【问题标题】:Getting a 'double free or corruption' error with calls to a function within a recursive function调用递归函数中的函数时出现“双重释放或损坏”错误
【发布时间】:2020-11-10 00:06:10
【问题描述】:

我有一个递归函数solveCountdownProblem,它调用evaluateCountdown,它采用反向抛光符号格式的表达式。 evaluateCountdown 位于一系列嵌套的 for 循环中(在solveCountdownProblem 中),因此被调用了很多次。

double evaluateCountdown(string rpnIn) {
    vector<double> stack;
    double a = 0, b = 0;
    string token = "";
    char arithToken;
    
    for (int i = 0; i < rpnIn.size(); ++i) {
        if (rpnIn[i] == ' ') {
            if (token != "") {
                stack.push_back(stod(token)); // Push number to stack   
                token = "";
            }
        } else {
            if (find(arithOperators.begin(), arithOperators.end(), rpnIn[i]) != arithOperators.end()) { //if char is arithmetic operator
                // Pop two numbers of stack and perform operation
                // Push result back into stack
                arithToken = rpnIn[i];
                a = stack.back(); stack.pop_back(); // pops and removes elements
                b = stack.back(); stack.pop_back();
                if (arithToken == '+') {
                    stack.push_back(b+a);
                } else if (arithToken == '-'){
                    stack.push_back(b-a);
                } else if (arithToken == '/') {
                    stack.push_back(b/a);
                } else if (arithToken == '*') {
                    stack.push_back(b*a);
                }
            } else {
                token += rpnIn[i]; //add chars to string
            }
        }
    }

    return stack.back();
}

它在产生正确的计算一段时间后工作,但最终我出现内存错误“双重释放或损坏(out)”。我使用 gdb 进行调试,它会产生这个回溯。

Program received signal SIGABRT, Aborted.
__GI_raise (sig=sig@entry=6) at ../sysdeps/unix/sysv/linux/raise.c:50
50  ../sysdeps/unix/sysv/linux/raise.c: No such file or directory.
(gdb) backtrace
#0  __GI_raise (sig=sig@entry=6) at ../sysdeps/unix/sysv/linux/raise.c:50
#1  0x00007ffff7bee859 in __GI_abort () at abort.c:79
#2  0x00007ffff7c593ee in __libc_message (action=action@entry=do_abort, fmt=fmt@entry=0x7ffff7d83285 "%s\n") at ../sysdeps/posix/libc_fatal.c:155
#3  0x00007ffff7c6147c in malloc_printerr (str=str@entry=0x7ffff7d85670 "double free or corruption (out)") at malloc.c:5347
#4  0x00007ffff7c63120 in _int_free (av=0x7ffff7db4b80 <main_arena>, p=0x5555555733d0, have_lock=<optimized out>) at malloc.c:4314
#5  0x000055555555a932 in __gnu_cxx::new_allocator<double>::deallocate (this=0x7fffffffd270, __p=0x5555555733e0) at /usr/include/c++/9/ext/new_allocator.h:128
#6  0x0000555555559dc0 in std::allocator_traits<std::allocator<double> >::deallocate (__a=..., __p=0x5555555733e0, __n=4) at /usr/include/c++/9/bits/alloc_traits.h:470
#7  0x000055555555932e in std::_Vector_base<double, std::allocator<double> >::_M_deallocate (this=0x7fffffffd270, __p=0x5555555733e0, __n=4) at /usr/include/c++/9/bits/stl_vector.h:351
#8  0x00005555555588fe in std::_Vector_base<double, std::allocator<double> >::~_Vector_base (this=0x7fffffffd270, __in_chrg=<optimized out>) at /usr/include/c++/9/bits/stl_vector.h:332
#9  0x0000555555558953 in std::vector<double, std::allocator<double> >::~vector (this=0x7fffffffd270, __in_chrg=<optimized out>) at /usr/include/c++/9/bits/stl_vector.h:680
#10 0x0000555555556a9a in evaluateCountdown (rpnIn="4 6 5 * + +") at Countdown.h:58
#11 0x0000555555557762 in solveCountdownProblem (operands=std::vector of length 3, capacity 4 = {...}, targetValue=21) at Countdown.h:172
#12 0x0000555555556d61 in solveCountdownProblem (operands=std::vector of length 4, capacity 5 = {...}, targetValue=21) at Countdown.h:113
#13 0x0000555555556d61 in solveCountdownProblem (operands=std::vector of length 5, capacity 6 = {...}, targetValue=21) at Countdown.h:113
#14 0x0000555555556d61 in solveCountdownProblem (operands=std::vector of length 6, capacity 6 = {...}, targetValue=21) at Countdown.h:113
#15 0x0000555555557e17 in main () at TestCountdown.cpp:19

它似乎指向'vector stack;'这一行但我不确定为什么会出现内存错误。一旦超出范围,析构函数不会自动释放“堆栈”吗?

【问题讨论】:

  • 创建该示例:godbolt.org/z/cPdcYW
  • 内存堆(内存分配器从中获取)损坏很棘手,因为在损坏发生时没有报告它。它会在下一次分配或解除分配操作期间报告。看起来你在 Linux/Unix 上(使用 gdb)所以学习使用 valgrind。它是发现内存损坏错误、线程错误、各种错误的绝佳工具。

标签: c++ c++11


【解决方案1】:

如果您查看评估字符串"4 6 5 * + +",您会发现最后一个操作+ 没有足够的操作数,并且在您的代码中,您在调用stack.pop_back() 两次之前没有检查stack 是否有足够的元素。您需要添加该检查并采取相应措施。可能最干净的方法是将弹出包装在一个函数中:

double pop( std::vector<double> &stack )
{
    if( stack.empty() ) { // throw exception, return NaN or whatever logic of your program requires
       ...
    }
    auto r = stack.back();
    stack.pop_back();
    return r;
}

那么你的代码会更短更干净:

            // Pop two numbers of stack and perform operation
            // Push result back into stack
            arithToken = rpnIn[i];
            double a = pop( stack ); // pops and removes elements
            double b = pop( stack );

(最好在需要时声明和初始化变量,而不是提前)

【讨论】:

    猜你喜欢
    • 1970-01-01
    • 2021-12-26
    • 2012-04-23
    • 2014-06-26
    • 1970-01-01
    • 1970-01-01
    • 1970-01-01
    • 1970-01-01
    • 2016-11-06
    相关资源
    最近更新 更多