[C++-sig] Memory corruption in exception translation on OS X 10.7
Jakob van Santen
jvansanten at gmail.com
Thu Oct 27 04:38:08 CEST 2011

Hi all,

I've run across what I think is a strange memory corruption bug affecting C++/Python exception translation on OS X 10.7. A short program that reproduces the bug follows:
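
#include <boost/python.hpp>
#include <stdexcept>  // std::invalid_argument

static void
throwme() { throw std::invalid_argument("Bork!"); }

struct Bork {
    void throwy() { throwme(); }
};

// With -DBORKED the module is named "borked" and also registers class Bork;
// without it the module is named "good" and exposes only the free function.
#ifdef BORKED
BOOST_PYTHON_MODULE(borked)
{
    boost::python::class_<Bork>("Bork")
        .def("throwy", &Bork::throwy)
    ;
#else
BOOST_PYTHON_MODULE(good)
{
#endif
    boost::python::def("throwy", &throwme);
}
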
When compiled without the call to class_<Bork>::def(), the exception is caught in handle_exception_impl() and presented to Python as ValueError, as expected:

[jakob at i3-dhcp-172-16-55-176:tmp/pybork]$ python -c "import good; good.throwy()"
Traceback (most recent call last):
  File "<string>", line 1, in <module>
ValueError: Bork!

When compiled with -DBORKED, however, I get a bad free() inside the std::logic_error destructor:

[jakob at i3-dhcp-172-16-55-176:tmp/pybork]$ python -c "import borked; borked.throwy()"
python(77633) malloc: *** error for object 0x7fec22c735a4: pointer being freed was not allocated
*** set a breakpoint in malloc_error_break to debug

I first encountered this bug in a private fork of 1.38, but I can reproduce it with a freshly built copy of 1.47. It occurs when building with both llvm-gcc and gcc-gcc, regardless of the optimization level. I built the two test libraries like so:

g++ bork.cxx -g -bundle -flat_namespace -undefined dynamic_lookup -Iboost/include -I/System/Library/Frameworks/Python.framework/Headers/ -Lboost/lib -lboost_python -DBORKED -o borked.so
g++ bork.cxx -g -bundle -flat_namespace -undefined dynamic_lookup -Iboost/include -I/System/Library/Frameworks/Python.framework/Headers/ -Lboost/lib -lboost_python -o good.so

Can anyone reproduce this?

Cheers,
Jakob