[Bug libstdc++/54186] New: PowerPC: Double free, same malloc address for two pointers after free

[Bug libstdc++/54186] New: PowerPC: Double free, same malloc address for two pointers after free

[poyo_vl at yahoo dot com]

http://gcc.gnu.org/bugzilla/show_bug.cgi?id=54186

             Bug #: 54186
           Summary: PowerPC: Double free, same malloc address for two
                    pointers after free
    Classification: Unclassified
           Product: gcc
           Version: 4.2.1
            Status: UNCONFIRMED
          Severity: normal
          Priority: P3
         Component: libstdc++
        AssignedTo: unassigned@gcc.gnu.org
        ReportedBy: poyo_vl@yahoo.com


Hi,

This is first bug I post here, I'm not sure if it is a bug or not, but this is
how it looks like.

GCC version: gcc-4.2.187-eglibc-2.5.187

I compile something for PowerPC (32) and I have a class with:
- a constructor where there are 2 pointer malloc() allocations
- possible realloc() during class ussage
- a destructor where there are 2 free() for that pointers

During program execution I receive SIGSEGV (strace):

*** glibc detected *** /path/my_tool: double free or corruption (!prev):
0x100f6130 ***

[pid 24045] tgkill(23758, 24045, SIGABRT) = 0
[pid 24045] --- SIGABRT (Aborted) @ 0 (0) ---
[pid 24045] --- SIGSEGV (Segmentation fault) @ 0 (0) ---

Also, something strange, the process is not terminated, it looks like it is
locked in a futex. I killed it with SIGKILL.

[pid 23758] futex(0xf9b5ae8, FUTEX_WAIT, 2, NULL) = ? ERESTARTSYS (To be
restarted)
[pid 23758] --- SIGTERM (Terminated) @ 0 (0) ---
[pid 23758] futex(0xf9b5060, FUTEX_WAIT, 2, NULL <unfinished ...>
[pid 24045] +++ killed by SIGKILL +++
PANIC: handle_group_exit: 24045 leader 23758
+++ killed by SIGKILL +++

Following the backtrace, it looks like the problem is a double free in my
destructor. 

The example of the problem:

Creating a object, I get for my pointers:
- pointer 1: 0x100ee780
- pointer 2: 0x100f0228

And for this object, the destructor works ok.

However, creating a NEW object, I get SAME VALUES for newly malloc()ated
pointers (but I think "reversed"):
- pointer 1: 0x100f0228
- pointer 2: 0x100ee780

The 0x100ee780 pointer gets "relloc"ated, but the result is the same address:
0x100ee780

And in the destructor, when I try to free() those pointers I get the SIGSEGV...

Do you think this is a glibc problem? 

Also, this may be related: http://gcc.gnu.org/bugzilla/show_bug.cgi?id=52839

I hope I posted ok.

Thank you,
Ionut

[Bug libstdc++/54186] PowerPC: Double free, same malloc address for two pointers after free

[rguenth at gcc dot gnu.org]

http://gcc.gnu.org/bugzilla/show_bug.cgi?id=54186

Richard Guenther <rguenth at gcc dot gnu.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Target|                            |powerpc-*-linux
             Status|UNCONFIRMED                 |WAITING
   Last reconfirmed|                            |2012-08-06
     Ever Confirmed|0                           |1

--- Comment #1 from Richard Guenther <rguenth at gcc dot gnu.org> 2012-08-06 08:31:58 UTC ---
GCC 4.2.x is no longer maintained, please try at least GCC 4.6.4 and reproduce
your issue.

[Bug libstdc++/54186] PowerPC: Double free, same malloc address for two pointers after free

[redi at gcc dot gnu.org]

http://gcc.gnu.org/bugzilla/show_bug.cgi?id=54186

--- Comment #2 from Jonathan Wakely <redi at gcc dot gnu.org> 2012-08-06 10:12:13 UTC ---
(In reply to comment #0)
> I hope I posted ok.

Please read http://gcc.gnu.org/bugs/

[Bug libstdc++/54186] PowerPC: Double free, same malloc address for two pointers after free

[pinskia at gcc dot gnu.org]

http://gcc.gnu.org/bugzilla/show_bug.cgi?id=54186

--- Comment #3 from Andrew Pinski <pinskia at gcc dot gnu.org> 2012-08-06 17:31:05 UTC ---
A testcase would be nice.

[Bug libstdc++/54186] PowerPC: Double free, same malloc address for two pointers after free

[poyo_vl at yahoo dot com]

http://gcc.gnu.org/bugzilla/show_bug.cgi?id=54186

--- Comment #4 from Ionut Popescu <poyo_vl at yahoo dot com> 2012-08-06 19:38:37 UTC ---
I'm sorry for posting it wrong.

First, I can't use other compiler (a newer one), it not depends on me...

Second, I figured out where is the problem: realloc()!

The problem is that when I don't have enough space (512 B blocks) I realloc()
for more space, both of my pointers. 

Even if the pointers get the same value as before or new values, it crashes on
free, free on the realloc() resulted pointer!

I also wrote my own "realloc" function, that calls just malloc(), memcpy() and
free() to avoid original realloc() but strange, it also crashes on free()-ing
resulted pointers.

I'm sorry and thank you for your time, please close this.

Ionut

[Bug libstdc++/54186] PowerPC: Double free, same malloc address for two pointers after free

[paolo.carlini at oracle dot com]

http://gcc.gnu.org/bugzilla/show_bug.cgi?id=54186

Paolo Carlini <paolo.carlini at oracle dot com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|WAITING                     |RESOLVED
         Resolution|                            |INVALID

--- Comment #5 from Paolo Carlini <paolo.carlini at oracle dot com> 2012-08-06 19:43:29 UTC ---
Closing.