glibc double-free crash

[robn]

I don't know how to describe what the problem is, but here's a test case:

fn main() { 
    let s = "a b c d e f g";
    let mut split = ~[];
    str::each_split_char_nonempty(s, ' ', |bit| {
        split.push(str::from_slice(bit));
        true
    });

    match vec::shift(&mut split) {
        x => io::println(fmt!("first bit: %s", x)),
    }
}

robn@pyro:~$ rustc -v
rustc 0.6
host: x86_64-unknown-linux-gnu
robn@pyro:~$ rustc -o test test.rs

On run, we get:

robn@pyro:~$ ./test 
first bit: a
*** glibc detected *** ./test: double free or corruption (fasttop): 0x0000000000822d80 ***
======= Backtrace: =========
/lib/x86_64-linux-gnu/libc.so.6(+0x76d76)[0x7f28a44f8d76]
/lib/x86_64-linux-gnu/libc.so.6(cfree+0x6c)[0x7f28a44fdaac]
/home/robn/bin/rust/lib/rustc/x86_64-unknown-linux-gnu/lib/librustrt.so(+0x2c6c9)[0x7f28a531c6c9]
/home/robn/bin/rust/lib/rustc/x86_64-unknown-linux-gnu/lib/librustrt.so(upcall_call_shim_on_c_stack+0x9c)[0x7f28a530d47c]
/home/robn/bin/rust/lib/rustc/x86_64-unknown-linux-gnu/lib/libcore-c3ca5d77d81b46c1-0.6.so(_ZN8unstable14exchange_alloc4free16_339db5318526f133_06E+0x53)[0x7f28a5676553]
./test[0x401a4d]
./test[0x4019cf]
./test[0x401790]
./test[0x404fa0]
./test(_rust_main+0x2e)[0x4017ee]
/home/robn/bin/rust/lib/rustc/x86_64-unknown-linux-gnu/lib/librustrt.so(_Z18task_start_wrapperP10spawn_args+0x24)[0x7f28a530c474]
======= Memory map: ========
00400000-00407000 r-xp 00000000 08:01 2114174                            /home/robn/test
00606000-00607000 rw-p 00006000 08:01 2114174                            /home/robn/test
0081e000-0083f000 rw-p 00000000 00:00 0                                  [heap]
7f289c000000-7f289c021000 rw-p 00000000 00:00 0 
7f289c021000-7f28a0000000 ---p 00000000 00:00 0 
7f28a3f76000-7f28a417b000 rw-p 00000000 00:00 0                          [stack:22298]
7f28a417b000-7f28a4263000 r-xp 00000000 08:01 12756139                   /usr/lib/x86_64-linux-gnu/libstdc++.so.6.0.17
7f28a4263000-7f28a4463000 ---p 000e8000 08:01 12756139                   /usr/lib/x86_64-linux-gnu/libstdc++.so.6.0.17
7f28a4463000-7f28a446b000 r--p 000e8000 08:01 12756139                   /usr/lib/x86_64-linux-gnu/libstdc++.so.6.0.17
7f28a446b000-7f28a446d000 rw-p 000f0000 08:01 12756139                   /usr/lib/x86_64-linux-gnu/libstdc++.so.6.0.17
7f28a446d000-7f28a4482000 rw-p 00000000 00:00 0 
7f28a4482000-7f28a4602000 r-xp 00000000 08:01 7604731                    /lib/x86_64-linux-gnu/libc-2.13.so
7f28a4602000-7f28a4802000 ---p 00180000 08:01 7604731                    /lib/x86_64-linux-gnu/libc-2.13.so
7f28a4802000-7f28a4806000 r--p 00180000 08:01 7604731                    /lib/x86_64-linux-gnu/libc-2.13.so
7f28a4806000-7f28a4807000 rw-p 00184000 08:01 7604731                    /lib/x86_64-linux-gnu/libc-2.13.so
7f28a4807000-7f28a480c000 rw-p 00000000 00:00 0 
7f28a480c000-7f28a4821000 r-xp 00000000 08:01 7604730                    /lib/x86_64-linux-gnu/libgcc_s.so.1
7f28a4821000-7f28a4a21000 ---p 00015000 08:01 7604730                    /lib/x86_64-linux-gnu/libgcc_s.so.1
7f28a4a21000-7f28a4a22000 rw-p 00015000 08:01 7604730                    /lib/x86_64-linux-gnu/libgcc_s.so.1
7f28a4a22000-7f28a4aa3000 r-xp 00000000 08:01 7604726                    /lib/x86_64-linux-gnu/libm-2.13.so
7f28a4aa3000-7f28a4ca2000 ---p 00081000 08:01 7604726                    /lib/x86_64-linux-gnu/libm-2.13.so
7f28a4ca2000-7f28a4ca3000 r--p 00080000 08:01 7604726                    /lib/x86_64-linux-gnu/libm-2.13.so
7f28a4ca3000-7f28a4ca4000 rw-p 00081000 08:01 7604726                    /lib/x86_64-linux-gnu/libm-2.13.so
7f28a4ca4000-7f28a4ca6000 r-xp 00000000 08:01 7604722                    /lib/x86_64-linux-gnu/libdl-2.13.so
7f28a4ca6000-7f28a4ea6000 ---p 00002000 08:01 7604722                    /lib/x86_64-linux-gnu/libdl-2.13.so
7f28a4ea6000-7f28a4ea7000 r--p 00002000 08:01 7604722                    /lib/x86_64-linux-gnu/libdl-2.13.so
7f28a4ea7000-7f28a4ea8000 rw-p 00003000 08:01 7604722                    /lib/x86_64-linux-gnu/libdl-2.13.so
7f28a4ea8000-7f28a4ebf000 r-xp 00000000 08:01 7604693                    /lib/x86_64-linux-gnu/libpthread-2.13.so
7f28a4ebf000-7f28a50be000 ---p 00017000 08:01 7604693                    /lib/x86_64-linux-gnu/libpthread-2.13.so
7f28a50be000-7f28a50bf000 r--p 00016000 08:01 7604693                    /lib/x86_64-linux-gnu/libpthread-2.13.so
7f28a50bf000-7f28a50c0000 rw-p 00017000 08:01 7604693                    /lib/x86_64-linux-gnu/libpthread-2.13.so
7f28a50c0000-7f28a50c4000 rw-p 00000000 00:00 0 
7f28a50c4000-7f28a50cb000 r-xp 00000000 08:01 7604724                    /lib/x86_64-linux-gnu/librt-2.13.so
7f28a50cb000-7f28a52ca000 ---p 00007000 08:01 7604724                    /lib/x86_64-linux-gnu/librt-2.13.so
7f28a52ca000-7f28a52cb000 r--p 00006000 08:01 7604724                    /lib/x86_64-linux-gnu/librt-2.13.so
7f28a52cb000-7f28a52cc000 rw-p 00007000 08:01 7604724                    /lib/x86_64-linux-gnu/librt-2.13.so
7f28a52d2000-7f28a52d3000 ---p 00000000 00:00 0 
7f28a52d3000-7f28a52d7000 rw-p 00000000 00:00 0                          [stack:22299]
7f28a52d7000-7f28a52d8000 ---p 00000000 00:00 0 
7f28a52d8000-7f28a52f0000 rw-p 00000000 00:00 0 
7f28a52f0000-7f28a534c000 r-xp 00000000 08:01 5380389                    /home/robn/bin/rust/lib/rustc/x86_64-unknown-linux-gnu/lib/librustrt.so
7f28a534c000-7f28a554b000 ---p 0005c000 08:01 5380389                    /home/robn/bin/rust/lib/rustc/x86_64-unknown-linux-gnu/lib/librustrt.so
7f28a554b000-7f28a554d000 rw-p 0005b000 08:01 5380389                    /home/robn/bin/rust/lib/rustc/x86_64-unknown-linux-gnu/lib/librustrt.so
7f28a554d000-7f28a56dd000 r-xp 00000000 08:01 5380390                    /home/robn/bin/rust/lib/rustc/x86_64-unknown-linux-gnu/lib/libcore-c3ca5d77d81b46c1-0.6.so
7f28a56dd000-7f28a58dc000 ---p 00190000 08:01 5380390                    /home/robn/bin/rust/lib/rustc/x86_64-unknown-linux-gnu/lib/libcore-c3ca5d77d81b46c1-0.6.so
7f28a58dc000-7f28a5a58000 rw-p 0018f000 08:01 5380390                    /home/robn/bin/rust/lib/rustc/x86_64-unknown-linux-gnu/lib/libcore-c3ca5d77d81b46c1-0.6.so
7f28a5a58000-7f28a5a78000 r-xp 00000000 08:01 7604737                    /lib/x86_64-linux-gnu/ld-2.13.so
7f28a5c72000-7f28a5c77000 rw-p 00000000 00:00 0 
7f28a5c77000-7f28a5c78000 r--p 0001f000 08:01 7604737                    /lib/x86_64-linux-gnu/ld-2.13.so
7f28a5c78000-7f28a5c79000 rw-p 00020000 08:01 7604737                    /lib/x86_64-linux-gnu/ld-2.13.so
7f28a5c79000-7f28a5c7a000 rw-p 00000000 00:00 0 
7fff5d48d000-7fff5d604000 rw-p 00000000 00:00 0                          [stack]
7fff5d70c000-7fff5d70d000 r-xp 00000000 00:00 0                          [vdso]
ffffffffff600000-ffffffffff601000 r-xp 00000000 00:00 0                  [vsyscall]
Aborted

[huonw]

A slightly smaller testcase:

fn main() {
    let mut split = ~[~"a"];

    match vec::shift(&mut split) {
        _x => {}
    }
}

Changing the _x to a _ stops the double free, as does changing the match to a let (or just calling vec::shift with no let or match), or the ~str to a &'static str.

Also, removing the element of the vector (so that it is let mut split = ~[]) causes:

issue-5885.rs:4:21: 4:31 error: internal compiler error: 0'th deref is of a non-deref'able type `[type error]`
issue-5885.rs:4     match vec::shift(&mut split) {
                                     ^~~~~~~~~~

[Aatch]

This is fixed.