Strange glibc detected free() invalid pointer error

Question

I realise that there are a lot of questions on so with this error

    *** glibc detected *** /usr/bin/obj_to_bob_debug: free(): invalid pointer: 0x0000000000bde130 ***
======= Backtrace: =========
/lib/x86_64-linux-gnu/libc.so.6(+0x7ec66)[0x7f2d1f33fc66]
/usr/lib/x86_64-linux-gnu/libstdc++.so.6(_ZNSsD1Ev+0x23)[0x7f2d1fc31c13]
/usr/bin/obj_to_bob_debug[0x4023b7]
/lib/x86_64-linux-gnu/libc.so.6(__libc_start_main+0xed)[0x7f2d1f2e278d]
/usr/bin/obj_to_bob_debug[0x402109]
======= Memory map: ========
00400000-00415000 r-xp 00000000 fc:00 1061803                            /usr/bin/obj_to_bob_debug
00614000-00615000 r--p 00014000 fc:00 1061803                            /usr/bin/obj_to_bob_debug
00615000-00616000 rw-p 00015000 fc:00 1061803                            /usr/bin/obj_to_bob_debug
00bde000-00bff000 rw-p 00000000 00:00 0                                  [heap]
7f2d1f2c1000-7f2d1f476000 r-xp 00000000 fc:00 275257                     /lib/x86_64-linux-gnu/libc-2.15.so
7f2d1f476000-7f2d1f676000 ---p 001b5000 fc:00 275257                     /lib/x86_64-linux-gnu/libc-2.15.so
7f2d1f676000-7f2d1f67a000 r--p 001b5000 fc:00 275257                     /lib/x86_64-linux-gnu/libc-2.15.so
7f2d1f67a000-7f2d1f67c000 rw-p 001b9000 fc:00 275257                     /lib/x86_64-linux-gnu/libc-2.15.so
7f2d1f67c000-7f2d1f681000 rw-p 00000000 00:00 0
7f2d1f681000-7f2d1f696000 r-xp 00000000 fc:00 262189                     /lib/x86_64-linux-gnu/libgcc_s.so.1
7f2d1f696000-7f2d1f895000 ---p 00015000 fc:00 262189                     /lib/x86_64-linux-gnu/libgcc_s.so.1
7f2d1f895000-7f2d1f896000 r--p 00014000 fc:00 262189                     /lib/x86_64-linux-gnu/libgcc_s.so.1
7f2d1f896000-7f2d1f897000 rw-p 00015000 fc:00 262189                     /lib/x86_64-linux-gnu/libgcc_s.so.1
7f2d1f897000-7f2d1f992000 r-xp 00000000 fc:00 275262                     /lib/x86_64-linux-gnu/libm-2.15.so
7f2d1f992000-7f2d1fb91000 ---p 000fb000 fc:00 275262                     /lib/x86_64-linux-gnu/libm-2.15.so
7f2d1fb91000-7f2d1fb92000 r--p 000fa000 fc:00 275262                     /lib/x86_64-linux-gnu/libm-2.15.so
7f2d1fb92000-7f2d1fb93000 rw-p 000fb000 fc:00 275262                     /lib/x86_64-linux-gnu/libm-2.15.so
7f2d1fb93000-7f2d1fc75000 r-xp 00000000 fc:00 1054000                    /usr/lib/x86_64-linux-gnu/libstdc++.so.6.0.16
7f2d1fc75000-7f2d1fe74000 ---p 000e2000 fc:00 1054000                    /usr/lib/x86_64-linux-gnu/libstdc++.so.6.0.16
7f2d1fe74000-7f2d1fe7c000 r--p 000e1000 fc:00 1054000                    /usr/lib/x86_64-linux-gnu/libstdc++.so.6.0.16
7f2d1fe7c000-7f2d1fe7e000 rw-p 000e9000 fc:00 1054000                    /usr/lib/x86_64-linux-gnu/libstdc++.so.6.0.16
7f2d1fe7e000-7f2d1fe93000 rw-p 00000000 00:00 0
7f2d1fe93000-7f2d1feb5000 r-xp 00000000 fc:00 275249                     /lib/x86_64-linux-gnu/ld-2.15.so
7f2d200a8000-7f2d200ad000 rw-p 00000000 00:00 0
7f2d200b2000-7f2d200b5000 rw-p 00000000 00:00 0
7f2d200b5000-7f2d200b6000 r--p 00022000 fc:00 275249                     /lib/x86_64-linux-gnu/ld-2.15.so
7f2d200b6000-7f2d200b8000 rw-p 00023000 fc:00 275249                     /lib/x86_64-linux-gnu/ld-2.15.so
7fffe2f9f000-7fffe2fc0000 rw-p 00000000 00:00 0                          [stack]
7fffe2ffe000-7fffe3000000 r-xp 00000000 00:00 0                          [vdso]
ffffffffff600000-ffffffffff601000 r-xp 00000000 00:00 0                  [vsyscall]
Aborted (core dumped)

Before I post up a load of code, I'll try to explain what I find strange about it... I compile my program (4 .cpp files and 3 .h file) with g++ and 95% of the time it runs fine. It parses .obj files and writes out to my own binary format .bob. On files where this error occurs it is consistent for the exact same call to it eg.

root@DevVm64-Liam:/# /usr/bin/obj_to_bob_debug /usr/local/apache2/htdocs/uploads/3dmodels/3/24/sample\ obj\ file.obj

However for any file that fails, changing the input file name's length makes it run fine eg.

root@DevVm64-Liam:/# /usr/bin/obj_to_bob_debug /usr/local/apache2/htdocs/uploads/3dmodels/3/24/sample\ obj\ file1.obj

but changing the file name so that it is the same length the error will occur.

This happens regardless of [properly escaped] spaces in the file name.

Rather that posting up a load of code (I have no idea where in my code the error is occuring) Can anyone suggest why this might be happening? If necessary I can try to cut out the bulk of the code and post up the possible areas it could be happening.

Note: I never call free or delete as I only use one or two auto_ptr

Ive a feeling but I'm not sure that theres a problem with this bit of code

    string outFile;

    //if no output file given set to same as input file with obj replaced with bob
    if (argc == 2) {
        char* tempOutFile = new char[fineName.length()];
        strcpy(tempOutFile, (fileName.substr(0, fileName.length()-4) + ".bob").c_str());
        outFile.assign(tempOutFile);
        delete tempOutFile;
    } else {
        outFile = argv[2];
    }

I've been reading that there can be problems with strcpy but I don't see any problems with the code...

Answer 1

Pretty sure this is an undefined behaviour. strcpy is copying to an uninitialized pointer.

char* tempOutFile; // = ???
// now your copying from the sub-string to an unknown memory address
strcpy(tempOutFile, (fileName.substr(0, fileName.length()-4) + ".bob").c_str());

All of this to simply copy the substring to another string? Just do so:

string outFile;

//if no output file given set to same as input file with obj replaced with bob
if (argc == 2) {
    outFile = fileName.substr(0, fileName.length()-4) + ".bob";
} else {
    outFile = argv[2];
}

Also, don't forget that name use to call the program is stored in argv[0] . So if argc == 2 , your program really has only one argument, argv[1] .

     $ ./prog arg1 arg2
argv   ^-- 0  ^--1 ^--2
argc == 3 (size of argv)