GNOME Bugzilla – Bug 731227
crash bug in orc-0.4.19
Last modified: 2014-06-05 15:10:01 UTC
Created attachment 277890 [details] crash orc 0.4.19

Hi, I'm seeing crashes in my image processing library with orc-0.4.19. I've made a test case, attached. It's been generated automatically as a trace of the orc calls my library is making, so I'm afraid it's very long, sorry about that, but it does crash every time for me.

Sample run:

$ gcc -g -Wall orc-crash.c `pkg-config orc-0.4 --cflags --libs`
$ valgrind --db-attach=yes ./a.out
==21575== Memcheck, a memory error detector
==21575== Copyright (C) 2002-2013, and GNU GPL'd, by Julian Seward et al.
==21575== Using Valgrind-3.10.0.SVN and LibVEX; rerun with -h for copyright info
==21575== Command: ./a.out
==21575==
==21575== Invalid read of size 4
==21575==    at 0x4E4A168: orc_code_chunk_free (orccodemem.c:192)
==21575==    by 0x4E59E8D: orc_code_free (orccode.c:33)
==21575==    by 0x4E4A5EA: orc_program_free (orcprogram.c:175)
==21575==    by 0x40F72B: main (orc-crash.c:2238)
==21575==  Address 0x6b18e08 is 24 bytes inside a block of size 40 free'd
==21575==    at 0x4C2BDEC: free (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==21575==    by 0x4E4A17F: orc_code_chunk_free (orccodemem.c:190)
==21575==    by 0x4E59E8D: orc_code_free (orccode.c:33)
==21575==    by 0x4E4A5EA: orc_program_free (orcprogram.c:175)
==21575==    by 0x40F5F3: main (orc-crash.c:2210)

This is on Ubuntu 14.04 with orc-0.4.19 compiled from source. It seems to also crash on OS X. I've not tested other platforms. All orcs before 0.4.19 seem to work fine.

This is only compiling code, no code is executed. The crash occurs when p[274] is freed, but I think the corruption of the orccodemem heap is happening some time before that.

John
That's probably crashing now because all previous orc versions leaked quite some memory ;)
Created attachment 277908 [details] shorter version of the crash program

Trimmed the crash program down quite a bit.
Created attachment 277911 [details] [review] orccodemem: fix list corruption when splitting memory chunks

When splitting orc memory chunks in two, the 'prev' pointer of the new memory chunk to be inserted was wrong, causing invalid memory access and double frees later down the line.
Confirming that this fix resolves my problems, everything valgrinds cleanly now. Thank you very much Tim!
commit 5763373b60ac970d4a9154de8cb3994b52e76efb
Author: Tim-Philipp Müller <tim@centricular.com>
Date:   Wed Jun 4 23:25:52 2014 +0100

    orccodemem: fix list corruption when splitting memory chunks in two

    When splitting orc memory chunks in two, the 'prev' pointer of the new
    memory chunk to be inserted was wrong, causing invalid memory access
    and double frees later down the line.

    https://bugzilla.gnome.org/show_bug.cgi?id=731227
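The doubly-linked chunk list bug described in the patch and commit message above, modelled as an added C example (this is not orc's own code; the Chunk type, chunk_split, list_consistent and demo are hypothetical). The `buggy` flag wires the new chunk's 'prev' to the wrong predecessor, and list_consistent is the kind of invariant check that catches the corruption before a later free walks the broken links:

```c
#include <stdlib.h>

/* Hypothetical simplified code-memory chunk list; not orc's code. */
typedef struct Chunk {
  struct Chunk *prev, *next;
  int offset, size, used;
} Chunk;

/* Split `chunk` so the first `size` bytes stay in it and the remainder
   becomes a new chunk inserted directly after it. With buggy != 0 the new
   chunk's prev pointer is set to chunk->prev instead of chunk, modelling
   the class of mistake the fix above corrects. */
static void chunk_split(Chunk *chunk, int size, int buggy) {
  Chunk *n = calloc(1, sizeof(*n));
  n->offset = chunk->offset + size;
  n->size = chunk->size - size;
  n->next = chunk->next;
  n->prev = buggy ? chunk->prev : chunk;  /* correct wiring: prev = chunk */
  chunk->size = size;
  chunk->next = n;
  if (n->next) n->next->prev = n;         /* keep the successor's back link */
}

/* Walk the list and verify every prev/next pair is mutually consistent and
   chunk offsets are contiguous. Returns 1 if consistent, 0 if corrupted. */
int list_consistent(Chunk *head) {
  Chunk *c, *prev = NULL;
  int expect = head ? head->offset : 0;
  for (c = head; c; prev = c, c = c->next) {
    if (c->prev != prev) return 0;        /* back link points elsewhere */
    if (c->offset != expect) return 0;    /* gap or overlap in the region */
    expect += c->size;
  }
  return 1;
}

/* Constructed scenario: one free 64-byte region, split twice
   (head | 16 | 32). Returns the consistency result and frees the list
   via next pointers only, so the demo itself never touches a bad prev. */
int demo(int buggy) {
  Chunk *head = calloc(1, sizeof(*head));
  int ok;
  head->size = 64;
  chunk_split(head, 16, buggy);
  chunk_split(head->next, 16, buggy);
  ok = list_consistent(head);
  while (head) { Chunk *n = head->next; free(head); head = n; }
  return ok;
}
```

demo(0) reports a consistent list, demo(1) reports corruption after the very first split, which is the state in which a later prev-based unlink or free would misbehave.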