double free when trying to call a C++ function in GDB

double free when trying to call a C++ function in GDB

[Srinath Avadhanula]

Hi,

I tried to call a C++ function and this crashed GDB (stack below for GDB 7.2).

What I tried to do was the following:

(gdb) call CG::printCfgGraph(cfg, "/tmp/foo.dot")

Here, the variable cfg was locally of type CG_Cfg, while
CG::printCfgGraph accepts CG::Cfg as its first argument. CG_Cfg is a
parent class of CG::Cfg. So it looks like GDB is trying to throw an
error about not being able to find an overloaded method of that
signature (although this seems to work for GDB 6.8).

The same stack happens with GDB 7.2.20100906.

Regards,
Srinath

#0  0x00007f8b5517ced5 in raise () from /lib/libc.so.6
#1  0x00007f8b5517e3f3 in abort () from /lib/libc.so.6
#2  0x00007f8b551b9388 in ?? () from /lib/libc.so.6
#3  0x00007f8b551be928 in ?? () from /lib/libc.so.6
#4  0x00007f8b551c0a36 in free () from /lib/libc.so.6
#5  0x0000000000413366 in do_my_cleanups (pmy_chain=0xa3b998,
old_chain=0x0) at utils.c:441
#6  0x000000000050f521 in throw_exception (exception={reason =
RETURN_ERROR, error = GENERIC_ERROR, message = 0xfc83900 "Cannot
resolve function printCfgGraph to any overloaded instance"}) at
exceptions.c:232
#7  0x000000000050f5f4 in throw_it (reason=RETURN_ERROR,
error=GENERIC_ERROR, fmt=<value optimized out>, ap=<value optimized
out>) at exceptions.c:400
#8  0x000000000050f6c6 in throw_verror (error=<value optimized out>,
fmt=<value optimized out>, ap=0xffffffffffffffff) at exceptions.c:406
#9  0x0000000000417083 in error (string=<value optimized out>) at utils.c:966
#10 0x00000000004d6edf in find_overload_match
(arg_types=0x7fff448e5290, nargs=<value optimized out>, name=0x0,
method=<value optimized out>, lax=<value optimized out>, objp=0x0,
fsym=0x10a7a000, valp=0x0, symp=0x7fff448e5520, staticp=0x0, no_adl=1)
at valops.c:2567
#11 0x00000000004d00b4 in evaluate_subexp_standard (expect_type=<value
optimized out>, exp=0xfc83780, pos=0x7fff448e56d4, noside=EVAL_NORMAL)
at eval.c:1723
#12 0x0000000000575b83 in evaluate_subexp_c (expect_type=0x31ad,
exp=0xfc83780, pos=0x7fff448e56d4, noside=EVAL_NORMAL) at
c-lang.c:1047
#13 0x00000000004cbf32 in evaluate_expression (exp=<value optimized
out>) at eval.c:76
#14 0x00000000004e2330 in print_command_1 (exp=0xca1215
"CG::printCfgGraph(cfg, \"/tmp/foo.dot\")", inspect=0, voidprint=0) at
./printcmd.c:969
#15 0x000000000041250f in execute_command (p=0xca123a ")", from_tty=1)
at top.c:422
#16 0x0000000000515d74 in command_handler (command=0xca1210 "call
CG::printCfgGraph(cfg, \"/tmp/foo.dot\")") at event-top.c:498
#17 0x00000000005168fc in command_line_handler (rl=<value optimized
out>) at event-top.c:702
#18 0x00000000005df529 in rl_callback_read_char () at callback.c:205
#19 0x0000000000515dd9 in rl_callback_read_char_wrapper
(client_data=0x31ad) at event-top.c:178
#20 0x00000000005147f8 in process_event () at event-loop.c:399
#21 0x000000000051577c in gdb_do_one_event (data=<value optimized
out>) at event-loop.c:452
#22 0x000000000050f90b in catch_errors (func=0x515690
<gdb_do_one_event>, func_args=0x0, errstring=0x697b42 "", mask=<value
optimized out>) at exceptions.c:518
#23 0x000000000048c8a0 in tui_command_loop (data=<value optimized
out>) at ./tui/tui-interp.c:171
#24 0x0000000000409df9 in captured_command_loop (data=0x31ad) at ./main.c:227
#25 0x000000000050f90b in catch_errors (func=0x409df0
<captured_command_loop>, func_args=0x0, errstring=0x697b42 "",
mask=<value optimized out>) at exceptions.c:518
#26 0x0000000000409c0e in captured_main (data=<value optimized out>)
at ./main.c:910
#27 0x000000000050f90b in catch_errors (func=0x408ee0 <captured_main>,
func_args=0x7fff448e5b20, errstring=0x697b42 "", mask=<value optimized
out>) at exceptions.c:518
#28 0x0000000000408cd4 in gdb_main (args=<value optimized out>) at ./main.c:919
#29 0x0000000000408ca6 in main (argc=<value optimized out>,
argv=0x31ad) at gdb.c:34

<In the paste below, please note that the name gdb-7.2.20100609 should
instead be gdb-7.2.20100906).


*** glibc detected *** /home/savadhan/bin/gdb-7.2.20100609: double
free or corruption (!prev): 0x0000000010c293a0 ***
======= Backtrace: =========
/lib/libc.so.6[0x7f5acae71928]
/lib/libc.so.6(cfree+0x76)[0x7f5acae73a36]
/home/savadhan/bin/gdb-7.2.20100609[0x457796]
/home/savadhan/bin/gdb-7.2.20100609(throw_exception+0x81)[0x5563f1]
/home/savadhan/bin/gdb-7.2.20100609[0x5564c4]
/home/savadhan/bin/gdb-7.2.20100609[0x556596]
/home/savadhan/bin/gdb-7.2.20100609[0x45b4d3]
/home/savadhan/bin/gdb-7.2.20100609[0x51d5cf]
/home/savadhan/bin/gdb-7.2.20100609(evaluate_subexp_standard+0x33b4)[0x516764]
/home/savadhan/bin/gdb-7.2.20100609[0x5c1b13]
/home/savadhan/bin/gdb-7.2.20100609(evaluate_expression+0x22)[0x5125a2]
/home/savadhan/bin/gdb-7.2.20100609[0x528ba0]
/home/savadhan/bin/gdb-7.2.20100609(execute_command+0x26f)[0x45693f]
/home/savadhan/bin/gdb-7.2.20100609[0x55cc44]
/home/savadhan/bin/gdb-7.2.20100609[0x55d7cc]
/home/savadhan/bin/gdb-7.2.20100609(rl_callback_read_char+0x1d9)[0x62bbe9]
/home/savadhan/bin/gdb-7.2.20100609[0x55cca9]
/home/savadhan/bin/gdb-7.2.20100609[0x55b6c8]
/home/savadhan/bin/gdb-7.2.20100609(gdb_do_one_event+0xec)[0x55c64c]
/home/savadhan/bin/gdb-7.2.20100609(catch_errors+0x5b)[0x5567db]
/home/savadhan/bin/gdb-7.2.20100609[0x4d1640]
/home/savadhan/bin/gdb-7.2.20100609[0x44e1e9]
/home/savadhan/bin/gdb-7.2.20100609(catch_errors+0x5b)[0x5567db]
/home/savadhan/bin/gdb-7.2.20100609[0x44dffe]
/home/savadhan/bin/gdb-7.2.20100609(catch_errors+0x5b)[0x5567db]
/home/savadhan/bin/gdb-7.2.20100609(gdb_main+0x24)[0x44d0c4]
/home/savadhan/bin/gdb-7.2.20100609(main+0x36)[0x44d096]
/lib/libc.so.6(__libc_start_main+0xe6)[0x7f5acae1c1a6]
/home/savadhan/bin/gdb-7.2.20100609[0x44cf99]
======= Memory map: ========
00400000-00876000 r-xp 00000000 00:18 20698189
  /mathworks/home/savadhan/bin/gdb-7.2.20100609
00a75000-00a8a000 rw-p 00475000 00:18 20698189
  /mathworks/home/savadhan/bin/gdb-7.2.20100609
00a8a000-00aa9000 rw-p 00a8a000 00:00 0
02636000-137a5000 rw-p 02636000 00:00 0                                  [heap]
7f5ab8000000-7f5ab8021000 rw-p 7f5ab8000000 00:00 0
7f5ab8021000-7f5abc000000 ---p 7f5ab8021000 00:00 0
7f5abf7c6000-7f5abf7dc000 r-xp 00000000 08:01 647187
  /lib/libgcc_s.so.1
7f5abf7dc000-7f5abf9dc000 ---p 00016000 08:01 647187
  /lib/libgcc_s.so.1
7f5abf9dc000-7f5abf9dd000 rw-p 00016000 08:01 647187
  /lib/libgcc_s.so.1
7f5abf9fb000-7f5abfa02000 r--s 00000000 08:01 15557271
  /usr/lib/gconv/gconv-modules.cache
7f5abfa02000-7f5abfbc1000 r--p 013bd000 08:01 14946523
  /local/savadhan/sandbox/Acgirb/matlab/bin/glnxa64/libmwcg_ir.so.dbg
7f5abfbc1000-7f5abfd3d000 r--p 02e66000 08:01 14946762
  /local/savadhan/sandbox/Acgirb/matlab/bin/glnxa64/libmwstateflow.so.dbg
7f5abfd3d000-7f5abfd65000 r--p 001c9000 08:01 14947945
  /local/savadhan/sandbox/Acgirb/matlab/bin/glnxa64/libmwsl_lib_browse.so
7f5abfd65000-7f5abfde2000 r--p 0060b000 08:01 14947187
  /local/savadhan/sandbox/Acgirb/matlab/bin/glnxa64/libmwcgir_hdl.so
7f5abfdf2000-7f5abfe02000 r--p 001f4000 00:3b 29780754
  /mathworks/devel/jobarchive/Acgir/.snapshot/2010_09_06_h20m10s28_job40208_pass/current/matlab/sys/os/glnxa64/libgfortran.so.3.0.0
7f5abfe02000-7f5abfe0f000 r--p 000ca000 00:3b 29780754
  /mathworks/devel/jobarchive/Acgir/.snapshot/2010_09_06_h20m10s28_job40208_pass/current/matlab/sys/os/glnxa64/libgfortran.so.3.0.0
7f5abfe10000-7f5abfe16000 r--p 00054000 08:01 14946662
  /local/savadhan/sandbox/Acgirb/matlab/bin/glnxa64/libmwSimulinkMask.so
7f5abfe16000-7f5abfe1f000 r--p 00051000 08:01 14959616
  /local/savadhan/sandbox/Acgirb/matlab/bin/glnxa64/imageformats/libqmng.so
7f5abfe1f000-7f5abfe28000 r--p 000e2000 08:01 14947614
  /local/savadhan/sandbox/Acgirb/matlab/bin/glnxa64/libmwmathlinalg.so
7f5abfe28000-7f5abfe34000 r--p 0005b000 08:01 14947408
  /local/savadhan/sandbox/Acgirb/matlab/bin/glnxa64/libmwCoder_res.so
7f5abfe34000-7f5abff48000 r--p 01a65000 08:01 10969656
  /usr/lib/libGLcore.so.195.36.15
7f5abff48000-7f5abff51000 r--p 00072000 08:01 14946325
  /local/savadhan/sandbox/Acgirb/matlab/bin/glnxa64/libfreetype.so.6.3.16
7f5abff51000-7f5abff57000 r--p 00177000 08:01 14947438
  /local/savadhan/sandbox/Acgirb/matlab/bin/glnxa64/libmwdesuite_sundials_solver.so
7f5abff57000-7f5abff62000 r--p 005e5000 08:01 14947432
  /local/savadhan/sandbox/Acgirb/matlab/bin/glnxa64/libmwdesuite_kernel_solver.so
7f5abff62000-7f5abff6a000 r--p 00044000 08:01 14947118
  /local/savadhan/sandbox/Acgirb/matlab/bin/glnxa64/libmwcgir_cpp_emitter.so
7f5abff6a000-7f5abff71000 r--p 00068000 08:01 14947070
  /local/savadhan/sandbox/Acgirb/matlab/bin/glnxa64/libmwcgir_algorithm.so
7f5abff71000-7f5abff7c000 r--p 0006e000 08:01 14947086
  /local/savadhan/sandbox/Acgirb/matlab/bin/glnxa64/libmwcgir_cgel.so
7f5abff7c000-7f5abffcc000 r--p 0030d000 08:01 14947481
  /local/savadhan/sandbox/Acgirb/matlab/bin/glnxa64/libmweml.so
7f5abffcc000-7f5abffd4000 r--p 00043000 08:01 14947522
  /local/savadhan/sandbox/Acgirb/matlab/bin/glnxa64/libmwglue_mi.so
7f5abffd4000-7f5abffdd000 r--p 0005c000 08:01 14947530                   /local

Re: double free when trying to call a C++ function in GDB

[Srinath Avadhanula]

Hi,

On Sat, Sep 11, 2010 at 8:24 PM, Srinath Avadhanula
<srinathava@gmail.com> wrote:
>
> I tried to call a C++ function and this crashed GDB (stack below for GDB 7.2).
>

Just to get more information, I ran gdb-7.2 through valgrind and got
the following information:

(gdb) call CG::printCfgGraph(cfg, "/tmp/foo.dot")
==27266==
==27266== Invalid free() / delete / delete[]
==27266==    at 0x4C20B2E: free (vg_replace_malloc.c:323)
==27266==    by 0x457795: do_my_cleanups (utils.c:459)
==27266==    by 0x5563F0: throw_exception (exceptions.c:232)
==27266==    by 0x5564C3: throw_it (exceptions.c:400)
==27266==    by 0x556595: throw_verror (exceptions.c:406)
==27266==    by 0x45B4D2: error (utils.c:984)
==27266==    by 0x51D5CE: find_overload_match (valops.c:2565)
==27266==    by 0x516763: evaluate_subexp_standard (eval.c:1733)
==27266==    by 0x5C1B12: evaluate_subexp_c (c-lang.c:1047)
==27266==    by 0x5125A1: evaluate_expression (eval.c:76)
==27266==    by 0x528B9F: print_command_1 (printcmd.c:969)
==27266==    by 0x45693E: execute_command (top.c:422)
==27266==  Address 0x1936e920 is 0 bytes inside a block of size 808 free'd
==27266==    at 0x4C20B2E: free (vg_replace_malloc.c:323)
==27266==    by 0x457795: do_my_cleanups (utils.c:459)
==27266==    by 0x5563F0: throw_exception (exceptions.c:232)
==27266==    by 0x5564C3: throw_it (exceptions.c:400)
==27266==    by 0x556595: throw_verror (exceptions.c:406)
==27266==    by 0x45B4D2: error (utils.c:984)
==27266==    by 0x51D5CE: find_overload_match (valops.c:2565)
==27266==    by 0x516763: evaluate_subexp_standard (eval.c:1733)
==27266==    by 0x5C1B12: evaluate_subexp_c (c-lang.c:1047)
==27266==    by 0x5125A1: evaluate_expression (eval.c:76)
==27266==    by 0x528B9F: print_command_1 (printcmd.c:969)
==27266==    by 0x45693E: execute_command (top.c:422)

Hopefully, this helps someone debug this faster.

Regards,
Srinath

Re: double free when trying to call a C++ function in GDB

[sami wagiaalla]

Hi Srinath,

Thanks for the valgrind info. I will take a look at this and if you can 
provide me with a small reproducer that would be very helpful.

Thanks,
   Sami

Re: double free when trying to call a C++ function in GDB

[Srinath Avadhanula]

Hi Sami,

> provide me with a small reproducer that would be very helpful.

Unfortunately, I am unable to come up with a small reproduction
program which fails. Let me try to describe the situation we have:

1. We have a large number of shared libraries which get loaded
2. One of the libraries has an overloaded function with two signatures:
            void printCfgGraph(CG::Cfg* cfg, const char* fname);
            void printCfgGraph(CG::Region* region, const char* fname);
3. CG::Cfg and CG::Region are completely unrelated by inheritance etc.
4. We make a call in GDB to:
            (gdb) call printCfgGraph(mycfg, fname)
     where mycfg is of type CG_Cfg which is a super-class of CG::Cfg.
This crashed GDB

I tried to reproduce this, but without any shared libraries. I do not
know if that would make a difference.

Let me know if there is some instrumentation I can add somewhere to
help you narrow this down.

Thanks,
Srinath

Re: double free when trying to call a C++ function in GDB

[sami wagiaalla]

On 09/13/2010 08:58 PM, Srinath Avadhanula wrote:
> Hi Sami,
>
>> provide me with a small reproducer that would be very helpful.
>
> Unfortunately, I am unable to come up with a small reproduction
> program which fails. Let me try to describe the situation we have:
>
> 1. We have a large number of shared libraries which get loaded
> 2. One of the libraries has an overloaded function with two signatures:
>              void printCfgGraph(CG::Cfg* cfg, const char* fname);
>              void printCfgGraph(CG::Region* region, const char* fname);
> 3. CG::Cfg and CG::Region are completely unrelated by inheritance etc.
> 4. We make a call in GDB to:
>              (gdb) call printCfgGraph(mycfg, fname)
>       where mycfg is of type CG_Cfg which is a super-class of CG::Cfg.
> This crashed GDB
>

That did it :). I reproduced it using your description exactly. Filed a 
bug here: http://sourceware.org/bugzilla/show_bug.cgi?id=12028

I should have a fix for ya soon!

Thanks,
   Sami