http://gcc.gnu.org/bugzilla/show_bug.cgi?id=52604
Bug #: 52604
Summary: mt allocator crashes on multi-threaded
Classification: Unclassified
Product: gcc
Version: 4.8.0
Status: UNCONFIRMED
Severity: normal
Priority: P3
Component: libstdc++
AssignedTo: unassig...@gcc.gnu.org
ReportedBy: laurent.alfo...@st.com

Created attachment 26904
  --> http://gcc.gnu.org/bugzilla/attachment.cgi?id=26904
Testcase to reproduce

There's a problem with mt_allocator when using multi-threads.
See example attached (g++ -lpthread).

At exit time,
 - the __freelist destructor is called, which does a __gthread_key_delete(_M_key).
 - and then afterwards, the std::list<> destructor is called.
This finally has the effect of using that thread key with gthread_setspecific.

Valgrind reports:
=================================
==5212== Invalid read of size 8
==5212==    at 0x4CA009D: __gnu_cxx::__pool<true>::_M_get_thread_id() (in ../gcc-4.6.3/lib64/libstdc++.so.6.0.16)
==5212==    by 0x4CA0173: __gnu_cxx::__pool<true>::_M_reclaim_block(char*, unsigned long) (in ../gcc-4.6.3/lib64/libstdc++.so.6.0.16)
==5212==    by 0x401989: __gnu_cxx::__mt_alloc<std::_List_node<std::string>, __gnu_cxx::__common_pool_policy<__gnu_cxx::__pool, true> >::deallocate(std::_List_node<std::string>*, unsigned long) (in /tmp/a.out)
==5212==    by 0x401847: std::_List_base<std::string, __gnu_cxx::__mt_alloc<std::string, __gnu_cxx::__common_pool_policy<__gnu_cxx::__pool, true> > >::_M_put_node(std::_List_node<std::string>*) (in /tmp/a.out)
==5212==    by 0x40168C: std::_List_base<std::string, __gnu_cxx::__mt_alloc<std::string, __gnu_cxx::__common_pool_policy<__gnu_cxx::__pool, true> > >::_M_clear() (in /tmp/a.out)
==5212==    by 0x40151A: std::_List_base<std::string, __gnu_cxx::__mt_alloc<std::string, __gnu_cxx::__common_pool_policy<__gnu_cxx::__pool, true> > >::~_List_base() (in /tmp/a.out)
==5212==    by 0x401BB1: std::list<std::string, __gnu_cxx::__mt_alloc<std::string, __gnu_cxx::__common_pool_policy<__gnu_cxx::__pool, true> > >::~list() (in /tmp/a.out)
==5212==    by 0x3814E30C94: exit (in /lib64/tls/libc-2.3.4.so)
==5212==    by 0x3814E1C411: (below main) (in /lib64/tls/libc-2.3.4.so)
==5212==  Address 0x5b5ce88 is 24 bytes inside a block of size 65,536 free'd
==5212==    at 0x4A077EC: operator delete(void*) (vg_replace_malloc.c:457)
==5212==    by 0x3814E30C94: exit (in /lib64/tls/libc-2.3.4.so)
==5212==    by 0x3814E1C411: (below main) (in /lib64/tls/libc-2.3.4.so)
=================================

I've seen a quite close bug report (http://gcc.gnu.org/bugzilla/show_bug.cgi?id=22309) that is already fixed in 4.0.0. This apparently led to a rewrite of part of mt_allocate (Jakub Jelinek). But this was not sufficient for the current bug report I'm reporting.

Thanks in advance.
Laurent Alfonsi
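
The teardown order described in the report, modelled as an added example that is not part of the original report, its attachment, or libstdc++. KeyState, FreeList, Container and uses_after_delete are hypothetical names, and the model assumes the freelist object is built lazily on the first allocation, after the container already exists.

```cpp
// Added illustration: a model of the exit-time ordering, with no real undefined behaviour.
#include <cstdio>
#include <memory>

// Outlives both objects so misuse can be counted instead of crashing.
struct KeyState {
    bool key_valid = false;      // stands in for the thread key held in _M_key
    int  uses_after_delete = 0;  // reclaim calls made once the key is gone
};

// Hypothetical stand-in for the allocator's freelist object.
struct FreeList {
    KeyState& st;
    explicit FreeList(KeyState& s) : st(s) { st.key_valid = true; }
    ~FreeList() { st.key_valid = false; }  // models __gthread_key_delete(_M_key)
};

// Hypothetical stand-in for a std::list using the mt allocator.
struct Container {
    KeyState& st;
    int live_nodes = 0;
    explicit Container(KeyState& s) : st(s) {}
    void push() { ++live_nodes; }
    ~Container() {
        // Each node is handed back to the pool, which needs the thread key.
        for (; live_nodes > 0; --live_nodes)
            if (!st.key_valid) ++st.uses_after_delete;
    }
};

// Objects in one scope are destroyed in reverse order of construction,
// the same rule that orders static-storage objects at exit().
int uses_after_delete(bool freelist_built_first, int nodes) {
    KeyState st;
    {
        std::unique_ptr<FreeList> early;
        if (freelist_built_first) early.reset(new FreeList(st));
        Container c(st);                                   // the program's list
        std::unique_ptr<FreeList> lazy;
        if (!freelist_built_first) lazy.reset(new FreeList(st));  // first allocation
        for (int i = 0; i < nodes; ++i) c.push();
    }  // destroyed in this order: lazy, c, early
    return st.uses_after_delete;
}

int main() {
    std::printf("freelist built lazily: %d uses after key delete\n", uses_after_delete(false, 3));
    std::printf("freelist built first:  %d uses after key delete\n", uses_after_delete(true, 3));
    return 0;
}
```

In the lazy case every node is returned after the key has been deleted, which corresponds to the invalid read Valgrind shows under ~list(); when the freelist is built first in this model, the container is torn down while the key is still valid.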