https://bugs.kde.org/show_bug.cgi?id=472346
Bug ID: 472346
Summary: False positive mismatched frees
Classification: Developer tools
Product: valgrind
Version: 3.22 GIT
Platform: Compiled Sources
OS: Unspecified
Status: REPORTED
Severity: wishlist
Priority: NOR
Component: memcheck
Assignee: [email protected]
Reporter: [email protected]
Target Milestone: ---
Some details. RHEL 7.9, GCC 5.3 home rolled. Debug exe but it dlopens a
Here are a couple of cases that I see
==12389== Mismatched free() / delete / delete []
==12389== at 0x63E3164: free (vg_replace_malloc.c:974)
==12389== by 0x1B4D75F5: __gnu_cxx::new_allocator ..snip ... ::deallocate
...snip... (new_allocator.h:110)
==12389== Address 0x27246130 is 0 bytes inside a block of size 88 alloc'd
==12389== at 0x63E0EF1: operator new(unsigned long)
(vg_replace_malloc.c:472)
==12389== by 0x2514CCD:
__gnu_cxx::new_allocator...snip...::allocate(unsigned long, void const*)
(ext/new_allocator.h:104)
The code for deallocate is
// __p is not permitted to be a null pointer.
void
deallocate(pointer __p, size_type)
{ ::operator delete(__p); }
The mangled last function in the callstack is
_ZN9__gnu_cxx13new_allocatorISt13_Rb_tree_nodeISt4pairIKNSt7__cxx1112basic_stringIcSt11char_traitsIcESaIcEEESt6vectorIS2_IS8_S8_ESaISB_EEEEE10deallocateEPSF_m
which is deallocating a std::map<std::string,
std::vector<std::pair<std::string,std::string> > >
cxx1112basic_stringIcSt11char_traitsIcESaIcEEESt6vectorIS2_IS8_S8_ESaISB_EEEEE10deallocateEPSF_m>:
925d6: 55 push %rbp
925d7: 48 89 e5 mov %rsp,%rbp
925da: 48 83 ec 20 sub $0x20,%rsp
925de: 48 89 7d f8 mov %rdi,-0x8(%rbp)
925e2: 48 89 75 f0 mov %rsi,-0x10(%rbp)
925e6: 48 89 55 e8 mov %rdx,-0x18(%rbp)
925ea: 48 8b 45 f0 mov -0x10(%rbp),%rax
925ee: 48 89 c7 mov %rax,%rdi
925f1: e8 6a 3c 9c 00 callq a56260 <_ZdlPv>
925f6: 90 nop
925f7: c9 leaveq
925f8: c3 retq
There is something weird there. _ZdlPv in mangle-speak is _Z (C++) dl (delete)
Pv (pointer to void). But Valgrind is redirecting this to free. Originally I
thought that the ::operator delete(__p) was simply being inlined.
A second error from the same testcase:
==31400== Mismatched free() / delete / delete []
==31400== at 0x63E36C5: operator delete(void*) (vg_replace_malloc.c:1025)
==31400== by 0x2543553: ...snip... user code
==31400== Address 0x285f41d0 is 0 bytes inside a block of size 64 alloc'd
==31400== at 0x63E078B: malloc (vg_replace_malloc.c:431)
==31400== by 0x27E4E2F7: operator new(unsigned long) (new_op.cc:50)
==31400== by 0x2778CA2A: ...snip... user code
This is definitely a Valgrind problem - operator delete is redirected but
operator new isn't. I tried debugging this with vgdb, and putting a break on
_Znwm and there were 4 sites. Need more tracing / debugging of redirs and
symtab when that shared library gets dlopen'd and mmap'd.
Now a second exe which generates huge numbers of errors on startup. These are
for things like
const set<string> options = { "option1", "option2"};
Temporary std::string objects get created for the options shich cause errors
like
==31386== Mismatched free() / delete / delete []
==31386== at 0x188D7164: free (vg_replace_malloc.c:974)
==31386== by 0x620C460: __static_initialization_and_destruction_0(int, int)
(header.h:63)
==31386== by 0x621BE96: _GLOBAL__sub_I_source.cc (source.cc:12969)
==31386== by 0x163647CC: __libc_csu_init (in /path/to/exe)
==31386== by 0x20E9A4E4: (below main) (in /usr/lib64/libc-2.17.so)
==31386== Address 0x217dc590 is 0 bytes inside a block of size 37 alloc'd
==31386== at 0x188D61E7: operator new[](unsigned long)
(vg_replace_malloc.c:714)
==31386== by 0x736C3DB: void std::__cxx11::basic_string<char,
std::char_traits<char>, std::allocator<char> >::_M_construct<char const*>(char
const*, char const*, std::forward_iterator_tag) (basic_string.tcc:223)
==31386== by 0x1B24FA9E: _M_construct_aux<char const*> (basic_string.h:236)
==31386== by 0x1B24FA9E: _M_construct<char const*> (basic_string.h:255)
==31386== by 0x1B24FA9E: std::__cxx11::basic_string<char,
std::char_traits<char>, std::allocator<char> >::basic_string(char const*,
std::allocator<char> const&) (basic_string.h:511)
==31386== by 0x620C3D7: __static_initialization_and_destruction_0(int, int)
(header.h:44)
==31386== by 0x621BE96: _GLOBAL__sub_I_source.cc (source.cc:12969)
==31386== by 0x163647CC: __libc_csu_init (in /path/to/exe)
==31386== by 0x20E9A4E4: (below main) (in /usr/lib64/libc-2.17.so)
What I had originally thought was inlining might be tail call optimization.
In 000000000012b000
<_ZNSt7__cxx1112basic_stringIwSt11char_traitsIwESaIwEE9_M_createERmm>:
there is
12b036: e9 25 b1 f5 ff jmpq 86160 <_Znwm@plt>
--
You are receiving this mail because:
You are watching all bug changes.
