
What could this be? [program bug]

I am having some trouble figuring this out .. so time to ask for help.

OS: OSX, Snow Leopard

gcc: Xcode version of gcc, 4.2.1

Library: gmp, gmpxx

Problem: a function is crashing right at the end with:

flx_run(94749) malloc: *** error for object 0x7fff706d1500: pointer being freed was not allocated
*** set a breakpoint in malloc_error_break to debug

Program received signal SIGABRT, Aborted.
0x00007fff835cd886 in __kill ()
(gdb) bt
#0  0x00007fff835cd886 in __kill ()
#1  0x00007fff8366deae in abort ()
#2  0x00007fff83585a75 in free ()
#3  0x00000001000bca45 in flxusr::gmp__hyphen_0::_init_ ()
Previous frame inner to this frame (gdb could not unwind past this frame)

I am not calling free() in the function init, and the function does run correctly right up to the closing curly brace .. so the crash point has to be in the destructors of local objects (right?)

The funny thing is:

a) The program (seems to) work fine if statically linked, it only fails if the code is built into a *.dylib and dynamically loaded.

b) the program fails the same way with two completely different versions of gmp/gmpxx. [4.3 or something and 5.01]

c) both static and dynamic linkage versions work fine on Ubuntu 10.5 LTS

The code is generated by my compiler, it is not hand written code. The user code is run by a top level driver program. The system runs several hundred regression tests successfully. However, the following hand written code is used in this particular test case:

#include <cstdio>    // std::snprintf
#include <string>
#include <gmpxx.h>   // mpf_class, mp_exp_t

namespace flx { namespace gmp {
// Render an mpf_class as ".<mantissa>e<exponent>": get_str() returns the
// digits with the decimal point implied before the first one and writes the
// base-10 exponent into x.
std::string flx_mpf_get_str(mpf_class const &a)
{
  mp_exp_t x;
  std::string s = a.get_str(x,10,0);
  char b[100];
  std::snprintf(b,sizeof b,"e%ld",(long)x);
  return std::string(".")+s+b;
}
}}

but it looks fine to me. The stack frame of the function contains several mpz_class, mpq_class and mpf_class objects.

Apart from bugs in gmp/gmpxx the only other thing I can think of is that my run time system or generated code is corrupting memory. The address being "freed" which wasn't allocated is suspicious (it's nowhere near the heap). I built a version of gmp with -g flag but get no more information (which suggests it isn't a bad free from inside a gmpxx class destructor).

I need some ideas! I have no idea where to look now. Thx in advance :)

Link to the source

http://felix-lang.org:1116/$/home/skaller/felix/felix/build/release-optimized/test/gmp/gmp-0.cpp

Meta: SO's markdown doesn't work! So you'll have to copy by hand.

Might as well throw in the link to the Felix code since it's a bit more readable and has some fun stuff in it (like user defined syntax and if you go to the library you can see typeclasses being instantiated)

http://felix-lang.org:1116/$/home/skaller/felix/felix/build/release-optimized/test/gmp/gmp-0.flx


Where did you get the gmp source? It might be a 32 bit version (at least macports does not offer 64 bit sources). Snow Leopard on the other hand is 64 bit (by default).

Personally I force all code to 32 bit by gcc -m32. You could try the same.

br,
Juha

edit: How to force /usr/bin/gcc -> /usr/bin/gcc -m32?


You can't deallocate memory allocated by a dynamic library. Perhaps that is the problem here. Check out this answer: Shared libraries memory space

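The ownership rule in the answer above, as an added example that is not the asker's, Felix's or gmp's code: two hypothetical modules (`app` and `lib`) each own a fixed-block `Pool`, standing in for an executable and a dylib bound to different malloc/free pairs. `Pool::release()` applies the same check macOS malloc makes before reporting "pointer being freed was not allocated" (address outside the arena, interior pointer, block already free) but returns false instead of aborting, so the three failure modes can be exercised and observed. The `Module` create/destroy pair is the usual mitigation: whichever side allocates is the side that frees. `Pool`, `Module`, the 64-byte block size and the scenarios are all constructed for this example.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <vector>

// Hypothetical model (not the project's code): each "module" owns a Pool, the
// way an executable and a dylib may each be bound to a different malloc/free.
// Pool::release() performs the ownership check behind the macOS message
// "pointer being freed was not allocated", reporting instead of aborting.
class Pool {
public:
    static constexpr std::size_t kBlock = 64;   // fixed block size, chosen for the model

    explicit Pool(std::size_t nblocks)
        : arena_(nblocks * kBlock), used_(nblocks, false), live_(0) {}

    // Hand out the first free block, or nullptr when the arena is exhausted.
    void* alloc() {
        for (std::size_t i = 0; i < used_.size(); ++i) {
            if (!used_[i]) {
                used_[i] = true;
                ++live_;
                return arena_.data() + i * kBlock;
            }
        }
        return nullptr;
    }

    // Release a block; false means the pointer is not one this pool currently owns.
    bool release(void* p) {
        const std::uintptr_t base = reinterpret_cast<std::uintptr_t>(arena_.data());
        const std::uintptr_t addr = reinterpret_cast<std::uintptr_t>(p);
        if (addr < base || addr >= base + arena_.size()) return false; // foreign, stack or static address
        const std::size_t off = static_cast<std::size_t>(addr - base);
        if (off % kBlock != 0) return false;                          // interior pointer
        const std::size_t i = off / kBlock;
        if (!used_[i]) return false;                                  // double free
        used_[i] = false;
        --live_;
        return true;
    }

    std::size_t live() const { return live_; }

private:
    std::vector<unsigned char> arena_;
    std::vector<bool> used_;
    std::size_t live_;
};

// A module exposes create/destroy as a pair so the caller never has to know
// which allocator backs the object: the fix for cross-module frees.
struct Module {
    Pool pool;
    explicit Module(std::size_t nblocks) : pool(nblocks) {}
    void* create() { return pool.alloc(); }
    bool destroy(void* p) { return pool.release(p); }
};

// Scenario 1: memory from the library's allocator handed to the executable's free.
bool cross_module_free_is_rejected() {
    Module app(4), lib(4);
    void* p = lib.create();
    const bool rejected = !app.destroy(p);  // app's pool never handed out p
    const bool released = lib.destroy(p);   // the owning module releases it
    return rejected && released && lib.pool.live() == 0;
}

// Scenario 2: a stack address, like the 0x7fff... address in the question that
// is nowhere near the heap.
bool stack_pointer_free_is_rejected() {
    Module lib(4);
    unsigned char local[Pool::kBlock];
    return !lib.destroy(local);
}

// Scenario 3: the same block released twice.
bool double_free_is_rejected() {
    Module lib(4);
    void* p = lib.create();
    const bool first = lib.destroy(p);
    const bool second = lib.destroy(p);
    return first && !second;
}

int main() {
    std::printf("cross-module free rejected: %d\n", cross_module_free_is_rejected());
    std::printf("stack pointer free rejected: %d\n", stack_pointer_free_is_rejected());
    std::printf("double free rejected: %d\n", double_free_is_rejected());
    return 0;
}
```

In a real process the check is done by the system allocator and the outcome is the abort shown in the question's backtrace; the model only makes the three causes separable. The practical takeaway is the `Module` shape: a library that returns owned memory should also export the matching release call, and a caller should never pass that memory to its own `free` or `delete`.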
