[Bug libstdc++/11352] New: crash while internal padding numeric 0

[Bug libstdc++/11352] New: crash while internal padding numeric 0

[david dot asher at cavium dot com]

PLEASE REPLY TO gcc-bugzilla@gcc.gnu.org ONLY, *NOT* gcc-bugs@gcc.gnu.org.

http://gcc.gnu.org/bugzilla/show_bug.cgi?id=11352

           Summary: crash while internal padding numeric 0
           Product: gcc
           Version: 3.2.2
            Status: UNCONFIRMED
          Severity: normal
          Priority: P2
         Component: libstdc++
        AssignedTo: unassigned at gcc dot gnu dot org
        ReportedBy: david dot asher at cavium dot com
                CC: gcc-bugs at gcc dot gnu dot org
 GCC build triplet: i686-pc-linux
  GCC host triplet: i686-pc-linux
GCC target triplet: i686-pc-linux

When padding a numeric 0 in _S_pad, the code in locale_facets.tcc checks to see 
if the old string starts with a "0x".  Unfortunately, the code which produces 
the unpadded string DOES NOT zero terminate: the code is relying upon passing 
the length around with the string

Later, the code in _S_pad which determines whether the leading "0X" or "0x" is 
present DOES NOT check whether the "x" is beyond the end of the string.  In my 
case I was outputting a 0 AFTER a non-zero value w/showbase on, so the __olds 
string had a "x" lying around on the stack -- fooling the code into thinking it 
needs to place the pad after a non-existant "0x".  Because of the 
inconsistancies in the length fields after this decision it caused the final 
copy to use a length of -1.

In my case it was internal padding a 0 to a width of 5.  __oldlen=1, 
__newlen=5.  Therefore __plen=4.  __testhex is incorrectly evaluated to true 
because an "x" just happens to be at __olds[1] -- even though __oldlen=1.  This 
causes:

__mod = 2
__beglen = __plen = 4
__newlen = 5

So the end copy length is calculated: 5 - 4 - 2 = -1 !!  Horrible death ensues.

The following patch fixes the problem (I checked out the gcc/libstdc++-v3 
sources 27-Jun-2003 9pm-ish EDT to create the patch, hopefully linewrap won't 
screw this up too bad):

*** locale_facets.tcc.old	Tue May 27 17:14:49 2003
--- locale_facets.tcc	Thu Jun 26 20:48:07 2003
*************** namespace std
*** 2188,2195 ****
  	    		    || _Traits::eq(__olds[0], __plus);
  
  	  bool __testhex = _Traits::eq(__ctype.widen('0'), __olds[0]) 
! 	    		   && (_Traits::eq(__ctype.widen('x'), __olds[1]) 
! 			       || _Traits::eq(__ctype.widen('X'), __olds[1]));
  	  if (__testhex)
  	    {
  	      __news[0] = __olds[0]; 
--- 2188,2195 ----
  	    		    || _Traits::eq(__olds[0], __plus);
  
  	  bool __testhex = _Traits::eq(__ctype.widen('0'), __olds[0]) 
! 	    		   && ((__oldlen > 1) && (_Traits::eq(__ctype.widen
('x'), __olds[1]) 
!                                                   || _Traits::eq(__ctype.widen
('X'), __olds[1])));
  	  if (__testhex)
  	    {
  	      __news[0] = __olds[0];

[Bug libstdc++/11352] crash while internal padding numeric 0

[david dot asher at cavium dot com]

PLEASE REPLY TO gcc-bugzilla@gcc.gnu.org ONLY, *NOT* gcc-bugs@gcc.gnu.org.

http://gcc.gnu.org/bugzilla/show_bug.cgi?id=11352



------- Additional Comments From david dot asher at cavium dot com  2003-06-27 13:50 -------
Created an attachment (id=4294)
 --> (http://gcc.gnu.org/bugzilla/attachment.cgi?id=4294&action=view)
patch to locale_facets.tcc to fix bug 11352

I didn't know I could add patches later...  So here it is

[Bug libstdc++/11352] crash while internal padding numeric 0

[paolo at gcc dot gnu dot org]

PLEASE REPLY TO gcc-bugzilla@gcc.gnu.org ONLY, *NOT* gcc-bugs@gcc.gnu.org.

http://gcc.gnu.org/bugzilla/show_bug.cgi?id=11352


paolo at gcc dot gnu dot org changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|UNCONFIRMED                 |WAITING


------- Additional Comments From paolo at gcc dot gnu dot org  2003-06-27 21:49 -------
Could you possibly provide also a self-contained testcase?
If so, I will test and commit both ASAP (your only name in the Changelog ;)
Thanks, Paolo.

[Bug libstdc++/11352] crash while internal padding numeric 0

[pinskia at physics dot uc dot edu]

PLEASE REPLY TO gcc-bugzilla@gcc.gnu.org ONLY, *NOT* gcc-bugs@gcc.gnu.org.

http://gcc.gnu.org/bugzilla/show_bug.cgi?id=11352


pinskia at physics dot uc dot edu changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|WAITING                     |NEW
     Ever Confirmed|                            |1
   Last reconfirmed|0000-00-00 00:00:00         |2003-07-20 20:48:02
               date|                            |


------- Additional Comments From pinskia at physics dot uc dot edu  2003-07-20 20:48 -------
Test case recieved.

[Bug libstdc++/11352] crash while internal padding numeric 0

[neroden at gcc dot gnu dot org]

PLEASE REPLY TO gcc-bugzilla@gcc.gnu.org ONLY, *NOT* gcc-bugs@gcc.gnu.org.

http://gcc.gnu.org/bugzilla/show_bug.cgi?id=11352


neroden at gcc dot gnu dot org changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
         AssignedTo|unassigned at gcc dot gnu   |paolo at gcc dot gnu dot org
                   |dot org                     |
             Status|NEW                         |ASSIGNED


------- Additional Comments From neroden at gcc dot gnu dot org  2003-08-03 19:00 -------
You claimed you'd take care of it.  :-)

[Bug libstdc++/11352] crash while internal padding numeric 0

[pinskia at gcc dot gnu dot org]

-- 
           What    |Removed                     |Added
----------------------------------------------------------------------------
   Target Milestone|3.4.0                       |---


http://gcc.gnu.org/bugzilla/show_bug.cgi?id=11352

[Bug libstdc++/11352] crash while internal padding numeric 0

[paolo at gcc dot gnu dot org]

-- 
           What    |Removed                     |Added
----------------------------------------------------------------------------
   Target Milestone|---                         |3.4.0


http://gcc.gnu.org/bugzilla/show_bug.cgi?id=11352

[Bug libstdc++/11352] crash while internal padding numeric 0

[pinskia at gcc dot gnu dot org]

------- Additional Comments From pinskia at gcc dot gnu dot org  2004-01-14 03:17 -------
Is this a regression, if not please move the target then.

-- 


http://gcc.gnu.org/bugzilla/show_bug.cgi?id=11352

[Bug libstdc++/11352] crash while internal padding numeric 0

[ian at wasabisystems dot com]

------- Additional Comments From ian at wasabisystems dot com  2004-02-14 04:02 -------
I don't think it's possible to recreate this problem amy more, but I think that
it still exists.  __pad<_CharT, _Traits>::_S_pad in locale_facets.tcc looks at
the contents of __olds without checking __oldlen.  This is called from
num_put<_CharT, _OutIter>::_M_pad, which is called from, among other places,
num_put<_CharT, _OutIter>::_M_insert_int.  _M_insert_int calls alloca(), and
formats an integer into the returned buffer.  The integer is formatted
right-justified in the buffer.  It is possible for this buffer to hold "0". 
When _S_pad is called via this call path, if the first character in the argument
is "0", it will look at the second character without checking whether __oldlen
is greater than 1.  That means that it will look at the character past the end
of the buffer, which is some random value on the stack.  Everything will be fine
unless that random value happens to be 'x' or 'X'.  This is a very difficult bug
to recreate, since there is no real way to control the contents of the stack at
that point.  But it does appear to be a real bug.

It might be possible to recreate the bug on the tree-ssa branch by building
libstdc++-v3 with -fmudflap.

-- 
           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |ian at wasabisystems dot com


http://gcc.gnu.org/bugzilla/show_bug.cgi?id=11352

[Bug libstdc++/11352] crash while internal padding numeric 0

[pcarlini at suse dot de]

------- Additional Comments From pcarlini at suse dot de  2004-02-14 08:03 -------
Ian, I agree completely with your analysis.

Next week will apply the fix to both 3_4 and mainline (and perhaps 3_3 too, as
soon as the branch reopens).

Too bad that it's really difficult to create a testcase :(

-- 


http://gcc.gnu.org/bugzilla/show_bug.cgi?id=11352

[Bug libstdc++/11352] crash while internal padding numeric 0

[cvs-commit at gcc dot gnu dot org]

------- Additional Comments From cvs-commit at gcc dot gnu dot org  2004-02-15 17:19 -------
Subject: Bug 11352

CVSROOT:	/cvs/gcc
Module name:	gcc
Changes by:	paolo@gcc.gnu.org	2004-02-15 17:19:03

Modified files:
	libstdc++-v3   : ChangeLog 
	libstdc++-v3/include/bits: locale_facets.tcc 

Log message:
	2004-02-15  David Asher  <david.asher@cavium.com>
	
	PR libstdc++/11352
	* include/bits/locale_facets.tcc (__pad<>::_S_pad): Don't
	access __olds beyond __oldlen.

Patches:
http://gcc.gnu.org/cgi-bin/cvsweb.cgi/gcc/libstdc++-v3/ChangeLog.diff?cvsroot=gcc&r1=1.2331&r2=1.2332
http://gcc.gnu.org/cgi-bin/cvsweb.cgi/gcc/libstdc++-v3/include/bits/locale_facets.tcc.diff?cvsroot=gcc&r1=1.169&r2=1.170



-- 


http://gcc.gnu.org/bugzilla/show_bug.cgi?id=11352

[Bug libstdc++/11352] crash while internal padding numeric 0

[cvs-commit at gcc dot gnu dot org]

------- Additional Comments From cvs-commit at gcc dot gnu dot org  2004-02-15 17:33 -------
Subject: Bug 11352

CVSROOT:	/cvs/gcc
Module name:	gcc
Branch: 	gcc-3_4-branch
Changes by:	paolo@gcc.gnu.org	2004-02-15 17:33:20

Modified files:
	libstdc++-v3   : ChangeLog 
	libstdc++-v3/include/bits: locale_facets.tcc 

Log message:
	2004-02-15  David Asher  <david.asher@cavium.com>
	
	PR libstdc++/11352
	* include/bits/locale_facets.tcc (__pad<>::_S_pad): Don't
	access __olds beyond __oldlen.

Patches:
http://gcc.gnu.org/cgi-bin/cvsweb.cgi/gcc/libstdc++-v3/ChangeLog.diff?cvsroot=gcc&only_with_tag=gcc-3_4-branch&r1=1.2224.2.36&r2=1.2224.2.37
http://gcc.gnu.org/cgi-bin/cvsweb.cgi/gcc/libstdc++-v3/include/bits/locale_facets.tcc.diff?cvsroot=gcc&only_with_tag=gcc-3_4-branch&r1=1.166.2.3&r2=1.166.2.4



-- 


http://gcc.gnu.org/bugzilla/show_bug.cgi?id=11352

[Bug libstdc++/11352] crash while internal padding numeric 0

[pcarlini at suse dot de]

------- Additional Comments From pcarlini at suse dot de  2004-02-15 17:34 -------
Fixed for 3.4.0.

-- 
           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|ASSIGNED                    |RESOLVED
         Resolution|                            |FIXED


http://gcc.gnu.org/bugzilla/show_bug.cgi?id=11352

[Bug libstdc++/11352] crash while internal padding numeric 0

[cvs-commit at gcc dot gnu dot org]

------- Additional Comments From cvs-commit at gcc dot gnu dot org  2004-05-25 17:04 -------
Subject: Bug 11352

CVSROOT:	/cvs/gcc
Module name:	gcc
Branch: 	hammer-3_3-branch
Changes by:	paolo@gcc.gnu.org	2004-05-25 17:03:58

Modified files:
	libstdc++-v3   : ChangeLog.hammer 
	libstdc++-v3/include/bits: locale_facets.tcc 
	libstdc++-v3/src: misc-inst.cc 

Log message:
	2004-05-25  David Asher  <david.asher@cavium.com>
	
	PR libstdc++/11352
	* include/bits/locale_facets.tcc (__pad<>::_S_pad): Don't
	access __olds beyond __oldlen.
	
	2004-05-25  Michael Matz  <matz@suse.de>
	Paolo Carlini  <pcarlini@suse.de>
	
	* src/misc-inst.cc: Instantiate istreambuf_iterator<>::_M_get.

Patches:
http://gcc.gnu.org/cgi-bin/cvsweb.cgi/gcc/libstdc++-v3/ChangeLog.hammer.diff?cvsroot=gcc&only_with_tag=hammer-3_3-branch&r1=1.1.2.14&r2=1.1.2.15
http://gcc.gnu.org/cgi-bin/cvsweb.cgi/gcc/libstdc++-v3/include/bits/locale_facets.tcc.diff?cvsroot=gcc&only_with_tag=hammer-3_3-branch&r1=1.82.2.16&r2=1.82.2.17
http://gcc.gnu.org/cgi-bin/cvsweb.cgi/gcc/libstdc++-v3/src/misc-inst.cc.diff?cvsroot=gcc&only_with_tag=hammer-3_3-branch&r1=1.20.2.1&r2=1.20.2.2



-- 


http://gcc.gnu.org/bugzilla/show_bug.cgi?id=11352

[Bug libstdc++/11352] crash while internal padding numeric 0

[cvs-commit at gcc dot gnu dot org]

------- Additional Comments From cvs-commit at gcc dot gnu dot org  2004-06-28 20:16 -------
Subject: Bug 11352

CVSROOT:	/cvs/gcc
Module name:	gcc
Branch: 	gcc-3_3-branch
Changes by:	paolo@gcc.gnu.org	2004-06-28 20:16:22

Modified files:
	libstdc++-v3   : ChangeLog 
	libstdc++-v3/include/bits: locale_facets.tcc 

Log message:
	2004-06-28  David Asher  <david.asher@cavium.com>
	
	PR libstdc++/11352
	* include/bits/locale_facets.tcc (__pad<>::_S_pad): Don't
	access __olds beyond __oldlen.

Patches:
http://gcc.gnu.org/cgi-bin/cvsweb.cgi/gcc/libstdc++-v3/ChangeLog.diff?cvsroot=gcc&only_with_tag=gcc-3_3-branch&r1=1.1464.2.186&r2=1.1464.2.187
http://gcc.gnu.org/cgi-bin/cvsweb.cgi/gcc/libstdc++-v3/include/bits/locale_facets.tcc.diff?cvsroot=gcc&only_with_tag=gcc-3_3-branch&r1=1.82.4.19&r2=1.82.4.20



-- 


http://gcc.gnu.org/bugzilla/show_bug.cgi?id=11352

[Bug libstdc++/11352] crash while internal padding numeric 0

[pinskia at gcc dot gnu dot org]

------- Additional Comments From pinskia at gcc dot gnu dot org  2004-06-28 20:21 -------
Fixed also in 3.3.5.

-- 
           What    |Removed                     |Added
----------------------------------------------------------------------------
   Target Milestone|3.4.0                       |3.3.5


http://gcc.gnu.org/bugzilla/show_bug.cgi?id=11352