MC_(eq_Error) doesn't handle Err_ReallocSizeZero which causes a crash when detecting multiple realloc zero errors in the same place. Take the following program: $ cat /tmp/t.c #include <stdlib.h> int main () { char *p = malloc (1024); for (int i = 3; i >= 0; i--) for (int j = 0; j <= 3; j++) { char *q = realloc (p, i * j * 512); p = q; } free (p); } $ gcc -g -o t t.c $ valgrind ./t ==442517== Memcheck, a memory error detector ==442517== Copyright (C) 2002-2022, and GNU GPL'd, by Julian Seward et al. ==442517== Using Valgrind-3.21.0 and LibVEX; rerun with -h for copyright info ==442517== Command: ./t ==442517== ==442517== realloc() with size 0 ==442517== at 0x4846A40: realloc (vg_replace_malloc.c:1649) ==442517== by 0x401189: main (t.c:10) ==442517== Address 0x4a4a040 is 0 bytes inside a block of size 1,024 alloc'd ==442517== at 0x484182F: malloc (vg_replace_malloc.c:431) ==442517== by 0x401157: main (t.c:6) ==442517== Error: unknown error code 14 Memcheck: the 'impossible' happened: unknown error code in mc_eq_Error host stacktrace: ==442517== at 0x580439FA: show_sched_status_wrk (m_libcassert.c:406) ==442517== by 0x58043B2F: report_and_quit (m_libcassert.c:477) ==442517== by 0x58043E18: panic (m_libcassert.c:553) ==442517== by 0x58043E18: vgPlain_tool_panic (m_libcassert.c:568) ==442517== by 0x5803A278: vgMemCheck_eq_Error (mc_errors.c:1067) ==442517== by 0x5803EDCF: eq_Error (m_errormgr.c:307) ==442517== by 0x5803EDCF: vgPlain_maybe_record_error (m_errormgr.c:765) ==442517== by 0x58039AB9: vgMemCheck_record_realloc_size_zero (mc_errors.c:896) ==442517== by 0x58005B2A: vgMemCheck_realloc (mc_malloc_wrappers.c:583) ==442517== by 0x580A2426: do_client_request (scheduler.c:1987) ==442517== by 0x580A2426: vgPlain_scheduler (scheduler.c:1542) ==442517== by 0x580E9437: thread_wrapper (syswrap-linux.c:102) ==442517== by 0x580E9437: run_a_thread_NORETURN (syswrap-linux.c:155) sched status: running_tid=1 Thread 1: status = VgTs_Runnable (lwpid 442517) ==442517== at 0x4846A40: realloc (vg_replace_malloc.c:1649) ==442517== by 0x401189: main (t.c:10) client stack range: [0x1FFEFFD000 0x1FFF000FFF] client SP: 0x1FFEFFF8A0 valgrind stack range: [0x1002BAA000 0x1002CA9FFF] top usage: 10144 of 1048576 Note: see also the FAQ in the source distribution. It contains workarounds to several common problems. In particular, if Valgrind aborted or crashed after identifying problems in your program, there's a good chance that fixing those problems will prevent Valgrind aborting or crashing, especially if it happened in m_mallocfree.c. If that doesn't help, please report this bug to: www.valgrind.org In the bug report, send all the above text, the valgrind version, and what OS and version you are using. Thanks.
Created attachment 159393 [details] memcheck: Handle Err_ReallocSizeZero in MC_(eq_Error) Proposed patch and new testcases
LGTM except that memcheck/tests/realloc_size_zero_again needs to be in .gitignore (and add this item to NEWS)
(In reply to Paul Floyd from comment #2) > LGTM except that memcheck/tests/realloc_size_zero_again needs to be in > .gitignore (and add this item to NEWS) Thanks, pushed with those changes. commit 453c7111133ce9dc5dce043e03b7b58efdbf46cd Author: Mark Wielaard <mark@klomp.org> Date: Thu Jun 1 16:10:56 2023 +0200 memcheck: Handle Err_ReallocSizeZero in MC_(eq_Error) When an realloc size zero error is emitted MC_(eq_Error) is called to see if the errors can be deduplicated. This crashed since Err_ReallocSizeZero wasn't handled. Handle it like Err_Free. Also add a testcase for this case and test with both --realloc-zero-bytes-frees=yes and --realloc-zero-bytes-frees=no. Which will report a different number of errors. https://bugs.kde.org/show_bug.cgi?id=470520