I have the same problem after upgrade to 3.2.0, 3.0.4 is all good. In my program, when free a TStringList that used in a thread, exception occurs in 80%~90% time. I try to finger out what happening and got fpc_ansistr_decr_ref calling FreeMem then got wrong memory. The program was x86-64 on Windows 10.
I haven't dig so deep like Martin has done, but I think it's the same problem. At 2021-01-09 00:11:19, "Martin Frb via fpc-devel" <fpc-devel@lists.freepascal.org> wrote: >I only tested with 3.2.0 so far. Maybe someone recalls if this is fixed >or not. > >Also because it seems to happen only in very rare conditions, it may be >that trunk does not cause it in this place even if the bug is not yet >fixed. (as other code changes could simply change the context enough to >mitigate it) > > >Using fpc 3.2.0 >compiling lazarus SVN 64346@trunk with -gw -gl -gt -Criot -Sa -O-1 -gh -gv >(this also happened at -O3 / but I could not trace it as valgrinds >reported stack was unreadable / The attached valgrind is with -O-1) > >unit MaskEdit >procedure TCustomMaskEdit.SetMask(Value : String); > > From the generated ASM > ># Temps allocated between rbp-696 and rbp-296 > ># [575] for I := 1 To Utf8Length(S) do > leaq -400(%rbp),%rdi > call fpc_ansistr_decr_ref@PLT > leaq -408(%rbp),%rdi > call fpc_ansistr_decr_ref@PLT > leaq -272(%rbp),%rsi > xorl %edx,%edx > leaq -408(%rbp),%rdi > call fpc_shortstr_to_ansistr@PLT > movq -408(%rbp),%rsi ////// ><<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<< > movq %rsi,-400(%rbp) > testq %rsi,%rsi > je .Lj156 > movq -8(%rsi),%rsi >.Lj156: > movq -400(%rbp),%rdi > testq %rdi,%rdi > jne .Lj157 > movq FPC_EMPTYCHAR@GOTPCREL(%rip),%rdi >.Lj157: > call LAZUTF8_$$_UTF8LENGTH$PCHAR$INT64$$INT64@PLT > >On the marked line, the string (ref) in temp(-408) is copied to temp(-400). >But the refcount is NOT increased > >***** >Temp(-408) is later passed as "var param Result" to > ># [741] FTextOnEnter := inherited RealGetText; > movq -16(%rbp),%rdi > leaq -408(%rbp),%rsi > call STDCTRLS$_$TCUSTOMEDIT_$__$$_REALGETTEXT$$TTRANSLATESTRING@PLT > >This will assign an empty string (in this case), and free the memory >(apparently the refcount happens to be 1 at that time) > >***** >in the autogenerated code for the procedures "end" statement: > ># [743] end; > leaq -408(%rbp),%rdi > call fpc_ansistr_decr_ref@PLT > leaq -400(%rbp),%rdi > call fpc_ansistr_decr_ref@PLT > >Temp-408 is already free (or may have a new value that gets correctly freed) > >Temp-400 still points to the already freed string => double free. > > > > > > _______________________________________________ fpc-devel maillist - fpc-devel@lists.freepascal.org https://lists.freepascal.org/cgi-bin/mailman/listinfo/fpc-devel
