Mail Archives: djgpp/2003/07/19/07:50:33
> Date: Fri, 18 Jul 2003 14:35:00 +0200
> From: Peter Claessens <peter DOT claessens AT psy DOT kuleuven DOT ac DOT be>
>
> Call frame traceback EIPs:
> 0x0006939c merge(BLOCK*, BLOCK*, BLOCK*)+170, file
> c:/src/dots2002/mallocsrc.c
> 0x000678e1 free+141, file c:/src/dots2002/mallocsrc.cpp, line 312
> 0x0006d94e destroy_bitmap+370, file c:/djgpp/allegro/src/graphics.c,
> line 1165
> 0x000133d5 .debug_str+544, file c:/src/dots2002/grafx.cpp, line 2496
> 0x0005f98a .debug_pubnames+42777, file c:/src/dots2002/exp.cpp, line 731
> 0x00033809 .debug_info+613, file c:/src/dots2002/irpreter.cpp, line 1006
> 0x00024d51 .debug_line+581, file c:/src/dots2002/irpreter.cpp, line 211
> 0x00023d59 interprete(std::string)+391, file
> c:/src/dots2002/irpreter.cpp, lin
>
> In GDB this looks like:
> SIGSEV, Segmentation Fault at 0x0006939c in merge(a=0x5ecfa24,
> b=0x6e971c, c=0x5eca24)
> mallocsrc.cpp:273: ENDSZ(a)=a->size
This means that either the dereference of `a' in "a->size" or whatever
ENDSZ(a) does caused the crash. Since "a->size" only _reads_ from the
address pointed to by `a' ("a->size" being on the right side of the
assignemnt), it's not where the crash happens, since we have this
line in the crash message:
> Page Fault at 0x0006939c, error=0006
"error=0006" means the crash happened when the program tried to
_write_ to some address, and that address was found to be invalid.
So, looking at the definition of ENDSZ:
> #define ENDSZ(bp) (*(size_t *)((char *)bp + bp->size + 4))
We see that it dereferences puts a value into the address computed
like this:
a + a->size + 4
`a' is almost certainly a good pointer, since otherwise the program
would have crashed when it computed "a->size". Therefore, if you
print the value of "a->size", you will most probably see a garbled
value, probably produced by some code that overwrote the value
recorded there by malloc. (a->size records the size of the allocated
buffer.)
Now the trick is to put a watchpoint at the address of a->size, and
then run the program again. Then you will see what code writes a
bogus value there.
> Unfortunately, if I put a watchpoint on 0x6939c or on 0x5ecfa24, gdb
> freezes or crashes badly in the run.
0x6939c is an address in the code section, so you cannot usefully
watch it. And as the analysis above suggests, 0x5ecfa24, which is the
value of `a', is not part of the problem; a->size is.
- Raw text -