[Bug libstdc++/102712] New: std::optional::operator* should assert on unset value

[Bug libstdc++/102712] New: std::optional::operator* should assert on unset value

[ott at fb dot com]

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=102712

            Bug ID: 102712
           Summary: std::optional::operator* should assert on unset value
           Product: gcc
           Version: unknown
            Status: UNCONFIRMED
          Severity: normal
          Priority: P3
         Component: libstdc++
          Assignee: unassigned at gcc dot gnu.org
          Reporter: ott at fb dot com
  Target Milestone: ---

It is UB to call operator* on an unset std::optional, and when doing so it is
easy to hit time-traveling UB, resulting in behavior that is very hard to
debug. 

For example, setting a field of an unset optional with operator-> may look like
it succeeded, and the rest of the program will behave as if the optional was
set, but it will silently leak memory because the destructor won't run. Another
plausible scenario is having an optional<X> where X has an operator bool(), and
spelling "if (*opt)" when the intention is to spell "if (opt)". The program
compiles and the optional is just assumed set around the condition.

Even UBSan with some of the strictest settings doesn't detect this.

All major implementations of the type have defined behavior in debug builds:

- libc++ asserts
https://github.com/llvm-mirror/libcxx/blob/master/include/optional#L905

- boost asserts
https://github.com/boostorg/optional/blob/develop/include/boost/optional/optional.hpp#L1213

- abseil asserts
https://github.com/abseil/abseil-cpp/blob/master/absl/types/optional.h#L428

- folly throws (in any compilation mode)
https://github.com/facebook/folly/blob/master/folly/Optional.h#L330
https://github.com/facebook/folly/blob/master/folly/Optional.h#L297

So anyone migrating from any of these is in for a world of hurt. 
Please consider adding an assertion in libstdc++.

[Bug libstdc++/102712] std::optional::operator* should assert on unset value

[redi at gcc dot gnu.org]

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=102712

Jonathan Wakely <redi at gcc dot gnu.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|UNCONFIRMED                 |RESOLVED
         Resolution|---                         |WORKSFORME

--- Comment #1 from Jonathan Wakely <redi at gcc dot gnu.org> ---
You mean like this one?

/usr/include/c++/11/optional:440: constexpr _Tp& std::_Optional_base_impl<_Tp,
_Dp>::_M_get() [with _Tp = int; _Dp = std::_Optional_base<int, true, true>]:
Assertion 'this->_M_is_engaged()' failed.
Aborted (core dumped)

It's been there since r248099 more than four years ago.

Just compile with -D_GLIBCXX_ASSERTIONS

[Bug libstdc++/102712] std::optional::operator* should assert on unset value

[redi at gcc dot gnu.org]

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=102712

--- Comment #2 from Jonathan Wakely <redi at gcc dot gnu.org> ---
(In reply to Jonathan Wakely from comment #1)
> Just compile with -D_GLIBCXX_ASSERTIONS

Or the more heavyweight -D_GLIBCXX_DEBUG which implies _GLIBCXX_ASSERTIONS too.

[Bug libstdc++/102712] std::optional::operator* should assert on unset value

[ott at fb dot com]

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=102712

--- Comment #3 from Giuseppe Ottaviano <ott at fb dot com> ---
Oh well this is embarrassing, I was looking at _Optional_payload_base::_M_get()
instead of _Optional_base_impl::_M_get() .

Sorry for the noise and thanks for fixing this 4 years ago!

[Bug libstdc++/102712] std::optional::operator* should assert on unset value

[redi at gcc dot gnu.org]

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=102712

Jonathan Wakely <redi at gcc dot gnu.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |tim at klingt dot org

--- Comment #4 from Jonathan Wakely <redi at gcc dot gnu.org> ---
*** Bug 107894 has been marked as a duplicate of this bug. ***