3629 – Const Iterators for const Unbounded Object Ref Sequences Crashes using std::copy

Bug 3629 - Const Iterators for const Unbounded Object Ref Sequences Crashes using std::copy

Summary: Const Iterators for const Unbounded Object Ref Sequences Crashes using std::copy

Status:	NEW

Alias:	None

Product:	TAO
Classification:	Unclassified
Component:	other (show other bugs)
Version:	1.6.8
Hardware:	x86 Windows XP

Importance:	P3 normal
Assignee:	Joe Hoffert

URL:

Depends on:
Blocks:

Reported:	2009-03-23 14:59 CDT by Joe Hoffert
Modified:	2009-07-14 09:54 CDT (History)
CC List:	0 users

See Also:

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Joe Hoffert 2009-03-23 14:59:02 CDT

A seg fault occurs when const iterators for const unbounded object reference sequences are used in std::copy to copy to another sequence elements are double deleted. This problem occurs on Linux and Windows XP. Valgrind on Linux reports a double delete problem.

Reproduce by running the TAO/tests/Sequence_Iterators/Unbounded_Objectref test. Look for the comment "The copy call below causes double deletes and seg faults." right above the call to std::copy which causes the problem.

Comment 1 Johnny Willemsen 2009-03-23 15:09:36 CDT

Can you add the valgrind output?

Comment 2 Joe Hoffert 2009-03-23 15:18:29 CDT

Below is the output from valgrind:

$ valgrind ./Unbounded_Objectref
==2685== Memcheck, a memory error detector.
==2685== Copyright (C) 2002-2007, and GNU GPL'd, by Julian Seward et al.
==2685== Using LibVEX rev 1732, a library for dynamic binary translation.
==2685== Copyright (C) 2004-2007, and GNU GPL'd, by OpenWorks LLP.
==2685== Using valgrind-3.2.3, a dynamic binary instrumentation framework.
==2685== Copyright (C) 2000-2007, and GNU GPL'd, by Julian Seward et al.
==2685== For more details, rerun with: -v
==2685==
==2685== Invalid read of size 4
==2685==    at 0x8048B0A: TAO::Objref_Traits<mock_reference>::release(mock_reference*) (mock_reference.cpp:42)
==2685==    by 0x804BF5F: int test_const_sequence<TAO::Const_MM_Sequence_Iterator<TAO::unbounded_object_reference_sequence<mock_reference, TAO_Objref_Var_T<mock_reference> > > >() (stl_algo.h:159)
==2685==    by 0x8048BC0: main (Unbounded_Objectref.cpp:651)
==2685==  Address 0x43BA000 is 0 bytes inside a block of size 8 free'd
==2685==    at 0x4004E16: operator delete(void*) (vg_replace_malloc.c:244)
==2685==    by 0x804C7DE: int test_const_sequence<TAO::Const_MM_Sequence_Iterator<TAO::unbounded_object_reference_sequence<mock_reference, TAO_Objref_Var_T<mock_reference> > > >() (stl_algo.h:159)
==2685==    by 0x8048BC0: main (Unbounded_Objectref.cpp:651)
==2685==
==2685== Invalid write of size 4
==2685==    at 0x8048A56: mock_reference::~mock_reference() (mock_reference.cpp:13)
==2685==    by 0x804BF5F: int test_const_sequence<TAO::Const_MM_Sequence_Iterator<TAO::unbounded_object_reference_sequence<mock_reference, TAO_Objref_Var_T<mock_reference> > > >() (stl_algo.h:159)
==2685==    by 0x8048BC0: main (Unbounded_Objectref.cpp:651)
==2685==  Address 0x43BA000 is 0 bytes inside a block of size 8 free'd
==2685==    at 0x4004E16: operator delete(void*) (vg_replace_malloc.c:244)
==2685==    by 0x804C7DE: int test_const_sequence<TAO::Const_MM_Sequence_Iterator<TAO::unbounded_object_reference_sequence<mock_reference, TAO_Objref_Var_T<mock_reference> > > >() (stl_algo.h:159)
==2685==    by 0x8048BC0: main (Unbounded_Objectref.cpp:651)
==2685==
==2685== Invalid free() / delete / delete[]
==2685==    at 0x4004E16: operator delete(void*) (vg_replace_malloc.c:244)
==2685==    by 0x804BF5F: int test_const_sequence<TAO::Const_MM_Sequence_Iterator<TAO::unbounded_object_reference_sequence<mock_reference, TAO_Objref_Var_T<mock_reference> > > >() (stl_algo.h:159)
==2685==    by 0x8048BC0: main (Unbounded_Objectref.cpp:651)
==2685==  Address 0x43BA000 is 0 bytes inside a block of size 8 free'd
==2685==    at 0x4004E16: operator delete(void*) (vg_replace_malloc.c:244)
==2685==    by 0x804C7DE: int test_const_sequence<TAO::Const_MM_Sequence_Iterator<TAO::unbounded_object_reference_sequence<mock_reference, TAO_Objref_Var_T<mock_reference> > > >() (stl_algo.h:159)
==2685==    by 0x8048BC0: main (Unbounded_Objectref.cpp:651)
==2685==
==2685== Invalid read of size 4
==2685==    at 0x8048B0A: TAO::Objref_Traits<mock_reference>::release(mock_reference*) (mock_reference.cpp:42)
==2685==    by 0x80498FF: int test_const_sequence_reverse<TAO::Const_MM_Sequence_Reverse_Iterator<TAO::unbounded_object_reference_sequence<mock_reference, TAO_Objref_Var_T<mock_reference> > > >() (stl_algo.h:159)
==2685==    by 0x8048BD5: main (Unbounded_Objectref.cpp:660)
==2685==  Address 0x43BAAB0 is 0 bytes inside a block of size 8 free'd
==2685==    at 0x4004E16: operator delete(void*) (vg_replace_malloc.c:244)
==2685==    by 0x8049EC3: int test_const_sequence_reverse<TAO::Const_MM_Sequence_Reverse_Iterator<TAO::unbounded_object_reference_sequence<mock_reference, TAO_Objref_Var_T<mock_reference> > > >() (stl_algo.h:159)
==2685==    by 0x8048BD5: main (Unbounded_Objectref.cpp:660)
==2685==
==2685== Invalid write of size 4
==2685==    at 0x8048A56: mock_reference::~mock_reference() (mock_reference.cpp:13)
==2685==    by 0x80498FF: int test_const_sequence_reverse<TAO::Const_MM_Sequence_Reverse_Iterator<TAO::unbounded_object_reference_sequence<mock_reference, TAO_Objref_Var_T<mock_reference> > > >() (stl_algo.h:159)
==2685==    by 0x8048BD5: main (Unbounded_Objectref.cpp:660)
==2685==  Address 0x43BAAB0 is 0 bytes inside a block of size 8 free'd
==2685==    at 0x4004E16: operator delete(void*) (vg_replace_malloc.c:244)
==2685==    by 0x8049EC3: int test_const_sequence_reverse<TAO::Const_MM_Sequence_Reverse_Iterator<TAO::unbounded_object_reference_sequence<mock_reference, TAO_Objref_Var_T<mock_reference> > > >() (stl_algo.h:159)
==2685==    by 0x8048BD5: main (Unbounded_Objectref.cpp:660)
==2685==
==2685== Invalid free() / delete / delete[]
==2685==    at 0x4004E16: operator delete(void*) (vg_replace_malloc.c:244)
==2685==    by 0x80498FF: int test_const_sequence_reverse<TAO::Const_MM_Sequence_Reverse_Iterator<TAO::unbounded_object_reference_sequence<mock_reference, TAO_Objref_Var_T<mock_reference> > > >() (stl_algo.h:159)
==2685==    by 0x8048BD5: main (Unbounded_Objectref.cpp:660)
==2685==  Address 0x43BAAB0 is 0 bytes inside a block of size 8 free'd
==2685==    at 0x4004E16: operator delete(void*) (vg_replace_malloc.c:244)
==2685==    by 0x8049EC3: int test_const_sequence_reverse<TAO::Const_MM_Sequence_Reverse_Iterator<TAO::unbounded_object_reference_sequence<mock_reference, TAO_Objref_Var_T<mock_reference> > > >() (stl_algo.h:159)
==2685==    by 0x8048BD5: main (Unbounded_Objectref.cpp:660)
==2685==
==2685== ERROR SUMMARY: 24 errors from 6 contexts (suppressed: 23 from 1)
==2685== malloc/free: in use at exit: 0 bytes in 0 blocks.
==2685== malloc/free: 157 allocs, 165 frees, 20,287 bytes allocated.
==2685== For counts of detected errors, rerun with: -v
==2685== All heap blocks were freed -- no leaks are possible.

Comment 3 Johnny Willemsen 2009-03-24 02:13:03 CDT

shouldn't the copy  increment the refcount on the object references?

Comment 4 Johnny Willemsen 2009-03-24 03:02:56 CDT

check the mock_reference with the real object reference element, I think it is not complete

Comment 5 Johnny Willemsen 2009-07-14 09:54:33 CDT

to reporter