Control: retitle -1 codeblocks: double free on exit
Control: found -1 13.12-3

On Sun, May 24, 2015 at 04:20:45PM +0100, Olly Betts wrote:
> Running it under valgrind is a bit more illuminating.
>
> The first issue that picked up is a use of an uninitialised member
> variable in codeblocks - the attached patch addresses that. This could
> cause codeblocks to kill a random process on exit, but while the patch
> fixes the valgrind error, codeblocks still crashes, so I think this is
> just an unrelated bug.
>
> But valgrind also shows that there are double deallocations going on,
> which seems to be the cause. It is not clear to me quite what's
> happening, but it looks like it's related to global objects and to
> shared libraries or plugins.
>
> Will dig some more later.

valgrind shows the same double deallocations under wxwidgets2.8, so this
is actually an existing bug in codeblocks - it just happens to not
result in a segfault with wx2.8, but does with wx3.0.

Here are tests with codeblocks built with wx2.8 (and including my patch
for the uninitialised variable bug). I just let codeblocks start up and
then hit Ctrl+Q to exit:

==1467== Invalid read of size 4
==1467==    at 0x45F1EF: __exchange_and_add (atomicity.h:49)
==1467==    by 0x45F1EF: __exchange_and_add (atomicity.h:82)
==1467==    by 0x45F1EF: __exchange_and_add_dispatch (atomicity.h:82)
==1467==    by 0x45F1EF: _M_dispose (basic_string.h:246)
==1467==    by 0x45F1EF: ~basic_string (basic_string.h:547)
==1467==    by 0x45F1EF: wxString::~wxString() (string.h:393)
==1467==    by 0xB126F4E: __cxa_finalize (cxa_finalize.c:56)
==1467==    by 0x4FA8492: ??? (in /usr/lib/libcodeblocks.so.0.0.1)
==1467==    by 0x400F009: _dl_fini (dl-fini.c:252)
==1467==    by 0xB126BC8: __run_exit_handlers (exit.c:82)
==1467==    by 0xB126C14: exit (exit.c:104)
==1467==    by 0xB110B4B: (below main) (libc-start.c:321)
==1467==  Address 0x15a67210 is 16 bytes inside a block of size 32 free'd
==1467==    at 0x4C2A360: operator delete(void*) (vg_replace_malloc.c:507)
==1467==    by 0x45F203: _M_dispose (basic_string.h:249)
==1467==    by 0x45F203: ~basic_string (basic_string.h:547)
==1467==    by 0x45F203: wxString::~wxString() (string.h:393)
==1467==    by 0xB126BC8: __run_exit_handlers (exit.c:82)
==1467==    by 0xB126C14: exit (exit.c:104)
==1467==    by 0xB110B4B: (below main) (libc-start.c:321)
==1467==
==1467== Invalid free() / delete / delete[] / realloc()
==1467==    at 0x4C2A360: operator delete(void*) (vg_replace_malloc.c:507)
==1467==    by 0x45F203: _M_dispose (basic_string.h:249)
==1467==    by 0x45F203: ~basic_string (basic_string.h:547)
==1467==    by 0x45F203: wxString::~wxString() (string.h:393)
==1467==    by 0xB126F4E: __cxa_finalize (cxa_finalize.c:56)
==1467==    by 0x4FA8492: ??? (in /usr/lib/libcodeblocks.so.0.0.1)
==1467==    by 0x400F009: _dl_fini (dl-fini.c:252)
==1467==    by 0xB126BC8: __run_exit_handlers (exit.c:82)
==1467==    by 0xB126C14: exit (exit.c:104)
==1467==    by 0xB110B4B: (below main) (libc-start.c:321)
==1467==  Address 0x15a67200 is 0 bytes inside a block of size 32 free'd
==1467==    at 0x4C2A360: operator delete(void*) (vg_replace_malloc.c:507)
==1467==    by 0x45F203: _M_dispose (basic_string.h:249)
==1467==    by 0x45F203: ~basic_string (basic_string.h:547)
==1467==    by 0x45F203: wxString::~wxString() (string.h:393)
==1467==    by 0xB126BC8: __run_exit_handlers (exit.c:82)
==1467==    by 0xB126C14: exit (exit.c:104)
==1467==    by 0xB110B4B: (below main) (libc-start.c:321)
==1467==
==1467== Invalid read of size 8
==1467==    at 0x6B44A15: __tcf_0 (in /usr/lib/x86_64-linux-gnu/libwx_gtk2u_adv-3.0.so.0.2.0)
==1467==    by 0xB126F4E: __cxa_finalize (cxa_finalize.c:56)
==1467==    by 0x6AAA042: ??? (in /usr/lib/x86_64-linux-gnu/libwx_gtk2u_adv-3.0.so.0.2.0)
==1467==    by 0x400F009: _dl_fini (dl-fini.c:252)
==1467==    by 0xB126BC8: __run_exit_handlers (exit.c:82)
==1467==    by 0xB126C14: exit (exit.c:104)
==1467==    by 0xB110B4B: (below main) (libc-start.c:321)
==1467==  Address 0x148f0620 is 0 bytes inside a block of size 32 free'd
==1467==    at 0x4C2A360: operator delete(void*) (vg_replace_malloc.c:507)
==1467==    by 0xB126BC8: __run_exit_handlers (exit.c:82)
==1467==    by 0xB126C14: exit (exit.c:104)
==1467==    by 0xB110B4B: (below main) (libc-start.c:321)
==1467==
==1467== Invalid write of size 8
==1467==    at 0x50A4EF: ~wxEventFunctorMethod (event.h:361)
==1467==    by 0x50A4EF: wxEventFunctorMethod<wxEventTypeTag<wxSizeEvent>, wxEvtHandler, wxEvent, wxEvtHandler>::~wxEventFunctorMethod() (event.h:361)
==1467==    by 0x6B44A1A: __tcf_0 (in /usr/lib/x86_64-linux-gnu/libwx_gtk2u_adv-3.0.so.0.2.0)
==1467==    by 0xB126F4E: __cxa_finalize (cxa_finalize.c:56)
==1467==    by 0x6AAA042: ??? (in /usr/lib/x86_64-linux-gnu/libwx_gtk2u_adv-3.0.so.0.2.0)
==1467==    by 0x400F009: _dl_fini (dl-fini.c:252)
==1467==    by 0xB126BC8: __run_exit_handlers (exit.c:82)
==1467==    by 0xB126C14: exit (exit.c:104)
==1467==    by 0xB110B4B: (below main) (libc-start.c:321)
==1467==  Address 0x148f0620 is 0 bytes inside a block of size 32 free'd
==1467==    at 0x4C2A360: operator delete(void*) (vg_replace_malloc.c:507)
==1467==    by 0xB126BC8: __run_exit_handlers (exit.c:82)
==1467==    by 0xB126C14: exit (exit.c:104)
==1467==    by 0xB110B4B: (below main) (libc-start.c:321)
==1467==
==1467== Invalid free() / delete / delete[] / realloc()
==1467==    at 0x4C2A360: operator delete(void*) (vg_replace_malloc.c:507)
==1467==    by 0x6B44A1A: __tcf_0 (in /usr/lib/x86_64-linux-gnu/libwx_gtk2u_adv-3.0.so.0.2.0)
==1467==    by 0xB126F4E: __cxa_finalize (cxa_finalize.c:56)
==1467==    by 0x6AAA042: ??? (in /usr/lib/x86_64-linux-gnu/libwx_gtk2u_adv-3.0.so.0.2.0)
==1467==    by 0x400F009: _dl_fini (dl-fini.c:252)
==1467==    by 0xB126BC8: __run_exit_handlers (exit.c:82)
==1467==    by 0xB126C14: exit (exit.c:104)
==1467==    by 0xB110B4B: (below main) (libc-start.c:321)
==1467==  Address 0x148f0620 is 0 bytes inside a block of size 32 free'd
==1467==    at 0x4C2A360: operator delete(void*) (vg_replace_malloc.c:507)
==1467==    by 0xB126BC8: __run_exit_handlers (exit.c:82)
==1467==    by 0xB126C14: exit (exit.c:104)
==1467==    by 0xB110B4B: (below main) (libc-start.c:321)
==1467==
==1467==
==1467== HEAP SUMMARY:
==1467==     in use at exit: 8,603,544 bytes in 72,983 blocks
==1467==   total heap usage: 3,384,406 allocs, 3,311,425 frees, 876,760,727 bytes allocated
==1467==
==1467== LEAK SUMMARY:
==1467==    definitely lost: 27,176 bytes in 141 blocks
==1467==    indirectly lost: 104,816 bytes in 3,869 blocks
==1467==      possibly lost: 134,458 bytes in 1,734 blocks
==1467==    still reachable: 8,144,502 bytes in 66,243 blocks
==1467==         suppressed: 0 bytes in 0 blocks
==1467== Rerun with --leak-check=full to see details of leaked memory
==1467==
==1467== For counts of detected and suppressed errors, rerun with: -v
==1467== ERROR SUMMARY: 7 errors from 5 contexts (suppressed: 0 from 0)

Also detected by glibc malloc checking:

$ MALLOC_CHECK_=1 codeblocks
[snip codeblocks debug output]
*** Error in `codeblocks': free(): invalid pointer: 0x0000000001734200 ***
Aborted

Cheers,
    Olly
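
An added example, not part of the original message or of codeblocks: a short Python script that picks out, from memcheck output shaped like the traces above, the errors where an already-freed block is touched again from a `__cxa_finalize` frame, and counts them per shared object. The sample log, its library path and the function names `parse_errors` and `finalizer_refrees` are constructed for this example.

```python
import re
from collections import Counter

# Constructed sample in memcheck's format; the library path is a placeholder.
SAMPLE = """\
==1== Invalid free() / delete / delete[] / realloc()
==1==    at 0x4C2A360: operator delete(void*) (vg_replace_malloc.c:507)
==1==    by 0xB126F4E: __cxa_finalize (cxa_finalize.c:56)
==1==    by 0x4FA8492: ??? (in /usr/lib/libexample.so.0)
==1==  Address 0x15a67200 is 0 bytes inside a block of size 32 free'd
==1==    at 0x4C2A360: operator delete(void*) (vg_replace_malloc.c:507)
==1==    by 0xB126BC8: __run_exit_handlers (exit.c:82)
==1==
==1== Invalid read of size 4
==1==    at 0x401136: main (demo.c:9)
==1==  Address 0x5204040 is 0 bytes after a block of size 40 alloc'd
==1==    at 0x4C2B0E0: malloc (vg_replace_malloc.c:299)
==1==
==1== ERROR SUMMARY: 2 errors from 2 contexts (suppressed: 0 from 0)
"""

PREFIX = re.compile(r"^==\d+==\s?")                      # "==PID== " line prefix
FRAME = re.compile(r"^(?:at|by) 0x[0-9A-Fa-f]+: (.*)$")  # one stack frame
OBJ = re.compile(r"\(in ([^)]+)\)")                      # "(in /path/to/object)"

def parse_errors(log):
    """Split memcheck output into errors: kind, faulting stack, prior alloc/free stack."""
    errors, cur = [], None
    for raw in log.splitlines():
        line = PREFIX.sub("", raw).strip()
        frame = FRAME.match(line)
        if line.startswith("Invalid "):
            cur = {"kind": line, "stack": [], "prior": [], "part": "stack", "freed": False}
            errors.append(cur)
        elif cur and line.startswith("Address "):
            # Frames after this line describe where the block was freed or allocated.
            cur["freed"], cur["part"] = line.endswith("free'd"), "prior"
        elif cur and frame:
            cur[cur["part"]].append(frame.group(1))
        else:
            cur = None  # blank separator or summary text ends the current error
    return errors

def finalizer_refrees(log):
    """Count errors on already-freed blocks reached via __cxa_finalize, per shared object."""
    hits = Counter()
    for e in parse_errors(log):
        if e["freed"] and any("__cxa_finalize" in f for f in e["stack"]):
            objs = OBJ.findall(" ".join(e["stack"]))
            hits[objs[0] if objs else "?"] += 1
    return hits
```
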