Strange glibc error from btConvexHullShape destructor

physicist
Posts: 4
Joined: Tue Nov 01, 2011 5:20 pm


Post by physicist »

Hello,

I am having trouble running the following basic program:

Code:

#include <BulletCollision/CollisionShapes/btConvexHullShape.h>

class foo
{
  public:
    foo(void)
    {
      const unsigned int VtxCount = 3;
      btScalar Vtx[] = { 1.0f, 0.0f, 0.0f, 0.0f, 1.0f, 0.0f, 0.0f, 0.0f, 1.0f };
      hull = btConvexHullShape(Vtx,VtxCount,3*sizeof(btScalar));
    }

    ~foo() {}

  private:
    btConvexHullShape hull;
};

int main(void)
{
  foo bar;
  return 0;
}

I am getting the error
*** glibc detected *** ./test: double free or corruption (fasttop): 0x092e7008 ***

When I run the program in gdb it reports the backtrace:
#0 0x0012d422 in __kernel_vsyscall ()
#1 0x00293651 in *__GI_raise (sig=6) at ../nptl/sysdeps/unix/sysv/linux/raise.c:64
#2 0x00296a82 in *__GI_abort () at abort.c:92
#3 0x002ca49d in __libc_message (do_abort=2, fmt=0x39ef98 "*** glibc detected *** %s: %s: 0x%s ***\n")
at ../sysdeps/unix/sysv/linux/libc_fatal.c:189
#4 0x002d4591 in malloc_printerr (action=<value optimized out>, str=0x6 <Address 0x6 out of bounds>,
ptr=0x806b008) at malloc.c:6266
#5 0x002d5de8 in _int_free (av=<value optimized out>, p=<value optimized out>) at malloc.c:4794
#6 0x002d8ecd in *__GI___libc_free (mem=0x806b008) at malloc.c:3738
#7 0x08048c1b in btAlignedAllocator<btVector3, 16u>::deallocate(btVector3*) ()
#8 0x08048bd4 in btAlignedObjectArray<btVector3>::deallocate() ()
#9 0x08048b59 in btAlignedObjectArray<btVector3>::clear() ()
#10 0x08048b23 in btAlignedObjectArray<btVector3>::~btAlignedObjectArray() ()
#11 0x08048841 in btConvexHullShape::~btConvexHullShape() ()
#12 0x08048b03 in foo::~foo() ()
#13 0x080487be in main ()

I'm confused about what I am doing wrong here. I haven't directly created any pointers, so I'm not sure why I should be having trouble with malloc trying to free things.

If anyone could help, I would really appreciate it!

Thanks!
Bigpet
Posts: 10
Joined: Fri Oct 28, 2011 5:14 am

Re: Strange glibc error from btConvexHullShape destructor

Post by Bigpet »

well that's worth a bug report.
The default copy constructor seems to fail here or the allocator.
As you can see it actually shares one pointer to the data if you copy it.
I'm going to try to narrow it down but ironically you can circumvent this by just using new to allocate the btConvexHullShape

Bigpet
Posts: 10
Joined: Fri Oct 28, 2011 5:14 am

Re: Strange glibc error from btConvexHullShape destructor

Post by Bigpet »

found the problem.

btAlignedObjectArray<T> is missing an assignment operator. The implicit one doesn't cut it since one of its members is T* and the pointer simply gets copied with the assignment.

so

Code:

btConvexHullShape hull; // default constructor called
hull = btConvexHullShape(Vtx,VtxCount,3*sizeof(btScalar));
// implicit assignment operator of btConvexHullShape and hence
// implicit assignment operator of btAlignedObjectArray<btVector3> called

causes duplicate deallocation of the underlying "btVector3 *"

whereas this:

Code:

btConvexHullShape hull = btConvexHullShape(Vtx,VtxCount,3*sizeof(btScalar));
// copy constructor gets called, no problem since btAlignedObjectArray has one

is fine

(edit: implicit not default)
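
The failure mode described in the post above, reduced to a self-contained sketch. This is an added example, not code from the thread or from Bullet: ShallowArray and FixedArray are hypothetical stand-ins for btAlignedObjectArray, and a tracking allocator counts the second free instead of letting glibc abort.

```cpp
// Added illustration: hypothetical stand-ins, not Bullet's btAlignedObjectArray.
#include <cstddef>
#include <cstdlib>
#include <set>
#include <utility>

static std::set<void*> g_live;  // blocks currently allocated
static int g_double_frees = 0;  // frees of a block that is no longer live
static int* tracked_alloc(std::size_t n) {
    int* p = n ? static_cast<int*>(std::calloc(n, sizeof(int))) : nullptr;
    if (p) g_live.insert(p);
    return p;
}
static void tracked_free(int* p) {
    if (!p) return;
    if (g_live.erase(p) == 0) { ++g_double_frees; return; }  // count it, do not corrupt the heap
    std::free(p);
}

// Destructor and copy constructor but no operator=: the implicit assignment
// copies m_data member-wise, so source and target both own the same block.
struct ShallowArray {
    int* m_data; std::size_t m_size;
    explicit ShallowArray(std::size_t n = 0) : m_data(tracked_alloc(n)), m_size(n) {}
    ShallowArray(const ShallowArray& o) : m_data(tracked_alloc(o.m_size)), m_size(o.m_size) {
        for (std::size_t i = 0; i < m_size; ++i) m_data[i] = o.m_data[i];
    }
    ~ShallowArray() { tracked_free(m_data); }
};

// Same members plus the missing assignment operator (copy-and-swap).
struct FixedArray {
    int* m_data; std::size_t m_size;
    explicit FixedArray(std::size_t n = 0) : m_data(tracked_alloc(n)), m_size(n) {}
    FixedArray(const FixedArray& o) : m_data(tracked_alloc(o.m_size)), m_size(o.m_size) {
        for (std::size_t i = 0; i < m_size; ++i) m_data[i] = o.m_data[i];
    }
    FixedArray& operator=(FixedArray o) {  // o owns its own block, never hull's
        std::swap(m_data, o.m_data); std::swap(m_size, o.m_size);
        return *this;  // o's destructor releases the block hull held before
    }
    ~FixedArray() { tracked_free(m_data); }
};

// Mirrors "hull = btConvexHullShape(...)": default-construct, then assign a temporary.
template <class Array> int double_frees_after_assign() {
    g_double_frees = 0;
    { Array hull; hull = Array(3); }  // temporary dies first, hull at the closing brace
    return g_double_frees;
}
```

With ShallowArray the temporary frees the block and the destructor of hull then frees the same address again, which is the "double free or corruption" glibc reported; with FixedArray each object frees only the block it owns.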
Bigpet
Posts: 10
Joined: Fri Oct 28, 2011 5:14 am

Re: Strange glibc error from btConvexHullShape destructor

Post by Bigpet »

I checked out the newest SVN and saw that the problem still exists so I filed a bug-report and attached a patch to fix it:

http://code.google.com/p/bullet/issues/detail?id=564
physicist
Posts: 4
Joined: Tue Nov 01, 2011 5:20 pm

Re: Strange glibc error from btConvexHullShape destructor

Post by physicist »

Hi Bigpet,

Thanks so much for the help and for looking into this.

Using new/delete to allocate a pointer did the trick for me in the code that I want to run.

Thanks again!