* [Bug libstdc++/16655] New: Segmentation fault in the std::ofstream destructor
@ 2004-07-21  9:49 Serguei dot Kolos at cern dot ch
  2004-07-21 19:29 ` [Bug libstdc++/16655] " pinskia at gcc dot gnu dot org
                   ` (4 more replies)
  0 siblings, 5 replies; 6+ messages in thread
From: Serguei dot Kolos at cern dot ch @ 2004-07-21  9:49 UTC (permalink / raw)
  To: gcc-bugs

On some file systems (for example on AFS), the ofstream destructor crashes the
application if there is no space left on that FS. This happens because it calls
the fclose() function 2 times. 
In more detail, the problem is that when there is no space left on AFS, the fflush()
succeeds and only fclose() fails. In this case:

1. the __basic_file<char>::close() is called twice - first time by the
basic_filebuf<char, std::char_traits<char> >::close() and second time by the
__basic_file<char> destructor.
2. in the first call the fclose() fails and the _M_cfile is not set to 0.
3. in the second call __basic_file<char>::is_open() returns true because the
_M_cfile is not 0, and the fclose() is called a second time and tries to use the
memory which was already freed by the previous invocation of the fclose().
4. Program crashes.

Here is the program, which reproduces the bug:

#include <fstream>
#include <iostream>

using namespace std;

int main()
{
    ofstream foo( "foo.bar", std::ios::out | std::ios::trunc );
    
    for ( int i = 0; i < 1000000; i++ )
        foo << "hello";
    
    cout << "foo.good() = " << foo.good() << endl;
    cout << "foo.bad() = " << foo.bad() << endl;
    cout << "foo.eof() = " << foo.eof() << endl;
    cout << "foo.fail() = " << foo.fail() << endl << endl;
    
    foo.flush();
    
    cout << "foo.good() = " << foo.good() << endl;
    cout << "foo.bad() = " << foo.bad() << endl;
    cout << "foo.eof() = " << foo.eof() << endl;
    cout << "foo.fail() = " << foo.fail() << endl << endl;
    
    foo.close();
    
    cout << "foo.good() = " << foo.good() << endl;
    cout << "foo.bad() = " << foo.bad() << endl;
    cout << "foo.eof() = " << foo.eof() << endl;
    cout << "foo.fail() = " << foo.fail() << endl;
    
    return 0;
}


The output is (on AFS with not enough space left):

foo.good() = 1
foo.bad() = 0
foo.eof() = 0
foo.fail() = 0

foo.good() = 1
foo.bad() = 0
foo.eof() = 0
foo.fail() = 0

foo.good() = 0
foo.bad() = 0
foo.eof() = 0
foo.fail() = 1
Segmentation fault (core dumped)

The problem does not appear for a local file system because in this case the
fflush() fails and the destructor works correctly.

-- 
           Summary: Segmentation fault in the std::ofstream destructor
           Product: gcc
           Version: 3.2
            Status: UNCONFIRMED
          Severity: critical
          Priority: P3
         Component: libstdc++
        AssignedTo: unassigned at gcc dot gnu dot org
        ReportedBy: Serguei dot Kolos at cern dot ch
                CC: gcc-bugs at gcc dot gnu dot org
 GCC build triplet: i386-pc-linux-gnu
  GCC host triplet: i386-pc-linux-gnu
GCC target triplet: i386-pc-linux-gnu


http://gcc.gnu.org/bugzilla/show_bug.cgi?id=16655



* [Bug libstdc++/16655] Segmentation fault in the std::ofstream destructor
From: pinskia at gcc dot gnu dot org @ 2004-07-21 19:29 UTC (permalink / raw)
  To: gcc-bugs


------- Additional Comments From pinskia at gcc dot gnu dot org  2004-07-21 19:29 -------
This sounds like a bug in AFS rather than libstdc++.  Also I think this is fixed for 3.4.0 anyways, can 
you try gcc 3.4.0?

-- 
           What    |Removed                     |Added
----------------------------------------------------------------------------
           Severity|critical                    |minor


http://gcc.gnu.org/bugzilla/show_bug.cgi?id=16655



* [Bug libstdc++/16655] Segmentation fault in the std::ofstream destructor
From: pcarlini at suse dot de @ 2004-07-30  9:30 UTC (permalink / raw)
  To: gcc-bugs


------- Additional Comments From pcarlini at suse dot de  2004-07-30 09:30 -------
Indeed, assuming the analysis is correct, the bug should be fixed also in 3.3.x,
since __basic_file<char>::close() sets _M_cfile = 0 even when fclose fails: 2.
does not hold.

-- 


http://gcc.gnu.org/bugzilla/show_bug.cgi?id=16655
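
The double close from the original report (steps 1-4) next to the behaviour described in the reply above, where the handle is cleared even when the close fails. This is an added example, not libstdc++ code and not from the thread: `FakeStream`, `fake_fclose`, `BuggyFile` and `FixedFile` are hypothetical stand-ins, and `fake_fclose` counts calls so the second close is observable without touching freed memory.

```cpp
// Added illustration, not libstdc++ source: FakeStream/fake_fclose stand in for FILE*/fclose().
#include <cstdio>

struct FakeStream { int close_calls = 0; };

// Models fclose() on a full file system: the final write fails, the call
// returns EOF, but the stream is released anyway and must not be reused.
int fake_fclose(FakeStream* s) { ++s->close_calls; return EOF; }

// 'Before': the handle is cleared only when the close succeeds (step 2).
struct BuggyFile {
    FakeStream* cfile;
    explicit BuggyFile(FakeStream* s) : cfile(s) {}
    bool is_open() const { return cfile != nullptr; }
    bool close() {
        if (!is_open()) return false;
        if (fake_fclose(cfile) != 0) return false;   // handle left dangling
        cfile = nullptr;
        return true;
    }
    ~BuggyFile() { close(); }   // second close on the same stream (step 3)
};

// 'After': the handle is cleared whether or not the close succeeded.
struct FixedFile {
    FakeStream* cfile;
    explicit FixedFile(FakeStream* s) : cfile(s) {}
    bool is_open() const { return cfile != nullptr; }
    bool close() {
        if (!is_open()) return false;
        int err = fake_fclose(cfile);
        cfile = nullptr;        // never touch the stream again
        return err == 0;
    }
    ~FixedFile() { close(); }
};

// Explicit close() followed by destruction; returns how many times the
// underlying stream was closed (anything above 1 is a double close).
template <class File> int closes_after_failed_close() {
    FakeStream s;
    { File f(&s); f.close(); }
    return s.close_calls;
}

int main() {
    std::printf("buggy=%d fixed=%d\n", closes_after_failed_close<BuggyFile>(),
                closes_after_failed_close<FixedFile>());
}
```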



* [Bug libstdc++/16655] Segmentation fault in the std::ofstream destructor
From: giovannibajo at libero dot it @ 2004-08-16  0:33 UTC (permalink / raw)
  To: gcc-bugs


------- Additional Comments From giovannibajo at libero dot it  2004-08-16 00:33 -------
Waiting for feedback from Serguei: the bug should be fixed on 3.3.x, 3.4.x and 
mainline. Would you please check with one of those compilers?

-- 
           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|UNCONFIRMED                 |WAITING


http://gcc.gnu.org/bugzilla/show_bug.cgi?id=16655



* [Bug libstdc++/16655] Segmentation fault in the std::ofstream destructor
From: Serguei dot Kolos at cern dot ch @ 2004-08-16  7:52 UTC (permalink / raw)
  To: gcc-bugs


------- Additional Comments From Serguei dot Kolos at cern dot ch  2004-08-16 07:52 -------
(In reply to comment #3)
> Waiting for feedback from Serguei: the bug should be fixed on 3.3.x, 3.4.x and 
> mainline. Would you please check with one of those compilers?
You are right. The bug is fixed in the 3.3.x compiler. I did not check any of the
3.4.x, but I would assume they should have it correct also. 
The last compiler which still has this bug is the 3.2.3. Do you still provide
bug fixes for the 3.2.x family? The problem for me is that I'm working for a
large scientific community and changing compiler takes ages for us. For the
moment we are still using 3.2.

-- 


http://gcc.gnu.org/bugzilla/show_bug.cgi?id=16655



* [Bug libstdc++/16655] Segmentation fault in the std::ofstream destructor
From: pinskia at gcc dot gnu dot org @ 2004-08-16  7:57 UTC (permalink / raw)
  To: gcc-bugs


------- Additional Comments From pinskia at gcc dot gnu dot org  2004-08-16 07:57 -------
Well, the 3.2 branch is no longer being maintained, so no, we do not provide patches for 3.2.

Now I don't even know if the patch which fixed this could be backported or not.

Closing as fixed.

-- 
           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|WAITING                     |RESOLVED
         Resolution|                            |FIXED
   Target Milestone|---                         |3.3


http://gcc.gnu.org/bugzilla/show_bug.cgi?id=16655

