc-2.4.so)
==15394==    by 0x445778: cp_finish_file (in /usr/libexec/gcc/x86_64-pc-linux-gnu/4.1.1/cc1plus)
==15394==    by 0x4BF88E: c_common_parse_file (in /usr/libexec/gcc/x86_64-pc-linux-gnu/4.1.1/cc1plus)
==15394==    by 0x74656975712CFF: ???
==15394==  Address 0x4DBC668 is 0 bytes inside a block of size 568 free'd
==15394==    at 0x4A1FEEF: free (vg_replace_malloc.c:233)
==15394==    by 0x4B7F62C: fclose@@GLIBC_2.2.5 (in /lib/libc-2.4.so)
==15394==    by 0x48869F: init_repo (in /usr/libexec/gcc/x86_64-pc-linux-gnu/4.1.1/cc1plus)
==15394==    by 0x44C255: cxx_init (in /usr/libexec/gcc/x86_64-pc-linux-gnu/4.1.1/cc1plus)
==15394==    by 0x75D845: toplev_main (in /usr/libexec/gcc/x86_64-pc-linux-gnu/4.1.1/cc1plus)
==15394==    by 0x74656975712CFF: ???
.
. [many more errors with identical backtraces omitted]
.
==15394==
==15394== Invalid write of size 4
==15394==    at 0x4B7F61E: fclose@@GLIBC_2.2.5 (in /lib/libc-2.4.so)
==15394==    by 0x445778: cp_finish_file (in /usr/libexec/gcc/x86_64-pc-linux-gnu/4.1.1/cc1plus)
==15394==    by 0x4BF88E: c_common_parse_file (in /usr/libexec/gcc/x86_64-pc-linux-gnu/4.1.1/cc1plus)
==15394==    by 0x74656975712CFF: ???
==15394==  Address 0x4DBC668 is 0 bytes inside a block of size 568 free'd
==15394==    at 0x4A1FEEF: free (vg_replace_malloc.c:233)
==15394==    by 0x4B7F62C: fclose@@GLIBC_2.2.5 (in /lib/libc-2.4.so)
==15394==    by 0x48869F: init_repo (in /usr/libexec/gcc/x86_64-pc-linux-gnu/4.1.1/cc1plus)
==15394==    by 0x44C255: cxx_init (in /usr/libexec/gcc/x86_64-pc-linux-gnu/4.1.1/cc1plus)
==15394==    by 0x75D845: toplev_main (in /usr/libexec/gcc/x86_64-pc-linux-gnu/4.1.1/cc1plus)
==15394==    by 0x74656975712CFF: ???
==15394==
==15394== Invalid free() / delete / delete[]
==15394==    at 0x4A1FEEF: free (vg_replace_malloc.c:233)
==15394==    by 0x4B7F62C: fclose@@GLIBC_2.2.5 (in /lib/libc-2.4.so)
==15394==    by 0x445778: cp_finish_file (in /usr/libexec/gcc/x86_64-pc-linux-gnu/4.1.1/cc1plus)
==15394==    by 0x4BF88E: c_common_parse_file (in /usr/libexec/gcc/x86_64-pc-linux-gnu/4.1.1/cc1plus)
==15394==    by 0x74656975712CFF: ???
==15394==  Address 0x4DBC668 is 0 bytes inside a block of size 568 free'd
==15394==    at 0x4A1FEEF: free (vg_replace_malloc.c:233)
==15394==    by 0x4B7F62C: fclose@@GLIBC_2.2.5 (in /lib/libc-2.4.so)
==15394==    by 0x48869F: init_repo (in /usr/libexec/gcc/x86_64-pc-linux-gnu/4.1.1/cc1plus)
==15394==    by 0x44C255: cxx_init (in /usr/libexec/gcc/x86_64-pc-linux-gnu/4.1.1/cc1plus)
==15394==    by 0x75D845: toplev_main (in /usr/libexec/gcc/x86_64-pc-linux-gnu/4.1.1/cc1plus)
==15394==    by 0x74656975712CFF: ???
==15394==
==15394== ERROR SUMMARY: 24 errors from 22 contexts (suppressed: 4 from 1)
==15394== malloc/free: in use at exit: 372,082 bytes in 1,079 blocks.
==15394== malloc/free: 1,740 allocs, 662 frees, 770,177 bytes allocated.
==15394== For counts of detected errors, rerun with: -v
==15394== searching for pointers to 1,079 not-freed blocks.
==15394== checked 4,323,112 bytes.
==15394==
[other summaries snipped]

To me it looks like cp_finish_file() is closing a file descriptor that was
already closed by init_repo().


-- 
           Summary: Memory corruption (double fclose()?) with syntax error
                    and -frepo in cc1plus when .rpo exists.
           Product: gcc
           Version: 4.1.1
            Status: UNCONFIRMED
          Severity: normal
          Priority: P3
         Component: c++
        AssignedTo: unassigned at gcc dot gnu dot org
        ReportedBy: jukkaho at mail dot student dot oulu dot fi
 GCC build triplet: x86_64-pc-linux-gnu
  GCC host triplet: x86_64-pc-linux-gnu
GCC target triplet: x86_64-pc-linux-gnu


http://gcc.gnu.org/bugzilla/show_bug.cgi?id=29235
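The report's reading of the valgrind output is that one FILE* for the .rpo file is closed in init_repo() and then closed again in cp_finish_file(), which is a use-after-free of the FILE structure followed by a second free of it. The program below is an added illustration of that ownership pattern and of the usual guard against it; it is not GCC's code. The names model_init_repo, model_finish_file, safe_fclose and struct repo_state are hypothetical stand-ins, and the repository file is a constructed tmpfile() rather than a real main.rpo. The guard is the standard one: close through a pointer-to-pointer and set the pointer to NULL, so whichever phase runs second finds nothing to close.

```c
#include <stdio.h>

/* Close *fpp exactly once and leave it NULL afterwards, so a second caller
 * sees an already-closed stream instead of a dangling FILE*.
 * Returns 1 if this call closed the stream, 0 if it was already closed,
 * -1 if fclose() itself reported an error (the pointer is still cleared). */
static int safe_fclose(FILE **fpp)
{
    if (fpp == NULL || *fpp == NULL)
        return 0;                 /* already closed: harmless no-op */
    int rc = fclose(*fpp);
    *fpp = NULL;                  /* the FILE object is gone; forget it */
    return rc == 0 ? 1 : -1;
}

/* Hypothetical shared state: both phases of the front end see this. */
struct repo_state {
    FILE *repo_file;              /* the open repository file, or NULL */
    int closes_performed;         /* number of real fclose() calls made */
};

/* Stand-in for init_repo(): open the repository, read it, close it.
 * In the pattern the report describes, the pointer stayed non-NULL here. */
static void model_init_repo(struct repo_state *st)
{
    st->repo_file = tmpfile();    /* constructed stand-in for main.rpo */
    if (st->repo_file == NULL)
        return;
    fputs("M main.o\n", st->repo_file);   /* constructed repository content */
    rewind(st->repo_file);
    char line[64];
    while (fgets(line, sizeof line, st->repo_file) != NULL)
        ;                         /* a real parser would consume entries here */
    int r = safe_fclose(&st->repo_file);  /* first, legitimate close */
    if (r > 0)
        st->closes_performed += r;
}

/* Stand-in for cp_finish_file(): runs even after a syntax error, and in the
 * reported pattern called fclose() on the same pointer a second time.
 * With the guard this is a no-op on an already-closed stream. */
static void model_finish_file(struct repo_state *st, int had_errors)
{
    (void)had_errors;             /* the close happens on both paths */
    int r = safe_fclose(&st->repo_file);
    if (r > 0)
        st->closes_performed += r;
}

/* Drive the two phases in the order the backtraces show and report how many
 * times the stream was really closed; the correct answer is exactly 1. */
int run_repo_lifecycle(void)
{
    struct repo_state st = { NULL, 0 };
    model_init_repo(&st);
    model_finish_file(&st, 1);    /* 1: the second compile had a syntax error */
    return st.closes_performed;
}

/* A guarded close on a NULL pointer must do nothing and report 0. */
int close_null_stream_is_noop(void)
{
    FILE *f = NULL;
    return safe_fclose(&f);
}

/* After a guarded close the caller's pointer must be NULL (1 = yes). */
int pointer_cleared_after_close(void)
{
    FILE *f = tmpfile();
    if (f == NULL)
        return -1;
    safe_fclose(&f);
    return f == NULL;
}

int main(void)
{
    printf("real fclose() calls across both phases: %d\n", run_repo_lifecycle());
    return 0;
}
```

Compiled and run under valgrind, this version reports no invalid reads, writes or frees in fclose(), which is the check worth repeating on any fix: the errors in the report all sit inside fclose() on a block that fclose() had already freed, so the pass/fail signal is simply whether that "free'd" backtrace reappears.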

