Incorrect double free behavior

[ChAoSUnItY]

Using the code below to initialize buckets for hashmap and frees hashmap:

#include <stdlib.h>

typedef struct hashmap_node {
    char *key;
    void *val;
    struct hashmap_node *next;
} hashmap_node_t;

typedef struct {
    int size;
    hashmap_node_t **buckets;
} hashmap_t;

hashmap_t *hashmap_create(int size)
{
    hashmap_t *map = malloc(sizeof(hashmap_t));
    map->size = size;
    map->buckets = malloc(size * sizeof(hashmap_node_t *));

    for (int i = 0; i < map->size; i++)
        map->buckets[i] = 0;

    return map;
}

void hashmap_free(hashmap_t *map)
{
    for (int i = 0; i < map->size; i++) {
        for (hashmap_node_t *cur = map->buckets[i], *next; cur; cur = next) {
            next = cur->next;
            free(cur->key);
            free(cur->val);
            free(cur);
            cur = next;
        }
    }

    free(map->buckets);
    free(map);
}

int main()
{
    hashmap_t *map = hashmap_create(16);
    map->buckets[0] = malloc(sizeof(hashmap_node_t)); // Simulates put at first bucket
    map->buckets[0]->key = calloc(1, sizeof(char));
    map->buckets[0]->val = malloc(sizeof(int));
    map->buckets[0]->next = NULL;
    hashmap_free(map);
    return 0;
}

Compile with gcc will exit normally, while compile with shecc will cause double free, which is abnormal.

[DrXiao]

I think the main function contains a typo and it should be fixed as follows:

int main()
{
    hashmap_t *map = hashmap_create(16);
    map->buckets[0] = malloc(sizeof(hashmap_node_t)); // Simulates put at first bucket
    map->buckets[0]->key = calloc(1, sizeof(char));
-   map->buckets[0]->key = malloc(sizeof(int));
+   map->buckets[0]->val = malloc(sizeof(int));
    map->buckets[0]->next = NULL;
    hashmap_free(map);
    return 0;
}

[ChAoSUnItY]

Thanks for the correction. I've edited the code.

[DrXiao]

void hashmap_free(hashmap_t *map)
{
    for (int i = 0; i < map->size; i++) {
        for (hashmap_node_t *cur = map->buckets[i], *next; cur; cur = next) {
            next = cur->next;
+           printf("cur: %x, cur->key: %x, cur->val: %x\n", cur, cur->key, cur->val);
            free(cur->key);
            free(cur->val);
            free(cur);
            cur = next;
        }
    }
+   printf("map: %x, map->buckets: %x\n", map, map->buckets);
    free(map->buckets);
    free(map);
}

After adding printf() calls, compiling and executing the code by GCC and shecc, I obtained the following results.

• GCC

$ gcc -o test test.c
$ ./test
cur: 71808350, cur->key: 71808370, cur->val: 71808390
map: 718082a0, map->buckets: 718082c0

• shecc

$ qemu-arm out/shecc-stage2.elf -o test test.c
$ qemu-arm test
cur: 4080600c, cur->key: 4080700c, cur->val: 4080800c
map: 4080400c, map->buckets: 4080600c
free(): double free detected
Abnormal program termination

Notice that map->buckets and cur point to the same address.

Therefore, the likely cause is that shecc handles pointer assignments incorrectly.

[DrXiao]

void hashmap_free(hashmap_t *map)
{
    for (int i = 0; i < map->size; i++) {
        for (hashmap_node_t *cur = map->buckets[i], *next; cur; cur = next) {
            next = cur->next;
+           printf("cur: %x, cur->key: %x, cur->val: %x\n", cur, cur->key, cur->val);
            free(cur->key);
            free(cur->val);
            free(cur);
            cur = next;
        }
    }
+   printf("map: %x, map->buckets: %x, map->buckets[0]\n", map, map->buckets, map->buckets[0]);
    free(map->buckets);
    free(map);
}

$ qemu-arm out/shecc-stage2.elf -o test test.c
$ qemu-arm test
cur: 4080600c, cur->key: 4080700c, cur->val: 4080800c
map: 4080400c, map->buckets: 4080600c, map->buckets[0] = 4080600c
free(): double free detected
Abnormal program termination

After further observation, I notice that map->buckets is equivalent to map->buckets[0].

Consider the issue #165, I think that the real bug is that using arrow operator and subscripting operator (-> and [ ]) simultaneously may obtain an incorrect object.

reference: my comment in the issue #165