==11136== Invalid read of size 8
==11136== at 0x5AFC696: memrchr (memrchr.S:289)
==11136== by 0x5B57FAF: dirname (dirname.c:45)
==11136== by 0x405F43: push::lg_cmd_dirname(push::Env&) (LGExtension.cpp:379)
==11136== by 0x42533C: push::Instruction::operator()(push::Env&) const (in /home/bots/svn/eco/branches/skynet_BigPUSH/src/push3.0/extension/push_bloodline)
==11136== by 0x488ECD: push::Env::go(int) (Env.cpp:72)
==11136== by 0x4A84D5: main (bloodline.cpp:99)
==11136== Address 0x640daf8 is 8 bytes inside a block of size 10 alloc'd
==11136== at 0x4C2B6CD: malloc (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==11136== by 0x5AEF801: strdup (strdup.c:43)
==11136== by 0x405EF2: push::lg_cmd_dirname(push::Env&) (LGExtension.cpp:369)
==11136== by 0x42533C: push::Instruction::operator()(push::Env&) const (in /home/bots/svn/eco/branches/skynet_BigPUSH/src/push3.0/extension/push_bloodline)
==11136== by 0x488ECD: push::Env::go(int) (Env.cpp:72)
==11136== by 0x4A84D5: main (bloodline.cpp:99)
==11136==
Is this a legitimate error? It looks like the read takes place inside a valid block. In my program, the call looks like this:
char *path = strdup(full_path.c_str());
cerr << "Path is : " << path << endl;
result = dirname(path);
if(result < 0){
cerr << "Dirname failed for some reason. Check log." << endl;
}
and the output to cerr at the time of the error is:
Path is : /tmp/tmp/
which is a valid path. Dirname shouldn't have any trouble with this, and it's operating on a heap allocated duplicate.
EDIT:
Here is a minimal example that will produce this error:
#include <string.h>
#include <stdio.h>
#include <iostream>
#include <libgen.h>
int main(){
char *path = strdup("/tmp/tmp/");
char* result = dirname(path);
std::cerr << result << std::endl;
}
compile with g++.
run with valgrind, and you get:
==32466== Memcheck, a memory error detector
==32466== Copyright (C) 2002-2011, and GNU GPL'd, by Julian Seward et al.
==32466== Using Valgrind-3.7.0 and LibVEX; rerun with -h for copyright info
==32466== Command: ./a.out
==32466==
==32466== Invalid read of size 8
==32466== at 0x51C7696: memrchr (memrchr.S:289)
==32466== by 0x5222FAF: dirname (dirname.c:45)
==32466== by 0x400865: main (in /home/j3doucet/a.out)
==32466== Address 0x59ff048 is 8 bytes inside a block of size 10 alloc'd
==32466== at 0x4C2B6CD: malloc (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==32466== by 0x51BA801: strdup (strdup.c:43)
==32466== by 0x400855: main (in /home/j3doucet/a.out)
==32466==
/tmp
==32466==
==32466== HEAP SUMMARY:
==32466== in use at exit: 10 bytes in 1 blocks
==32466== total heap usage: 1 allocs, 0 frees, 10 bytes allocated
==32466==
==32466== LEAK SUMMARY:
==32466== definitely lost: 10 bytes in 1 blocks
==32466== indirectly lost: 0 bytes in 0 blocks
==32466== possibly lost: 0 bytes in 0 blocks
==32466== still reachable: 0 bytes in 0 blocks
==32466== suppressed: 0 bytes in 0 blocks
==32466== Rerun with --leak-check=full to see details of leaked memory
==32466==
==32466== For counts of detected and suppressed errors, rerun with: -v
==32466== ERROR SUMMARY: 1 errors from 1 contexts (suppressed: 2 from 2)
Valgrind indicates that a read of size 8 is done from the byte nr 8 in
a block of 10 bytes.
This read is done by memrchr.
Such functions are often optimised based on the assumption that you can read
more bytes than the allocated block.
To avoid reporting such problems, Valgrind has to replace such optimised
functions by its own redefining function.
memrchr has only been redefined in Valgrind from version 3.8 onwards.
=> you should retry with the latest version of Valgrind (3.8.1).
Error might then not be reported anymore (assuming it is effectively a false positive
due to non redefinition of memrchr).
Related
I have been trying to fix this issue for a while and I am out of ideas.
I would like to use libpropcs-dev api to access the /proc directory in Linux.
I have this peice of code so far:
#include <stdio.h>
#include <stdlib.h>
#include <proc/readproc.h>
#include <string.h>
#include <iostream>
using namespace std;
int main (){
PROCTAB* proc = openproc(PROC_FILLMEM | PROC_FILLSTAT | PROC_FILLSTATUS);
proc_t proc_info;
memset(&proc_info, 0, sizeof(proc_info));
while (readproc(proc, &proc_info) != NULL) {
fprintf(stdout, "%20s: \t%5d\t%5ld\n",
proc_info.cmd, proc_info.ppid,
proc_info.rss);
}
cout << "size of proc " << sizeof(proc) << "\n";
cout << "size of proc_info " << sizeof(proc_info) << "\n";
closeproc(proc);
return 1;
}
However, if I run it I get segfault. This is the output of valgrind:
==6492== Memcheck, a memory error detector
==6492== Copyright (C) 2002-2015, and GNU GPL'd, by Julian Seward et al.
==6492== Using Valgrind-3.11.0 and LibVEX; rerun with -h for copyright info
==6492== Command: ./a.out
==6492==
==6492== Invalid free() / delete / delete[] / realloc()
==6492== at 0x4C2EDEB: free (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==6492== by 0x4E43846: readproc (in /lib/x86_64-linux-gnu/libprocps.so.4.0.0)
==6492== by 0x400B37: main (in /home/mohamad/Work/3000-myrepo/a.out)
==6492== Address 0x9ad2de89d83bae00 is not stack'd, malloc'd or (recently) free'd
==6492==
==6492== Invalid free() / delete / delete[] / realloc()
==6492== at 0x4C2EDEB: free (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==6492== by 0x4E43857: readproc (in /lib/x86_64-linux-gnu/libprocps.so.4.0.0)
==6492== by 0x400B37: main (in /home/mohamad/Work/3000-myrepo/a.out)
==6492== Address 0x400c50 is in the Text segment of /home/mohamad/Work/3000-myrepo/a.out
==6492== at 0x400C50: __libc_csu_init (in /home/mohamad/Work/3000-myrepo/a.out)
==6492==
==6492== Invalid free() / delete / delete[] / realloc()
==6492== at 0x4C2EDEB: free (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==6492== by 0x4E43868: readproc (in /lib/x86_64-linux-gnu/libprocps.so.4.0.0)
==6492== by 0x400B37: main (in /home/mohamad/Work/3000-myrepo/a.out)
==6492== Address 0x5409830 is in the Text segment of /lib/x86_64-linux-gnu/libc-2.23.so
==6492== at 0x5409830: (below main) (libc-start.c:325)
==6492==
==6492== Conditional jump or move depends on uninitialised value(s)
==6492== at 0x4E43873: readproc (in /lib/x86_64-linux-gnu/libprocps.so.4.0.0)
==6492== by 0x400B37: main (in /home/mohamad/Work/3000-myrepo/a.out)
==6492==
==6492== Invalid free() / delete / delete[] / realloc()
==6492== at 0x4C2EDEB: free (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==6492== by 0x4E4388A: readproc (in /lib/x86_64-linux-gnu/libprocps.so.4.0.0)
==6492== by 0x400B37: main (in /home/mohamad/Work/3000-myrepo/a.out)
==6492== Address 0xffefffc38 is on thread 1's stack
==6492==
==6492== Conditional jump or move depends on uninitialised value(s)
==6492== at 0x4E43895: readproc (in /lib/x86_64-linux-gnu/libprocps.so.4.0.0)
==6492== by 0x400B37: main (in /home/mohamad/Work/3000-myrepo/a.out)
==6492==
==6492== Conditional jump or move depends on uninitialised value(s)
==6492== at 0x4C2EDA1: free (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==6492== by 0x4E4389B: readproc (in /lib/x86_64-linux-gnu/libprocps.so.4.0.0)
==6492== by 0x400B37: main (in /home/mohamad/Work/3000-myrepo/a.out)
==6492==
==6492== Invalid free() / delete / delete[] / realloc()
==6492== at 0x4C2EDEB: free (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==6492== by 0x4E4389B: readproc (in /lib/x86_64-linux-gnu/libprocps.so.4.0.0)
==6492== by 0x400B37: main (in /home/mohamad/Work/3000-myrepo/a.out)
==6492== Address 0x100000000 is not stack'd, malloc'd or (recently) free'd
==6492==
==6492== Invalid free() / delete / delete[] / realloc()
==6492== at 0x4C2EDEB: free (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==6492== by 0x4E438AC: readproc (in /lib/x86_64-linux-gnu/libprocps.so.4.0.0)
==6492== by 0x400B37: main (in /home/mohamad/Work/3000-myrepo/a.out)
==6492== Address 0x400ad6 is in the Text segment of /home/mohamad/Work/3000-myrepo/a.out
==6492== at 0x400AD6: main (in /home/mohamad/Work/3000-myrepo/a.out)
==6492==
systemd: 0 1476
kthreadd: 0 0
kworker/0:0H: 2 0
mm_percpu_wq: 2 0
ksoftirqd/0: 2 0
rcu_sched: 2 0
rcu_bh: 2 0
migration/0: 2 0
watchdog/0: 2 0
cpuhp/0: 2 0
cpuhp/1: 2 0
watchdog/1: 2 0
migration/1: 2 0
ksoftirqd/1: 2 0
kworker/1:0H: 2 0
cpuhp/2: 2 0
watchdog/2: 2 0
migration/2: 2 0
ksoftirqd/2: 2 0
kworker/2:0H: 2 0
cpuhp/3: 2 0
watchdog/3: 2 0
migration/3: 2 0
ksoftirqd/3: 2 0
kworker/3:0H: 2 0
kdevtmpfs: 2 0
**continues to print all the processess running ...**
size of proc 8
size of proc_info 888
*** stack smashing detected ***: ./a.out terminated
==6492==
==6492== Process terminating with default action of signal 6 (SIGABRT)
==6492== at 0x541E428: raise (raise.c:54)
==6492== by 0x5420029: abort (abort.c:89)
==6492== by 0x54607E9: __libc_message (libc_fatal.c:175)
==6492== by 0x550215B: __fortify_fail (fortify_fail.c:37)
==6492== by 0x55020FF: __stack_chk_fail (stack_chk_fail.c:28)
==6492== by 0x400BF9: main (in /home/mohamad/Work/3000-myrepo/a.out)
==6492==
==6492== HEAP SUMMARY:
==6492== in use at exit: 336,896 bytes in 4 blocks
==6492== total heap usage: 235 allocs, 237 frees, 376,803 bytes allocated
==6492==
==6492== LEAK SUMMARY:
==6492== definitely lost: 0 bytes in 0 blocks
==6492== indirectly lost: 0 bytes in 0 blocks
==6492== possibly lost: 0 bytes in 0 blocks
==6492== still reachable: 336,896 bytes in 4 blocks
==6492== suppressed: 0 bytes in 0 blocks
==6492== Rerun with --leak-check=full to see details of leaked memory
==6492==
==6492== For counts of detected and suppressed errors, rerun with: -v
==6492== Use --track-origins=yes to see where uninitialised values come from
==6492== ERROR SUMMARY: 9 errors from 9 contexts (suppressed: 0 from 0)
Aborted (core dumped)
Once I run it under gdb I get the following:
Program received signal SIGSEGV, Segmentation fault.
__GI___libc_free (mem=0x57a7587f19463b00) at malloc.c:2951
2951 malloc.c: No such file or directory.
Help or pointers regarding my issue would be awesome. Thanks!
This issue appears only on g++4.9.3. Consider the minimal code:
#include <iostream>
#include <Eigen/dense>
int main()
{
Eigen::MatrixXcd mat = Eigen::MatrixXcd::Identity(2,2);
std::cout << mat << std::endl;
}
I compiled it with -Og and -D_GLIBCXX_DEBUG (I needed both of these flag to trigger the error):
g++ -Og -D_GLIBCXX_DEBUG -I./eigen minimal.cpp
Running the program results in:
a.out(42247,0x7fff7cf9e300) malloc: * error for object 0x10c6ca3d0:
pointer being freed was not allocated
* set a breakpoint in malloc_error_break to debug Abort trap: 6
Valgrind spits out something along the lines:
==42296== Invalid free() / delete / delete[] / realloc()
==42296== at 0x10000B957: free (vg_replace_malloc.c:480)
==42296== by 0x100038594: std::basic_stringbuf<wchar_t, std::char_traits<wchar_t>, std::allocator<wchar_t> >::pbackfail(int) (in /opt/local/lib/libgcc/libstdc++.6.dylib)
==42296== by 0x1048056C7: ???
==42296== by 0x27: ???
==42296== by 0x1048053E7: ???
==42296== by 0x100038CA1: std::basic_stringbuf<char, std::char_traits<char>, std::allocator<char> >::overflow(int) (in /opt/local/lib/libgcc/libstdc++.6.dylib)
==42296== by 0x672A2E24: ???
==42296== by 0x1000033E7: ??? (in ./a.out)
==42296== Address 0x1000033d0 is in the Data segment of ./a.out
==42296==
(1,0) (0,0)
(0,0) (1,0)
==42296==
==42296== HEAP SUMMARY:
==42296== in use at exit: 111,830 bytes in 436 blocks
==42296== total heap usage: 523 allocs, 91 frees, 124,150 bytes allocated
==42296==
==42296== LEAK SUMMARY:
==42296== definitely lost: 0 bytes in 0 blocks
==42296== indirectly lost: 0 bytes in 0 blocks
==42296== possibly lost: 0 bytes in 0 blocks
==42296== still reachable: 76,948 bytes in 5 blocks
==42296== suppressed: 34,882 bytes in 431 blocks
I am not sure what's happening. Does anyone know if this is a g++ related issue or an Eigen issue? I am using the latest Eigen 3.2.5 and g++4.9.3 from MacPorts on OS X Yosemite.
PS: The error does not appear if I compile with clang or with g++5.
I have a very simple C++ program.
#include <iostream>
int main()
{
std::cout << "HI" << std::endl;
return 0;
}
I compile this on a Mac with the command c++ --std=c++11 leak.cpp.
When I debug this with valgrind --leak-check=full ./a.out, I get the following output:
==2187== HEAP SUMMARY:
==2187== in use at exit: 38,906 bytes in 429 blocks
==2187== total heap usage: 508 allocs, 79 frees, 45,074 bytes allocated
==2187==
==2187== LEAK SUMMARY:
==2187== definitely lost: 0 bytes in 0 blocks
==2187== indirectly lost: 0 bytes in 0 blocks
==2187== possibly lost: 0 bytes in 0 blocks
==2187== still reachable: 4,096 bytes in 1 blocks
==2187== suppressed: 34,810 bytes in 428 blocks
==2187== Reachable blocks (those to which a pointer was found) are not shown.
==2187== To see them, rerun with: --leak-check=full --show-leak-kinds=all
Turns out there are 4096 bytes that are "still reachable". If I remove the cout statement then there are no more "still reachable" bytes.
Why is it the case that outputting to std::cout causes a memory leak?
It could be a false positive in the leak report. Valgrind can only be so clever; your standard library implementation is taking certain liberties that Valgrind doesn't have a special case for.
I'd be more worried about figuring out why this tiny program is performing 508 allocations, to a total of 45,074 bytes.
I am wondering if the size of float and double objects are equal from std::list point of view?
I've allocated 5-million Real(alias float or double) objects in a std::list and used Valgrind to monitor memory usage.
in both cases the used memory is equal although the size of a 'double' (8 bytes) is double the size if a 'float' object (4 bytes)!
Btw, when I allocate memory for the same amount of objects using 'new' operator, the memory usage of the double array is double the usage of the float array, which seems about right. I was expecting the same using std::list too.
I am using gcc 4.6.2, on Fedora 16.x86_64.
Any idea to help me figure the mystery is appreciated.
here is the code I wrote for test
#include <iostream>
#include <list>
typedef double Real;
int main(int argc, char** argv)
{
std::list<Real> pts;
int k;
int npts = 5000000; // 5 mil
std::cout << "sizeof(Real): " << sizeof(Real) << std::endl;
for(k=0; k < npts;++k)
pts.push_back(1.0);
return 0;
}
if I define Real <- double the Valgrind output is
==15335== Memcheck, a memory error detector
==15335== Copyright (C) 2002-2010, and GNU GPL'd, by Julian Seward et al.
==15335== Using Valgrind-3.6.1 and LibVEX; rerun with -h for copyright info
==15335== Command: /home/soheil/Workspace/tbin/test_memory_usage
==15335==
sizeof(Real): 8
==15335==
==15335== HEAP SUMMARY:
==15335== in use at exit: 616 bytes in 6 blocks
==15335== total heap usage: 5,000,053 allocs, 5,000,047 frees, 120,015,245 bytes allocated
==15335==
==15335== LEAK SUMMARY:
==15335== definitely lost: 0 bytes in 0 blocks
==15335== indirectly lost: 0 bytes in 0 blocks
==15335== possibly lost: 0 bytes in 0 blocks
==15335== still reachable: 616 bytes in 6 blocks
==15335== suppressed: 0 bytes in 0 blocks
==15335== Rerun with --leak-check=full to see details of leaked memory
==15335==
==15335== For counts of detected and suppressed errors, rerun with: -v
==15335== ERROR SUMMARY: 0 errors from 0 contexts (suppressed: 2 from 2)
if I define Real <- float the Valgrind output is
==15252== Memcheck, a memory error detector
==15252== Copyright (C) 2002-2010, and GNU GPL'd, by Julian Seward et al.
==15252== Using Valgrind-3.6.1 and LibVEX; rerun with -h for copyright info
==15252== Command: /home/soheil/Workspace/tbin/test_memory_usage
==15252==
sizeof(Real): 4
==15252==
==15252== HEAP SUMMARY:
==15252== in use at exit: 616 bytes in 6 blocks
==15252== total heap usage: 5,000,053 allocs, 5,000,047 frees, 120,015,245 bytes allocated
==15252==
==15252== LEAK SUMMARY:
==15252== definitely lost: 0 bytes in 0 blocks
==15252== indirectly lost: 0 bytes in 0 blocks
==15252== possibly lost: 0 bytes in 0 blocks
==15252== still reachable: 616 bytes in 6 blocks
==15252== suppressed: 0 bytes in 0 blocks
==15252== Rerun with --leak-check=full to see details of leaked memory
==15252==
==15252== For counts of detected and suppressed errors, rerun with: -v
==15252== ERROR SUMMARY: 0 errors from 0 contexts (suppressed: 2 from 2)
Each element in a std::list<T> is a linked-list node, so it's a struct containing two pointers, as well as the payload data of type T. For instance, for GCC 4.1.2, it's as follows:
struct _List_node_base
{
_List_node_base* _M_next;
_List_node_base* _M_prev;
// *** Non-virtual member functions ***
};
template<typename _Tp>
struct _List_node : public _List_node_base
{
_Tp _M_data;
};
The size allocated will be the size of that struct; if T is small enough then you may be seeing the figures dominated by struct padding.
So with the GCC definition, that's two 64-bit pointers (so 16 bytes), plus 4 or 8 bytes T, padded up to 8 bytes, so 24 bytes in total, which matches what you're measuring.
To test the theory, try changing Real to be float[2] or double[2].
I'm atempting to learn xerces-c and was following this tutorial online.
http://www.yolinux.com/TUTORIALS/XML-Xerces-C.html
I was able to get the tutorial to compile and run through a memory checker (valgrind) with no problems however when I made alterations to the program slightly, the memory checker returned some potential leak bytes. I only added a few extra lines to main to allow the program to read two files instead of one.
int main()
{
string configFile="sample.xml"; // stat file. Get ambigious segfault otherwise.
GetConfig appConfig;
appConfig.readConfigFile(configFile);
cout << "Application option A=" << appConfig.getOptionA() << endl;
cout << "Application option B=" << appConfig.getOptionB() << endl;
// Added code
configFile = "sample1.xml";
appConfig.readConfigFile(configFile);
cout << "Application option A=" << appConfig.getOptionA() << endl;
cout << "Application option B=" << appConfig.getOptionB() << endl;
return 0;
}
I was wondering why is it when I added the extra lines of code to read in another xml file, it would result in the following output?
==776== Using Valgrind-3.6.0 and LibVEX; rerun with -h for copyright info
==776== Command: ./a.out
==776==
Application option A=10
Application option B=24
Application option A=30
Application option B=40
==776==
==776== HEAP SUMMARY:
==776== in use at exit: 6 bytes in 2 blocks
==776== total heap usage: 4,031 allocs, 4,029 frees, 1,092,045 bytes allocated
==776==
==776== 3 bytes in 1 blocks are definitely lost in loss record 1 of 2
==776== at 0x4C28B8C: operator new(unsigned long) (vg_replace_malloc.c:261)
==776== by 0x5225E9B: xercesc_3_1::MemoryManagerImpl::allocate(unsigned long) (MemoryManagerImpl.cpp:40)
==776== by 0x53006C8: xercesc_3_1::IconvGNULCPTranscoder::transcode(unsigned short const*, xercesc_3_1::MemoryManager*) (IconvGNUTransService.cpp:751)
==776== by 0x4038E7: GetConfig::readConfigFile(std::string&) (in /home/bonniehan/workspace/test/a.out)
==776== by 0x403B13: main (in /home/bonniehan/workspace/test/a.out)
==776==
==776== 3 bytes in 1 blocks are definitely lost in loss record 2 of 2
==776== at 0x4C28B8C: operator new(unsigned long) (vg_replace_malloc.c:261)
==776== by 0x5225E9B: xercesc_3_1::MemoryManagerImpl::allocate(unsigned long) (MemoryManagerImpl.cpp:40)
==776== by 0x53006C8: xercesc_3_1::IconvGNULCPTranscoder::transcode(unsigned short const*, xercesc_3_1::MemoryManager*) (IconvGNUTransService.cpp:751)
==776== by 0x40393F: GetConfig::readConfigFile(std::string&) (in /home/bonniehan/workspace/test/a.out)
==776== by 0x403B13: main (in /home/bonniehan/workspace/test/a.out)
==776==
==776== LEAK SUMMARY:
==776== definitely lost: 6 bytes in 2 blocks
==776== indirectly lost: 0 bytes in 0 blocks
==776== possibly lost: 0 bytes in 0 blocks
==776== still reachable: 0 bytes in 0 blocks
==776== suppressed: 0 bytes in 0 blocks
==776==
==776== For counts of detected and suppressed errors, rerun with: -v
==776== ERROR SUMMARY: 2 errors from 2 contexts (suppressed: 2 from 2)
Looks like the example code has some shortcomings for your use case. It contains this code:
m_OptionA = XMLString::transcode(xmlch_OptionA);
From the documentation we can see that transcode requires its caller to deallocate the returned (C-style) string with XMLString::release(). We can see that this is done in the GetConfig destructor:
if(m_OptionA) XMLString::release( &m_OptionA );
But this code does not exist in readConfig(). You should add it there. You may also want to initialize those C-style string members to NULL in the constructor, or you will face another memory problem (potentially a crash bug) if you call readConfig() zero times instead of one or two.