My program crashes on linux with the following stack trace...
#0 0x40a3455e in free () from /lib/libc.so.6
(gdb) where
#0 0x40a3455e in free () from /lib/libc.so.6
#1 0x40a344e4 in free () from /lib/libc.so.6
#2 0x4072b716 in __builtin_delete (ptr=0xbc1973c) at ../../gcc/cp/new2.cc:-1
#3 0x40431939 in String::~String (this=0xbc1973c, __in_chrg=3) at XSLString.cpp:356
#4 0x403f5792 in PathExpr::~PathExpr (this=0xbc19670, __in_chrg=3) at PathExpr.cpp:51
#5 0x4043070f in NamedMap::clear (this=0xbf5f9528, deleteObjects=1) at NamedMap.cpp:115
#6 0x4043066e in NamedMap::clear (this=0xbf5f9528) at NamedMap.cpp:98
#7 0x40430601 in NamedMap::~NamedMap (this=0xbf5f9528, __in_chrg=2) at NamedMap.cpp:86
#8 0x403c9226 in ProcessorState::~ProcessorState (this=0xbf5f942c, __in_chrg=2) at ProcessorState.cpp:123
#9 0x403c1f77 in XSLProcessor::process (this=0xbf5f998c, xmlDocument=@0xbc06fa0, xslDocument=@0x82dd5a8, out=@0xbc179ec,
documentBase=@0xbf5f996c) at XSLProcessor.cpp:789
.....
So I ran my program under valgrind and it reported invalid free .. in the same place
as where it crashed.
What does 'invalid free()/delete/delete[]' mean in valgrind output?
Is it a memory corruption or stack overflow or double free?
If it is a memory corruption or a double free, is there a way to find out which part of
the code causes this crash?
Also I have to use libpthread provided by valgrind package. Initially I ran without
valgrind's libpthread and it reported the Invalid read errors. But when I used
libpthread, it did not report those invalid read errors? Am I doing anything wrong?
OS: Linux AS 2.1 Edition
Compiler: gcc/g++ 2.96 version.
Valgrind version: 20030725.
==7857== Invalid free() / delete / delete[]
==7857== at 0x4002BCB7: __builtin_delete (vg_replace_malloc.c:233)
==7857== by 0x4064D938: String::~String(void) (XSLString.cpp:356)
==7857== by 0x40611791: PathExpr::~PathExpr(void) (PathExpr.cpp:51)
==7857== by 0x4064C70E: NamedMap::clear(int) (NamedMap.cpp:115)
==7857== Address 0x5E5AF728 is 12 bytes inside a block of size 28 alloc'd
==7857== at 0x4002BA38: __builtin_new (vg_replace_malloc.c:172)
==7857== by 0x40608A0B: ExprParser::createExpr(ExprLexer &) (ExprParser.cpp:319)
==7857== by 0x40607A4B: ExprParser::createExpr(String const &) (ExprParser.cpp:160)
==7857== by 0x405E6568: ProcessorState::getExpr(String const &) (ProcessorState.cpp:450)
==7857== Warning: noted but unhandled ioctl 0x3 with no size/direction hints
==7857== This could cause spurious value errors to appear.
==7857== See README_MISSING_SYSCALL_OR_IOCTL for guidance on writing a proper wrapper.
==7857== valgrind's libpthread.so: IGNORED call to: pthread_attr_destroy
==7857==
==7857== Thread 3:
==7857== Invalid free() / delete / delete[]
==7857== at 0x4002BCB7: __builtin_delete (vg_replace_malloc.c:233)
==7857== by 0x4064D938: String::~String(void) (XSLString.cpp:356)
==7857== by 0x40611791: PathExpr::~PathExpr(void) (PathExpr.cpp:51)
==7857== by 0x40612BE8: RelationalExpr::~RelationalExpr(void) (RelationalExpr.cpp:46)
==7857== Address 0x5E28178C is 12 bytes inside a block of size 28 alloc'd
==7857== at 0x4002BA38: __builtin_new (vg_replace_malloc.c:172)
==7857== by 0x40608A0B: ExprParser::createExpr(ExprLexer &) (ExprParser.cpp:319)
==7857== by 0x40607A4B: ExprParser::createExpr(String const &) (ExprParser.cpp:160)
==7857== by 0x405E6568: ProcessorState::getExpr(String const &) (ProcessorState.cpp:450)
Any idea?
Thanks,
durai.
From: Tom H. <th...@cy...> - 2003-10-06 07:41:23
In message <00bc01c38bda$5dc5a070$6501a8c0@guindy>
Durai Balusamy <durai.balusamy@Sun.COM> wrote:
> What does 'invalid free()/delete/delete[]' mean in valgrind output.
> Is it a memory corruption or stack overflow or double free?
It means that the pointer passed to free/delete is not one that was
previously returned from malloc/new, or if it is then it has already
been freed.
> If it is a memory corruption or a double free, is there a way to
> find out which part of the code causes this crash?
That depends on the cause - if it's a double free then you'll have
to try and catch the allocation in the debugger based on valgrind's
information about the block and then try and break on frees of that
block so you find the first and second frees.
If it's just that you are trying to free a bogus pointer then you'll
have to use valgrind's information about both the location of the free
and the pointer being freed to track back to the source of the problem.
> Also I have to use libpthread provided by valgrind package. Initially
> I ran without valgrind's libpthread and it reported the Invalid read
> errors. But when I used libpthread, it did not report those invalid
> read errors? Am I doing anything wrong?
I'm astonished that anything worked at all if you didn't use valgrind's
libpthread, as the real one will call the clone system call which valgrind
is not able to handle.
> ==7857== Invalid free() / delete / delete[]
> ==7857== at 0x4002BCB7: __builtin_delete (vg_replace_malloc.c:233)
> ==7857== by 0x4064D938: String::~String(void) (XSLString.cpp:356)
> ==7857== by 0x40611791: PathExpr::~PathExpr(void) (PathExpr.cpp:51)
> ==7857== by 0x4064C70E: NamedMap::clear(int) (NamedMap.cpp:115)
> ==7857== Address 0x5E5AF728 is 12 bytes inside a block of size 28 alloc'd
> ==7857== at 0x4002BA38: __builtin_new (vg_replace_malloc.c:172)
> ==7857== by 0x40608A0B: ExprParser::createExpr(ExprLexer &) (ExprParser.cpp:319)
> ==7857== by 0x40607A4B: ExprParser::createExpr(String const &) (ExprParser.cpp:160)
> ==7857== by 0x405E6568: ProcessorState::getExpr(String const &) (ProcessorState.cpp:450)
So valgrind is reporting here that you are freeing a pointer that
doesn't point to the start of a block, but rather 12 bytes inside
one. That might mean that you have got confused and are trying to
free the wrong thing or you might be trying to free a stale pointer
that has already been freed and reused, although valgrind tries to
delay reusing memory to avoid that case as much as possible.
> ==7857== Warning: noted but unhandled ioctl 0x3 with no size/direction hints
> ==7857== This could cause spurious value errors to appear.
> ==7857== See README_MISSING_SYSCALL_OR_IOCTL for guidance on writing a proper wrapper.
That looks like a very odd ioctl...
Tom
--
Tom Hughes (th...@cy...)
Software Engineer, Cyberscience Corporation
http://www.cyberscience.com/
----- Original Message -----
From: "Tom Hughes" <th...@cy...>
To: <val...@li...>
Sent: Monday, October 06, 2003 12:40 AM
Subject: Re: [Valgrind-users] Invalid free/delete/delete[]?

> In message <00bc01c38bda$5dc5a070$6501a8c0@guindy>
> Durai Balusamy <durai.balusamy@Sun.COM> wrote:
>
> > What does 'invalid free()/delete/delete[]' mean in valgrind output?
> > Is it a memory corruption or stack overflow or double free?
>
> It means that the pointer passed to free/delete is not one that was
> previously returned from malloc/new, or if it is then it has already
> been freed.

valgrind reported it correctly and it turned out to be a pointer casting issue.

> > If it is a memory corruption or a double free, is there a way to
> > find out which part of the code causes this crash?
>
> That depends on the cause - if it's a double free then you'll have
> to try and catch the allocation in the debugger based on valgrind's
> information about the block and then try and break on frees of that
> block so you find the first and second frees.
>
> If it's just that you are trying to free a bogus pointer then you'll
> have to use valgrind's information about both the location of the free
> and the pointer being freed to track back to the source of the problem.
>
> > Also I have to use libpthread provided by valgrind package. Initially
> > I ran without valgrind's libpthread and it reported the Invalid read
> > errors. But when I used libpthread, it did not report those invalid
> > read errors? Am I doing anything wrong?
>
> I'm astonished that anything worked at all if you didn't use valgrind's
> libpthread, as the real one will call the clone system call which valgrind
> is not able to handle.

Yes, you are correct. What I was trying to say is that it reported many invalid read errors without the valgrind libpthread library but exited the process to link with the valgrind libpthread library. When I ran my program through valgrind's libpthread, it didn't complain about the invalid read errors.

-durai.

> > ==7857== Invalid free() / delete / delete[]
> > ==7857== at 0x4002BCB7: __builtin_delete (vg_replace_malloc.c:233)
> > ==7857== by 0x4064D938: String::~String(void) (XSLString.cpp:356)
> > ==7857== by 0x40611791: PathExpr::~PathExpr(void) (PathExpr.cpp:51)
> > ==7857== by 0x4064C70E: NamedMap::clear(int) (NamedMap.cpp:115)
> > ==7857== Address 0x5E5AF728 is 12 bytes inside a block of size 28 alloc'd
> > ==7857== at 0x4002BA38: __builtin_new (vg_replace_malloc.c:172)
> > ==7857== by 0x40608A0B: ExprParser::createExpr(ExprLexer &) (ExprParser.cpp:319)
> > ==7857== by 0x40607A4B: ExprParser::createExpr(String const &) (ExprParser.cpp:160)
> > ==7857== by 0x405E6568: ProcessorState::getExpr(String const &) (ProcessorState.cpp:450)
>
> So valgrind is reporting here that you are freeing a pointer that
> doesn't point to the start of a block, but rather 12 bytes inside
> one. That might mean that you have got confused and are trying to
> free the wrong thing or you might be trying to free a stale pointer
> that has already been freed and reused, although valgrind tries to
> delay reusing memory to avoid that case as much as possible.
>
> > ==7857== Warning: noted but unhandled ioctl 0x3 with no size/direction hints
> > ==7857== This could cause spurious value errors to appear.
> > ==7857== See README_MISSING_SYSCALL_OR_IOCTL for guidance on writing a proper wrapper.
>
> That looks like a very odd ioctl...
>
> Tom
>
> --
> Tom Hughes (th...@cy...)
> Software Engineer, Cyberscience Corporation
> http://www.cyberscience.com/
>
> _______________________________________________
> Valgrind-users mailing list
> Val...@li...
> https://lists.sourceforge.net/lists/listinfo/valgrind-users
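Tom's explanation of the verdict (a pointer that is not a block start, or a block already freed) and Durai's follow-up that the cause was a pointer cast, illustrated as an added example that is not code from this thread, from valgrind, or from the poster's project. It is a small C++ model of the bookkeeping a checker like Memcheck keeps for every block handed to free/delete, plus a constructed class layout that reproduces the cast mistake. `BlockTracker`, `FreeReport`, `Left`/`Right`/`Derived` and the site labels are all assumptions; the constructed layout gives "12 bytes inside a block of size 28" on ABIs where `int` is 4 bytes, which matches the report's numbers but says nothing about what the poster's classes actually looked like.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <cstdlib>
#include <map>
#include <new>

// Verdicts mirroring the cases Memcheck distinguishes when a pointer reaches
// free/delete: the start of a live block, an address strictly inside a live
// block, a block that was already freed, or an address it never handed out.
enum FreeVerdict { FREE_OK, FREE_INSIDE_BLOCK, FREE_ALREADY_FREED, FREE_UNKNOWN };

struct FreeReport {
    FreeVerdict verdict;
    std::size_t offset;          // bytes past the block start (FREE_INSIDE_BLOCK only)
    std::size_t block_size;      // size of the block involved, 0 if none
    const char* alloc_site;      // where the block was allocated, if known
    const char* first_free_site; // where it was first freed (FREE_ALREADY_FREED only)
};

// Hypothetical tracker standing in for Memcheck's bookkeeping (an assumed model,
// not valgrind's own code). Freed blocks go into a quarantine instead of back to
// malloc, the delayed-reuse idea Tom mentions, so a second free of the same
// address is recognised as a double free rather than mistaken for a new block.
class BlockTracker {
    struct Block { std::size_t size; const char* alloc_site; const char* free_site; };
    typedef std::map<std::uintptr_t, Block> Map;
    Map live_, freed_;
    static std::uintptr_t addr(const void* p) { return reinterpret_cast<std::uintptr_t>(p); }
public:
    ~BlockTracker() {   // quarantine is only released when the tracker goes away
        for (Map::iterator i = live_.begin(); i != live_.end(); ++i) std::free(reinterpret_cast<void*>(i->first));
        for (Map::iterator i = freed_.begin(); i != freed_.end(); ++i) std::free(reinterpret_cast<void*>(i->first));
    }
    void* allocate(std::size_t n, const char* site) {
        void* p = std::malloc(n);
        if (!p) throw std::bad_alloc();
        Block b = { n, site, 0 };
        live_[addr(p)] = b;
        return p;
    }
    // Classify p the way a checker would before letting the free proceed;
    // only an exact live block start is actually released (into quarantine).
    FreeReport release(const void* p, const char* site) {
        FreeReport r = { FREE_UNKNOWN, 0, 0, 0, 0 };
        const std::uintptr_t a = addr(p);
        Map::iterator it = live_.find(a);
        if (it != live_.end()) {                    // legitimate free of a block start
            r.verdict = FREE_OK; r.block_size = it->second.size; r.alloc_site = it->second.alloc_site;
            it->second.free_site = site;
            freed_[a] = it->second;
            live_.erase(it);
            return r;
        }
        Map::iterator f = freed_.find(a);
        if (f != freed_.end()) {                    // double free: report both frees
            r.verdict = FREE_ALREADY_FREED; r.block_size = f->second.size;
            r.alloc_site = f->second.alloc_site; r.first_free_site = f->second.free_site;
            return r;
        }
        it = live_.upper_bound(a);                  // nearest live block starting below a
        if (it != live_.begin() && a < (--it)->first + it->second.size) {
            r.verdict = FREE_INSIDE_BLOCK;          // "N bytes inside a block of size M"
            r.offset = a - it->first; r.block_size = it->second.size; r.alloc_site = it->second.alloc_site;
        }
        return r;
    }
};

// Constructed layout (not the poster's classes): with 4-byte ints and no padding
// the Right subobject sits 12 bytes into a 28-byte Derived object.
struct Left    { int a, b, c; };
struct Right   { int d, e; };
struct Derived : Left, Right { int f, g; };

// The cast mistake: the block was allocated for a Derived, but the pointer that
// reaches delete is the Right subobject, which the implicit upcast silently
// offset. The checker sees an address inside the block, not its start.
FreeReport free_through_second_base(BlockTracker& t) {
    void* raw = t.allocate(sizeof(Derived), "allocation site (constructed)");
    Derived* d = new (raw) Derived();
    Right* r = d;                                   // address adjusted by sizeof(Left)
    return t.release(r, "free site (constructed)");
}

// Double free: the second release of the same start address is refused and the
// report names the first free, which is what Tom's "break on frees of that
// block" hunt in gdb recovers by hand.
FreeReport free_twice(BlockTracker& t) {
    void* p = t.allocate(28, "allocation site (constructed)");
    t.release(p, "first free site (constructed)");
    return t.release(p, "second free site (constructed)");
}

// The correct release: get back to the pointer that new returned before freeing
// (the static_cast re-applies the base adjustment in the other direction).
FreeReport free_from_block_start(BlockTracker& t) {
    void* raw = t.allocate(sizeof(Derived), "allocation site (constructed)");
    Derived* d = new (raw) Derived();
    Right* r = d;
    return t.release(static_cast<Derived*>(r), "free site (constructed)");
}

int main() {
    BlockTracker t;
    FreeReport a = free_through_second_base(t);
    std::printf("Invalid free: address is %lu bytes inside a block of size %lu alloc'd at %s\n",
                (unsigned long)a.offset, (unsigned long)a.block_size, a.alloc_site);
    FreeReport b = free_twice(t);
    std::printf("Invalid free: block of size %lu already freed at %s\n",
                (unsigned long)b.block_size, b.first_free_site);
    std::printf("Correct free verdict: %d (0 == FREE_OK)\n", (int)free_from_block_start(t).verdict);
    return 0;
}
```

The model makes Tom's two diagnoses concrete: an interior address can only come from a pointer that was adjusted or computed after `new` returned it, so the fix is to hand `delete` the most-derived pointer (or a base with a virtual destructor, where the compiler applies the adjustment itself), while a quarantined address means the block was freed before and the first free site is the thing to look at. The real libc `free` in the gdb trace has no such bookkeeping, which is why it simply corrupts its heap metadata and dies inside `free`.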