C++ code with GCC optimisation causes core with invalid free() on strings

Question

I have C++ code that is built with gcc (4.1.2) with -O2.

When this code is compiled and run with no optimisation, the program executes without any issue.

When compiled with O1/O2/O3, the code will crash with a valgrind indicating an invalid free. This has been narrowed to the string variables inside the function.

The code will read in a file, and will iterate the contents. I have removed all processing code, and the following code snippet causes the core...

int MyParser::iParseConfig(Config &inConfig)
{
    bool keepGoing = true;

    while(keepGoing)
    {
        string valueKey = "";
        keepGoing = false;
    }
    return 0;
}

When this is run with non-optimised, it works fine. When I build and run this optimised, it will not work.

It looks to be an issue with the way GCC optimises the string class.

Any ideas how we can circumvent this?

Seems ok to me. The missing `else` clause seems suspicious though. — StoryTeller - Unslander Monica, Feb 12 '13 at 17:22
What is the value of `i` at the time of the crash? If it is more than 99, you've got a buffer overflow problem with your `charIndex` array. — Jonathan Leffler, Feb 12 '13 at 17:24
Can `i > 99` ?? For alternatives for appending an `int` to a `std::string` see http://stackoverflow.com/questions/10516196/append-an-int-to-a-stdstring/10516313#10516313 — hmjd, Feb 12 '13 at 17:24
Can you reproduce this behaviour in a small self-contained code sample that people could try to analyze on their own systems? — us2012, Feb 12 '13 at 17:27
Consider using snprintf() which limits the number of characters written. — , Feb 12 '13 at 17:28
It is more the optimisation issue of strings - if i == 2 and the function returns, the crash still occurs... — donalmg, Feb 12 '13 at 17:28
There is no way for it to exit with i == 1 in the code you showed — jmetcalfe, Feb 12 '13 at 17:30
Can you show us the `// Do some work` and `// do more work and return;` parts please? — Nik Bougalis, Feb 12 '13 at 17:36

piokuc · Answer 1 · 2013-02-12T17:35:37.137

I cannot explain why exactly this code crashes for you when compiled with optimizations, perhaps i gets more than 2 digits and you have a buffer overflow, maybe it's something different, but anyway I would change the code:

    sprintf(charIndex, "%d", i++);
    string valueKey = "";
    valueKey.append("Value").append(charIndex);
    string value = inConfig.sFindField(valueKey);

like this:

    stringstream ss;
    ss << "Value" << i++;
    string value(ss.str());

It is more C++-like and should work. Try it.

If you are curious if this is really a buffer overflow situation, insert the line:

    assert(i < 99);

before the call to printf. Or use snprintf:

    snprintf(charIndex, sizeof(charIndex), "%d", i++);

Or make your buffer bigger.

One guess: when optimized, `charIndex` is packed into exactly three bytes. When not optimized, `charIndex` has some padding. Another possibility is that the optimizer is moving things around, so the item being overflowed into is changing. — Gort the Robot, Feb 12 '13 at 17:31

score 2 · Answer 2 · answered Feb 12 '13 at 17:24

2

If you are overflowing the charIndex, (when i gets higher than 99) who knows what your program state is in... the storage you declare is not very big (2 chars and a null).

answered Feb 12 '13 at 17:24

David

9,635
5
62
68

score 0 · Answer 3 · answered Feb 13 '13 at 12:26

0

This was an issue with header files being incorrectly included - there was a duplicate include of the MyParser.h file in the list of includes. This caused some strange scenario around the string optimisation within the GCC optimisation levels.

answered Feb 13 '13 at 12:26

donalmg

627
5
15
22

C++ code with GCC optimisation causes core with invalid free() on strings

3 Answers3