
From: boost-bounces@lists.boost.org [mailto:boost-bounces@lists.boost.org] On Behalf Of Phil Bouchard
Sent: Wednesday, October 01, 2008 12:06 PM

My mistake. I forgot taking the chunk_size_ away and relying on array of chars. Now here is the crash I got:

I've reproduced and debugged this crash and I think this one is another bug in the shifted_ptr code, though I have not yet been able to pin it down. Something is corrupting the free list in the unallocated chunks held by the pool. It's very deterministic, so I managed to set a watchpoint on the chunk that gets clobbered; here's what I see:

Hardware watchpoint 2: *137317164

Old value = 137317168
New value = 137317167
0x080498c5 in boost::detail::sp_counted_base::release (this=0x82f4b28) at /usr/include/boost/detail/sp_counted_base_nt.hpp:77
77        if( --use_count_ == 0 )
(gdb) where
#0  0x080498c5 in boost::detail::sp_counted_base::release (this=0x82f4b28) at /usr/include/boost/detail/sp_counted_base_nt.hpp:77
#1  0x0804bf60 in ~shifted_ptr_base (this=0x82eceb0) at ../../../boost/detail/shifted_ptr_base.hpp:64
#2  0x08055f64 in ~shifted_ptr (this=0x82eceb0) at ../../../boost/shifted_ptr.hpp:255
#3  0x08055ff8 in ~_List_node_base (this=0x82ecea8) at ../../../bits/stl_list.h:76
#4  0x080569f5 in ~_List_node (this=0x82ecea8) at ../../../bits/stl_list.h:108
#5  0x08056a50 in ~shifted (this=0x82ece7c) at ../../../boost/detail/sh_owned_base_nt.hpp:197
#6  0x08049862 in boost::detail::sp_counted_base::destroy (this=0x82ece7c) at /usr/include/boost/detail/sp_counted_base_nt.hpp:58
#7  0x080498ae in boost::detail::sp_counted_base::weak_release (this=0x82ece7c) at /usr/include/boost/detail/sp_counted_base_nt.hpp:93
#8  0x080498f1 in boost::detail::sp_counted_base::release (this=0x82ece7c) at /usr/include/boost/detail/sp_counted_base_nt.hpp:80
#9  0x0804b9ca in ~shifted_ptr_base (this=0x82ece74) at ../../../boost/detail/shifted_ptr_base.hpp:64
#10 0x080565ce in ~shifted_ptr (this=0x82ece74) at ../../../boost/shifted_ptr.hpp:255
#11 0x08056611 in ~_List_impl (this=0x82ece74) at ../../../bits/stl_list.h:318
#12 0x0805670e in ~_List_base (this=0x82ece74) at ../../../bits/stl_list.h:352
#13 0x0805674f in ~list (this=0x82ece74) at ../../../bits/stl_list.h:412
#14 0x08056770 in ~vector (this=0x82ece74) at shifted_ptr_test2.cpp:66
#15 0x0805679c in ~shifted (this=0x82ece48) at ../../../boost/detail/sh_owned_base_nt.hpp:197
#16 0x0805571f in boost::detail::sh::set::release (this=0x82ec228) at ../../../boost/shifted_ptr.hpp:86
#17 0x080568af in boost::detail::sh::shifted_ptr<vector>::release (this=0xbfb9389c, d=true) at ../../../boost/shifted_ptr.hpp:263
#18 0x0805698d in ~shifted_ptr (this=0xbfb9389c) at ../../../boost/shifted_ptr.hpp:255
#19 0x080492b8 in main () at shifted_ptr_test2.cpp:95
(gdb) print sizeof(*this)
$3 = 12
(gdb) print *this
$4 = {_vptr.sp_counted_base = 0x82f4b2c, use_count_ = 137317167, weak_count_ = 137317172}
(gdb) print this
$5 = (class boost::detail::sp_counted_base * const) 0x82f4b28

The sp_counted_base at 0x82f4b28 at frame #0 is completely bogus. Some further instrumentation of the pool reveals that the address 0x82f4b28 is owned by the pool, but has never been handed out to the application.

-Chris
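
The kind of pool instrumentation described in the message above, as an added example that is not code from the original post, from shifted_ptr or from Boost. `TracedPool` and `stray_decrement_detected` are hypothetical names: the pool records whether each chunk was ever handed out and walks its intrusive free list to detect a clobbered link, and the helper simulates a stray `--use_count_`-style decrement landing on pool memory.

```cpp
#include <cstdint>
#include <cstring>
#include <vector>
// Hypothetical instrumented pool (not boost::pool). A free chunk keeps the
// address of the next free chunk in its first word (intrusive free list).
class TracedPool {
public:
    enum Owner { NotOurs, NeverHandedOut, HandedOut, Returned };
    TracedPool(std::size_t chunk, std::size_t count)
        : chunk_(chunk), buf_(chunk * count), state_(count, NeverHandedOut), head_(0) {
        for (std::size_t i = count; i-- > 0;) link(i);  // chunk 0 ends up at the head
    }
    void* allocate() {
        if (!head_) return nullptr;
        std::size_t i = index(head_);
        std::memcpy(&head_, &buf_[i * chunk_], sizeof head_);  // pop: head = next link
        state_[i] = HandedOut;
        return &buf_[i * chunk_];
    }
    void release(void* p) {  // foreign pointers and double frees are ignored
        if (classify(p) == HandedOut) { state_[index(addr(p))] = Returned; link(index(addr(p))); }
    }
    Owner classify(const void* p) const { return inside(addr(p)) ? state_[index(addr(p))] : NotOurs; }
    // Walk the free list: each link must be 0 or the start of a chunk that is not in use.
    bool free_list_intact() const {
        std::uintptr_t cur = head_;
        for (std::size_t n = 0; cur != 0; ++n) {
            if (n >= state_.size() || !inside(cur) || (cur - base()) % chunk_ != 0 ||
                state_[index(cur)] == HandedOut) return false;
            std::memcpy(&cur, &buf_[index(cur) * chunk_], sizeof cur);
        }
        return true;
    }
private:
    static std::uintptr_t addr(const void* p) { return reinterpret_cast<std::uintptr_t>(p); }
    std::uintptr_t base() const { return addr(buf_.data()); }
    bool inside(std::uintptr_t a) const { return a >= base() && a < base() + buf_.size(); }
    std::size_t index(std::uintptr_t a) const { return (a - base()) / chunk_; }
    void link(std::size_t i) {  // push chunk i on the free list
        std::memcpy(&buf_[i * chunk_], &head_, sizeof head_);
        head_ = addr(&buf_[i * chunk_]);
    }
    std::size_t chunk_; std::vector<unsigned char> buf_; std::vector<Owner> state_; std::uintptr_t head_;
};
// Constructed scenario: decrement the word at `word` by one, then re-check the free list.
bool stray_decrement_detected(TracedPool& pool, void* word) {
    std::uintptr_t v; std::memcpy(&v, word, sizeof v); --v; std::memcpy(word, &v, sizeof v);
    return !pool.free_list_intact();
}
```

Calling `free_list_intact()` after each allocate and release narrows the window in which the clobbering write happened; a decrement that lands in a chunk currently handed out is not caught by this walk.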