[Bug libstdc++/52604] New: mt allocator crashes on multi-threaded

Fri, 16 Mar 2012 08:24:13 -0700 

http://gcc.gnu.org/bugzilla/show_bug.cgi?id=52604

             Bug #: 52604
           Summary: mt allocator crashes on multi-threaded
    Classification: Unclassified
           Product: gcc
           Version: 4.8.0
            Status: UNCONFIRMED
          Severity: normal
          Priority: P3
         Component: libstdc++
        AssignedTo: [email protected]
        ReportedBy: [email protected]


Created attachment 26904
  --> http://gcc.gnu.org/bugzilla/attachment.cgi?id=26904
Testcase to reproduce

There's a problem with mt_allocator when using multi-threads.
see example attached (g++ -lpthread).

At exit time, 
- the __freelist destructor is called.
  which does a __gthread_key_delete(_M_key).
- and then afterwards, the std::list<> destructor is called.
  This finally have for effect to use that thread key with gthread_setspecific.

Valgrind reports :
=================================
==5212== Invalid read of size 8
==5212==    at 0x4CA009D: __gnu_cxx::__pool<true>::_M_get_thread_id() (in
../gcc-4.6.3/lib64/libstdc++.so.6.0.16)
==5212==    by 0x4CA0173: __gnu_cxx::__pool<true>::_M_reclaim_block(char*,
unsigned long) (in ../gcc-4.6.3/lib64/libstdc++.so.6.0.16)
==5212==    by 0x401989: __gnu_cxx::__mt_alloc<std::_List_node<std::string>,
__gnu_cxx::__common_pool_policy<__gnu_cxx::__pool, true>
>::deallocate(std::_List_node<std::string>*, unsigned long) (in /tmp/a.out)
==5212==    by 0x401847: std::_List_base<std::string,
__gnu_cxx::__mt_alloc<std::string,
__gnu_cxx::__common_pool_policy<__gnu_cxx::__pool, true> >
>::_M_put_node(std::_List_node<std::string>*) (in /tmp/a.out)
==5212==    by 0x40168C: std::_List_base<std::string,
__gnu_cxx::__mt_alloc<std::string,
__gnu_cxx::__common_pool_policy<__gnu_cxx::__pool, true> > >::_M_clear() (in
/tmp/a.out)
==5212==    by 0x40151A: std::_List_base<std::string,
__gnu_cxx::__mt_alloc<std::string,
__gnu_cxx::__common_pool_policy<__gnu_cxx::__pool, true> > >::~_List_base() (in
/tmp/a.out)
==5212==    by 0x401BB1: std::list<std::string,
__gnu_cxx::__mt_alloc<std::string,
__gnu_cxx::__common_pool_policy<__gnu_cxx::__pool, true> > >::~list() (in
/tmp/a.out)
==5212==    by 0x3814E30C94: exit (in /lib64/tls/libc-2.3.4.so)
==5212==    by 0x3814E1C411: (below main) (in /lib64/tls/libc-2.3.4.so)
==5212==  Address 0x5b5ce88 is 24 bytes inside a block of size 65,536 free'd
==5212==    at 0x4A077EC: operator delete(void*) (vg_replace_malloc.c:457)
==5212==    by 0x3814E30C94: exit (in /lib64/tls/libc-2.3.4.so)
==5212==    by 0x3814E1C411: (below main) (in /lib64/tls/libc-2.3.4.so)
=================================

I ve seen a quite close bug report
(http://gcc.gnu.org/bugzilla/show_bug.cgi?id=22309), that is already fixed in
4.0.0.
This apparently leaded to re-write a part of mt_allocate (Jakub Jelinek). But
this was not sufficient for the current bug report i m reporting.

Thanks in advance.
Laurent Alfonsi

Reply via email to