From: "plasmahh at gmx dot net"
To: gcc-bugs@gcc.gnu.org
Subject: [Bug libstdc++/54296] New: using the object in the map to erase element from the map crashes
Date: Fri, 17 Aug 2012 13:08:00 -0000
X-Bugzilla-URL: http://gcc.gnu.org/bugzilla/
X-SW-Source: 2012-08/txt/msg01145.txt.bz2

http://gcc.gnu.org/bugzilla/show_bug.cgi?id=54296

             Bug #: 54296
           Summary: using the object in the map to erase element from the map crashes
    Classification: Unclassified
           Product: gcc
           Version: 4.8.0
            Status: UNCONFIRMED
          Severity: normal
          Priority: P3
         Component: libstdc++
        AssignedTo: unassigned@gcc.gnu.org
        ReportedBy: plasmahh@gmx.net

I found a crash in my program, which boils down to the following code. (Note that this does usually not crash, but will be reported by valgrind with invalid read after free. Also note that depending on possible internals of the bucket hashing stuff, the value for i where it crashes might change, so you can use the random part multiple times to figure out a new one.)

// The header names and the map's template arguments were lost in the list
// archive; they are restored here to what the code needs (key type int,
// consistent with the int lookups and erase(a.x) below).
#include <cstddef>
#include <cstdlib>
#include <ctime>
#include <iostream>
#include <unordered_map>

struct A
{
	int x;
};

int main ( )
{
	srand(time(0));
	std::unordered_map<int, A> map;
	map.max_load_factor(2.0);
	for (size_t i = 0; i < 50; ++i)
	{
		A a;
		a.x = i;
		map.insert({i,a});
	}
	// int i = rand() % map.size();
	int i = 47;
	std::cout << "i = " << i << "\n";
	// a refers to the value stored inside the node that erase() is about to free,
	// so a.x is read from that node while the erase is in progress
	const A& a = map[i];
	map.erase(a.x);
}

// vim: tabstop=4 shiftwidth=4 noexpandtab ft=cpp

This seems to be due to the while condition in hashtable.h:1526 accessing __k after the _M_deallocate_node(__p) of line 1517

while (__next_bkt == __bkt && this->_M_equals(__k, __code, __next_n));

I think it is better that after the erase of the node, __k should not be touched anymore as it might be part of the object being erased.
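The report describes a read-after-free inside erase(): the key reference handed to the library lives in the node being freed. Until a library fix lands, callers can avoid the pattern entirely. The following is an added example, not code from the report or from libstdc++; the Map alias, build_map and the erase_* helper names are my own. It keeps the report's shape as an uncalled 'before' function, then shows two caller-side forms that never let a key reference outlive its node: copying the key to a local before erasing, and erasing through an iterator. It also generalises the report's "random i" by erasing every element in shuffled order.

```cpp
#include <algorithm>
#include <cstddef>
#include <iostream>
#include <random>
#include <unordered_map>
#include <vector>

struct A
{
	int x;
};

using Map = std::unordered_map<int, A>;

// Same set-up as the report: keys 0..n-1, each mapped to an A whose x equals its key.
Map build_map(std::size_t n)
{
	Map map;
	map.max_load_factor(2.0f);
	for (std::size_t i = 0; i < n; ++i)
	{
		A a;
		a.x = static_cast<int>(i);
		map.insert({a.x, a});
	}
	return map;
}

// The shape from the report, kept only as the 'before' form and never called by
// the checks below: the key handed to erase() is a reference into the node that
// erase() frees, so an erase implementation that re-reads the key after
// deallocating the node (as the report describes) performs a read after free.
std::size_t erase_through_stored_reference_unsafe(Map& map, int lookup)
{
	const A& a = map[lookup];
	return map.erase(a.x);
}

// Fix 1: copy the key out of the element before the element is destroyed.
// The local outlives the node, so nothing inside erase() can dangle.
std::size_t erase_by_copied_key(Map& map, int lookup)
{
	auto it = map.find(lookup);
	if (it == map.end())
		return 0;
	const int key = it->second.x;
	return map.erase(key);
}

// Fix 2: erase by iterator. The node is already located, so the library has no
// key reference to compare against after the node is gone.
bool erase_by_iterator(Map& map, int lookup)
{
	auto it = map.find(lookup);
	if (it == map.end())
		return false;
	map.erase(it);
	return true;
}

// Generalises the report's "random i": erase every element in a shuffled order
// using the copied-key form and return how many elements remain (0 on success).
// Fixed seed (constructed value) so the run is reproducible.
std::size_t erase_all_shuffled(std::size_t n)
{
	Map map = build_map(n);
	std::vector<int> keys;
	for (const auto& kv : map)
		keys.push_back(kv.first);
	std::shuffle(keys.begin(), keys.end(), std::mt19937(54296));
	for (int k : keys)
		erase_by_copied_key(map, k);
	return map.size();
}

int main()
{
	Map map = build_map(50);
	std::cout << "erased " << erase_by_copied_key(map, 47) << " element(s), "
	          << map.size() << " left\n";
	std::cout << "remaining after shuffled erase of all: "
	          << erase_all_shuffled(50) << "\n";
}
```

Running the unsafe form under valgrind on an affected libstdc++ is the way to reproduce the report's finding; the two safe forms are the ones to use in code that must erase an element using a key read from that same element.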