std::string::assign() causes segfault

Question

The situation:

I have a std::vector that contains strings at specific offsets. Here's a shortened dump:

...
@128    00 00 00 00 00 00 00 00 73 6F 6D 65 74 68 69 33 ........somethin
@144    38 36 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ng..............
@160    00 00 00 00 00 00 00 00 31 2E 32 2E 33 00 00 00 ........1.2.3...
@176    00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
...

I am trying to extract the data at offset 136 and put it into a std::string:

std::string x;
x.assign(vec.begin()+136, vec.begin()+168);

This however, causes my application to segfault. Now I'm pretty new at software development under linux, but I do know how to start my app in gdb and get a backtrace, and tracked the problem down here:

(gdb) backtrace
#0  0xb7536d78 in ?? () from /lib/i686/cmov/libc.so.6
#1  0xb7538cd5 in malloc () from /lib/i686/cmov/libc.so.6
#2  0xb7708957 in operator new(unsigned int) () from /usr/lib/libstdc++.so.6
#3  0xb76e4146 in std::string::_Rep::_S_create(unsigned int, unsigned int, std::allocator<char> const&) () from /usr/lib/libstdc++.so.6
#4  0xb76e63b0 in std::string::_M_mutate(unsigned int, unsigned int, unsigned int) () from /usr/lib/libstdc++.so.6
#5  0xb76e654a in std::string::_M_replace_safe(unsigned int, unsigned int, char const*, unsigned int) () from /usr/lib/libstdc++.so.6
#6  0x0806d651 in std::string::_M_replace_dispatch<__gnu_cxx::__normal_iterator<unsigned char const*, std::vector<unsigned char, std::allocator<unsigned char> > > > (this=0xbfffe464, __i1=..., __i2=..., __k1=..., __k2=...) at /usr/include/c++/4.3/bits/basic_string.tcc:637
#7  0x0806d26e in std::string::replace<__gnu_cxx::__normal_iterator<unsigned char const*, std::vector<unsigned char, std::allocator<unsigned char> > > > (this=0x811c730, vec=...) at /usr/include/c++/4.3/bits/basic_string.h:1390
#8  std::string::assign<__gnu_cxx::__normal_iterator<unsigned char const*, std::vector<unsigned char, std::allocator<unsigned char> > > > (
    this=0x811c730, vec=...) at /usr/include/c++/4.3/bits/basic_string.h:958
#9  myclass::somemethod (this=0x811c730, vec=...) at myclass.cpp:135

Printing vec.size() returns 200 and even looping over the vector and printing the data causes me no problems (exactly above the crashing snippet!).

I am compiling in debian with g++ 4.3.4... Any pointers on what this problem could be?

Answer 1

There is likely a mismatched free/delete somewhere else in your code that is delaying the symptom until now. When you use freed memory, the operating system is free to continue as long as it sees fit.

Try running the program in valgrind. valgrind uses its own malloc and free so it can alert you to incorrect news and deletes. Make sure to compile without optimisations and with -g:

g++ -g main.cc -o binary
valgrind --leak-check=full ./binary

Make sure you to do not create a pointer from a stack variable that goes out of scope. For example, this is a common mistake among newer developers:

int *foo() {
    int a = 0;
    // do something to a here
    return &a;
}

As a has gone out of scope, you are returning a pointer to freed memory.