[Bug c++/109731] New: g++ eveluates delete's expressio more than once

public inbox for gcc-bugs@sourceware.org
help / color / mirror / Atom feed

* [Bug c++/109731] New: g++ eveluates delete's expressio more than once
@ 2023-05-04 10:51 gjl at gcc dot gnu.org
  2023-05-04 11:06 ` [Bug c++/109731] g++ evaluates delete expressions " redi at gcc dot gnu.org
                   ` (4 more replies)
  0 siblings, 5 replies; 6+ messages in thread
From: gjl at gcc dot gnu.org @ 2023-05-04 10:51 UTC (permalink / raw)
  To: gcc-bugs

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=109731

            Bug ID: 109731
           Summary: g++ eveluates delete's expressio more than once
           Product: gcc
           Version: 11.3.0
            Status: UNCONFIRMED
          Severity: normal
          Priority: P3
         Component: c++
          Assignee: unassigned at gcc dot gnu.org
          Reporter: gjl at gcc dot gnu.org
  Target Milestone: ---

Created attachment 54992
  --> https://gcc.gnu.org/bugzilla/attachment.cgi?id=54992&action=edit
C++ test case

The attached test case evaluates the last delete expression more than once,
which leads to a segmentation fault when the code is executed:

> g++ main-3.cpp -O2 && ./a.out

but it also occurs with -O0. Seen on:

g++ (Ubuntu 11.3.0-1ubuntu1~22.04) 11.3.0

g++ (GCC) 14.0.0 20230420 (experimental)

https://eel.is/c++draft/expr.delete#4

^ permalink raw reply	[flat|nested] 6+ messages in thread

* [Bug c++/109731] g++ evaluates delete expressions more than once
  2023-05-04 10:51 [Bug c++/109731] New: g++ eveluates delete's expressio more than once gjl at gcc dot gnu.org
@ 2023-05-04 11:06 ` redi at gcc dot gnu.org
  2023-05-04 11:10 ` redi at gcc dot gnu.org
                   ` (3 subsequent siblings)
  4 siblings, 0 replies; 6+ messages in thread
From: redi at gcc dot gnu.org @ 2023-05-04 11:06 UTC (permalink / raw)
  To: gcc-bugs

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=109731

Jonathan Wakely <redi at gcc dot gnu.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
   Last reconfirmed|                            |2023-05-04
             Status|UNCONFIRMED                 |NEW
     Ever confirmed|0                           |1
      Known to fail|                            |13.1.0, 14.0, 4.1.0

--- Comment #1 from Jonathan Wakely <redi at gcc dot gnu.org> ---
Confirmed. GCC does not follow [expr.delete] p4:

 "The cast-expression in a delete-expression shall be evaluated exactly once."

^ permalink raw reply	[flat|nested] 6+ messages in thread

* [Bug c++/109731] g++ evaluates delete expressions more than once
  2023-05-04 10:51 [Bug c++/109731] New: g++ eveluates delete's expressio more than once gjl at gcc dot gnu.org
  2023-05-04 11:06 ` [Bug c++/109731] g++ evaluates delete expressions " redi at gcc dot gnu.org
@ 2023-05-04 11:10 ` redi at gcc dot gnu.org
  2023-05-04 11:12 ` redi at gcc dot gnu.org
                   ` (2 subsequent siblings)
  4 siblings, 0 replies; 6+ messages in thread
From: redi at gcc dot gnu.org @ 2023-05-04 11:10 UTC (permalink / raw)
  To: gcc-bugs

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=109731

--- Comment #2 from Jonathan Wakely <redi at gcc dot gnu.org> ---
ASan shows the use-after-free:

=================================================================
==46643==ERROR: AddressSanitizer: heap-use-after-free on address 0x602000000010
at pc 0x0000004010c4 bp 0x7ffff0f09830 sp 0x7ffff0f09828
READ of size 8 at 0x602000000010 thread T0
    #0 0x4010c3 in main /tmp/del.cc:33
    #1 0x7fc85844a50f in __libc_start_call_main (/lib64/libc.so.6+0x2750f)
(BuildId: 81daba31ee66dbd63efdc4252a872949d874d136)
    #2 0x7fc85844a5c8 in __libc_start_main@GLIBC_2.2.5
(/lib64/libc.so.6+0x275c8) (BuildId: 81daba31ee66dbd63efdc4252a872949d874d136)
    #3 0x401114 in _start (/tmp/a.out+0x401114)

0x602000000010 is located 0 bytes inside of 8-byte region
[0x602000000010,0x602000000018)
freed by thread T0 here:
    #0 0x7fc858addd48 in operator delete(void*, unsigned long)
/home/jwakely/src/gcc/gcc/libsanitizer/asan/asan_new_delete.cpp:164
    #1 0x40109a in Lexer::~Lexer() /tmp/del.cc:20
    #2 0x40109a in main /tmp/del.cc:33

previously allocated by thread T0 here:
    #0 0x7fc858adce48 in operator new(unsigned long)
/home/jwakely/src/gcc/gcc/libsanitizer/asan/asan_new_delete.cpp:95
    #1 0x40108a in main /tmp/del.cc:31

SUMMARY: AddressSanitizer: heap-use-after-free /tmp/del.cc:33 in main


valgrind agrees:

==46706== Invalid read of size 8
==46706==    at 0x40106B: main (del.cc:33)
==46706==  Address 0x4dca080 is 0 bytes inside a block of size 8 free'd
==46706==    at 0x48468DD: operator delete(void*, unsigned long)
(vg_replace_malloc.c:947)
==46706==    by 0x40106A: ~Lexer (del.cc:20)
==46706==    by 0x40106A: main (del.cc:33)
==46706==  Block was alloc'd at
==46706==    at 0x4843FF5: operator new(unsigned long)
(vg_replace_malloc.c:434)
==46706==    by 0x40105A: main (del.cc:31)



Marc Glisse pointed out that we're not using a SAVE_EXPR for the operand of the
delete-expression: https://gcc.gnu.org/pipermail/gcc-help/2023-May/142512.html

"""
It normally uses a SAVE_EXPR, but seems to consider token->lexer_ as "safe".

         try
           {
             Lexer::~Lexer ((struct Lexer *) token->lexer_);
           }
         finally
           {
             operator delete ((void *) token->lexer_, 8);
           }

whereas if I write delete (token->lexer_ + i); where i is 0, I get

         try
           {
             Lexer::~Lexer (SAVE_EXPR <(struct Lexer *) token->lexer_ + 
(sizetype) (i * 8)>);
           }
         finally
           {
             operator delete ((void *) (SAVE_EXPR <(struct Lexer *) 
token->lexer_ + (sizetype) (i * 8)>), 8);
           }

which works.
"""

^ permalink raw reply	[flat|nested] 6+ messages in thread

* [Bug c++/109731] g++ evaluates delete expressions more than once
  2023-05-04 10:51 [Bug c++/109731] New: g++ eveluates delete's expressio more than once gjl at gcc dot gnu.org
  2023-05-04 11:06 ` [Bug c++/109731] g++ evaluates delete expressions " redi at gcc dot gnu.org
  2023-05-04 11:10 ` redi at gcc dot gnu.org
@ 2023-05-04 11:12 ` redi at gcc dot gnu.org
  2023-05-04 11:21 ` pinskia at gcc dot gnu.org
  2023-05-04 11:34 ` redi at gcc dot gnu.org
  4 siblings, 0 replies; 6+ messages in thread
From: redi at gcc dot gnu.org @ 2023-05-04 11:12 UTC (permalink / raw)
  To: gcc-bugs

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=109731

--- Comment #3 from Jonathan Wakely <redi at gcc dot gnu.org> ---
It seems that it's considered safe because Token::lexer_ is const, so GCC
thinks the value of token->lexer_ can't be changed by the ~Lexer() destructor.
That's true, but 'token' can become an invalid pointer.

^ permalink raw reply	[flat|nested] 6+ messages in thread

* [Bug c++/109731] g++ evaluates delete expressions more than once
  2023-05-04 10:51 [Bug c++/109731] New: g++ eveluates delete's expressio more than once gjl at gcc dot gnu.org
                   ` (2 preceding siblings ...)
  2023-05-04 11:12 ` redi at gcc dot gnu.org
@ 2023-05-04 11:21 ` pinskia at gcc dot gnu.org
  2023-05-04 11:34 ` redi at gcc dot gnu.org
  4 siblings, 0 replies; 6+ messages in thread
From: pinskia at gcc dot gnu.org @ 2023-05-04 11:21 UTC (permalink / raw)
  To: gcc-bugs

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=109731

Andrew Pinski <pinskia at gcc dot gnu.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
           See Also|                            |https://gcc.gnu.org/bugzill
                   |                            |a/show_bug.cgi?id=52339

--- Comment #4 from Andrew Pinski <pinskia at gcc dot gnu.org> ---
I think this is a dup of bug 52339 .

^ permalink raw reply	[flat|nested] 6+ messages in thread

* [Bug c++/109731] g++ evaluates delete expressions more than once
  2023-05-04 10:51 [Bug c++/109731] New: g++ eveluates delete's expressio more than once gjl at gcc dot gnu.org
                   ` (3 preceding siblings ...)
  2023-05-04 11:21 ` pinskia at gcc dot gnu.org
@ 2023-05-04 11:34 ` redi at gcc dot gnu.org
  4 siblings, 0 replies; 6+ messages in thread
From: redi at gcc dot gnu.org @ 2023-05-04 11:34 UTC (permalink / raw)
  To: gcc-bugs

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=109731

Jonathan Wakely <redi at gcc dot gnu.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
         Resolution|---                         |DUPLICATE
             Status|NEW                         |RESOLVED

--- Comment #5 from Jonathan Wakely <redi at gcc dot gnu.org> ---
Ah yes, it's exactly the same, even noting that it works without a const
variable. Let's close this one.

*** This bug has been marked as a duplicate of bug 52339 ***

^ permalink raw reply	[flat|nested] 6+ messages in thread

end of thread, other threads:[~2023-05-04 11:34 UTC | newest]

Thread overview: 6+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2023-05-04 10:51 [Bug c++/109731] New: g++ eveluates delete's expressio more than once gjl at gcc dot gnu.org
2023-05-04 11:06 ` [Bug c++/109731] g++ evaluates delete expressions " redi at gcc dot gnu.org
2023-05-04 11:10 ` redi at gcc dot gnu.org
2023-05-04 11:12 ` redi at gcc dot gnu.org
2023-05-04 11:21 ` pinskia at gcc dot gnu.org
2023-05-04 11:34 ` redi at gcc dot gnu.org

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).