SEGV following NULL pointer in SLL_PopRange() related to std::ostringstream memory

[GoogleCodeExporter]

What steps will reproduce the problem?
1. I don't have a simple testcase, but my large multi-threaded application 
consistently shows this bug.
2. To cause it, I just add a std::stringstream member variable to one class and 
call str("") on that variable a few times.  If I omit the call to str(""), I 
can make it go away.
3. Somehow the std::ostringstream memory is getting corrupted.

What is the expected output? What do you see instead?

I get a SEGV, should not happen.

What version of the product are you using? On what operating system?

v2.1 of gperftools on Centos4 32 bit system.

Please provide any additional information below.

#0  SLL_PopRange (this=0x85f48d8, src=0x85f4a38, cl=27, N=9) at 
src/linked_list.h:80
#1  PopRange (this=0x85f48d8, src=0x85f4a38, cl=27, N=9) at 
src/thread_cache.h:228
#2  tcmalloc::ThreadCache::ReleaseToCentralCache (this=0x85f48d8, 
src=0x85f4a38, cl=27, N=9) at src/thread_cache.cc:229
#3  0x08425650 in tcmalloc::ThreadCache::ListTooLong (this=0x85f48d8, 
list=0x85f4a38, cl=27) at src/thread_cache.cc:191
#4  0x0841acd3 in do_free_helper (ptr=0x8d9d400, invalid_free_fn=0x84177b0 
<(anonymous namespace)::InvalidFree(void*)>) at src/thread_cache.h:389
#5  (anonymous namespace)::do_free_with_callback (ptr=0x8d9d400, 
invalid_free_fn=0x84177b0 <(anonymous namespace)::InvalidFree(void*)>) at 
src/tcmalloc.cc:1210
#6  0x0843add1 in do_free (p=0x8d9d400) at src/tcmalloc.cc:1219
#7  tc_delete (p=0x8d9d400) at src/tcmalloc.cc:1619
#8  0x00181d6f in std::basic_string<char, std::char_traits<char>, 
std::allocator<char> >::_Rep::_M_destroy(std::allocator<char> const&) () from 
/usr/lib/libstdc++.so.6
#9  0x00181ff2 in std::basic_string<char, std::char_traits<char>, 
std::allocator<char> >::~basic_string() () from /usr/lib/libstdc++.so.6
#10 0x0017bb8f in std::basic_stringbuf<char, std::char_traits<char>, 
std::allocator<char> >::~basic_stringbuf() () from /usr/lib/libstdc++.so.6
#11 0x0017d5da in std::basic_stringstream<char, std::char_traits<char>, 
std::allocator<char> >::~basic_stringstream() () from /usr/lib/libstdc++.so.6
#12 0x08120ce1 in (anonymous namespace)::finalMessage::~finalMessage 
(this=0xbfffec6c, __in_chrg=<value optimized out>, __vtt_parm=<value optimized 
out>) at opApplication.cpp:564
#13 0x0811d68e in mainApplicationClient (logStream=..., argc=19, 
argv=0xbffff0e4, envp=0x8d84000) at opApplication.cpp:3737
#14 0x0811d70d in opApplication (argc=19, argv=0xbffff0e4, envp=0x8d84000) at 
opApplication.cpp:3612
#15 0x08115cbb in main (argc=19, argv=0xbffff0e4, envp=0x8d84000) at 
application.cpp:96
#16 0x00ab4eb3 in __libc_start_main () from /lib/tls/libc.so.6
#17 0x08115a21 in _start ()

I have a member variable of type std::ostringstream called log.  If I call 

std::ostringstream log; // This is member variable of one of my classes.

log.str("");  // Commenting this line out makes the bug go away, the log member 
is only used here.

I ran Valgrind and did not find any memory corruption other than the NULL 
pointer traversal that is causing the SEGV.

Original issue reported on code.google.com by Willia...@gmail.com on 11 Sep 2013 at 10:15

[GoogleCodeExporter]

I can also avoid this bug by making the call conditional:

if (!log.str().empty()) {
  log.str("");
}

Original comment by Willia...@gmail.com on 12 Sep 2013 at 1:33

[GoogleCodeExporter]

I saw a similar issue as reported in my comment on Bugzilla #400.

Original comment by Willia...@gmail.com on 12 Sep 2013 at 1:37

[GoogleCodeExporter]

Have you tried valgrind _while disabling tcmalloc_ ?

Original comment by alkondratenko on 13 Sep 2013 at 8:38