From 348bc2ba8d5556f4e655675b94e1b29e80b40fdc Mon Sep 17 00:00:00 2001
From: Ivan Maidanski <ivmai@mail.ru>
Date: Mon, 7 Aug 2017 11:37:30 +0300
Subject: [PATCH] Fix leak_test crash in print_callers if free() is redirected

* dbg_mlc.c [REDIRECT_MALLOC && (GC_LINUX_THREADS || GC_SOLARIS_THREADS
|| MSWIN32 || NEED_CALLINFO && GC_HAVE_BUILTIN_BACKTRACE)]
(GC_debug_free): If the object is not in the GC heap then just return
(instead of ABORT).
* malloc.c [REDIRECT_MALLOC && NEED_CALLINFO
&& GC_HAVE_BUILTIN_BACKTRACE] (GC_free): If hhdr is null (i.e. the
object is not in the GC heap) then return without the object
deallocation; add comment.
* os_dep.c [NEED_CALLINFO && GC_HAVE_BUILTIN_BACKTRACE
&& !GC_BACKTRACE_SYMBOLS_BROKEN] (GC_print_callers): Adjust comment
for free().
---
 dbg_mlc.c | 8 ++++++++
 malloc.c  | 5 ++++-
 os_dep.c  | 2 +-
 3 files changed, 13 insertions(+), 2 deletions(-)

diff --git a/dbg_mlc.c b/dbg_mlc.c
index 21d423da..724d9cff 100644
--- a/dbg_mlc.c
+++ b/dbg_mlc.c
@@ -837,6 +837,14 @@ GC_API void GC_CALL GC_debug_free(void * p)
 
     base = GC_base(p);
     if (base == 0) {
+#     if defined(REDIRECT_MALLOC) \
+         && ((defined(NEED_CALLINFO) && defined(GC_HAVE_BUILTIN_BACKTRACE)) \
+             || defined(GC_LINUX_THREADS) || defined(GC_SOLARIS_THREADS) \
+             || defined(MSWIN32))
+        /* In some cases, we should ignore objects that do not belong   */
+        /* to the GC heap.  See the comment in GC_free.                 */
+        if (!GC_is_heap_ptr(p)) return;
+#     endif
       ABORT_ARG1("Invalid pointer passed to free()", ": %p", p);
     }
     if ((ptr_t)p - (ptr_t)base != sizeof(oh)) {
diff --git a/malloc.c b/malloc.c
index 28b2ac6c..502b3e3b 100644
--- a/malloc.c
+++ b/malloc.c
@@ -520,8 +520,11 @@ GC_API void GC_CALL GC_free(void * p)
     h = HBLKPTR(p);
     hhdr = HDR(h);
 #   if defined(REDIRECT_MALLOC) && \
-        (defined(GC_SOLARIS_THREADS) || defined(GC_LINUX_THREADS) \
+        ((defined(NEED_CALLINFO) && defined(GC_HAVE_BUILTIN_BACKTRACE)) \
+         || defined(GC_SOLARIS_THREADS) || defined(GC_LINUX_THREADS) \
          || defined(MSWIN32))
+        /* This might be called indirectly by GC_print_callers to free  */
+        /* the result of backtrace_symbols.                             */
         /* For Solaris, we have to redirect malloc calls during         */
         /* initialization.  For the others, this seems to happen        */
         /* implicitly.                                                  */
diff --git a/os_dep.c b/os_dep.c
index a2afb1e7..62e42040 100644
--- a/os_dep.c
+++ b/os_dep.c
@@ -4723,7 +4723,7 @@ GC_INNER void GC_print_callers(struct callinfo info[NFRAMES])
           GC_err_printf("\t\t%s\n", name);
 #         if defined(GC_HAVE_BUILTIN_BACKTRACE) \
              && !defined(GC_BACKTRACE_SYMBOLS_BROKEN)
-            free(sym_name);  /* May call GC_free; that's OK */
+            free(sym_name);  /* May call GC_[debug_]free; that's OK */
 #         endif
         }
     }
-- 
2.40.0