Why does the following code crash?

Question

This simply creates some list elements, then deletes an element at its beginning approaching it via reverse iteration. It's a replica of an actual problem with the code which deletes elements while traversing them in reverse.

#include <list>

int main()
{
  std::list< int > lst;

  for ( int c = 33; c--; )
    lst.push_back( 0 );

  int count = 0;
  for ( std::list< int >::reverse_iterator i = lst.rbegin(), e = lst.rend();
        i != e; )
  {
    switch( count++ )
    {
      case 32:
      case 33:
        ++i;
        i = std::list< int >::reverse_iterator( lst.erase( i.base() ) );
      break;
      default:
        ++i;
    }
  }

  return 0;
}

When run, it crashes with:

*** glibc detected *** ./a.out: double free or corruption (out): 0x00007fff7f98c230 ***

When run with valgrind, it says:

==11113== Invalid free() / delete / delete[] / realloc()
==11113==    at 0x4C279DC: operator delete(void*) (vg_replace_malloc.c:457)
==11113==    by 0x40104D: __gnu_cxx::new_allocator<std::_List_node<int>     >::deallocate(std::_List_node<int>*, unsigned long) (in /tmp/a.out)
==11113==    by 0x400F47: std::_List_base<int, std::allocator<int>   >::_M_put_node(std::_List_node<int>*) (in /tmp/a.out)
==11113==    by 0x400E50: std::list<int, std::allocator<int> >::_M_erase(std::_List_iterator<int>) (in /tmp/a.out)
==11113==    by 0x400BB6: std::list<int, std::allocator<int> >::erase(std::_List_iterator<int>) (in /tmp/a.out)
==11113==    by 0x40095A: main (in /tmp/a.out)

Compiler:

$ g++ --version
g++ (Debian 4.7.1-7) 4.7.1

Arch:

$ uname -a
Linux hostname 3.2.0-2-amd64 #1 SMP Mon Apr 30 05:20:23 UTC 2012 x86_64 GNU/Linux

Do you think it's a bug, or am I doing something wrong here?

p.s. If you remove case 33 (which should never happen), this turns into an infinite loop instead of a crash.

Is there an off by 1 error in `count`? (Should it be `switch(++count)`?) — irrelephant, Dec 22 '12 at 10:31
No - the exit condition of the loop is `i != e`, it doesn't depend on count. — dragonroot, Dec 22 '12 at 10:31
That is - it is off by one, but it should not result in any problem. However, the iteration actually continues past 32 due to memory corruption. I've edited the question to be more clear on that. — dragonroot, Dec 22 '12 at 10:35
You update `i` when doing `lst.erase(i.base())`, but you might need to also update `e` or simply use `i != lst.rend()` as your `for` termination condition (don't have compiler on hand to verify). — Chris Schmich, Dec 22 '12 at 10:42
@ChrisSchmich: but why would `e` be invalidated? It points before the first element. — dragonroot, Dec 22 '12 at 10:45
@dragonroot that would be the first element that was just deleted, perhaps? — WhozCraig, Dec 22 '12 at 10:53
@dragonroot `e` may point before the first element conceptually, but its internal iterator actually points *at* the first element. — Joseph Mansfield, Dec 22 '12 at 11:23
May help that it crashes on VC++2010 with Debug assertion - "list iterators incompatible". — SChepurin, Dec 22 '12 at 11:46

Joseph Mansfield · Accepted Answer · 2012-12-22T11:21:50.473

Okay, so I got out a pen and paper and now I think it is to do with invalidated your e iterator. Remember, reverse iterators contain a normal iterator pointing to the next element in the container, which is its base iterator. That is, when you have the rbegin() iterator which points at the last element, its internal iterator points at the past-the-end element. Likewise, when you have the rend() iterator which points to the before-the-beginning iterator (an imaginary element that reverse iterators can point at), its internal iterator points at the first element.

So your list looks something like this (BTB = before the beginning, PTE = past the end):

BTB | 0 | 0 | ... | 0 | 0 | PTE
 ^    :                 ^    :
 |----'                 |----'
 e                      i

The dashed lines show where the base iterators are pointing.

Now, in the first iteration you are pointing at the last element (1st in reverse) and count is 0, because you do postfix increment. So, when the switch is matched for 32, you are pointing at the first element (33rd in reverse) in the list.

Okay, so now we're in this state:

BTB | 0 | 0 | ... | 0 | 0 | PTE
 ^    ^   :
 |----|---'
 e    i

You then execute the following code:

++i;
i = std::list< int >::reverse_iterator( lst.erase( i.base() ) );

The first line puts us in this state:

BTB | 0 | 0 | ... | 0 | 0 | PTE
 ^    :
 |----'
 i
 e

Then you erase the element that the base iterator is pointing at and sets your reverse iterator so that its base is now pointing to the element after the erased element. Now we have:

    BTB | 0 | ... | 0 | 0 | PTE
 ^   ^    :
 |---|----'
 e   i

Now, however, e has been invalidated. It's base doesn't point to the first element of the list any more, it points to an invalid element.

Now, your loop should stop because i is at the end, but it won't. It will continue another time, with count as 33, first doing i++:

    BTB | 0 | ... | 0 | 0 | PTE
 ^   :
 |---'
 i   
 e

And then trying to erase the base. Oh dear! The base isn't pointing at a valid element and we get a crash. In fact, I think you already hit undefined behaviour as soon as you iterated too far.

The solution

The way to fix it is to just get rend() each time you iterate:

for ( std::list< int >::reverse_iterator i = lst.rbegin();
      i != lst.rend(); )

Or alternatively, update e whenever you erase elements:

++i;
i = std::list< int >::reverse_iterator( lst.erase( i.base() ) );
e = lst.rend();

Now, my previous answer was to swap the increment and the erasing around, which worked, but why? Well let's go back to the point where it matters (I've added another element in for the sake of clarity over the next few steps):

BTB | 0 | 0 | 0 | ... | 0 | 0 | PTE
 ^    ^   :
 |----|---'
 e    i

So now we erase the base first, giving us this:

BTB | 0 |     0 | ... | 0 | 0 | PTE
 ^    ^       :
 |----|-------'
 e    i

Then we increment i:

BTB | 0 |     0 | ... | 0 | 0 | PTE
 ^    :
 |----'
 i
 e

Then i == e and we end the loop. So while this does work, it doesn't do what you want. It only removes the second element.

I used the following acclaimed answer: http://stackoverflow.com/questions/8621426/how-do-you-erase-and-continue-using-a-stdreverse-iterator — dragonroot, Dec 22 '12 at 10:34
Are we looking at the same code? I mean the accepted answer there. It clearly does the same thing I do. — dragonroot, Dec 22 '12 at 10:43
Makes sense, but I'm puzzled by the fact that reverse_iterator points to just a normal iterator underneath - it this mandated by the standard? — dragonroot, Dec 22 '12 at 11:36
@dragonroot It sure is. `reverse_iterator` is an *iterator adaptor*. The standard says: "The fundamental relation between a reverse iterator and its corresponding iterator `i` is established by the identity: `&*(reverse_iterator(i)) == &*(i - 1).`" In other words, dereferencing the reverse iterator gives you the element one before the iterator it's adapting would. — Joseph Mansfield, Dec 22 '12 at 11:47

score 4 · Answer 2 · answered Dec 22 '12 at 11:05

The error is that e gets invalidated, you should compare directly to lst.rend(). Why does it get invalidated? Well, let's look at the definition of rend() (§23.2.1.9): reverse_iterator(begin()).

So the construction rend() depends on the begin() iterator which points to the first element, which you'd actually delete with case 32. So because that operation invalidates begin() it very likely it also invalidates rend(), depending on how it's implemented, which clearly happens in this version of libstdc++.

It also makes sense that case 33 makes it crash, this time the iterator will point to something that's not at all in the list anymore. Removing it will of course loop indefinitely because e is invalid and your stop condition won't hit.

§23.2.1.9 - is this from ISO/IEC 14882? I don't see such a paragraph here. — dragonroot, Dec 22 '12 at 11:35

score 1 · Answer 3 · answered Dec 22 '12 at 10:43

1

When you erase elements, e is invalidated! You have to update e after easing:

i = std::list< int >::reverse_iterator( lst.erase( i.base() ) );
e = lst.rend(); // update e

answered Dec 22 '12 at 10:43

Anonymous Coward

6,186
1
23
29

Erasing from a list only invalidates iterators to the elements you erased. I'm not sure what affect this will have with reverse iterators. I suppose the base iterator of the `rend` is the first element of the list and will be invalidated. – Joseph Mansfield Dec 22 '12 at 10:43
@sftrabbit: it does feel like it. It does not make a lot of sense to me, though. – dragonroot Dec 22 '12 at 10:49
Because of the `++i` before erasing, `i == e` so that node will be invalid. – Anonymous Coward Dec 22 '12 at 11:10

score 0 · Answer 4 · answered Dec 22 '12 at 12:38

This shall work -

    #include <list>
    #include <iostream>

    int main()
    {
    std::list< int > list;
    for ( int c = 33; c--; )
    list.push_back( 0 );

    std::list<int>::reverse_iterator it = list.rbegin();
    int count = 0;
    while(  it != list.rend() )
    {

    switch( count++ )
    {
     case 32:
     case 33:
     std::cout<<*it<<std::endl;
     it = std::list< int >::reverse_iterator( list.erase((++it).base()));
     std::cout<<list.size()<<std::endl;
     break;
     default:

    ++it;
    }
   }
  return 0;}

Why does the following code crash?

4 Answers4