[Bug libstdc++/54186] New: PowerPC: Double free, same malloc address for two pointers after free
poyo_vl at yahoo dot com
gcc-bugzilla@gcc.gnu.org
Mon Aug 6 08:11:00 GMT 2012
http://gcc.gnu.org/bugzilla/show_bug.cgi?id=54186
Bug #: 54186
Summary: PowerPC: Double free, same malloc address for two pointers after free
Classification: Unclassified
Product: gcc
Version: 4.2.1
Status: UNCONFIRMED
Severity: normal
Priority: P3
Component: libstdc++
AssignedTo: unassigned@gcc.gnu.org
ReportedBy: poyo_vl@yahoo.com
Hi,
This is the first bug I post here. I'm not sure if it is a bug or not, but this is
what it looks like.
GCC version: gcc-4.2.187-eglibc-2.5.187
I compile something for PowerPC (32) and I have a class with:
- a constructor where there are 2 pointer malloc() allocations
- possible realloc() during class usage
- a destructor where there are 2 free() for those pointers
During program execution I receive SIGSEGV (strace):
*** glibc detected *** /path/my_tool: double free or corruption (!prev): 0x100f6130 ***
[pid 24045] tgkill(23758, 24045, SIGABRT) = 0
[pid 24045] --- SIGABRT (Aborted) @ 0 (0) ---
[pid 24045] --- SIGSEGV (Segmentation fault) @ 0 (0) ---
Also, something strange, the process is not terminated, it looks like it is
locked in a futex. I killed it with SIGKILL.
[pid 23758] futex(0xf9b5ae8, FUTEX_WAIT, 2, NULL) = ? ERESTARTSYS (To be restarted)
[pid 23758] --- SIGTERM (Terminated) @ 0 (0) ---
[pid 23758] futex(0xf9b5060, FUTEX_WAIT, 2, NULL <unfinished ...>
[pid 24045] +++ killed by SIGKILL +++
PANIC: handle_group_exit: 24045 leader 23758
+++ killed by SIGKILL +++
Following the backtrace, it looks like the problem is a double free in my
destructor.
The example of the problem:
Creating an object, I get for my pointers:
- pointer 1: 0x100ee780
- pointer 2: 0x100f0228
And for this object, the destructor works ok.
However, creating a NEW object, I get SAME VALUES for newly malloc()ated
pointers (but I think "reversed"):
- pointer 1: 0x100f0228
- pointer 2: 0x100ee780
The 0x100ee780 pointer gets "realloc"ated, but the result is the same address:
0x100ee780
And in the destructor, when I try to free() those pointers I get the SIGSEGV...
Do you think this is a glibc problem?
Also, this may be related: http://gcc.gnu.org/bugzilla/show_bug.cgi?id=52839
I hope I posted ok.
Thank you,
Ionut
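
Added example, not part of the original report and not the reporter's code: malloc() handing a freed address to a later allocation, and realloc() returning the same address, are both normal allocator behaviour, so the sketch below shows a class of the shape described (two malloc()ed pointers, a realloc(), two free()s in the destructor) written so that each pointer has one owner and is freed once. The class name TwoBuffers, its members and grow() are hypothetical, and a C++11 compiler is assumed.

```cpp
#include <cstdlib>
#include <cstring>
#include <new>
#include <utility>

// Hypothetical stand-in for the class in the report.
class TwoBuffers {
public:
    explicit TwoBuffers(std::size_t n)
        : a_(static_cast<char*>(std::malloc(n))),
          b_(static_cast<char*>(std::malloc(n))), a_size_(n) {
        if (!a_ || !b_) { release(); throw std::bad_alloc(); }
    }
    // A compiler-generated copy would leave two objects holding the same
    // pointers, and both destructors would free() them: forbid copying.
    TwoBuffers(const TwoBuffers&) = delete;
    TwoBuffers& operator=(const TwoBuffers&) = delete;
    // Moving transfers ownership and nulls the source, so only one
    // destructor ever frees the blocks.
    TwoBuffers(TwoBuffers&& o) noexcept
        : a_(o.a_), b_(o.b_), a_size_(o.a_size_) {
        o.a_ = o.b_ = nullptr;
        o.a_size_ = 0;
    }
    ~TwoBuffers() { release(); }

    // realloc() may return the same address or a new one. On failure the
    // old block is still valid, so a_ is overwritten only on success.
    bool grow(std::size_t n) {
        void* p = std::realloc(a_, n);
        if (!p) return false;
        a_ = static_cast<char*>(p);
        a_size_ = n;
        return true;
    }
    char* a() const { return a_; }
    char* b() const { return b_; }
    std::size_t size() const { return a_size_; }

private:
    void release() {
        std::free(a_); a_ = nullptr;  // free(nullptr) is a no-op
        std::free(b_); b_ = nullptr;
    }
    char* a_;
    char* b_;
    std::size_t a_size_;  // current size of the a_ block
};
```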