Bug#185243: libstdc++3-dev: rope segfaults under heavy load
Package: libstdc++3-dev
Version: 1:3.0.4-7
Severity: important
Consider the following program:
--- BEGIN ropetest.c ---
#include <ext/rope>
using namespace std;
using namespace __gnu_cxx;
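// Returns a pseudo-random value in [0, max), scaled from the C library's
// zero-argument rand().
//
// The scaling max * rand() / RAND_MAX reaches max itself when rand() returns
// RAND_MAX, so that result is folded back to max - 1.
// max == 0 has no valid result; 0 is returned rather than letting max - 1
// wrap around to UINT_MAX.
unsigned int rand(unsigned int max) {
    if (max == 0)
        return 0;
    // Qualified call: selects the library generator, not this overload.
    unsigned int rval = static_cast<unsigned int>(
        static_cast<double>(max) * std::rand() / (RAND_MAX));
    if (rval >= max)
        return max - 1;
    // This return was missing. Flowing off the end of a non-void function is
    // undefined behaviour, and the result is used by callers as a byte count,
    // so it must be well-defined and strictly below max.
    return rval;
}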
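// Stress driver for crope: grows and shrinks a single rope at random, forever.
// The process only ends when it is interrupted or when it crashes.
int main() {
    crope r;
    // Zero-initialised so append() never copies indeterminate stack bytes into
    // the rope; the buffer was previously left uninitialised.
    char buf[10240] = {0};
    while (1) {
        if (rand(2) && r.size() < 1024 * 1024) {
            // Grow: append a random-length prefix of buf while the rope is
            // below 1 MiB. The length must stay below sizeof(buf).
            r.append(buf, rand(10240));
        } else if (r.size() > 10240) {
            // Shrink: erase a random number of leading characters. The size
            // check keeps the count within the rope only if rand(10240)
            // returns a value below 10240.
            r.erase(0, rand(10240));
        }
    }
    return 0;  // not reached: the loop has no exit
}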
--- END ropetest.c ---
It crashes when compiled with g++-3.0 or g++-3.2 (but not with g++ 2.95):
$ g++ ropetest.c -o ropetest-295 -Wall
[ press CTRL-C ]
$ ./ropetest-295
$ g++-3.0 ropetest.c -o ropetest-300 -Wall -g
$ ./ropetest-300
Segmentation fault
$ g++-3.2 ropetest.c -o ropetest-320 -Wall
$ ./ropetest-320
Aborted
$ gdb g++-3.0
GNU gdb 5.3-debian
[ snip ]
(gdb) run
Starting program: ropetest-300
Program received signal SIGSEGV, Segmentation fault.
std::_Refcount_Base::_M_incr() (this=0xef8)
at /usr/include/g++-v3/bits/stl_threads.h:143
143 ++_M_ref_count;
(gdb) bt
#0 std::_Refcount_Base::_M_incr() (this=0xef8)
at /usr/include/g++-v3/bits/stl_threads.h:143
#1 0x0804a6b5 in std::_Rope_RopeRep<char, std::allocator<char> >::_M_ref_nonnil() (this=0xef4)
at /usr/include/g++-v3/ext/stl_rope.h:514
#2 0x0804bf1e in std::_Rope_RopeSubstring<char, std::allocator<char> >::_Rope_RopeSubstring(std::_Rope_RopeRep<char, std::allocator<char> >*, unsigned, unsigned, std::allocator<char>) (this=0x8054828, __b=0xef4, __s=1405, __l=2943, __a=0xbfffcbc0)
at /usr/include/g++-v3/ext/stl_rope.h:717
#3 0x0804b778 in std::rope<char, std::allocator<char> >::_S_new_RopeSubstring(std::_Rope_RopeRep<char, std::allocator<char> >*, unsigned, unsigned, std::allocator<char>) (__b=0xef4, __s=1405, __l=2943, __a=0xbfffcc30)
at /usr/include/g++-v3/ext/stl_rope.h:1392
#4 0x0804aa50 in std::rope<char, std::allocator<char> >::_S_substring(std::_Rope_RopeRep<char, std::allocator<char> >*, unsigned, unsigned) (__base=0x80547ec, __start=1405, __endp1=4348)
at /usr/include/g++-v3/ext/ropeimpl.h:721
#5 0x0804a8b8 in std::rope<char, std::allocator<char> >::_S_substring(std::_Rope_RopeRep<char, std::allocator<char> >*, unsigned, unsigned) (__base=0x8050b68, __start=1405, __endp1=6370)
at /usr/include/g++-v3/ext/ropeimpl.h:683
#6 0x0804a8b8 in std::rope<char, std::allocator<char> >::_S_substring(std::_Rope_RopeRep<char, std::allocator<char> >*, unsigned, unsigned) (__base=0x8050ad8, __start=1405, __endp1=11258)
at /usr/include/g++-v3/ext/ropeimpl.h:683
#7 0x0804a8b8 in std::rope<char, std::allocator<char> >::_S_substring(std::_Rope_RopeRep<char, std::allocator<char> >*, unsigned, unsigned) (__base=0x8050b98, __start=1405, __endp1=14993)
at /usr/include/g++-v3/ext/ropeimpl.h:683
#8 0x0804a8b8 in std::rope<char, std::allocator<char> >::_S_substring(std::_Rope_RopeRep<char, std::allocator<char> >*, unsigned, unsigned) (__base=0x8050bf8, __start=1405, __endp1=24743)
at /usr/include/g++-v3/ext/ropeimpl.h:683
#9 0x0804a8b8 in std::rope<char, std::allocator<char> >::_S_substring(std::_Rope_RopeRep<char, std::allocator<char> >*, unsigned, unsigned) (__base=0x8050c58, __start=1405, __endp1=31252)
at /usr/include/g++-v3/ext/ropeimpl.h:683
#10 0x0804a8b8 in std::rope<char, std::allocator<char> >::_S_substring(std::_Rope_RopeRep<char, std::allocator<char> >*, unsigned, unsigned) (__base=0x8050cb8, __start=1405, __endp1=32702)
at /usr/include/g++-v3/ext/ropeimpl.h:683
#11 0x0804a8b8 in std::rope<char, std::allocator<char> >::_S_substring(std::_Rope_RopeRep<char, std::allocator<char> >*, unsigned, unsigned) (__base=0x8050d18, __start=1405, __endp1=32868)
at /usr/include/g++-v3/ext/ropeimpl.h:683
#12 0x0804a055 in std::rope<char, std::allocator<char> >::replace(std::_Rope_RopeRep<char, std::allocator<char> >*, unsigned, unsigned, std::_Rope_RopeRep<char, std::allocator<char> >*) (__old=0x8050d18, __pos1=0, __pos2=1405, __r=0x0)
at /usr/include/g++-v3/ext/stl_rope.h:1846
#13 0x08049d7d in std::rope<char, std::allocator<char> >::erase(unsigned, unsigned) (this=0xbffff9a0, __p=0, __n=1405)
at /usr/include/g++-v3/ext/stl_rope.h:1993
#14 0x08049b81 in main () at ropetest.cc:21
-- System Information
Debian Release: testing/unstable
Architecture: i386
Kernel: Linux crafter 2.4.19 #1 Fri Sep 27 18:25:53 PDT 2002 i686
Locale: LANG=C, LC_CTYPE=C
Versions of packages libstdc++3-dev depends on:
ii g++-3.0 1:3.0.4-7 The GNU C++ compiler.
ii gcc-3.0-base 1:3.0.4-7 The GNU Compiler Collection (base
ii libc6-dev 2.3.1-14 GNU C Library: Development Librari
ii libstdc++3 1:3.0.4-7 The GNU stdc++ library version 3