Segmentation violation with ROOT 6.16


ROOT Version: 6.16
Platform: Linux
Compiler: gcc


Hello, I develop a program that uses the Qt and ROOT libraries.
I discovered that my program ends with a segmentation violation when I link it against the ROOT 6.16 libraries, while it exits normally with the previous version of ROOT (6.14.04).

Here is the backtrace from gdb:

The lines below might hint at the cause of the crash.
You may get help by asking at the ROOT forum http://root.cern.ch/forum
Only if you are really convinced it is a bug in ROOT then please submit a
report at http://root.cern.ch/bugs Please post the ENTIRE stack trace
from above as an attachment in addition to anything else
that might help us fixing this issue.
===========================================================
#6  0x00007f08459307de in TString::operator= (this=this
entry=0x3e85e08, cs=0xc <error: Cannot access memory at address 0xc>) at /home/pamputt/root-6-16-00-patches/core/base/src/TString.cxx:270
#7  0x00007f08459126bd in TNamed::SetTitle (this=0x3e85de0, title=<optimized out>) at /home/pamputt/root-6-16-00-patches/core/base/src/TNamed.cxx:166
#8  0x000000000041c418 in Analyse::fitSpectrum (this=0x35e7370, h=0x3e85c90) at analyse.cpp:220
#9  0x000000000041dcdc in Analyse::analyse2Dspectrum (this=0x35e7370, m=...) at analyse.cpp:417
#10 0x000000000041088a in main (argc=1, argv=0x7fff21d43868) at main.cpp:38
===========================================================

The line 220 of analyse.cpp is simply

TH1 *hbkg = h->ShowBackground(12,opt.toStdString().c_str());

And opt is simply defined a few lines above as QString opt = "";

So I suspect the crash comes from ROOT itself and not from my program. I do not know how I can help you more, so please ask me if needed.

Hi,
can you compile with -fsanitize=address and/or run it with valgrind --suppressions=$ROOTSYS/etc/valgrind-root.supp, then run again and post the outputs?

opt.toStdString().c_str() looks fishy: the char* returned by c_str() will point to the data of a temporary std::string created by toStdString().

Cheers,
Enrico
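The lifetime question raised in the reply above, as an added example that is not code from the thread, from ROOT or from Qt: a hypothetical FakeQString stands in for QString (the only property that matters is that toStdString() returns a std::string by value, i.e. a temporary), and consumeOption stands in for a char* parameter such as ShowBackground's. In C++ the temporary returned by toStdString() lives until the end of the full-expression that contains the call, so passing c_str() straight into the callee is well-defined; what dangles is a pointer kept past that statement. All class and function names here are assumptions made for the example.

```cpp
#include <string>

// Hypothetical stand-in for QString: the one property that matters is that
// toStdString() returns a std::string by value, i.e. a temporary.
struct FakeQString {
    std::string data;
    std::string toStdString() const { return data; }
};

// Hypothetical stand-in for a char* parameter such as TH1::ShowBackground's
// option string: the callee copies the text while the pointer is still valid.
static std::string consumeOption(const char *opt) {
    return opt ? std::string(opt) : std::string();
}

// The form used in the thread. The temporary std::string returned by
// toStdString() is destroyed at the end of the full-expression, i.e. after
// consumeOption returns, so c_str() is valid for the whole call.
std::string useWithinFullExpression(const FakeQString &q) {
    return consumeOption(q.toStdString().c_str());
}

// The genuinely dangerous shape: the temporary dies at the semicolon and p
// now points into freed (or reused) memory. Shown only for contrast;
// nothing in this file dereferences the returned pointer.
const char *danglingPointer(const FakeQString &q) {
    const char *p = q.toStdString().c_str();  // temporary destroyed here
    return p;                                 // dangling from this point on
}

// The suggested form from the thread: a named local makes the lifetime
// explicit and outlives every use of c_str(), so a later refactor cannot
// silently turn it into the dangling shape above.
std::string useNamedLocal(const FakeQString &q) {
    const std::string str = q.toStdString();
    return consumeOption(str.c_str());
}

int main() {
    const FakeQString opt{""};  // same empty option as in the thread
    return useWithinFullExpression(opt) == useNamedLocal(opt) ? 0 : 1;
}
```

The named-local form costs nothing and makes the lifetime obvious to a reviewer, which is why it is worth adopting even though the one-liner is valid. Note that an AddressSanitizer build only reports the dangling variant as a heap-use-after-free once the pointer is dereferenced and only when the string's buffer was heap-allocated; a short option such as "" is usually stored inline by the small-string optimisation and can escape detection entirely.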

Here is what I get with -fsanitize=address using gdb:

Thread 1 "Gammalysis" received signal SIGSEGV, Segmentation fault.
0x00007ffff6a607de in TString::operator= (this=this@entry=0x619000c3f6f8, cs=0xc <error: Cannot access memory at address 0xc>)
    at /home/pamputt/root-6-16-00-patches/core/base/src/TString.cxx:270
270        if (!cs || !*cs) {
(gdb) bt
#0  0x00007ffff6a607de in TString::operator= (this=this@entry=0x619000c3f6f8, cs=0xc <error: Cannot access memory at address 0xc>)
    at /home/pamputt/root-6-16-00-patches/core/base/src/TString.cxx:270
#1  0x00007ffff6a426bd in TNamed::SetTitle (this=0x619000c3f6d0, title=<optimized out>)
    at /home/pamputt/root-6-16-00-patches/core/base/src/TNamed.cxx:166
#2  0x000000000041c468 in Analyse::fitSpectrum (this=0x603000034870, h=0x619000c3f580) at analyse.cpp:219
#3  0x000000000041dd2c in Analyse::analyse2Dspectrum (this=0x603000034870, m=...) at analyse.cpp:416
#4  0x00000000004108da in main (argc=1, argv=0x7fffffffd548) at main.cpp:38

And here is the valgrind output:

valgrind --suppressions=$ROOTSYS/etc/valgrind-root.supp --leak-check=full --show-leak-kinds=all --log-file=valgrind.log Gammalysis

==28173== Memcheck, a memory error detector
==28173== Copyright (C) 2002-2015, and GNU GPL'd, by Julian Seward et al.
==28173== Using Valgrind-3.12.0 and LibVEX; rerun with -h for copyright info
==28173== Command: Gammalysis
==28173== Parent PID: 13696
==28173== 
==28173== 
==28173== HEAP SUMMARY:
==28173==     in use at exit: 32 bytes in 1 blocks
==28173==   total heap usage: 1 allocs, 0 frees, 32 bytes allocated
==28173== 
==28173== 32 bytes in 1 blocks are still reachable in loss record 1 of 1
==28173==    at 0x4C29CF8: calloc (vg_replace_malloc.c:711)
==28173==    by 0x9CFF6F6: ??? (in /usr/lib64/libdl-2.22.so)
==28173==    by 0x9CFF147: dlsym (in /usr/lib64/libdl-2.22.so)
==28173==    by 0x4EE7A3B: ??? (in /usr/lib64/libasan.so.2.0.0)
==28173==    by 0x4EBD29E: ??? (in /usr/lib64/libasan.so.2.0.0)
==28173==    by 0x4ED0F67: ??? (in /usr/lib64/libasan.so.2.0.0)
==28173==    by 0x400F611: _dl_init (in /usr/lib64/ld-2.22.so)
==28173==    by 0x4000BF9: ??? (in /usr/lib64/ld-2.22.so)
==28173== 
==28173== LEAK SUMMARY:
==28173==    definitely lost: 0 bytes in 0 blocks
==28173==    indirectly lost: 0 bytes in 0 blocks
==28173==      possibly lost: 0 bytes in 0 blocks
==28173==    still reachable: 32 bytes in 1 blocks
==28173==         suppressed: 0 bytes in 0 blocks
==28173== 
==28173== For counts of detected and suppressed errors, rerun with: -v
==28173== ERROR SUMMARY: 0 errors from 0 contexts (suppressed: 0 from 0)

About opt.toStdString().c_str(), I have no choice because the ShowBackground method only takes a char* as input. I tried replacing it with TH1 *hbkg = h->ShowBackground(12) but I still get exactly the same segfault with ROOT 6.16.

FYI, this is what I get linking against ROOT 6.14.06 with gdb:

=================================================================
==4779==ERROR: AddressSanitizer: alloc-dealloc-mismatch (malloc vs operator delete) on 0x611000166380
    #0 0x7ffff6f0a87a in operator delete(void*) (/usr/lib64/libasan.so.2+0x9587a)
    #1 0x7ffff34e600e in std::_Sp_counted_base<(__gnu_cxx::_Lock_policy)2>::_M_release() /usr/include/c++/5.5.0/bits/shared_ptr_base.h:150
    #2 0x7ffff34e600e in std::__shared_count<(__gnu_cxx::_Lock_policy)2>::~__shared_count() /usr/include/c++/5.5.0/bits/shared_ptr_base.h:659
    #3 0x7ffff34e600e in std::__shared_ptr<ROOT::Math::Minimizer, (__gnu_cxx::_Lock_policy)2>::~__shared_ptr() /usr/include/c++/5.5.0/bits/shared_ptr_base.h:925
    #4 0x7ffff34e600e in std::shared_ptr<ROOT::Math::Minimizer>::~shared_ptr() /usr/include/c++/5.5.0/bits/shared_ptr.h:93
    #5 0x7ffff34e600e in ROOT::Fit::FitResult::~FitResult() /home/pamputt/root-6.14.06/math/mathcore/src/FitResult.cxx:236
    #6 0x7ffff591570a in TFitResult::~TFitResult() /home/pamputt/root-6.14.06/builddir/include/TFitResult.h:49
    #7 0x7ffff591570a in TFitResult::~TFitResult() /home/pamputt/root-6.14.06/builddir/include/TFitResult.h:49
    #8 0x7ffff591570a in std::_Sp_counted_ptr<TFitResult*, (__gnu_cxx::_Lock_policy)2>::_M_dispose() /usr/include/c++/5.5.0/bits/shared_ptr_base.h:374
    #9 0x7ffff6a39235 in std::_Sp_counted_base<(__gnu_cxx::_Lock_policy)2>::_M_release() /usr/include/c++/5.5.0/bits/shared_ptr_base.h:150
    #10 0x7ffff591f005 in std::__shared_count<(__gnu_cxx::_Lock_policy)2>::~__shared_count() /usr/include/c++/5.5.0/bits/shared_ptr_base.h:659
    #11 0x7ffff591f005 in std::__shared_ptr<TFitResult, (__gnu_cxx::_Lock_policy)2>::~__shared_ptr() /usr/include/c++/5.5.0/bits/shared_ptr_base.h:925
    #12 0x7ffff591f005 in std::shared_ptr<TFitResult>::~shared_ptr() /usr/include/c++/5.5.0/bits/shared_ptr.h:93
    #13 0x7ffff591f005 in TFitResultPtr HFit::Fit<TH1>(TH1*, TF1*, Foption_t&, ROOT::Math::MinimizerOptions const&, char const*, ROOT::Fit::DataRange&) /home/pamputt/root-6.14.06/hist/hist/src/HFitImpl.cxx:167
    #14 0x7ffff5914d64 in ROOT::Fit::FitObject(TH1*, TF1*, Foption_t&, ROOT::Math::MinimizerOptions const&, char const*, ROOT::Fit::DataRange&) /home/pamputt/root-6.14.06/hist/hist/src/HFitImpl.cxx:973
    #15 0x7ffff59cfa5d in TH1::Fit(TF1*, char const*, char const*, double, double) /home/pamputt/root-6.14.06/hist/hist/src/TH1.cxx:4040
    #16 0x7ffff59cf008 in TH1::Fit(char const*, char const*, char const*, double, double) /home/pamputt/root-6.14.06/hist/hist/src/TH1.cxx:3723
    #17 0x41c126 in Analyse::findPeaks(TH1*, int&, int) /home/pamputt/dev/STAGE/Valentin2018/OO/code/analyse.cpp:186
    #18 0x41c4d1 in Analyse::fitSpectrum(TH1*) /home/pamputt/dev/STAGE/Valentin2018/OO/code/analyse.cpp:223
    #19 0x41dd2b in Analyse::analyse2Dspectrum(QMainCanvas&) /home/pamputt/dev/STAGE/Valentin2018/OO/code/analyse.cpp:416
    #20 0x4108d9 in main /home/pamputt/dev/STAGE/Valentin2018/OO/code/main.cpp:38
    #21 0x7ffff0e775ff in __libc_start_main (/usr/lib64/libc.so.6+0x205ff)
    #22 0x4106d8 in _start (/home/pamputt/dev/STAGE/Valentin2018/OO/code/Gammalysis+0x4106d8)

0x611000166380 is located 0 bytes inside of 232-byte region [0x611000166380,0x611000166468)
allocated by thread T0 here:
    #0 0x7ffff6f0958a in malloc (/usr/lib64/libasan.so.2+0x9458a)
    #1 0x7ffff1597ed7 in operator new(unsigned long) (/usr/lib64/libstdc++.so.6+0x8ded7)
    #2 0x7fffe5c3733a in TClingCallFunc::exec(void*, void*) /home/pamputt/root-6.14.06/core/metacling/src/TClingCallFunc.cxx:1776
    #3 0x7fffffffc28f  (<unknown module>)
    #4 0x0  (<unknown module>)
    #5 0x62d0000df01f  (<unknown module>)

SUMMARY: AddressSanitizer: alloc-dealloc-mismatch ??:0 operator delete(void*)
==4779==HINT: if you don't care about these warnings you may set ASAN_OPTIONS=alloc_dealloc_mismatch=0
==4779==ABORTING
[Thread 0x7fffcb570700 (LWP 4825) exited]
[Thread 0x7fffcb98e700 (LWP 4824) exited]
[Thread 0x7fffcbdbe700 (LWP 4823) exited]
[Thread 0x7fffcca2a700 (LWP 4821) exited]
[Thread 0x7fffcc603700 (LWP 4820) exited]
[Thread 0x7fffcce48700 (LWP 4819) exited]
[Thread 0x7fffcdf86700 (LWP 4816) exited]
[Thread 0x7fffd2e59700 (LWP 4812) exited]
[Thread 0x7ffff7f9bb80 (LWP 4779) exited]
[Inferior 1 (process 4779) exited with code 01]

I do not know how to understand that. As a reminder, with ROOT 6.14.06 the same code exits successfully.

Hi,
can you try

const auto str = opt.toStdString();
TH1 *hbkg = h->ShowBackground(12,str.c_str());

instead of

TH1 *hbkg = h->ShowBackground(12,opt.toStdString().c_str());

and see if that fixes it?

Oops, actually the problem came from mixing ROOT libraries (6.14.06 and 6.16). After I fixed it, the problem vanished. Sorry for wasting your time.


Consider using -soversion=ON to avoid such problems.
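The root cause reported above (two ROOT builds linked into one process) and the -soversion hint, as an added check that is example code, not from the thread or from ROOT: parse the output of ldd for the binary, keep the lines that resolve well-known ROOT libraries, and group them by the directory they come from. More than one directory means two ROOT installs are loaded into the same process, which is exactly the situation that produces crashes like the one in this thread whether or not the sonames carry a version. The list of ROOT library names and the sample ldd text are assumptions constructed for the example.

```cpp
#include <cstdio>
#include <iostream>
#include <map>
#include <set>
#include <sstream>
#include <string>
#include <vector>

// Parse one `ldd` line of the form
//   libCore.so.6.14 => /opt/root-6.14.06/lib/libCore.so.6.14 (0x00007f...)
// and return the directory the library resolved from, or "" if the line
// carries no path (vdso, "not found", the dynamic loader itself).
static std::string resolvedDir(const std::string &line) {
    const std::size_t arrow = line.find("=>");
    if (arrow == std::string::npos) return "";
    const std::size_t start = line.find('/', arrow);
    if (start == std::string::npos) return "";
    std::size_t end = line.find(' ', start);
    if (end == std::string::npos) end = line.size();
    const std::string path = line.substr(start, end - start);
    const std::size_t slash = path.rfind('/');
    return slash == std::string::npos ? "" : path.substr(0, slash);
}

// Extract the bare library name ("libCore") from the left side of the arrow.
static std::string libName(const std::string &line) {
    const std::size_t b = line.find_first_not_of(" \t");
    if (b == std::string::npos) return "";
    const std::size_t e = line.find(".so", b);
    if (e == std::string::npos) return "";
    return line.substr(b, e - b);
}

// Assumed set of well-known ROOT shared libraries; extend as needed for the
// components a given program links.
static bool isRootLib(const std::string &name) {
    static const std::set<std::string> known = {
        "libCore", "libRIO", "libHist", "libGraf", "libGpad", "libMathCore",
        "libMinuit", "libSpectrum", "libTree", "libNet", "libRint", "libCling"};
    return known.count(name) != 0;
}

// Map every directory that provides at least one ROOT library to the
// libraries it provides. More than one key means the process mixes ROOT
// builds, which is what the thread ended up diagnosing.
std::map<std::string, std::vector<std::string>>
rootLibsByPrefix(const std::string &lddOutput) {
    std::map<std::string, std::vector<std::string>> byDir;
    std::istringstream in(lddOutput);
    std::string line;
    while (std::getline(in, line)) {
        const std::string name = libName(line);
        const std::string dir = resolvedDir(line);
        if (!isRootLib(name) || dir.empty()) continue;
        byDir[dir].push_back(name);
    }
    return byDir;
}

bool mixesRootInstalls(const std::string &lddOutput) {
    return rootLibsByPrefix(lddOutput).size() > 1;
}

// Constructed sample, not real output from the thread: libHist resolves from
// a different ROOT build than libCore.
const char *const kSampleLdd =
    "\tlinux-vdso.so.1 (0x00007ffd4c3f0000)\n"
    "\tlibCore.so.6.16 => /opt/root-6.16.00/lib/libCore.so.6.16 (0x00007f0845800000)\n"
    "\tlibHist.so.6.14 => /opt/root-6.14.06/lib/libHist.so.6.14 (0x00007f0845400000)\n"
    "\tlibQt5Core.so.5 => /usr/lib64/libQt5Core.so.5 (0x00007f0844e00000)\n"
    "\tlibc.so.6 => /usr/lib64/libc.so.6 (0x00007f0844a00000)\n";

int main(int argc, char **argv) {
    // With "-" as the only argument, analyse real `ldd` output from stdin;
    // otherwise analyse the constructed sample above.
    std::string input = kSampleLdd;
    if (argc > 1 && std::string(argv[1]) == "-") {
        std::ostringstream buf;
        buf << std::cin.rdbuf();
        input = buf.str();
    }
    for (const auto &kv : rootLibsByPrefix(input)) {
        std::printf("%s:", kv.first.c_str());
        for (const auto &l : kv.second) std::printf(" %s", l.c_str());
        std::printf("\n");
    }
    // Non-zero exit status signals a mixed set of ROOT installs.
    return mixesRootInstalls(input) ? 1 : 0;
}
```

Run it as `ldd ./Gammalysis | ./rootmix -` (the tool name is arbitrary), from the same shell environment as the crashing program, because ldd reports what the loader would resolve under the current LD_LIBRARY_PATH and RPATH. The check sees only the libraries the binary links directly or transitively; anything injected through LD_PRELOAD or opened later with dlopen() (ROOT loads dictionaries that way) is outside its view, so a clean report is necessary but not sufficient.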
