[SOLVED] Mysterious write violation on my variable

Mysterious write violation on my variable

I have an library that don't give correct output. I guess it is possibly an write violation, and focused it on this section of code:

void Page::build_default_frame(PosType genome_display_length)
{
    Frame* frame = new Frame(*this,
                             margin_left,
                             margin_top,
                             width - margin_left - margin_right,
                             genome_display_length);
    default_frame = frame;
    frames.insert(default_frame);
}

The default_frame is a boost intrusive_ptr<Frame>.

Before execute the sentence default_frame = frame, the content of object frame was all right, but after that, its contents were modified to weird value. So I set two watches on two member variables of frame object:

(gdb) watch -l frame->genome_scale.genome_display_length 
Hardware watchpoint 4: -location frame->genome_scale.genome_display_length
(gdb) watch -l frame->genome_scale.frame_width 
Hardware watchpoint 5: -location frame->genome_scale.frame_width

and then continue. It suddenly reports write operation on these address:

(gdb) c
Continuing.
Hardware watchpoint 4: -location frame->genome_scale.genome_display_length

Old value = 1000
New value = 16
_dl_runtime_resolve () at ../sysdeps/x86_64/dl-trampoline.S:39
39  ../sysdeps/x86_64/dl-trampoline.S: No such file or directory.
(gdb) bt
#0  _dl_runtime_resolve () at ../sysdeps/x86_64/dl-trampoline.S:39
#1  0x00007ffff7b93dd0 in geno_eye::Page::build_default_frame (this=0x6071b0, genome_display_length=1000)
    at /home/yangxi/projects/GenoEye/src/geno_eye/Page.cpp:127
#2  0x00007ffff7b93cc1 in geno_eye::Page::Page (this=0x6071b0, context=0x607750, width=300, height=300, 
    genome_display_length=1000) at /home/yangxi/projects/GenoEye/src/geno_eye/Page.cpp:29
#3  0x00000000004016b8 in geno_eye::__tester__::run (this=0x7fffffffe1c8)
    at /home/yangxi/projects/GenoEye/t/t_page.cpp:15
#4  0x00000000004015d1 in main () at /home/yangxi/projects/GenoEye/t/t_page.cpp:36
(gdb) c
Continuing.
Hardware watchpoint 5: -location frame->genome_scale.frame_width

Old value = 240
New value = 3.1228427039313504e-317
_dl_runtime_resolve () at ../sysdeps/x86_64/dl-trampoline.S:40
40  in ../sysdeps/x86_64/dl-trampoline.S
(gdb) bt
#0  _dl_runtime_resolve () at ../sysdeps/x86_64/dl-trampoline.S:40
#1  0x00007ffff7b93dd0 in geno_eye::Page::build_default_frame (this=0x6071b0, genome_display_length=1000)
    at /home/yangxi/projects/GenoEye/src/geno_eye/Page.cpp:127
#2  0x00007ffff7b93cc1 in geno_eye::Page::Page (this=0x6071b0, context=0x607750, width=300, height=300, 
    genome_display_length=1000) at /home/yangxi/projects/GenoEye/src/geno_eye/Page.cpp:29
#3  0x00000000004016b8 in geno_eye::__tester__::run (this=0x7fffffffe1c8)
    at /home/yangxi/projects/GenoEye/t/t_page.cpp:15
#4  0x00000000004015d1 in main () at /home/yangxi/projects/GenoEye/t/t_page.cpp:36

The two old values are the correct values for that two member variables. This write operation is happened before executing the = function of boost intrusive_ptr, as I pressed tens of "next", and the code is still in file dl-trampoline.S.

(gdb) n
41  in ../sysdeps/x86_64/dl-trampoline.S
(gdb) n
42  in ../sysdeps/x86_64/dl-trampoline.S
(gdb) n
43  in ../sysdeps/x86_64/dl-trampoline.S
(gdb) n
44  in ../sysdeps/x86_64/dl-trampoline.S
(gdb) n
45  in ../sysdeps/x86_64/dl-trampoline.S
(gdb) n
46  in ../sysdeps/x86_64/dl-trampoline.S
(gdb) n
47  in ../sysdeps/x86_64/dl-trampoline.S
(gdb) n
48  in ../sysdeps/x86_64/dl-trampoline.S
(gdb) n
49  in ../sysdeps/x86_64/dl-trampoline.S
(gdb) n
50  in ../sysdeps/x86_64/dl-trampoline.S
(gdb) n
51  in ../sysdeps/x86_64/dl-trampoline.S
(gdb) n
52  in ../sysdeps/x86_64/dl-trampoline.S
(gdb) n
53  in ../sysdeps/x86_64/dl-trampoline.S
(gdb) n
54  in ../sysdeps/x86_64/dl-trampoline.S
(gdb) n
56  in ../sysdeps/x86_64/dl-trampoline.S
(gdb) n
boost::intrusive_ptr<geno_eye::Frame>::operator= (this=0x6071b0, rhs=0x3e8)
    at /usr/include/boost/smart_ptr/intrusive_ptr.hpp:134
134     {

What is dl-trampoline.S ? Why it silently write on the memory of my object?

In addition of that, I also run valgrind:

$ valgrind ./t_page

However, instead of invalid write, it reports invalid read to that object, which is happened after the object creation is finished.

Solution

This is caused by an reference-to-stack bug.

Object genome_scale holds two references to two member variables of frame object. When I reconstruct my code, it accidentally reference to two stack variables...

So, maybe I should avoid the use of reference types in this situation, as you can easily provide stack stuffs to them and don't get any warns.