This is the mail archive of the elfutils-devel@sourceware.org mailing list for the elfutils project.



dwarf_cfi_addrframe regression in elfutils 0.145 and 0.146


Hi,

I'm getting a glibc double-free crash on Fedora i686, and I think it may
be an elfutils regression.  With 0.145 and 0.146 I get a crash, but
0.144 seems fine.  I see this on i686 F12, F13, and F14.  x86_64 is fine.

I'm about to try a git-bisect on elfutils, but here's the crash info in
the meantime:

$ rpm -qa systemtap\* elfutils\* | sort
elfutils-0.146-1.fc12.i686
elfutils-debuginfo-0.146-1.fc12.i686
elfutils-devel-0.146-1.fc12.i686
elfutils-libelf-0.146-1.fc12.i686
elfutils-libelf-devel-0.146-1.fc12.i686
elfutils-libs-0.146-1.fc12.i686
systemtap-1.2-1.fc12.i686
systemtap-debuginfo-1.2-1.fc12.i686
systemtap-runtime-1.2-1.fc12.i686
systemtap-sdt-devel-1.2-1.fc12.i686
systemtap-testsuite-1.2-1.fc12.i686

$ stap -p2 /usr/share/systemtap/testsuite/semok/thirtysix.stp
*** glibc detected *** stap: double free or corruption (!prev): 0x05e97560 ***
======= Backtrace: =========
/lib/libc.so.6(-0xff53280f)[0xa6d7f1]
/usr/lib/libdw.so.1(+0x11d9e)[0x7f7d9e]
/usr/lib/libdw.so.1(dwarf_cfi_addrframe+0x68)[0x7f8428]
stap(+0x1142a5)[0xd4e2a5]
[...]

With valgrind:
[...]
==5136== Invalid free() / delete / delete[]
==5136==    at 0x48057F6: free (vg_replace_malloc.c:325)
==5136==    by 0x4890D9D: __libdw_frame_at_address (cfi.c:495)
==5136==    by 0x4891427: dwarf_cfi_addrframe (dwarf_cfi_addrframe.c:70)
==5136==    by 0x21C2A4: dwflpp::get_cfa_ops(unsigned long long) (dwflpp.cxx:2816)
[...]
==5136==  Address 0x82fbf10 is 0 bytes inside a block of size 432 free'd
==5136==    at 0x48057F6: free (vg_replace_malloc.c:325)
==5136==    by 0x488F41D: execute_cfi (cfi.c:395)
==5136==    by 0x4890C0B: __libdw_frame_at_address (cfi.c:491)
==5136==    by 0x4891427: dwarf_cfi_addrframe (dwarf_cfi_addrframe.c:70)
==5136==    by 0x21C2A4: dwflpp::get_cfa_ops(unsigned long long) (dwflpp.cxx:2816)
[...]
