<div class="__aliyun_email_body_block"><div style="">> Can you point out what in the C99 specification makes you believe that the pointer is actually dereferenced in the expression "&(pos)->member"?<br></div><div style="">> AFAIK, this only evaluates to the address of field "member" within "pos". The compiler should not dereference the pointer "pos" at all.<br></div><div style=""><br></div><div style="">Yes, you are right.<br></div><div class="__aliyun_signature_wrap"><br><br></div><div class="__aliyun_signature_wrap">> Probably that getting it with a lttng-sessiond compiled with "-g -O0" (no optimisations, with debug symbols) would help us make more sense out of the free() error output.<br></div><div class="__aliyun_signature_wrap"><br></div><div class="__aliyun_signature_wrap">Everything is ok if lttng-sessiond is compiled with "-O0", so it looks like a compiler issue.<br></div><div class="__aliyun_signature_wrap"><br></div><div class="__aliyun_signature_wrap">With -O2, disassemble ust_app_list_events():<br></div><div class="__aliyun_signature_wrap"><pre>
0x0000000000418821 <ust_app_list_events+49>:    callq  0x403f60 <rcu_read_lock_memb@plt>
0x0000000000418826 <ust_app_list_events+54>:    mov    0x2441ab(%rip),%rax        # 0x65c9d8 <ust_app_ht>
0x000000000041882d <ust_app_list_events+61>:    lea    0x230(%rsp),%rsi
0x0000000000418835 <ust_app_list_events+69>:    mov    (%rax),%rdi
0x0000000000418838 <ust_app_list_events+72>:    callq  0x403ba0 <lttng_cds_lfht_first@plt>
0x000000000041883d <ust_app_list_events+77>:    mov    $0xffffffffffffffc8,%rax
0x0000000000418844 <ust_app_list_events+84>:    add    %fs:0x0,%rax
0x000000000041884d <ust_app_list_events+93>:    mov    0x230(%rsp),%rbp         //app->pid_n.node
0x0000000000418855 <ust_app_list_events+101>:   movq   $0x20,0x28(%rsp)
0x000000000041885e <ust_app_list_events+110>:   movq   $0x0,0x30(%rsp)
0x0000000000418867 <ust_app_list_events+119>:   movq   $0x0,0x18(%rsp)
0x0000000000418870 <ust_app_list_events+128>:   add    $0x18,%rax
0x0000000000418874 <ust_app_list_events+132>:   sub    $0x78,%rbp               //app
0x0000000000418878 <ust_app_list_events+136>:   mov    %rax,0x38(%rsp)          //inside loop
0x000000000041887d <ust_app_list_events+141>:   nopl   (%rax)
0x0000000000418880 <ust_app_list_events+144>:   mov    0x38(%rsp),%rax
0x0000000000418885 <ust_app_list_events+149>:   lock addq $0x2,(%rax)
0x000000000041888a <ust_app_list_events+154>:   mov    0x34(%rbp),%eax          //app->compatible
0x000000000041888d <ust_app_list_events+157>:   test   %eax,%eax
0x000000000041888f <ust_app_list_events+159>:   je     0x418a00 <ust_app_list_events+528>
0x0000000000418895 <ust_app_list_events+165>:   mov    0x0(%rbp),%edi
0x0000000000418898 <ust_app_list_events+168>:   callq  0x4036f0 <ustctl_tracepoint_list@plt>
0x000000000041889d <ust_app_list_events+173>:   test   %eax,%eax
</pre></div><div class="__aliyun_previous_quote"><br class="__aliyun_previous_quote"></div><div class="__aliyun_previous_quote">As you may see, nothing can prevent the CPU from walking inside the loop even if app is an invalid pointer. It seems the compiler (GCC 4.1.2 20080704) always thinks &(pos)->member != NULL.
<br></div><div class="__aliyun_previous_quote"><br></div><div class="__aliyun_previous_quote">With -O0, disassemble ust_app_list_events():</div><div class="__aliyun_previous_quote"><pre>
0x000000000041c649 <ust_app_list_events+180>:   callq  0x404018 <rcu_read_lock_memb@plt>
0x000000000041c64e <ust_app_list_events+185>:   mov    0x243ee3(%rip),%rax        # 0x660538 <ust_app_ht>
0x000000000041c655 <ust_app_list_events+192>:   mov    (%rax),%rdi
0x000000000041c658 <ust_app_list_events+195>:   lea    -0x70(%rbp),%rsi
0x000000000041c65c <ust_app_list_events+199>:   callq  0x403c48 <lttng_cds_lfht_first@plt>
0x000000000041c661 <ust_app_list_events+204>:   lea    -0x70(%rbp),%rdi
0x000000000041c665 <ust_app_list_events+208>:   callq  0x41701e <cds_lfht_iter_get_node>
0x000000000041c66a <ust_app_list_events+213>:   mov    %rax,-0x30(%rbp)         //app->pid_n.node
0x000000000041c66e <ust_app_list_events+217>:   mov    -0x30(%rbp),%rax
0x000000000041c672 <ust_app_list_events+221>:   sub    $0x78,%rax               //app
0x000000000041c676 <ust_app_list_events+225>:   mov    %rax,-0x48(%rbp)
0x000000000041c67a <ust_app_list_events+229>:   jmpq   0x41c9db <ust_app_list_events+1094>      //&(app)->pid_n.node!=NULL
0x000000000041c67f <ust_app_list_events+234>:   callq  0x418582 <health_code_update>            //inside loop
0x000000000041c684 <ust_app_list_events+239>:   mov    -0x48(%rbp),%rax
0x000000000041c688 <ust_app_list_events+243>:   mov    0x34(%rax),%eax
0x000000000041c68b <ust_app_list_events+246>:   test   %eax,%eax
0x000000000041c68d <ust_app_list_events+248>:   je     0x41c9af <ust_app_list_events+1050>
0x000000000041c693 <ust_app_list_events+254>:   mov    -0x48(%rbp),%rax
0x000000000041c697 <ust_app_list_events+258>:   mov    (%rax),%edi
...
0x000000000041c9db <ust_app_list_events+1094>:  mov    -0x48(%rbp),%rax   //app--(pos)
0x000000000041c9df <ust_app_list_events+1098>:  add    $0x78,%rax                //app->pid_n.node --(pos->member)
0x000000000041c9e3 <ust_app_list_events+1102>:  test   %rax,%rax
0x000000000041c9e6 <ust_app_list_events+1105>:  jne    0x41c67f <ust_app_list_events+234>
</pre></div><div class="__aliyun_previous_quote"><br></div><div class="__aliyun_previous_quote">In this case, the compiler will do the check at 0x000000000041c9e3 that is missed in the previous case.<br></div><div class="__aliyun_previous_quote"><br></div><div class="__aliyun_previous_quote">Thanks<br></div><div class="__aliyun_previous_quote">zhenyu.ren<br></div></div>
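<div>As an added illustration (not code from this thread, from liburcu or from lttng-tools), here is the loop-termination idiom the two dumps above are about, written as a container_of() walk over a constructed intrusive list: the "&pos->member != NULL" shape whose test the -O2 build drops, beside a form that checks the raw node pointer before container_of() is applied. The node type and the struct app layout are assumptions made for the example.</div>

```c
#include <stddef.h>
/* Stand-in for the intrusive hash-table node (assumption, not liburcu's real type). */
struct lfht_node { struct lfht_node *next; };

/* Stand-in for struct ust_app: the node is deliberately not the first member,
 * so container_of() must subtract a non-zero offset (0x78 in the mail's dump). */
struct app { int pid; int compatible; struct lfht_node pid_n; };

#define container_of(ptr, type, member) \
    ((type *)((char *)(ptr) - offsetof(type, member)))

/* Shape discussed in the mail: pos is derived from the node pointer first and
 * the loop stops on "&pos->member != NULL". With a NULL node the subtraction
 * is undefined behaviour, so an optimizer may fold the test to "always true"
 * and drop it, as the -O2 dump shows. Kept for contrast; never executed here. */
#define for_each_app_unsafe(pos, head) \
    for ((pos) = container_of((head), struct app, pid_n); \
         &(pos)->pid_n != NULL; \
         (pos) = container_of((pos)->pid_n.next, struct app, pid_n))

/* Hardened form: test the raw node pointer before container_of(), so the NULL
 * check is on a value the compiler cannot assume to be non-NULL. */
#define for_each_app_safe(pos, node, head) \
    for ((node) = (head); \
         (node) != NULL && ((pos) = container_of((node), struct app, pid_n), 1); \
         (node) = (node)->next)

/* Sums pids of compatible apps (the app->compatible test in the dump); -1 if empty. */
int sum_compatible_pids(struct lfht_node *head)
{
    struct lfht_node *node;
    struct app *pos;
    int sum = 0, seen = 0;
    for_each_app_safe(pos, node, head) {
        seen++;
        if (pos->compatible)
            sum += pos->pid;
    }
    return seen ? sum : -1;
}

/* Constructed sample list of three apps; the middle one is marked incompatible. */
int demo(void)
{
    struct app a = { 100, 1, { NULL } }, b = { 200, 0, { NULL } }, c = { 300, 1, { NULL } };
    a.pid_n.next = &b.pid_n;
    b.pid_n.next = &c.pid_n;
    return sum_compatible_pids(&a.pid_n);   /* 400 */
}
```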