From: Durai B. <dur...@Su...> - 2003-10-06 07:21:23
My program crashes on linux with the following stack trace...
#0 0x40a3455e in free () from /lib/libc.so.6
(gdb) where
#0 0x40a3455e in free () from /lib/libc.so.6
#1 0x40a344e4 in free () from /lib/libc.so.6
#2 0x4072b716 in __builtin_delete (ptr=0xbc1973c) at ../../gcc/cp/new2.cc:-1
#3 0x40431939 in String::~String (this=0xbc1973c, __in_chrg=3) at XSLString.cpp:356
#4 0x403f5792 in PathExpr::~PathExpr (this=0xbc19670, __in_chrg=3) at PathExpr.cpp:51
#5 0x4043070f in NamedMap::clear (this=0xbf5f9528, deleteObjects=1) at NamedMap.cpp:115
#6 0x4043066e in NamedMap::clear (this=0xbf5f9528) at NamedMap.cpp:98
#7 0x40430601 in NamedMap::~NamedMap (this=0xbf5f9528, __in_chrg=2) at NamedMap.cpp:86
#8 0x403c9226 in ProcessorState::~ProcessorState (this=0xbf5f942c, __in_chrg=2) at ProcessorState.cpp:123
#9 0x403c1f77 in XSLProcessor::process (this=0xbf5f998c, xmlDocument=@0xbc06fa0, xslDocument=@0x82dd5a8, out=@0xbc179ec,
documentBase=@0xbf5f996c) at XSLProcessor.cpp:789
.....
So I ran my program under valgrind and it reported invalid free .. in the same place
as where it crashed.
What does 'invalid free()/delete/delete[]' mean in valgrind output?
Is it a memory corruption or stack overflow or double free?
If it is a memory corruption or a double free, is there a way to find out which part of
the code causes this crash?
Also I have to use the libpthread provided by the valgrind package. Initially I ran without
valgrind's libpthread and it reported the Invalid read errors. But when I used
libpthread, it did not report those invalid read errors. Am I doing anything wrong?
OS: Linux AS 2.1 Edition
Compiler: gcc/g++ 2.96 version.
Valgrind version: 20030725.
==7857== Invalid free() / delete / delete[]
==7857== at 0x4002BCB7: __builtin_delete (vg_replace_malloc.c:233)
==7857== by 0x4064D938: String::~String(void) (XSLString.cpp:356)
==7857== by 0x40611791: PathExpr::~PathExpr(void) (PathExpr.cpp:51)
==7857== by 0x4064C70E: NamedMap::clear(int) (NamedMap.cpp:115)
==7857== Address 0x5E5AF728 is 12 bytes inside a block of size 28 alloc'd
==7857== at 0x4002BA38: __builtin_new (vg_replace_malloc.c:172)
==7857== by 0x40608A0B: ExprParser::createExpr(ExprLexer &) (ExprParser.cpp:319)
==7857== by 0x40607A4B: ExprParser::createExpr(String const &) (ExprParser.cpp:160)
==7857== by 0x405E6568: ProcessorState::getExpr(String const &) (ProcessorState.cpp:450)
==7857== Warning: noted but unhandled ioctl 0x3 with no size/direction hints
==7857== This could cause spurious value errors to appear.
==7857== See README_MISSING_SYSCALL_OR_IOCTL for guidance on writing a proper wrapper.
==7857== valgrind's libpthread.so: IGNORED call to: pthread_attr_destroy
==7857==
==7857== Thread 3:
==7857== Invalid free() / delete / delete[]
==7857== at 0x4002BCB7: __builtin_delete (vg_replace_malloc.c:233)
==7857== by 0x4064D938: String::~String(void) (XSLString.cpp:356)
==7857== by 0x40611791: PathExpr::~PathExpr(void) (PathExpr.cpp:51)
==7857== by 0x40612BE8: RelationalExpr::~RelationalExpr(void) (RelationalExpr.cpp:46)
==7857== Address 0x5E28178C is 12 bytes inside a block of size 28 alloc'd
==7857== at 0x4002BA38: __builtin_new (vg_replace_malloc.c:172)
==7857== by 0x40608A0B: ExprParser::createExpr(ExprLexer &) (ExprParser.cpp:319)
==7857== by 0x40607A4B: ExprParser::createExpr(String const &) (ExprParser.cpp:160)
==7857== by 0x405E6568: ProcessorState::getExpr(String const &) (ProcessorState.cpp:450)
Any idea?
Thanks,
durai.
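
Added example, not part of the original message and not Valgrind's own code: a small C++ allocation tracker that classifies the pointer handed to free/delete, showing how the "N bytes inside a block of size M alloc'd" wording in the report above (an interior pointer into a still-live block) differs from a double free ("free'd") or a non-heap pointer. `HeapTracker`, `FreeKind` and `describe` are hypothetical names, and the block start 0x5E5AF71C is derived here as the reported address 0x5E5AF728 minus 12.

```cpp
#include <cstddef>
#include <cstdint>
#include <iostream>
#include <map>
#include <string>

// Hypothetical tracker for illustration; not how Valgrind is implemented.
enum class FreeKind { Ok, InsideLiveBlock, InsideFreedBlock, NotHeap };
struct FreeResult { FreeKind kind; std::size_t offset; std::size_t size; };

class HeapTracker {
    struct Block { std::size_t size; bool live; };
    std::map<std::uintptr_t, Block> blocks_;  // keyed by block start address
public:
    void on_alloc(std::uintptr_t start, std::size_t size) {
        blocks_[start] = Block{size, true};
    }
    // Classify a pointer passed to free()/delete; mark the block freed if valid.
    FreeResult on_free(std::uintptr_t p) {
        auto it = blocks_.upper_bound(p);      // first block starting after p
        if (it == blocks_.begin()) return {FreeKind::NotHeap, 0, 0};
        --it;                                  // last block starting at or before p
        Block &b = it->second;
        std::size_t off = p - it->first;
        if (off != 0 && off >= b.size) return {FreeKind::NotHeap, 0, 0};
        if (!b.live) return {FreeKind::InsideFreedBlock, off, b.size};  // double free / stale pointer
        if (off != 0) return {FreeKind::InsideLiveBlock, off, b.size};  // interior pointer
        b.live = false;
        return {FreeKind::Ok, 0, b.size};
    }
};

// Render the result in the style of the "Address ... is ..." report line.
std::string describe(const FreeResult &r) {
    if (r.kind == FreeKind::Ok) return "valid free";
    if (r.kind == FreeKind::NotHeap) return "not inside any tracked heap block";
    return std::to_string(r.offset) + " bytes inside a block of size " +
           std::to_string(r.size) +
           (r.kind == FreeKind::InsideLiveBlock ? " alloc'd" : " free'd");
}

int main() {
    HeapTracker t;
    t.on_alloc(0x5E5AF71C, 28);                           // constructed: reported address - 12
    std::cout << describe(t.on_free(0x5E5AF728)) << "\n"; // interior pointer, block still live
    std::cout << describe(t.on_free(0x5E5AF71C)) << "\n"; // correct free of the block start
    std::cout << describe(t.on_free(0x5E5AF71C)) << "\n"; // second free of the same block
}
```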