Preprocessor option -remap (gcc -Wp,-remap ...) occasionally causes a write to freed memory. It's enough to specify this option; there is no need for header.gcc files to be present.

Initially noticed for target i586-pc-msdosdjgpp, when cc1plus crashed for some files while reading header files. Removing -remap from specs fixed the problem. After that I reproduced the bug for i686-linux-gnu by specifying the command line option -Wp,-remap and trying to build some C++ packages, for example glibmm-2.4.2 or cln-1.1.6.

Here is the information which I got from valgrind-2.1.1:

rm -f .libs/cl_debug.lo
valgrind --tool=memcheck --trace-children=yes --num-callers=15 g++ -v -g -O2 -I../include -I../include -I./base -c ./base/cl_debug.cc -fPIC -DPIC -o .libs/cl_debug.lo
==26799== Memcheck, a memory error detector for x86-linux.
==26799== Copyright (C) 2002-2004, and GNU GPL'd, by Julian Seward.
==26799== Using valgrind-2.1.1, a program supervision framework for x86-linux.
==26799== Copyright (C) 2000-2004, and GNU GPL'd, by Julian Seward.
==26799== For more details, rerun with: -v
==26799==
Reading specs from /disk2/gcc34test/lib/gcc/i686-pc-linux-gnu/3.4.1/specs
Configured with: ./configure --prefix=/disk2/gcc34test --enable-languages=c,c++
Thread model: posix
gcc version 3.4.1
 /disk2/gcc34test/libexec/gcc/i686-pc-linux-gnu/3.4.1/cc1plus -quiet -v -I../include -I../include -I./base -D_GNU_SOURCE -remap -DPIC ./base/cl_debug.cc -quiet -dumpbase cl_debug.cc -mtune=pentiumpro -auxbase-strip .libs/cl_debug.lo -g -O2 -version -fPIC -o /tmp/cc8STD4d.s
==26801== Memcheck, a memory error detector for x86-linux.
==26801== Copyright (C) 2002-2004, and GNU GPL'd, by Julian Seward.
==26801== Using valgrind-2.1.1, a program supervision framework for x86-linux.
==26801== Copyright (C) 2000-2004, and GNU GPL'd, by Julian Seward.
==26801== For more details, rerun with: -v
==26801==
ignoring duplicate directory "/usr/lib/qt/include"
ignoring nonexistent directory "/disk2/gcc34test/lib/gcc/i686-pc-linux-gnu/3.4.1/../../../../i686-pc-linux-gnu/include"
ignoring duplicate directory "../include"
#include "..." search starts here:
#include <...> search starts here:
 ../include
 ./base
 /usr/lib/qt/include
 /disk2/gcc34test/lib/gcc/i686-pc-linux-gnu/3.4.1/../../../../include/c++/3.4.1
 /disk2/gcc34test/lib/gcc/i686-pc-linux-gnu/3.4.1/../../../../include/c++/3.4.1/i686-pc-linux-gnu
 /disk2/gcc34test/lib/gcc/i686-pc-linux-gnu/3.4.1/../../../../include/c++/3.4.1/backward
 /usr/local/include
 /disk2/gcc34test/include
 /disk2/gcc34test/lib/gcc/i686-pc-linux-gnu/3.4.1/include
 /usr/include
End of search list.
GNU C++ version 3.4.1 (i686-pc-linux-gnu)
        compiled by GNU C version 3.4.1.
GGC heuristics: --param ggc-min-expand=90 --param ggc-min-heapsize=113227
==26801== Invalid read of size 4
==26801==    at 0x836349E: _cpp_find_file (cppfiles.c:433)
==26801==    by 0x8363986: _cpp_stack_include (cppfiles.c:733)
==26801==    by 0x8359651: do_include_common (cpplib.c:695)
==26801==    by 0x8358E87: _cpp_handle_directive (cpplib.c:424)
==26801==    by 0x835D1EA: _cpp_lex_token (cpplex.c:716)
==26801==    by 0x835DD1B: cpp_get_token (cppmacro.c:1061)
==26801==    by 0x80E703C: c_lex_with_flags (c-lex.c:308)
==26801==    by 0x808F1CB: cp_lexer_get_preprocessor_token (parser.c:602)
==26801==    by 0x808F2A5: cp_lexer_read_token (parser.c:492)
==26801==    by 0x808F598: cp_lexer_peek_token (parser.c:649)
==26801==    by 0x809A925: cp_parser_declaration_seq_opt (parser.c:6201)
==26801==    by 0x809A780: cp_parser_declaration (parser.c:9495)
==26801==    by 0x809A91E: cp_parser_declaration_seq_opt (parser.c:6231)
==26801==    by 0x809AAEA: c_parse_file (parser.c:2319)
==26801==    by 0x80EC4B1: c_common_parse_file (c-opts.c:1237)
==26801==  Address 0x3C1EE2A8 is 884 bytes inside a block of size 1004 free'd
==26801==    at 0x3C01D8A1: free (vg_replace_malloc.c:127)
==26801==    by 0x836B9C8: htab_expand (hashtab.c:421)
==26801==    by 0x836BBFC: htab_find_slot_with_hash (hashtab.c:510)
==26801==    by 0x8362947: make_cpp_dir (cppfiles.c:797)
==26801==    by 0x836356A: _cpp_find_file (cppfiles.c:1202)
==26801==    by 0x8363986: _cpp_stack_include (cppfiles.c:733)
==26801==    by 0x8359651: do_include_common (cpplib.c:695)
==26801==    by 0x8358E87: _cpp_handle_directive (cpplib.c:424)
==26801==    by 0x835D1EA: _cpp_lex_token (cpplex.c:716)
==26801==    by 0x835DD1B: cpp_get_token (cppmacro.c:1061)
==26801==    by 0x80E703C: c_lex_with_flags (c-lex.c:308)
==26801==    by 0x808F1CB: cp_lexer_get_preprocessor_token (parser.c:602)
==26801==    by 0x808F2A5: cp_lexer_read_token (parser.c:492)
==26801==    by 0x808F598: cp_lexer_peek_token (parser.c:649)
==26801==    by 0x809A925: cp_parser_declaration_seq_opt (parser.c:6201)
==26801==
==26801== Invalid write of size 4
==26801==    at 0x83634B7: _cpp_find_file (cppfiles.c:436)
==26801==    by 0x8363986: _cpp_stack_include (cppfiles.c:733)
==26801==    by 0x8359651: do_include_common (cpplib.c:695)
==26801==    by 0x8358E87: _cpp_handle_directive (cpplib.c:424)
==26801==    by 0x835D1EA: _cpp_lex_token (cpplex.c:716)
==26801==    by 0x835DD1B: cpp_get_token (cppmacro.c:1061)
==26801==    by 0x80E703C: c_lex_with_flags (c-lex.c:308)
==26801==    by 0x808F1CB: cp_lexer_get_preprocessor_token (parser.c:602)
==26801==    by 0x808F2A5: cp_lexer_read_token (parser.c:492)
==26801==    by 0x808F598: cp_lexer_peek_token (parser.c:649)
==26801==    by 0x809A925: cp_parser_declaration_seq_opt (parser.c:6201)
==26801==    by 0x809A780: cp_parser_declaration (parser.c:9495)
==26801==    by 0x809A91E: cp_parser_declaration_seq_opt (parser.c:6231)
==26801==    by 0x809AAEA: c_parse_file (parser.c:2319)
==26801==    by 0x80EC4B1: c_common_parse_file (c-opts.c:1237)
==26801==  Address 0x3C1EE2A8 is 884 bytes inside a block of size 1004 free'd
==26801==    at 0x3C01D8A1: free (vg_replace_malloc.c:127)
==26801==    by 0x836B9C8: htab_expand (hashtab.c:421)
==26801==    by 0x836BBFC: htab_find_slot_with_hash (hashtab.c:510)
==26801==    by 0x8362947: make_cpp_dir (cppfiles.c:797)
==26801==    by 0x836356A: _cpp_find_file (cppfiles.c:1202)
==26801==    by 0x8363986: _cpp_stack_include (cppfiles.c:733)
==26801==    by 0x8359651: do_include_common (cpplib.c:695)
==26801==    by 0x8358E87: _cpp_handle_directive (cpplib.c:424)
==26801==    by 0x835D1EA: _cpp_lex_token (cpplex.c:716)
==26801==    by 0x835DD1B: cpp_get_token (cppmacro.c:1061)
==26801==    by 0x80E703C: c_lex_with_flags (c-lex.c:308)
==26801==    by 0x808F1CB: cp_lexer_get_preprocessor_token (parser.c:602)
==26801==    by 0x808F2A5: cp_lexer_read_token (parser.c:492)
==26801==    by 0x808F598: cp_lexer_peek_token (parser.c:649)
==26801==    by 0x809A925: cp_parser_declaration_seq_opt (parser.c:6201)
==26801==
==26801== ERROR SUMMARY: 2 errors from 2 contexts (suppressed: 11 from 1)
==26801== malloc/free: in use at exit: 947389 bytes in 6810 blocks.
==26801== malloc/free: 27194 allocs, 20384 frees, 9137121 bytes allocated.
==26801== For a detailed leak analysis, rerun with: --leak-check=yes
==26801== For counts of detected errors, rerun with: -v
 as -V -Qy -o .libs/cl_debug.lo /tmp/cc8STD4d.s
==26804== Memcheck, a memory error detector for x86-linux.
==26804== Copyright (C) 2002-2004, and GNU GPL'd, by Julian Seward.
==26804== Using valgrind-2.1.1, a program supervision framework for x86-linux.
==26804== Copyright (C) 2000-2004, and GNU GPL'd, by Julian Seward.
==26804== For more details, rerun with: -v
==26804==
GNU assembler version 2.15.90.0.3 (i486-slackware-linux) using BFD version 2.15.90.0.3 20040415
==26804==
==26804== ERROR SUMMARY: 0 errors from 0 contexts (suppressed: 13 from 1)
==26804== malloc/free: in use at exit: 524637 bytes in 4101 blocks.
==26804== malloc/free: 4242 allocs, 141 frees, 701301 bytes allocated.
==26804== For a detailed leak analysis, rerun with: --leak-check=yes
==26804== For counts of detected errors, rerun with: -v
==26799==
==26799== ERROR SUMMARY: 0 errors from 0 contexts (suppressed: 13 from 2)
==26799== malloc/free: in use at exit: 27177 bytes in 193 blocks.
==26799== malloc/free: 249 allocs, 56 frees, 33094 bytes allocated.
==26799== For a detailed leak analysis, rerun with: --leak-check=yes
==26799== For counts of detected errors, rerun with: -v
valgrind --tool=memcheck --trace-children=yes --num-callers=15 g++ -v -g -O2 -I../include -I../include -I./base -c ./base/cl_debug.cc -o cl_debug.o >/dev/null 2>&1
mv -f .libs/cl_debug.lo cl_debug.lo
Created attachment 6688
Patch to fix the bug

The reason was that, if option -remap was specified, pfile->file_hash was updated before the attempt to use pointer hash_slot. If the array additionally gets reallocated, the result is accessing already freed memory. Calling htab_find_slot_with_hash once more later fixes the problem (verified for i586-pc-msdosdjgpp).
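The stale-slot mechanism described above, as an added example that is not libcpp's code: a tiny open-addressing table with the same API shape as libiberty's htab (a slot pointer into the array that a later insert may invalidate by growing the array), exercised once the buggy way (directories inserted into the same table as the held file slot) and once with the committed fix (a separate dir_hash). Table name, keys and directory names are constructed for the demo; whether a held slot pointer survived is checked by address range rather than by dereferencing it.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
/* Minimal open-addressing string table in the style of libiberty's htab:
   find_slot() returns a pointer INTO the slot array and grows the array,
   freeing the old one, when more than half full. Constructed for this
   example; it is not libcpp's code. */
typedef struct { const char **slots; size_t size, count; } htab_t;

static size_t hash_str(const char *s) {
    size_t h = 5381;
    while (*s) h = h * 33 + (unsigned char)*s++;
    return h;
}
static const char **probe(htab_t *t, const char *key) {
    size_t i = hash_str(key) % t->size;
    while (t->slots[i] && strcmp(t->slots[i], key) != 0) i = (i + 1) % t->size;
    return &t->slots[i];
}
/* Like htab_find_slot_with_hash: may do what htab_expand does, which
   invalidates every slot pointer handed out earlier. */
static const char **find_slot(htab_t *t, const char *key) {
    if ((t->count + 1) * 2 > t->size) {
        const char **old = t->slots; size_t oldsize = t->size;
        t->size *= 2;
        t->slots = calloc(t->size, sizeof *t->slots);
        for (size_t i = 0; i < oldsize; i++) if (old[i]) *probe(t, old[i]) = old[i];
        free(old);                         /* earlier slot pointers now dangle */
    }
    return probe(t, key);
}
static void htab_init(htab_t *t) { t->size = 4; t->count = 0; t->slots = calloc(4, sizeof *t->slots); }
static void insert(htab_t *t, const char *key) { const char **s = find_slot(t, key); if (!*s) { *s = key; t->count++; } }
/* Address-range check instead of a dereference, so the demo itself stays memory-safe. */
static int slot_is_live(const htab_t *t, const char **p) {
    return (uintptr_t)p >= (uintptr_t)t->slots && (uintptr_t)p < (uintptr_t)(t->slots + t->size);
}

/* Bug shape: hold a file_hash slot (hash_slot in _cpp_find_file) while the -remap
   path (make_cpp_dir) inserts directories into the SAME table. use_dir_hash=1 is
   the committed fix: directories go to their own dir_hash, so file_hash is never
   resized while a slot into it is held. Returns 1 if the held slot went stale. */
int held_slot_goes_stale(int use_dir_hash) {
    htab_t file_hash, dir_hash; htab_init(&file_hash); htab_init(&dir_hash);
    const char **slot = find_slot(&file_hash, "header.h");
    const char *dirs[] = { "../include", "./base", "/usr/include" };    /* constructed sample */
    for (int i = 0; i < 3; i++) insert(use_dir_hash ? &dir_hash : &file_hash, dirs[i]);
    int stale = !slot_is_live(&file_hash, slot);   /* the real code writes *slot here */
    free(file_hash.slots); free(dir_hash.slots);
    return stale;
}
```

The attached patch's alternative (calling find_slot again after the directory inserts) also avoids the stale pointer; the committed fix removes the aliasing instead.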
As always, the patch should be done off CVS and sent to gcc-patches@. In this case the files have moved and the function has changed a little.
Reproduced under Linux (i686-pc-linux-gnu) also with gcc version 3.5.0 20040705 (experimental). Verified that a similar patch fixes the problem.
Subject: Bug 16366

CVSROOT:        /cvs/gcc
Module name:    gcc
Changes by:     zack@gcc.gnu.org        2004-07-16 17:07:01

Modified files:
        libcpp         : ChangeLog files.c internal.h

Log message:
        2004-07-16  Andris Pavenis  <pavenis@latnet.lv>

        PR preprocessor/16366
        * internal.h (struct cpp_reader): New field dir_hash.
        * files.c (make_cpp_dir): Use dir_hash, not file_hash.
        (_cpp_init_files, _cpp_cleanup_files): Update for new field.

Patches:
http://gcc.gnu.org/cgi-bin/cvsweb.cgi/gcc/libcpp/ChangeLog.diff?cvsroot=gcc&r1=1.17&r2=1.18
http://gcc.gnu.org/cgi-bin/cvsweb.cgi/gcc/libcpp/files.c.diff?cvsroot=gcc&r1=1.4&r2=1.5
http://gcc.gnu.org/cgi-bin/cvsweb.cgi/gcc/libcpp/internal.h.diff?cvsroot=gcc&r1=1.4&r2=1.5
Subject: Bug 16366

CVSROOT:        /cvs/gcc
Module name:    gcc
Branch:         gcc-3_4-branch
Changes by:     zack@gcc.gnu.org        2004-07-16 17:16:46

Modified files:
        gcc            : ChangeLog cppfiles.c cpphash.h

Log message:
        2004-07-16  Andris Pavenis  <pavenis@latnet.lv>

        PR preprocessor/16366
        * internal.h (struct cpp_reader): New field dir_hash.
        * files.c (make_cpp_dir): Use dir_hash, not file_hash.
        (_cpp_init_files, _cpp_cleanup_files): Update for new field.

Patches:
http://gcc.gnu.org/cgi-bin/cvsweb.cgi/gcc/gcc/ChangeLog.diff?cvsroot=gcc&only_with_tag=gcc-3_4-branch&r1=2.2326.2.561&r2=2.2326.2.562
http://gcc.gnu.org/cgi-bin/cvsweb.cgi/gcc/gcc/cppfiles.c.diff?cvsroot=gcc&only_with_tag=gcc-3_4-branch&r1=1.198.4.2&r2=1.198.4.3
http://gcc.gnu.org/cgi-bin/cvsweb.cgi/gcc/gcc/cpphash.h.diff?cvsroot=gcc&only_with_tag=gcc-3_4-branch&r1=1.203.4.3&r2=1.203.4.4
fixed