Bug 162129
Field | Value | Field | Value
---|---|---|---
Summary: | *** glibc detected *** free(): invalid next size (fast): 0x0000000000502150 *** Aborted | |
Product: | Red Hat Enterprise Linux 4 | Reporter: | sangameshwar Allipuram <asangameshwar>
Component: | glibc | Assignee: | Jakub Jelinek <jakub>
Status: | CLOSED NOTABUG | QA Contact: | Brian Brock <bbrock>
Severity: | medium | Docs Contact: |
Priority: | medium | |
Version: | 4.0 | |
Target Milestone: | --- | |
Target Release: | --- | |
Hardware: | x86_64 | |
OS: | Linux | |
Whiteboard: | | |
Fixed In Version: | | Doc Type: | Bug Fix
Doc Text: | | Story Points: | ---
Clone Of: | | Environment: |
Last Closed: | 2005-06-30 07:54:34 UTC | Type: | ---
Regression: | --- | Mount Type: | ---
Documentation: | --- | CRM: |
Verified Versions: | | Category: | ---
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: |
Cloudforms Team: | --- | Target Upstream Version: |
Embargoed: | | |
Description
sangameshwar Allipuram
2005-06-30 06:39:29 UTC
glibc just points out a bug in your testcase. If you used a memory allocation debugger like valgrind or ElectricFence, you'd see it yourself clearly:

```
valgrind --tool=memcheck ./a
==31256== Memcheck, a memory error detector for x86-linux.
==31256== Copyright (C) 2002-2004, and GNU GPL'd, by Julian Seward et al.
==31256== Using valgrind-2.2.0, a program supervision framework for x86-linux.
==31256== Copyright (C) 2000-2004, and GNU GPL'd, by Julian Seward et al.
==31256== For more details, rerun with: -v
==31256==
==31256== Invalid write of size 1
==31256==    at 0x8048C5C: main (a.C:19)
==31256==  Address 0x1BB4B1C8 is 0 bytes after a block of size 40 alloc'd
==31256==    at 0x1B904AFB: operator new(unsigned) (vg_replace_malloc.c:133)
==31256==    by 0x1B9A5181: std::string::_Rep::_S_create(unsigned, unsigned, std::allocator<char> const&) (in /usr/lib/libstdc++.so.6.0.3)
==31256==    by 0x1B9A7296: (within /usr/lib/libstdc++.so.6.0.3)
==31256==    by 0x1B9A749A: std::string::string(std::string const&, unsigned, unsigned) (in /usr/lib/libstdc++.so.6.0.3)
-L/home/sangam/xxx/XXXX/lib -D__DDDD -D__XXXXXXX a.c -I/home/sangam/xxx/XXXX/include -L/home/sangam/xxx/XXXX/lib/xxxx -lxxXxxx -lXXxxxxxxXX
==31256==
==31256== ERROR SUMMARY: 8 errors from 1 contexts (suppressed: 19 from 1)
==31256== malloc/free: in use at exit: 176 bytes in 9 blocks.
==31256== malloc/free: 18 allocs, 9 frees, 652 bytes allocated.
==31256== For a detailed leak analysis, rerun with: --leak-check=yes
==31256== For counts of detected errors, rerun with: -v
```

The bug is the `this_opt[pos2 - pos1] = '\0';` line. a) It is unnecessary; it is STL's responsibility to make things terminated. b) It is wrong. You called substr with pos2 - pos1 - 1 length, which means the string is pos2 - pos1 - 1 bytes long; at this_opt[pos2 - pos1 - 1] there is the terminating '\0'. But by writing to this_opt[pos2 - pos1] you are writing one past the terminating '\0', and there is absolutely no guarantee that was allocated for the string. It was not, so you are clobbering internal malloc's control structures and glibc subsequently complains.

Thanks a lot for the help in solving the problem. I don't have the valgrind tool. Thanks again for the help.

valgrind-2.2.0-5.EL4 is shipped as part of RHEL4, though for the time being it only supports 32-bit i?86 binaries/libraries, so you need to build with -m32 if you want to use valgrind on your program.
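The off-by-one described in the thread, as an added C++ example that is not the reporter's test case: the option string, `extract_option`, `classify_write` and `terminate_checked` are constructed here. It keeps the same `substr(pos1, pos2 - pos1 - 1)` call and shows that index `pos2 - pos1 - 1` is already the library's `'\0'` while index `pos2 - pos1` lies outside the string's storage; routing the manual termination through `at()` turns the heap corruption into a caught `std::out_of_range`.

```cpp
#include <stdexcept>
#include <string>

// Constructed option string; the reporter's real input is not on the page.
static const std::string kOptions = "-Dfoo=bar;-Ibaz";

// Where a write at index idx of s would land. Index size() holds the '\0'
// the library maintains; anything beyond it is not the string's storage.
enum class WriteTarget { InString, Terminator, PastEnd };

WriteTarget classify_write(const std::string& s, std::size_t idx) {
    if (idx < s.size()) return WriteTarget::InString;
    if (idx == s.size()) return WriteTarget::Terminator;
    return WriteTarget::PastEnd;  // this_opt[pos2 - pos1] lands here
}

// Same substr call as the thread: the result is exactly pos2 - pos1 - 1
// characters long and already '\0'-terminated by std::string.
std::string extract_option(const std::string& opts, std::size_t pos1, std::size_t pos2) {
    if (pos2 <= pos1) throw std::invalid_argument("pos2 must exceed pos1");
    return opts.substr(pos1, pos2 - pos1 - 1);
}

// The manual termination routed through at(): an out-of-range index throws
// std::out_of_range instead of overwriting malloc metadata. Returns whether
// the write happened.
bool terminate_checked(std::string& s, std::size_t idx) {
    try {
        s.at(idx) = '\0';
        return true;
    } catch (const std::out_of_range&) {
        return false;
    }
}

// Walk the reporter's scenario for pos1 = 1, pos2 = 9; true if every
// expectation stated in the thread holds.
bool reporter_case_holds() {
    const std::size_t pos1 = 1, pos2 = 9;
    std::string this_opt = extract_option(kOptions, pos1, pos2);
    bool ok = this_opt == "Dfoo=ba" && this_opt.size() == pos2 - pos1 - 1;
    ok = ok && this_opt.c_str()[this_opt.size()] == '\0';                       // (a) already terminated
    ok = ok && classify_write(this_opt, pos2 - pos1) == WriteTarget::PastEnd;  // (b) one past the '\0'
    ok = ok && !terminate_checked(this_opt, pos2 - pos1);                     // at() refuses the write
    return ok;
}
```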