------- Comment #11 from danglin at gcc dot gnu dot org 2009-05-22 01:30
-------
The first and second calls to delete free the same node:
Breakpoint 4, operator delete (p=0x800000010000e530)
Breakpoint 4, operator delete (p=0x800000010000e530)
Breakpoint 4, operator delete (p=0x800000010000e4f8)
Both the first and second calls appear to come from the same
hunk of code:
// Erase without rebalancing.
while (__x != 0)
{
_M_erase(_S_right(__x));
_Link_type __y = _S_left(__x);
_M_destroy_node(__x);
__x = __y;
}
The first time in, __y seems to point to garbage:
968 _M_destroy_node(__x);
(gdb) p __y
$13 = (_Link_type) 0xc000000000027eb3
(gdb) p *__y
$8 = {<std::_Rb_tree_node_base> = {_M_color = 22266430,
_M_parent = 0x37de3f0173c23f, _M_left = 0xe137de02802b7eef,
_M_right = 0xff73db3d81343f08}, _M_value_field = {
first = 0x3417004273da3d, second = {first = 10464070018962284560,
second = 11029061579702265872}}}
(gdb) p *__x
$9 = {<std::_Rb_tree_node_base> = {_M_color = std::_S_black,
_M_parent = 0x8000000100002940, _M_left = 0x0, _M_right = 0x0},
_M_value_field = {first = 0x800000010000e4f8, second = {first = 0,
second = 35}}}
__y points to something in the dynamic loader:
(gdb) info shared
>From To Syms Read Shared Object Library
0xc00000000000add0 0xc0000000000425e4 Yes /usr/lib/pa20_64/dld.sl
This is the backtrace for the first call:
51 printf("operator delete is called \n");
(gdb) bt
#0 operator delete (p=0x800000010000e530) at deallocate_global.cc:51
#1 0x400000000000de94 in
__gnu_cxx::new_allocator<std::_Rb_tree_node<std::pair<void* const,
std::pair<unsigned long, unsigned long> > > >::deallocate (
this=0x8000000100002938, __p=0x800000010000e530)
at
/test/gnu/gcc/objdir/hppa64-hp-hpux11.11/libstdc++-v3/include/ext/new_allocator.h:95
#2 0x400000000000d904 in std::_Rb_tree<void*, std::pair<void* const,
std::pair<unsigned long, unsigned long> >, std::_Select1st<std::pair<void*
const, std::pair<unsigned long, unsigned long> > >, std::less<void*>,
std::allocator<std::pair<void* const, std::pair<unsigned long, unsigned long> >
> >::_M_put_node (
this=0x8000000100002938, __p=0x800000010000e530)
at
/test/gnu/gcc/objdir/hppa64-hp-hpux11.11/libstdc++-v3/include/bits/stl_tree.h:363
#3 0x400000000000cf38 in std::_Rb_tree<void*, std::pair<void* const,
std::pair<unsigned long, unsigned long> >, std::_Select1st<std::pair<void*
const, std::pair<unsigned long, unsigned long> > >, std::less<void*>,
std::allocator<std::pair<void* const, std::pair<unsigned long, unsigned long> >
> >::_M_destroy_node
(this=0x8000000100002938, __p=0x800000010000e530)
at
/test/gnu/gcc/objdir/hppa64-hp-hpux11.11/libstdc++-v3/include/bits/stl_tree.h:384
#4 0x400000000000c124 in std::_Rb_tree<void*, std::pair<void* const,
std::pair<unsigned long, unsigned long> >, std::_Select1st<std::pair<void*
const, std::pair<unsigned long, unsigned long> > >, std::less<void*>,
std::allocator<std::pair<void* const, std::pair<unsigned long, unsigned long> >
> >::_M_erase (
this=0x8000000100002938, __x=0x800000010000e530)
at
/test/gnu/gcc/objdir/hppa64-hp-hpux11.11/libstdc++-v3/include/bits/stl_tree.h:968
#5 0x400000000000b440 in ~_Rb_tree (this=0x8000000100002938)
at
/test/gnu/gcc/objdir/hppa64-hp-hpux11.11/libstdc++-v3/include/bits/stl_tree.h:614
#6 0x400000000000a1d8 in ~map (this=0x8000000100002938)
at
/test/gnu/gcc/objdir/hppa64-hp-hpux11.11/libstdc++-v3/include/bits/stl_map.h:87
#7 0x400000000000a228 in __tcf_0 ()
at
/test/gnu/gcc/objdir/hppa64-hp-hpux11.11/libstdc++-v3/include/ext/throw_allocator.h:227
#8 0x800003fffdcd75d8 in exit () from /lib/pa20_64/libc.2
#9 0xc00000000000b394 in UT_exit () from /usr/lib/pa20_64/dld.sl
#10 0xc00000000000b3b4 in exit () from /usr/lib/pa20_64/dld.sl
#11 0xc00000000000b478 in $START$ () from /usr/lib/pa20_64/dld.sl
--
danglin at gcc dot gnu dot org changed:
What |Removed |Added
----------------------------------------------------------------------------
Target Milestone|4.5.0 |---
http://gcc.gnu.org/bugzilla/show_bug.cgi?id=40094
