segmentation fault in std::string destructor

Bug #185918 reported by Rafael Buchbinder
Affects: gcc-4.1 (Ubuntu)
Status: Invalid
Importance: Undecided
Assigned to: Unassigned

Bug Description

Binary package hint: gcc-4.1

Using: Ubuntu 7.10
Default g++ installation.

The following program crashes in ::free() from the std::string destructor:

\code

// file: main.cc

#include <iostream>
#include <string>
#include <typeinfo>
#include <cstdlib>
#include <cxxabi.h>

using namespace std;

std::string
demangle (const char* s)
{
        int status = 0;

        char* demangled = abi::__cxa_demangle(s, 0, 0, &status);

        if (!demangled)
                return "__demangle_failed";

        std::string ans (demangled);

        ::free(demangled);

        return ans;
}

template <class T>
std::string print_class_name (const T& t)
{
        cout << demangle(typeid(t).name()).c_str() << endl;
}

class A {};

int main (int argc, char* argv[])
{
        print_class_name((size_t)1);
        print_class_name((int)1);
        print_class_name((unsigned int)1);
        print_class_name(A());

        return 0;
}

\endcode

Generating the executable via: 'g++ -o test -g main.cc'

After running the generated executable, the program crashes with the following printed in the console:

unsigned int
*** glibc detected *** ./test: free(): invalid pointer: 0x0804a17c ***
======= Backtrace: =========
/lib/tls/i686/cmov/libc.so.6[0xb7d6ad65]
/lib/tls/i686/cmov/libc.so.6(cfree+0x90)[0xb7d6e800]
/usr/lib/libstdc++.so.6(_ZdlPv+0x21)[0xb7f33d81]
/usr/lib/libstdc++.so.6(_ZNSs4_Rep10_M_destroyERKSaIcE+0x1d)[0xb7f0f90d]
/usr/lib/libstdc++.so.6(_ZNSsD1Ev+0x51)[0xb7f117b1]
./test(__gxx_personality_v0+0x288)[0x8048b50]
/lib/tls/i686/cmov/libc.so.6(__libc_start_main+0xe0)[0xb7d17050]
./test(__gxx_personality_v0+0x49)[0x8048911]
Aborted (core dumped)

I have tried to debug via gdb plus the dbg packages for libstdc++ and libc.
It seems that ::free() gets a null pointer.

Rafael Buchbinder (rafi-bk) wrote :

Bug resolved.

The problem is that the global template function print_class_name is declared to return std::string
but does not return anything.

THE real problem is that g++ does not issue even a warning when compiling the above
code via "g++ -o test main.cc". To get a warning one must call "g++ -Wall -o test main.cc".

It seems to me that I have reported this bug too soon, for which I apologise (it will not happen again).

Thanks

Changed in gcc-4.1:
status: New → Invalid
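
A corrected form of the reproducer above, added here as an example and not part of the original report: `print_class_name` is declared `void`, a separate `class_name` helper (a name assumed here) returns the string, and the `__cxa_demangle` buffer is released by a `unique_ptr` deleter (`FreeDeleter`, also an assumed name). Building with `g++ -Wall -Werror=return-type` turns the missing-return defect described in the report into a compile error.

```cpp
// Added example: corrected main.cc. Names class_name and FreeDeleter are
// illustrative and do not appear in the original report.
#include <cstdlib>
#include <cxxabi.h>
#include <iostream>
#include <memory>
#include <string>
#include <typeinfo>

// __cxa_demangle returns a malloc'ed buffer, so it must be released with free().
struct FreeDeleter {
    void operator()(char* p) const { std::free(p); }
};

std::string demangle(const char* mangled)
{
    int status = 0;
    std::unique_ptr<char, FreeDeleter> buf(
        abi::__cxa_demangle(mangled, nullptr, nullptr, &status));
    if (status != 0 || !buf)
        return "__demangle_failed";
    return std::string(buf.get());   // copy out before the buffer is freed
}

// Every path returns a std::string, so the caller never destroys an
// object that was not constructed.
template <class T>
std::string class_name(const T& t)
{
    return demangle(typeid(t).name());
}

// Printing has no result to hand back, so the return type is void.
template <class T>
void print_class_name(const T& t)
{
    std::cout << class_name(t) << '\n';
}

class A {};

int main()
{
    print_class_name(1);
    print_class_name(1u);
    print_class_name(A());
    return 0;
}
```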