[Bug c++/70758] New: unique_ptr<T[]> of aligned T calls invalid free

2013.bugzilla.gcc.gnu.org at ingomueller dot net gcc-bugzilla@gcc.gnu.org
Thu Apr 21 17:36:00 GMT 2016


https://gcc.gnu.org/bugzilla/show_bug.cgi?id=70758

            Bug ID: 70758
           Summary: unique_ptr<T[]> of aligned T calls invalid free
           Product: gcc
           Version: 4.9.2
            Status: UNCONFIRMED
          Severity: normal
          Priority: P3
         Component: c++
          Assignee: unassigned at gcc dot gnu.org
          Reporter: 2013.bugzilla.gcc.gnu.org at ingomueller dot net
  Target Milestone: ---

Created attachment 38321
  --> https://gcc.gnu.org/bugzilla/attachment.cgi?id=38321&action=edit
Example c++ program that produces the invalid free.

In a certain situation, the default delete of a unique_ptr<T[]> calls an
invalid free.

The situation occurs for a struct that has an __attribute__ ((aligned(x))) with
a google dense_hash_map as a member. I haven't been able to figure out what is
special about the dense_hash_map yet. A short version of the code that produces
the bug (full version is attached):

#include <cstdint>
#include <memory>
#include <sparsehash/dense_hash_map>   // google sparsehash-2.0.3

typedef google::dense_hash_map<uint32_t,uint32_t> HmType;

// The alignment attribute is applied to the typedef name C, not to struct C.
typedef struct C {
    HmType hm;
} C __attribute__ ((aligned(64)));

int main(int,char**)
{
    // default_delete<C[]> calls delete[] on the array when cx goes out of scope.
    std::unique_ptr<C[]> cx( new C[100] );
}

The free, called by delete[] from the deleter of the unique_ptr, is invalid:
valgrind says it is "56 bytes inside a block of size 8,064 alloc'd".

To reproduce:
1) Install google sparsehash-2.0.3
   (https://github.com/sparsehash/sparsehash/releases).
2) Compile and run with valgrind:
   g++ -std=c++11 uniqueptr.cpp && valgrind ./a.out

Relevant output:
==7631== Invalid free() / delete / delete[] / realloc()
==7631==    at 0x4C2A8E0: operator delete[](void*) (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==7631==    by 0x401D3D: std::default_delete<C []>::operator()(C*) const (in /tmp/a.out)
==7631==    by 0x4018B4: std::unique_ptr<C [], std::default_delete<C []> >::~unique_ptr() (in /tmp/a.out)
==7631==    by 0x400D10: main (in /tmp/a.out)
==7631==  Address 0x5a07fd8 is 56 bytes inside a block of size 8,064 alloc'd
==7631==    at 0x4C298A0: operator new[](unsigned long) (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==7631==    by 0x400CBB: main (in /tmp/a.out)

Other remark: g++ warns that it ignores attributes on C of the unique_ptr<C>,
but doesn't warn on unique_ptr<C[]>. Maybe it should ignore the alignment for
the array as well, but doesn't?
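Added example, not part of the bug report or of GCC, and needing no sparsehash: a
self-contained program that replaces the global array operator new[]/delete[] so
the raw block handed out at allocation and the pointer received at deallocation
can be compared directly. Under the Itanium C++ ABI (Linux g++/clang++), new T[n]
for a type with a non-trivial destructor stores the element count in a cookie of
max(sizeof(size_t), alignof(T)) bytes immediately before the first element, and
delete[] subtracts that same amount to recover the block. The types Plain and Wide
are constructed for the example; the expected offsets (8 bytes for Plain, 64 bytes
for the 64-byte-aligned Wide) assume that ABI on a 64-bit target. The report's
figures fit a mismatch in exactly this arithmetic, a 64-byte cookie written by
new[] but an 8-byte cookie assumed by delete[], which would leave the freed pointer
64 - 8 = 56 bytes into the block, as valgrind printed; that is my reading of the
numbers, not something the report states.

```cpp
// Added example (not from the bug report or from GCC): observe the array cookie
// that new T[] places before the elements, and check that delete[] issued by
// unique_ptr<T[]>'s default_delete hands operator delete[] the block start.
// Assumes the Itanium C++ ABI (Linux g++ / clang++).
#include <cstddef>
#include <cstdio>
#include <cstdlib>
#include <memory>
#include <new>

static void* g_last_new_block = nullptr;   // raw block returned by the last operator new[]
static void* g_last_delete_ptr = nullptr;  // pointer passed to the last operator delete[]

void* operator new[](std::size_t n) {
    void* p = std::malloc(n ? n : 1);
    if (!p) throw std::bad_alloc();
    g_last_new_block = p;
    return p;
}
void operator delete[](void* p) noexcept { g_last_delete_ptr = p; std::free(p); }
void operator delete[](void* p, std::size_t) noexcept { g_last_delete_ptr = p; std::free(p); }

#ifdef __cpp_aligned_new
// In C++17 an over-aligned T (alignof > __STDCPP_DEFAULT_NEW_ALIGNMENT__) goes
// through these overloads instead; record them the same way.
void* operator new[](std::size_t n, std::align_val_t a) {
    std::size_t al = static_cast<std::size_t>(a);
    std::size_t rounded = (n + al - 1) / al * al;      // aligned_alloc wants a multiple of al
    void* p = std::aligned_alloc(al, rounded ? rounded : al);
    if (!p) throw std::bad_alloc();
    g_last_new_block = p;
    return p;
}
void operator delete[](void* p, std::align_val_t) noexcept { g_last_delete_ptr = p; std::free(p); }
void operator delete[](void* p, std::size_t, std::align_val_t) noexcept { g_last_delete_ptr = p; std::free(p); }
#endif

// Constructed types: a user-provided destructor makes new T[] need a cookie.
struct Plain { int v; ~Plain() {} };
struct alignas(64) Wide { int v; ~Wide() {} };   // mirrors the report's aligned(64)

// Cookie size the ABI prescribes: max(sizeof(size_t), alignof(T)).
constexpr std::size_t cookie_size(std::size_t align) {
    return align > sizeof(std::size_t) ? align : sizeof(std::size_t);
}

// Distance from the block operator new[] returned to the first element, i.e.
// the padded cookie that new T[] placed in front of the array.
template <class T>
std::ptrdiff_t array_cookie_offset() {
    T* arr = new T[3];
    std::ptrdiff_t off = reinterpret_cast<char*>(arr) - static_cast<char*>(g_last_new_block);
    delete[] arr;
    return off;
}

// Same ownership shape as the report: unique_ptr<T[]>, whose default_delete
// calls delete[]. In the healthy case operator delete[] receives exactly the
// block operator new[] returned, not a pointer somewhere inside it.
template <class T>
bool unique_ptr_delete_hits_block_start() {
    std::unique_ptr<T[]> owner(new T[3]);
    void* block = g_last_new_block;
    owner.reset();
    return g_last_delete_ptr == block;
}

int main() {
    std::printf("Plain: cookie offset %td (ABI says %zu)\n",
                array_cookie_offset<Plain>(), cookie_size(alignof(Plain)));
    std::printf("Wide:  cookie offset %td (ABI says %zu)\n",
                array_cookie_offset<Wide>(), cookie_size(alignof(Wide)));
    std::printf("unique_ptr<Wide[]> frees the block start: %s\n",
                unique_ptr_delete_hits_block_start<Wide>() ? "yes" : "no");
    return 0;
}
```

Build with g++ -std=c++11 or -std=c++17; in C++17 mode the 64-byte-aligned type
is routed through the align_val_t overloads, which is why both sets are replaced.
The interesting line is the Wide offset: new[] pays a full 64-byte cookie, and
delete[] must subtract the same 64 bytes, computed from the same alignof(T), or
the free lands inside the block.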

