This is the mail archive of the libstdc++@gcc.gnu.org mailing list for the libstdc++ project.
strange problem in libc: free invalid pointer, but valgrind doesn't show it.
- From: "Linda A. Walsh" <gcc at tlinx dot org>
- To: "libc-help at sourceware dot org" <libc-help at sourceware dot org>, libstdc++ <libstdc++ at gcc dot gnu dot org>
- Date: Tue, 12 Aug 2014 02:18:00 -0700
- Subject: strange problem in libc: free invalid pointer, but valgrind doesn't show it.
- Authentication-results: sourceware.org; auth=none
I'm getting a glibc dump soon after startup...(~3-4 seconds)....
It seems repeatable in normal execution, but not under valgrind -- which
makes me think the problem might be in the glibc memory management,
or the C++ routines that call them.
The error looks like:
FMG:rfrsh:sc(0)<W(696);sw={0/1;1},s/c={0/1;1}
fields_sz=3, vals=2147483636,2147483637,2147483637,
col_samp_dat_sz=3, vals=2147483630,2147483637,2147483637,
*** Error in `./xosview': free(): invalid pointer: 0xbabababababababa ***
======= Backtrace: =========
/lib64/libc.so.6[0x300207410f]
/lib64/libc.so.6[0x300207996e]
./xosview[0x40cb5e]
./xosview[0x40ce4c]
./xosview[0x425014]
./xosview[0x424007]
./xosview[0x411926]
./xosview[0x411884]
./xosview[0x4108e9]
./xosview[0x4127a8]
./xosview[0x40d79c]
/lib64/libc.so.6(__libc_start_main+0xf5)[0x3002021be5]
./xosview[0x405c19]
Aborted (core dumped)
gcc options:
CFLAGS=-g3 -ggdb -Og -fstack-protector-all
LDFLAGS = -Og -ggdb
CXXFLAGS += $(CFLAGS) -std=c++11 -fno-rtti -ftabstop=2 -fstack-protector
Program terminated with signal SIGABRT, Aborted.
#0 0x0000003002035849 in __GI_raise (sig=sig@entry=6)
at ../nptl/sysdeps/unix/sysv/linux/raise.c:56
56 ../nptl/sysdeps/unix/sysv/linux/raise.c: No such file or directory.
(gdb) where
#0 0x0000003002035849 in __GI_raise (sig=sig@entry=6)
at ../nptl/sysdeps/unix/sysv/linux/raise.c:56
#1 0x0000003002036cd8 in __GI_abort () at abort.c:89
#2 0x0000003002074114 in __libc_message (do_abort=do_abort@entry=2,
fmt=fmt@entry=0x300216a220 "*** Error in `%s': %s: 0x%s ***\n")
at ../sysdeps/posix/libc_fatal.c:175
#3 0x000000300207996e in malloc_printerr (action=3,
str=0x30021662bb "free(): invalid pointer", ptr=<optimized out>)
at malloc.c:4916
#4 0x000000000040cb5e in __valarray_release_memory (__p=<optimized out>)
at /usr/include/c++/4.8/bits/valarray_array.h:66
#5 operator= (__v=..., this=0x4ab460) at /usr/include/c++/4.8/valarray:719
#6 FieldMeterGraph::render_samps_outputQ (this=this@entry=0x4a3340,
col_samp_dat=...) at fieldmetergraph.cc:295
#7 0x000000000040ce4c in FieldMeterGraph::drawfields (
this=this@entry=0x4a3340, manditory=manditory@entry=false)
at fieldmetergraph.cc:339
#8 0x0000000000425014 in NetMeter::checkevent (this=0x4a3340)
at linux/netmeter.cc:199
#9 0x0000000000424007 in operator() (__closure=<optimized out>)
at linux/netmeter.cc:71
#10 std::_Function_handler<void(), NetMeter::NetMeter(XOSView*, long int)::__lambda0>::_M_invoke(const std::_Any_data &) (__functor=...)
at /usr/include/c++/4.8/functional:2071
#11 0x0000000000411926 in std::function<void ()>::operator()() const (
this=this@entry=0x4a2cc8) at /usr/include/c++/4.8/functional:2468
#12 0x0000000000411884 in Task::run (this=this@entry=0x4a2cb0)
at ltask.cc:96
#13 0x00000000004108e9 in Scheduler::sched_run (
this=this@entry=0x7fff164444a0, wait_ms=wait_ms@entry=10,
once=once@entry=false) at lsched.cc:79
#14 0x00000000004127a8 in XOSView::run (this=this@entry=0x7fff16444210)
at xosview.cc:98
#15 0x000000000040d79c in main (argc=<optimized out>, argv=0x7fff16444738)
at main.cc:20
----
Stack entry #6 points at line 295
278 void val_array_status(const char* name, valarray<uint64_t>&vaa) {
279   printf("%s_sz=%zu, vals=",name, vaa.size());   // size() returns size_t, so %zu
280   for(auto &vamem:vaa) printf("%llu,", (unsigned long long)vamem);   // pass each element to printf
281   printf("\n");
282 }
...
291 shift_samples();
292 val_array_status("fields", fields_);
293 col_samp_dat = fields_;
294 val_array_status("col_samp_dat", col_samp_dat);
295 samples[0].D = fields_;
296 val_array_status("samples[0].D", samples[0].D);
---
Output (repeated from above before the glibc dump):
FMG:rfrsh:sc(0)<W(696);sw={0/1;1},s/c={0/1;1}
fields_sz=3, vals=2147483636,2147483637,2147483637,
col_samp_dat_sz=3, vals=2147483630,2147483637,2147483637,
So it prints fields_, col_samp_dat, but dies on line 295 in the
assignment to samples.
At the point of 'death', it looks like glibc is printing out a guard string,
but it is in free() and I'm doing assignments (those appear to be
valid numbers for numbers of ethernet bytes on a specific interface).
----
kernel=Linux Ishtar 3.15.8-Isht-Van #1 SMP PREEMPT Sat Aug 2 01:04:05 PDT 2014 x86_64 x86_64 x86_64 GNU/Linux
glibc rpm:
glibc-2.18-4.4.1.x86_64
C++
gcc-c++-4.8-2.1.2.x86_64
-----
So any idea *why* it doesn't crash under valgrind and valgrind
finds no signs of memory corruption?
Maybe the stack guard? Though I'd be afraid to turn it off, since
if it is a real bug and that hides it... that would be bad.
... double posting this to the G++ lib list as well... hope that
doesn't violate any protocols...but at this point, I'm not sure
where the problem is -- glibc's alloc, or the c++ libs that call it,
or somehow in my program safely hidden so valgrind doesn't find it. ;-(
FWIW, vg summary:
==38919== LEAK SUMMARY:
==38919== definitely lost: 0 bytes in 0 blocks
==38919== indirectly lost: 0 bytes in 0 blocks
==38919== possibly lost: 131 bytes in 4 blocks
==38919== still reachable: 475,759 bytes in 979 blocks
==38919== suppressed: 0 bytes in 0 blocks
==38919== Reachable blocks (those to which a pointer was found) are not shown.
==38919== To see them, rerun with: --leak-check=full --show-reachable=yes
==38919==
==38919== For counts of detected and suppressed errors, rerun with: -v
==38919== ERROR SUMMARY: 8 errors from 8 contexts (suppressed: 2 from 2)
(full report available if wanted).
Ideas?
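
A status helper of the kind shown at lines 278-282, as an added example that is not part of the original post: every printf-style conversion gets a matching argument, and the data pointer is checked for a repeated-byte value such as the 0xbabababababababa that free() reported. The names valarray_status and looks_like_fill_pattern are hypothetical, and the sample values are constructed.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <string>
#include <valarray>

// Heuristic: true when every byte of the pointer value is the same non-zero
// byte (0xbabababababababa, 0xaaaaaaaa, ...). Allocators do not hand out such
// addresses; a value like this was typically read from pattern-filled memory.
bool looks_like_fill_pattern(std::uintptr_t p) {
    const unsigned first = static_cast<unsigned>(p & 0xff);
    if (first == 0) return false;
    for (std::size_t i = 1; i < sizeof p; ++i)
        if (((p >> (8 * i)) & 0xff) != first) return false;
    return true;
}

// Report size, data address and every element of a valarray<uint64_t>.
// Each conversion has a matching argument: %zu for size_t, %p for the
// address, and std::to_string for the 64-bit elements.
std::string valarray_status(const char* name,
                            const std::valarray<std::uint64_t>& va) {
    const void* data = va.size() ? static_cast<const void*>(&va[0]) : nullptr;
    char head[64];
    std::snprintf(head, sizeof head, "_sz=%zu, data=%p, ", va.size(), data);
    std::string out = std::string(name) + head;
    // Do not dereference a data pointer that is obviously not an allocation.
    if (looks_like_fill_pattern(reinterpret_cast<std::uintptr_t>(data)))
        return out + "data pointer is a fill pattern, elements not read";
    out += "vals=";
    for (std::uint64_t v : va) out += std::to_string(v) + ",";
    return out;
}

int main() {
    // Constructed sample values, not data from the post.
    std::valarray<std::uint64_t> fields = {2147483636ULL, 5, 7};
    std::puts(valarray_status("fields", fields).c_str());
    std::printf("fill pattern: %d\n",
                looks_like_fill_pattern(0xbabababababababaULL) ? 1 : 0);
    return 0;
}
```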