Throwing exception in constructor causes segfault

Throwing exception in constructor causes segfault

[Craig Rodrigues]

Hi,

The following testcase was submitted in PR 5757:

class X
{
public:
  X ()
  {
    throw ""; 
  }

  ~X ()
  {
  }
};

int
main ()
{
  try
  {
    X *p = new X[4];
   delete[]p;
  }
  catch (...)
  {
  }
  return 0;
}


If this example is run, a segfault occurs.

The backtrace of the segfault is:
#0  operator delete[](void*) (ptr=0x804aa34) at del_opv.cc:36
#1  0x08048963 in main () at t.cpp:20
#2  0x401202ae in __libc_start_main (main=0x8048890 <main>, argc=1, 
    ubp_av=0xbffff754, init=0x8048670 <_init>, fini=0x8048a50 <_fini>, 
    rtld_fini=0x4000cf28 <_dl_fini>, stack_end=0xbffff74c)
    at ../sysdeps/generic/libc-start.c:129


I don't know how this stuff works, but I am guessing
that for some reason, during the stack unwinding, the
destructor is being called on *p, even though it
is not fully constructed, and this is causing problems.

Does anyone have any ideas about this?

Thanks.
-- 
Craig Rodrigues        
http://www.gis.net/~craigr    
rodrigc@attbi.com

Re: Throwing exception in constructor causes segfault

[Andreas Schwab]

Craig Rodrigues <rodrigc@attbi.com> writes:

|> I don't know how this stuff works, but I am guessing
|> that for some reason, during the stack unwinding, the
|> destructor is being called on *p, even though it
|> is not fully constructed, and this is causing problems.
|> 
|> Does anyone have any ideas about this?

The problem is that operator delete[]() is receiving a different address
than returned by operator new[]().  It looks like it is not adjusted for
the cookie.

Andreas.

-- 
Andreas Schwab, SuSE Labs, schwab@suse.de
SuSE GmbH, Deutschherrnstr. 15-19, D-90429 Nürnberg
Key fingerprint = 58CA 54C7 6D53 942B 1756  01D3 44D5 214B 8276 4ED5
"And now for something completely different."

Re: Throwing exception in constructor causes segfault

[Craig Rodrigues]

On Sat, Feb 23, 2002 at 09:56:48PM +0100, Andreas Schwab wrote:
> The problem is that operator delete[]() is receiving a different address
> than returned by operator new[]().  It looks like it is not adjusted for
> the cookie.

I don't understand the gcc exception handling code, so
can you explain this in more detail?   What is a cookie
in this case?

Also, in my testcase, if you comment out the delete[] p; line,
the testcase will still segfault.  Looks like delete[] is
called in the stack unwind code for some reason, if you
don't call it yourself.
-- 
Craig Rodrigues        
http://www.gis.net/~craigr    
rodrigc@attbi.com

Re: Throwing exception in constructor causes segfault

[Andreas Schwab]

Craig Rodrigues <rodrigc@attbi.com> writes:

|> On Sat, Feb 23, 2002 at 09:56:48PM +0100, Andreas Schwab wrote:
|> > The problem is that operator delete[]() is receiving a different address
|> > than returned by operator new[]().  It looks like it is not adjusted for
|> > the cookie.
|> 
|> I don't understand the gcc exception handling code, so
|> can you explain this in more detail?   What is a cookie
|> in this case?

The cookie is just the number of elements of the array that is placed at
the beginning of the memory allocated with new[].  This has nothing to do
with exceptions.  It is needed so that delete[] knows how often it has to
call the destructor.

|> Also, in my testcase, if you comment out the delete[] p; line,
|> the testcase will still segfault.  Looks like delete[] is
|> called in the stack unwind code for some reason, if you
|> don't call it yourself.

Yes, the unwinder deallocates the array, since the exception occures when
the memory is already allocated.

Andreas.

-- 
Andreas Schwab, SuSE Labs, schwab@suse.de
SuSE GmbH, Deutschherrnstr. 15-19, D-90429 Nürnberg
Key fingerprint = 58CA 54C7 6D53 942B 1756  01D3 44D5 214B 8276 4ED5
"And now for something completely different."

Re: Throwing exception in constructor causes segfault

[Jason Merrill]

Fixed.