public inbox for gcc-bugs@sourceware.org
* [Bug libstdc++/60734] Undefined behavior in g++-v4/bits/stl_tree.h
From: redi at gcc dot gnu.org @ 2014-04-02 11:03 UTC (permalink / raw)
To: gcc-bugs
http://gcc.gnu.org/bugzilla/show_bug.cgi?id=60734
Jonathan Wakely <redi at gcc dot gnu.org> changed:
What |Removed |Added
----------------------------------------------------------------------------
Status|UNCONFIRMED |ASSIGNED
Last reconfirmed| |2014-04-02
Assignee|unassigned at gcc dot gnu.org |redi at gcc dot gnu.org
Ever confirmed|0 |1
--- Comment #1 from Jonathan Wakely <redi at gcc dot gnu.org> ---
The analysis looks right. The static_cast is definitely undefined. You can't
dereference the end() iterator so we don't need a valid pointer, so the
reinterpret_cast is OK.
I'd like to be able to reproduce it though, the toy examples I've tried don't
get the ubsan error.
* [Bug libstdc++/60734] Undefined behavior in g++-v4/bits/stl_tree.h
From: mpolacek at gcc dot gnu.org @ 2014-04-02 11:12 UTC (permalink / raw)
To: gcc-bugs
http://gcc.gnu.org/bugzilla/show_bug.cgi?id=60734
Marek Polacek <mpolacek at gcc dot gnu.org> changed:
What |Removed |Added
----------------------------------------------------------------------------
CC| |mpolacek at gcc dot gnu.org
--- Comment #2 from Marek Polacek <mpolacek at gcc dot gnu.org> ---
Our ubsan does not yet detect the "downcast of address..." error. Maybe in
next stage1.
* [Bug libstdc++/60734] Undefined behavior in g++-v4/bits/stl_tree.h
From: redi at gcc dot gnu.org @ 2014-04-02 11:14 UTC (permalink / raw)
To: gcc-bugs
http://gcc.gnu.org/bugzilla/show_bug.cgi?id=60734
--- Comment #3 from Jonathan Wakely <redi at gcc dot gnu.org> ---
Thanks Marek, in that case this is less high priority IMHO
* [Bug libstdc++/60734] Undefined behavior in g++-v4/bits/stl_tree.h
From: redi at gcc dot gnu.org @ 2014-04-15 10:52 UTC (permalink / raw)
To: gcc-bugs
http://gcc.gnu.org/bugzilla/show_bug.cgi?id=60734
--- Comment #4 from Jonathan Wakely <redi at gcc dot gnu.org> ---
Author: redi
Date: Tue Apr 15 10:52:06 2014
New Revision: 209414
URL: http://gcc.gnu.org/viewcvs?rev=209414&root=gcc&view=rev
Log:
PR libstdc++/60734
* include/bits/stl_tree.h (_Rb_tree::_M_end): Fix invalid cast.
Modified:
trunk/libstdc++-v3/ChangeLog
trunk/libstdc++-v3/include/bits/stl_tree.h
* [Bug libstdc++/60734] Undefined behavior in g++-v4/bits/stl_tree.h
From: redi at gcc dot gnu.org @ 2014-04-15 11:19 UTC (permalink / raw)
To: gcc-bugs
http://gcc.gnu.org/bugzilla/show_bug.cgi?id=60734
--- Comment #5 from Jonathan Wakely <redi at gcc dot gnu.org> ---
Fixed on trunk so far
* [Bug libstdc++/60734] Undefined behavior in g++-v4/bits/stl_tree.h
From: redi at gcc dot gnu.org @ 2014-06-03 17:26 UTC (permalink / raw)
To: gcc-bugs
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=60734
--- Comment #6 from Jonathan Wakely <redi at gcc dot gnu.org> ---
Author: redi
Date: Tue Jun 3 17:26:05 2014
New Revision: 211190
URL: http://gcc.gnu.org/viewcvs?rev=211190&root=gcc&view=rev
Log:
Backport from mainline
2014-04-15 Jonathan Wakely <jwakely@redhat.com>
PR libstdc++/60734
* include/bits/stl_tree.h (_Rb_tree::_M_end): Fix invalid cast.
Modified:
branches/gcc-4_9-branch/libstdc++-v3/ChangeLog
branches/gcc-4_9-branch/libstdc++-v3/include/bits/stl_tree.h
* [Bug libstdc++/60734] Undefined behavior in g++-v4/bits/stl_tree.h
From: redi at gcc dot gnu.org @ 2014-06-03 17:59 UTC (permalink / raw)
To: gcc-bugs
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=60734
--- Comment #7 from Jonathan Wakely <redi at gcc dot gnu.org> ---
Author: redi
Date: Tue Jun 3 17:58:51 2014
New Revision: 211197
URL: http://gcc.gnu.org/viewcvs?rev=211197&root=gcc&view=rev
Log:
Backport from mainline
2014-04-15 Jonathan Wakely <jwakely@redhat.com>
PR libstdc++/60734
* include/bits/stl_tree.h (_Rb_tree::_M_end): Fix invalid cast.
Modified:
branches/gcc-4_8-branch/libstdc++-v3/ChangeLog
branches/gcc-4_8-branch/libstdc++-v3/include/bits/stl_tree.h
* [Bug libstdc++/60734] Undefined behavior in g++-v4/bits/stl_tree.h
From: redi at gcc dot gnu.org @ 2014-06-03 18:00 UTC (permalink / raw)
To: gcc-bugs
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=60734
Jonathan Wakely <redi at gcc dot gnu.org> changed:
What |Removed |Added
----------------------------------------------------------------------------
Status|ASSIGNED |RESOLVED
Resolution|--- |FIXED
Target Milestone|--- |4.8.4
--- Comment #8 from Jonathan Wakely <redi at gcc dot gnu.org> ---
Fixed for 4.8.4 and 4.9.1
* [Bug libstdc++/60734] Undefined behavior in g++-v4/bits/stl_tree.h
From: bshastry at sec dot t-labs.tu-berlin.de @ 2015-08-27 12:13 UTC (permalink / raw)
To: gcc-bugs
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=60734
Bhargava Shastry <bshastry at sec dot t-labs.tu-berlin.de> changed:
What |Removed |Added
----------------------------------------------------------------------------
CC| |bshastry at sec dot t-labs.tu-berlin.de
--- Comment #9 from Bhargava Shastry <bshastry at sec dot t-labs.tu-berlin.de> ---
Hi. I just noticed that there are two more instances of the undefined downcast
via static_cast that are not fixed by the said patch.
### Lines borrowed from bits/stl_tree.h [gcc 5.1.0]
883. iterator
884. end() _GLIBCXX_NOEXCEPT
885. { return iterator(static_cast<_Link_type>(&this->_M_impl._M_header)); }
886.
887. const_iterator
888. end() const _GLIBCXX_NOEXCEPT
889. {
890. return const_iterator(static_cast<_Const_Link_type>
891. (&this->_M_impl._M_header));
892. }
The undefined casts happen on lines 885 and 890--891.
* [Bug libstdc++/60734] Undefined behavior in g++-v4/bits/stl_tree.h
From: redi at gcc dot gnu.org @ 2015-08-27 12:30 UTC (permalink / raw)
To: gcc-bugs
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=60734
Jonathan Wakely <redi at gcc dot gnu.org> changed:
What |Removed |Added
----------------------------------------------------------------------------
Status|RESOLVED |REOPENED
Resolution|FIXED |---
--- Comment #10 from Jonathan Wakely <redi at gcc dot gnu.org> ---
Yes, there are a few remaining. I changed the code on trunk to avoid all those
casts completely.
* [Bug libstdc++/60734] Undefined behavior in g++-v4/bits/stl_tree.h
From: redi at gcc dot gnu.org @ 2015-08-27 12:33 UTC (permalink / raw)
To: gcc-bugs
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=60734
Jonathan Wakely <redi at gcc dot gnu.org> changed:
What |Removed |Added
----------------------------------------------------------------------------
Status|REOPENED |RESOLVED
Resolution|--- |FIXED
--- Comment #11 from Jonathan Wakely <redi at gcc dot gnu.org> ---
In fact I also already fixed it on the gcc-5 branch, see r223811. The 5.1.0
sources are not current.
* [Bug libstdc++/60734] Undefined behavior in g++-v4/bits/stl_tree.h
From: bshastry at sec dot t-labs.tu-berlin.de @ 2015-08-27 12:50 UTC (permalink / raw)
To: gcc-bugs
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=60734
--- Comment #12 from Bhargava Shastry <bshastry at sec dot t-labs.tu-berlin.de> ---
Also, I noticed a couple of potentially suspicious casts not fixed upstream.
They are in _S_right [1] and elsewhere.
The problem I see is this:
a. _M_right is a pointer to an object of type _Rb_tree_node_base
b. _Link_type is a pointer to an object of type _Rb_tree_node<_Val> that is
derived from _Rb_tree_node_base
b. _M_right points to an object of type _Rb_tree_node_base in init() [2] and
reset() [3]
a) and b) together imply that it is possible that _M_right points to an object
of type _Rb_tree_node_base when cast to _Link_type in [1]. Is this a matter for
concern?
[1]: https://gcc.gnu.org/viewcvs/gcc/branches/gcc-5-branch/libstdc%2B%2B-v3/include/bits/stl_tree.h?view=markup&pathrev=223811#l685
[2]: https://gcc.gnu.org/viewcvs/gcc/branches/gcc-5-branch/libstdc%2B%2B-v3/include/bits/stl_tree.h?view=markup&pathrev=223811#l614
[3]: https://gcc.gnu.org/viewcvs/gcc/branches/gcc-5-branch/libstdc%2B%2B-v3/include/bits/stl_tree.h?view=markup&pathrev=223811#l604
* [Bug libstdc++/60734] Undefined behavior in g++-v4/bits/stl_tree.h
From: redi at gcc dot gnu.org @ 2015-08-27 13:25 UTC (permalink / raw)
To: gcc-bugs
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=60734
--- Comment #13 from Jonathan Wakely <redi at gcc dot gnu.org> ---
(In reply to Bhargava Shastry from comment #12)
> a) and b) together imply that it is possible that _M_right points to an
> object of type _Rb_tree_node_base when cast to _Link_type in [1]. Is this a
> matter for concern?
Not especially, because we never dereference it except when it really does
point to the derived type.
We might be able to replace those with reinterpret_cast, or just return the
base pointer and delay the cast until needed.
^ permalink raw reply [flat|nested] 13+ messages in thread
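The pattern discussed in this thread, as an added example that is not part of the thread or of libstdc++: a container whose header is a base-class sentinel, with end() handing out the base pointer and the downcast delayed until dereference, the second option mentioned in comment #13. SortedRing, NodeBase, Node and walk_digits are hypothetical names, and a sorted linked ring stands in for the red-black tree.

```cpp
// Hypothetical stand-ins for _Rb_tree_node_base and _Rb_tree_node<_Val>.
struct NodeBase { NodeBase* next; };
struct Node : NodeBase { int value; };
class SortedRing {  // simplified sorted ring, sentinel header as in the tree
  NodeBase header_;  // a NodeBase object, never a Node
public:
  class iterator {
    NodeBase* p_;  // base pointer stored, no cast on construction
  public:
    explicit iterator(NodeBase* p) : p_(p) {}
    // Downcast delayed to the only place that needs a real Node;
    // dereferencing end() is a caller error, as with library iterators.
    int& operator*() const { return static_cast<Node*>(p_)->value; }
    iterator& operator++() { p_ = p_->next; return *this; }
    bool operator==(const iterator& o) const { return p_ == o.p_; }
    bool operator!=(const iterator& o) const { return p_ != o.p_; }
  };
  SortedRing() { header_.next = &header_; }
  SortedRing(const SortedRing&) = delete;  // owns its nodes
  SortedRing& operator=(const SortedRing&) = delete;
  ~SortedRing() {
    for (NodeBase* p = header_.next; p != &header_;) {
      NodeBase* n = p->next;
      delete static_cast<Node*>(p);  // valid: non-header nodes are Nodes
      p = n;
    }
  }
  void insert(int v) {
    NodeBase* prev = &header_;
    while (prev->next != &header_ && static_cast<Node*>(prev->next)->value < v)
      prev = prev->next;
    Node* n = new Node;
    n->value = v; n->next = prev->next;
    prev->next = n;
  }
  iterator begin() { return iterator(header_.next); }
  // Form flagged in the thread: iterator(static_cast<Node*>(&header_)),
  // undefined because header_ is not a Node. No cast is needed here.
  iterator end() { return iterator(&header_); }
};
// Inserts constructed sample values; returns iteration order as digits.
int walk_digits() {
  SortedRing r;
  r.insert(3); r.insert(1); r.insert(2);
  int out = 0;
  for (SortedRing::iterator it = r.begin(); it != r.end(); ++it)
    out = out * 10 + *it;
  return out;
}
```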