public inbox for gcc-bugs@sourceware.org
From: "redi at gcc dot gnu.org" <gcc-bugzilla@gcc.gnu.org>
To: gcc-bugs@gcc.gnu.org
Subject: [Bug libstdc++/109889] [13/14 Regression] Segfault in __run_exit_handlers since r13-5309-gc3c6c307792026
Date: Fri, 19 May 2023 12:49:43 +0000
Message-ID: <bug-109889-4-2YNOHn5ItD@http.gcc.gnu.org/bugzilla/>
In-Reply-To: <bug-109889-4@http.gcc.gnu.org/bugzilla/>

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=109889

--- Comment #11 from Jonathan Wakely <redi at gcc dot gnu.org> ---
The test looks like this:

#include <ext/throw_allocator.h>
#include <testsuite_allocator.h>

int main()
{
  typedef int value_type;
  typedef __gnu_cxx::throw_allocator_random<value_type> allocator_type;

  try { __gnu_test::check_deallocate_null<allocator_type>(); }
  catch (std::logic_error&)
    {
      // Should throw logic_error to catch null erase.
    }

  return 0;
}

Where check_deallocate_null does:

  template<typename Alloc>
    bool
    check_deallocate_null()
    {
      // Let's not core here...
      Alloc a;
      a.deallocate(0, 1);
      a.deallocate(0, 10);
      return true;
    }

The first call to deallocate results in a call to:

    // See if a particular address and allocation size has been saved.
    inline map_alloc_type::iterator
    check_allocated(void* p, size_t size)
    {
      map_alloc_type::iterator found = map_alloc().find(p);
      if (found == map_alloc().end())
        {
          std::string error("annotate_base::check_allocated by value "
                            "null erase!\n");
          log_to_string(error, make_entry(p, size));
          std::__throw_logic_error(error.c_str());
        }

This creates a debug mode iterator (found) and attaches it to the list of iterators for the static map created here:

    static map_alloc_type&
    map_alloc()
    {
      static map_alloc_type _S_map;
      return _S_map;
    }

The call to map_alloc().end() then creates a second iterator, which is attached to the list, and then detached when it goes out of scope.

Then we throw an exception, which is caught in main() and we return from main().

The first iterator, found, was not destroyed, and so was not detached from the list of active iterators.
When the map gets destroyed it detaches the iterator and calls its _M_reset() member to note that the iterator is now invalid (because the map it refers to no longer exists). But that iterator only existed on the stack of check_allocated, and calling _M_reset() on that stack address corrupts the stack. The found iterator should have been destroyed when the exception was thrown and the stack was unwound.
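
The following is an added example, not part of the original message and not libstdc++ code: a toy model of the mechanism described in the comment above, where a container resets every iterator still attached to it when it is destroyed. The names Container, Iter, destroy() and reset() are assumptions made for illustration; the skipped destructor is modelled with static storage so the late write is countable instead of landing in a dead stack frame.

```cpp
#include <new>
#include <stdexcept>

// Toy model (assumed names, not libstdc++'s): a container that keeps an
// intrusive list of the iterators currently attached to it.
struct Iter;
struct Container {
    Iter* head = nullptr;   // list of attached iterators
    int resets = 0;         // iterators still attached at destruction
    void destroy();         // models what the map's destructor does
};
struct Iter {
    Container* owner;
    Iter* next;
    explicit Iter(Container& c) : owner(&c), next(c.head) { c.head = this; }
    ~Iter() {               // detach from the owner's list
        if (!owner) return;
        Iter** p = &owner->head;
        while (*p != this) p = &(*p)->next;
        *p = next;
    }
    void reset() { owner = nullptr; next = nullptr; }  // writes into *this
};
void Container::destroy() {
    while (head) { Iter* it = head; head = it->next; it->reset(); ++resets; }
}

// Unwinding works: 'found' is destroyed and detached before the catch.
int resets_with_unwinding() {
    Container c;
    try { Iter found(c); throw std::logic_error("null erase"); }
    catch (std::logic_error&) {}
    c.destroy();
    return c.resets;
}

// Destructor skipped, as in the bug. 'found' lives in static storage so
// the late reset() is observable without touching a dead stack frame.
int resets_with_skipped_destructor() {
    alignas(Iter) static unsigned char slot[sizeof(Iter)];
    Container c;
    new (slot) Iter(c);     // constructed, never destroyed
    c.destroy();
    return c.resets;
}

int main() {
    return resets_with_unwinding() == 0 && resets_with_skipped_destructor() == 1 ? 0 : 1;
}
```

A non-zero count from destroy() marks each write the container makes through a pointer to an iterator whose destructor never ran; in the reported crash that pointer refers to the stack frame of check_allocated, which no longer exists.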