[Bug ada/41100] New: [4.4 regression] Unchecked_Deallocation causes double-free errors

[Bug ada/41100] New: [4.4 regression] Unchecked_Deallocation causes double-free errors

[ludovic at ludovic-brenta dot org]

(Forwarding Debian Bug#542158)

Unchecked_Deallocation of a record extension containing an Unbounded_String
executes incorrectly. Here is a reproducer:

with Ada.Strings.Unbounded;
use Ada.Strings.Unbounded;
package Double_Free is
   type Test_Base is tagged null record;
   type Test_Class_Access is access all Test_Base'Class;
   type Test_Extension is new Test_Base with record
      Last_Name : Unbounded_String := Null_Unbounded_String;
   end record;
end Double_Free;

   ---

with Ada.Unchecked_Deallocation;
with Double_Free; use Double_Free;
procedure Main is
   procedure Free is new Ada.Unchecked_Deallocation
     (Object => Test_Base'Class,
      Name   => Test_Class_Access);
   Handle : Test_Class_Access := new Test_Extension;
begin
   Free (Handle);
end Main;

$ gnatmake main.adb
$ ./main
*** glibc detected *** main: double free or corruption errors.

valgrind --leak-check=full --show-reachable=yes --leak-resolution=high ./main

==5772== Memcheck, a memory error detector.
==5772== Copyright (C) 2002-2008, and GNU GPL'd, by Julian Seward et al.
==5772== Using LibVEX rev 1884, a library for dynamic binary translation.
==5772== Copyright (C) 2004-2008, and GNU GPL'd, by OpenWorks LLP.
==5772== Using valgrind-3.4.1-Debian, a dynamic binary instrumentation
framework.
==5772== Copyright (C) 2000-2008, and GNU GPL'd, by Julian Seward et al.
==5772== For more details, rerun with: -v
==5772==
==5772== Invalid free() / delete / delete[]
==5772==    at 0x4C2261F: free (vg_replace_malloc.c:323)
==5772==    by 0x50A8D84: __gnat_free (in /usr/lib/libgnat-4.4.so.1)
==5772==    by 0x403FC4: _ada_main (in /home/reet/double-free/obj/main)
==5772==    by 0x40327B: main (in /home/reet/double-free/obj/main)
==5772==  Address 0x5b3b040 is 16 bytes inside a block of size 136 alloc'd
==5772==    at 0x4C2391E: malloc (vg_replace_malloc.c:207)
==5772==    by 0x50A8DC7: __gnat_malloc (in /usr/lib/libgnat-4.4.so.1)
==5772==    by 0x403EF0: _ada_main (in /home/reet/double-free/obj/main)
==5772==    by 0x40327B: main (in /home/reet/double-free/obj/main)
==5772==
==5772== ERROR SUMMARY: 1 errors from 1 contexts (suppressed: 8 from 1)
==5772== malloc/free: in use at exit: 136 bytes in 1 blocks.
==5772== malloc/free: 1 allocs, 1 frees, 136 bytes allocated.
==5772== For counts of detected errors, rerun with: -v
==5772== searching for pointers to 1 not-freed blocks.
==5772== checked 203,328 bytes.
==5772==
==5772==
==5772== 136 bytes in 1 blocks are definitely lost in loss record 1 of 1
==5772==    at 0x4C2391E: malloc (vg_replace_malloc.c:207)
==5772==    by 0x50A8DC7: __gnat_malloc (in /usr/lib/libgnat-4.4.so.1)
==5772==    by 0x403EF0: _ada_main (in /home/reet/double-free/obj/main)
==5772==    by 0x40327B: main (in /home/reet/double-free/obj/main)
==5772==
==5772== LEAK SUMMARY:
==5772==    definitely lost: 136 bytes in 1 blocks.
==5772==      possibly lost: 0 bytes in 0 blocks.
==5772==    still reachable: 0 bytes in 0 blocks.
==5772==         suppressed: 0 bytes in 0 blocks.

Freeing memory of a base type object (Test_Base) works without problems.
When the unbounded string field (Name) is removed or replaced (e.g. by
an Integer), freeing also works for the type extension.

The code has been tested with the following compiler / arch
combinations:

i386/gnat-4.3  : works
i386/gnat-4.4  : works
amd64/gnat-4.3 : works
amd64/gnat-4.4 : FAILS

This bug hurts PolyORB and prevents us from migrating all Ada packages in
Debian to gnat-4.4.


-- 
           Summary: [4.4 regression] Unchecked_Deallocation causes double-
                    free errors
           Product: gcc
           Version: 4.4.1
            Status: UNCONFIRMED
          Severity: major
          Priority: P3
         Component: ada
        AssignedTo: unassigned at gcc dot gnu dot org
        ReportedBy: ludovic at ludovic-brenta dot org
  GCC host triplet: x86_64-linux-gnu


http://gcc.gnu.org/bugzilla/show_bug.cgi?id=41100

[Bug ada/41100] [4.4 regression] Unchecked_Deallocation causes double-free errors

[jsm28 at gcc dot gnu dot org]

-- 

jsm28 at gcc dot gnu dot org changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
   Target Milestone|---                         |4.4.2


http://gcc.gnu.org/bugzilla/show_bug.cgi?id=41100

[Bug ada/41100] [4.4 regression] Unchecked_Deallocation causes double-free errors

[jakub at gcc dot gnu dot org]

-- 

jakub at gcc dot gnu dot org changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
           Priority|P3                          |P4


http://gcc.gnu.org/bugzilla/show_bug.cgi?id=41100

[Bug ada/41100] [4.4 regression] Unchecked_Deallocation causes double-free errors

[ludovic at ludovic-brenta dot org]

------- Comment #1 from ludovic at ludovic-brenta dot org  2009-09-05 07:34 -------
Created an attachment (id=18499)
 --> (http://gcc.gnu.org/bugzilla/attachment.cgi?id=18499&action=view)
Diff between gnatmake -gnatDg -Pdoublefree.gpr on 32-bit i486 and 64-bit amd64.


-- 


http://gcc.gnu.org/bugzilla/show_bug.cgi?id=41100

[Bug ada/41100] [4.4 regression] Unchecked_Deallocation causes double-free errors

[ludovic at ludovic-brenta dot org]

------- Comment #2 from ludovic at ludovic-brenta dot org  2009-09-05 07:38 -------
Created an attachment (id=18500)
 --> (http://gcc.gnu.org/bugzilla/attachment.cgi?id=18500&action=view)
Object and executable files, plus output of -gnatDg, on 32-bit i486.


-- 


http://gcc.gnu.org/bugzilla/show_bug.cgi?id=41100

[Bug ada/41100] [4.4 regression] Unchecked_Deallocation causes double-free errors

[ludovic at ludovic-brenta dot org]

------- Comment #3 from ludovic at ludovic-brenta dot org  2009-09-05 07:39 -------
Created an attachment (id=18501)
 --> (http://gcc.gnu.org/bugzilla/attachment.cgi?id=18501&action=view)
Object and executable files, plus output of -gnatDg, on 64-bit x86-64 (amd64). 


-- 


http://gcc.gnu.org/bugzilla/show_bug.cgi?id=41100

[Bug ada/41100] [4.4 regression] Unchecked_Deallocation causes wrong free errors

[laurent at guerby dot net]

------- Comment #4 from laurent at guerby dot net  2009-09-24 15:51 -------
It's not a double free: free is called once but not with the pointer returned
by malloc, it is passed for some reason the pointer returned by malloc + 0x10. 
valgrind detects it when it reports: "Address 0x5b3b040 is 16 bytes inside a
block of size 136 "

(gdb) r
The program being debugged has been started already.
Start it from the beginning? (y or n) y
Starting program: /home/guerby/pr41100/main 

Breakpoint 5, <__gnat_malloc> (size=136) at
/opt/cfarm/release/4.4.1/lib/gcc/x86_64-unknown-linux-gnu/4.4.1/adainclude/s-memory.adb:74
74            Actual_Size : size_t := Size;
(gdb) fin
Run till exit from #0  <__gnat_malloc> (size=136) at
/opt/cfarm/release/4.4.1/lib/gcc/x86_64-unknown-linux-gnu/4.4.1/adainclude/s-memory.adb:74
0x000000000043fd5d in main () at main.adb.dg:22
22         P2b : constant double_free__test_class_access := new
Value returned is $1 = (system.address) 0x563010
(gdb) c
Continuing.

Breakpoint 6, <__gnat_free> (ptr=(system.address) 0x563020) at
/opt/cfarm/release/4.4.1/lib/gcc/x86_64-unknown-linux-gnu/4.4.1/adainclude/s-memory.adb:114
114              Abort_Defer.all;
(gdb) q
The program is running.  Exit anyway? (y or n) y

I'm trying with trunk just to see if it's still there.


-- 

laurent at guerby dot net changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |laurent at guerby dot net
             Status|UNCONFIRMED                 |NEW
     Ever Confirmed|0                           |1
      Known to fail|                            |4.4.1
           Priority|P4                          |P3
   Last reconfirmed|0000-00-00 00:00:00         |2009-09-24 15:51:41
               date|                            |
            Summary|[4.4 regression]            |[4.4 regression]
                   |Unchecked_Deallocation      |Unchecked_Deallocation
                   |causes double-free errors   |causes wrong free errors


http://gcc.gnu.org/bugzilla/show_bug.cgi?id=41100

[Bug ada/41100] [4.4/4.5 regression] Unchecked_Deallocation causes wrong free errors

[laurent at guerby dot net]

------- Comment #5 from laurent at guerby dot net  2009-09-24 16:48 -------
Same issue on x86_64-linux with gcc version 4.5.0 20090924 (experimental)
[trunk revision 152124] (GCC) 


-- 

laurent at guerby dot net changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
           Keywords|                            |wrong-code
      Known to fail|4.4.1                       |4.4.1 4.5.0
            Summary|[4.4 regression]            |[4.4/4.5 regression]
                   |Unchecked_Deallocation      |Unchecked_Deallocation
                   |causes wrong free errors    |causes wrong free errors


http://gcc.gnu.org/bugzilla/show_bug.cgi?id=41100

[Bug ada/41100] [4.4/4.5 regression] Unchecked_Deallocation causes wrong free errors

[laurent at guerby dot net]

------- Comment #6 from laurent at guerby dot net  2009-09-24 17:44 -------
Eric, do you have an idea on what could be wrong here? -gnatDG output looks
fine, the bug is present at all optimization level so may be it's gigi?


-- 

laurent at guerby dot net changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |ebotcazou at gcc dot gnu dot
                   |                            |org


http://gcc.gnu.org/bugzilla/show_bug.cgi?id=41100

[Bug ada/41100] [4.4/4.5 regression] Unchecked_Deallocation causes wrong free errors

[ebotcazou at gcc dot gnu dot org]

------- Comment #7 from ebotcazou at gcc dot gnu dot org  2009-09-24 20:27 -------
Investigating.


-- 

ebotcazou at gcc dot gnu dot org changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
         AssignedTo|unassigned at gcc dot gnu   |ebotcazou at gcc dot gnu dot
                   |dot org                     |org
             Status|NEW                         |ASSIGNED
   Last reconfirmed|2009-09-24 15:51:41         |2009-09-24 20:27:07
               date|                            |


http://gcc.gnu.org/bugzilla/show_bug.cgi?id=41100

[Bug ada/41100] [4.4/4.5 regression] Unchecked_Deallocation causes wrong free errors

[ebotcazou at gcc dot gnu dot org]

------- Comment #8 from ebotcazou at gcc dot gnu dot org  2009-09-25 16:40 -------
OK, that's a known issue, unfortunately not straightforward to solve.  We'll
probably need to resort to a workaround for 4.4.x at least.


-- 


http://gcc.gnu.org/bugzilla/show_bug.cgi?id=41100

[Bug ada/41100] [4.4/4.5 regression] Unchecked_Deallocation causes wrong free errors

[laurent at guerby dot net]

------- Comment #9 from laurent at guerby dot net  2009-09-25 17:03 -------
Thanks for your analysis! I'm curious at what's going wrong: it looks scary to
have wrong code in such a simple use case :)


-- 


http://gcc.gnu.org/bugzilla/show_bug.cgi?id=41100

[Bug ada/41100] [4.4/4.5 regression] Unchecked_Deallocation causes wrong free errors

[ebotcazou at gcc dot gnu dot org]

------- Comment #10 from ebotcazou at gcc dot gnu dot org  2009-09-25 17:20 -------
> Thanks for your analysis! I'm curious at what's going wrong: it looks scary to
> have wrong code in such a simple use case :)

See utils2.c:maybe_wrap_malloc and maybe_wrap_free for the story about the
super-alignment business.  This doesn't play nice with polymorphism.


-- 


http://gcc.gnu.org/bugzilla/show_bug.cgi?id=41100

[Bug ada/41100] [4.4/4.5 regression] Unchecked_Deallocation causes wrong free errors

[laurent at guerby dot net]

------- Comment #11 from laurent at guerby dot net  2009-09-25 17:44 -------
Oh, I didn't realize Test_Extension'Alignment was 16, I wonder what causes it
to be super-aligned, I see no obvious candidate from -gnatR2...


-- 


http://gcc.gnu.org/bugzilla/show_bug.cgi?id=41100

[Bug ada/41100] [4.4/4.5 regression] Unchecked_Deallocation causes wrong free errors

[ludovic at ludovic-brenta dot org]

------- Comment #12 from ludovic at ludovic-brenta dot org  2009-09-25 18:15 -------
Eric, in comment #8, did you mean a workaround inside the compiler, or a
workaround in user code? Because the latter is impractical for Debian which
contains more than 2 million lines of Ada, with 350k more lines (PolyORB, known
to trigger the problem) on the way.

Thanks for all your efforts so far!


-- 


http://gcc.gnu.org/bugzilla/show_bug.cgi?id=41100

[Bug ada/41100] [4.4/4.5 regression] Unchecked_Deallocation causes wrong free errors

[ebotcazou at gcc dot gnu dot org]

------- Comment #13 from ebotcazou at gcc dot gnu dot org  2009-09-25 18:20 -------
> Oh, I didn't realize Test_Extension'Alignment was 16, I wonder what causes it
> to be super-aligned, I see no obvious candidate from -gnatR2...

A pointer to unconstrained array forces double-word alignment

  type String_Access is access all String;

  type Test_Extension is new Test_Base with record
    Last_Name : String_Access;
  end record;

for historical reasons.


-- 


http://gcc.gnu.org/bugzilla/show_bug.cgi?id=41100

[Bug ada/41100] [4.4/4.5 regression] Unchecked_Deallocation causes wrong free errors

[ebotcazou at gcc dot gnu dot org]

------- Comment #14 from ebotcazou at gcc dot gnu dot org  2009-09-25 18:24 -------
> Eric, in comment #8, did you mean a workaround inside the compiler, or a
> workaround in user code? Because the latter is impractical for Debian which
> contains more than 2 million lines of Ada, with 350k more lines (PolyORB, known
> to trigger the problem) on the way.

The former, don't worry. :-)


-- 


http://gcc.gnu.org/bugzilla/show_bug.cgi?id=41100

[Bug ada/41100] [4.4/4.5 regression] Unchecked_Deallocation causes wrong free errors

[laurent at guerby dot net]

------- Comment #15 from laurent at guerby dot net  2009-09-28 19:01 -------
testcase fixed on trunk by:

2009-09-28  Olivier Hainque  <hainque@adacore.com>

        ada/
        * gcc-interface/targtyps.c (get_target_default_allocator_alignment):
        Account for observable alignments out of default allocators.

http://gcc.gnu.org/ml/gcc-patches/2009-09/msg01987.html

I checked with gcc version 4.5.0 20090928 (experimental) [trunk revision
152246] (GCC).

I didn't test 4.4 but the patch should apply there too, no?


-- 


http://gcc.gnu.org/bugzilla/show_bug.cgi?id=41100

[Bug ada/41100] [4.4/4.5 regression] Unchecked_Deallocation causes wrong free errors

[hainque at gcc dot gnu dot org]

------- Comment #16 from hainque at gcc dot gnu dot org  2009-09-28 21:56 -------
Subject: Bug 41100

Author: hainque
Date: Mon Sep 28 21:55:54 2009
New Revision: 152255

URL: http://gcc.gnu.org/viewcvs?root=gcc&view=rev&rev=152255
Log:
        PR ada/41100

        ada/
        * gcc-interface/targtyps.c
        * (get_target_default_allocator_alignment):
        Account for observable alignments out of default allocators.

        testsuite/
        * gnat.dg (tagged_alloc_free.adb): New testcase.


Modified:
    branches/gcc-4_4-branch/gcc/ada/ChangeLog
    branches/gcc-4_4-branch/gcc/ada/gcc-interface/targtyps.c
    branches/gcc-4_4-branch/gcc/testsuite/ChangeLog


-- 


http://gcc.gnu.org/bugzilla/show_bug.cgi?id=41100

[Bug ada/41100] [4.4/4.5 regression] Unchecked_Deallocation causes wrong free errors

[hainque at adacore dot com]

------- Comment #17 from hainque at adacore dot com  2009-09-28 22:07 -------
> I checked with gcc version 4.5.0 20090928 (experimental) [trunk revision
> 152246] (GCC).
> 
> I didn't test 4.4 but the patch should apply there too, no?

Yes, and I just applied it. This is not a fullproof resolution of
the general problem with tagged types, but makes sense overall
and should get us back to the situation as it was in 4.3.

The particular instance you were observing should definitely
not cause trouble any more.

Olivier


-- 

hainque at adacore dot com changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |hainque at adacore dot com


http://gcc.gnu.org/bugzilla/show_bug.cgi?id=41100

[Bug ada/41100] [4.4/4.5 regression] Unchecked_Deallocation causes wrong free errors

[ebotcazou at gcc dot gnu dot org]

------- Comment #18 from ebotcazou at gcc dot gnu dot org  2009-09-29 05:05 -------
Thank you Olivier.


-- 

ebotcazou at gcc dot gnu dot org changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|ASSIGNED                    |RESOLVED
         Resolution|                            |FIXED


http://gcc.gnu.org/bugzilla/show_bug.cgi?id=41100

[Bug ada/41100] [4.4/4.5 regression] Unchecked_Deallocation causes wrong free errors

[ludovic at ludovic-brenta dot org]

------- Comment #19 from ludovic at ludovic-brenta dot org  2009-09-30 17:35 -------
I also applied the patch to GCC 4.4 and confirmed that it fixes this particular
bug.  Barring any other blocking problems, Debian will be able to switch to GCC
4.4 as the default Ada compiler.  Thank you all for this quick resolution!


-- 


http://gcc.gnu.org/bugzilla/show_bug.cgi?id=41100