[Bug libstdc++/109889] [13/14 Regression] Segfault in __run_exit_handlers since r13-5309-gc3c6c307792026

["redi at gcc dot gnu.org" <gcc-bugzilla@gcc.gnu.org>]

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=109889

--- Comment #11 from Jonathan Wakely <redi at gcc dot gnu.org> ---
The test looks like this:

#include <ext/throw_allocator.h>
#include <testsuite_allocator.h>

int main()
{ 
  typedef int value_type;
  typedef __gnu_cxx::throw_allocator_random<value_type> allocator_type;

  try { __gnu_test::check_deallocate_null<allocator_type>(); }
  catch (std::logic_error&)
    {
      // Should throw logic_error to catch null erase.
    }

  return 0;
}


Where check_deallocate_null does:

  template<typename Alloc>
    bool
    check_deallocate_null()
    {
      // Let's not core here...
      Alloc a;
      a.deallocate(0, 1);
      a.deallocate(0, 10);
      return true;
    }


The first call to deallocate results in a call to:

    // See if a particular address and allocation size has been saved.
    inline map_alloc_type::iterator
    check_allocated(void* p, size_t size)
    {
      map_alloc_type::iterator found = map_alloc().find(p);
      if (found == map_alloc().end())
        {
          std::string error("annotate_base::check_allocated by value "
                            "null erase!\n");
          log_to_string(error, make_entry(p, size));
          std::__throw_logic_error(error.c_str());
        }


This creates a debug mode iterator (found) and attaches it to the list of
iterators for the  static map created here:

    static map_alloc_type&
    map_alloc()
    {
      static map_alloc_type _S_map;
      return _S_map;
    }

The call to map_alloc().end() then creates a second iterator, which is attached
to the list, and then detached when it goes out of scope.

Then we throw an exception, which is caught in main() and we return from
main().

The first iterator, found, was not destroyed, and so was not detached from the
list of active iterators. When the map gets destroyed it detaches the iterator
and calls its _M_reset() member to note that the iterator is now invalid
(because the map it refers to no logner exists). But that iterator only existed
on the stack of check_allocated, and calling _M_reset() on that stack address
corrupts the stack.

The found iterator should have been destroyed when the exception was thrown and
the stack was unwound.