[Bug libstdc++/63345] Multiple undefined behaviors (static_cast<>) in libstdc++-v3/include/bits

[Bug libstdc++/63345] Multiple undefined behaviors (static_cast<>) in libstdc++-v3/include/bits

[blee at gatech dot edu]

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=63345

--- Comment #1 from Byoungyoung Lee <blee at gatech dot edu> ---
Created attachment 33541
  --> https://gcc.gnu.org/bugzilla/attachment.cgi?id=33541&action=edit
Error reports in running Chromium browsers.

[Bug libstdc++/63345] New: Multiple undefined behaviors (static_cast<>) in libstdc++-v3/include/bits

[blee at gatech dot edu]

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=63345

            Bug ID: 63345
           Summary: Multiple undefined behaviors (static_cast<>) in
                    libstdc++-v3/include/bits
           Product: gcc
           Version: 4.8.0
            Status: UNCONFIRMED
          Severity: normal
          Priority: P3
         Component: libstdc++
          Assignee: unassigned at gcc dot gnu.org
          Reporter: blee at gatech dot edu

Created attachment 33540
  --> https://gcc.gnu.org/bugzilla/attachment.cgi?id=33540&action=edit
Patching undefined behaviors.

Hi all,

We have recently developed a runtime detection tool to identify undefined
behaviors in static_cast<> (similar to -fsanitize=object-size/-fsanitize=vptr
in Clang, but we generalized these functions and coverages), and found several
undefined behaviors in libstdc++ (tested on 4.8, but also applicable to trunk
version).

This bug is related to the undefined behavior described in 5.2.9/11;
down-casting is undefined if the object that the pointer to be casted points to
is not a suboject of down-casting type. We also found that
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=60734 already fixed two cases that
we are reporting here, but our tool reported 28 more cases.

By manually looking up the error report we got from running chromium (attached
the part of error reports: chromium_bits_errors.txt), we believe those are
truly undefined behaviors as specified in 5.2.9/11.  We also tried to fix this
issues based on the report (attachment: undef_static_cast_in_bits.patch).

Thanks,
Byoungyoung

[Bug libstdc++/63345] Multiple undefined behaviors (static_cast<>) in libstdc++-v3/include/bits

[glisse at gcc dot gnu.org]

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=63345

--- Comment #3 from Marc Glisse <glisse at gcc dot gnu.org> ---
Hello,

thanks for the report. I don't think we should blindly replace static_cast with
reinterpret_cast but rather try and understand what is going on. For instance,
for std::list, I believe the only case where the cast is wrong is for the
sentinel, and we should find a way not to cast at all in that case (it might be
enough to move the cast inside the loop).

[Bug libstdc++/63345] Multiple undefined behaviors (static_cast<>) in libstdc++-v3/include/bits

[redi at gcc dot gnu.org]

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=63345

Jonathan Wakely <redi at gcc dot gnu.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|UNCONFIRMED                 |NEW
   Last reconfirmed|                            |2014-09-23
     Ever confirmed|0                           |1

--- Comment #2 from Jonathan Wakely <redi at gcc dot gnu.org> ---
Thanks for the report, I'll go through the fixes and apply them (some of them
conflict with changes I'm working on in stl_list.h and stl_tree.h)

[Bug libstdc++/63345] Multiple undefined behaviors (static_cast<>) in libstdc++-v3/include/bits

[redi at gcc dot gnu.org]

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=63345

--- Comment #4 from Jonathan Wakely <redi at gcc dot gnu.org> ---
(In reply to Marc Glisse from comment #3)
> thanks for the report. I don't think we should blindly replace static_cast
> with reinterpret_cast but rather try and understand what is going on.

Yes, I strongly agree.

[Bug libstdc++/63345] Multiple undefined behaviors (static_cast<>) in libstdc++-v3/include/bits

[blee at gatech dot edu]

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=63345

--- Comment #5 from Byoungyoung Lee <blee at gatech dot edu> ---
Thank you for the quick response! The patch I've uploaded is simply the results
by replacing all static_cast in the error reports with reinterpret_cast, so
that the tool stops complaining and it servers as more like a pointer where the
undefined happens. Please let me know if there's anything that I can help out
(i.e., regression testing).

Thanks!

[Bug libstdc++/63345] Multiple undefined behaviors (static_cast<>) in libstdc++-v3/include/bits

[glisse at gcc dot gnu.org]

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=63345

--- Comment #6 from Marc Glisse <glisse at gcc dot gnu.org> ---
Author: glisse
Date: Mon Oct 13 10:00:27 2014
New Revision: 216142

URL: https://gcc.gnu.org/viewcvs?rev=216142&root=gcc&view=rev
Log:
2014-10-13  Marc Glisse  <marc.glisse@inria.fr>

    PR libstdc++/61347
    PR libstdc++/63345
    * include/bits/list.tcc (_List_base::_M_clear()): Delay cast so it
    isn't done for the sentinel.
    * include/bits/stl_list.h (_List_base::_M_size): Move...
    (_List_base::_List_impl::_M_node): ... here.
    (_List_base::_M_get_size(), _List_base::_M_set_size(size_t),
    _List_base::_M_inc_size(size_t), _List_base::_M_dec_size(size_t),
    _List_base::_M_node_count): Adapt to the move.
    * 23_containers/list/requirements/dr438/assign_neg.cc: Update
    line number.
    * 23_containers/list/requirements/dr438/constructor_1_neg.cc: Likewise.
    * 23_containers/list/requirements/dr438/constructor_2_neg.cc: Likewise.
    * 23_containers/list/requirements/dr438/insert_neg.cc: Likewise.


Modified:
    trunk/libstdc++-v3/ChangeLog
    trunk/libstdc++-v3/include/bits/list.tcc
    trunk/libstdc++-v3/include/bits/stl_list.h
   
trunk/libstdc++-v3/testsuite/23_containers/list/requirements/dr438/assign_neg.cc
   
trunk/libstdc++-v3/testsuite/23_containers/list/requirements/dr438/constructor_1_neg.cc
   
trunk/libstdc++-v3/testsuite/23_containers/list/requirements/dr438/constructor_2_neg.cc
   
trunk/libstdc++-v3/testsuite/23_containers/list/requirements/dr438/insert_neg.cc

[Bug libstdc++/63345] Multiple undefined behaviors (static_cast<>) in libstdc++-v3/include/bits

[redi at gcc dot gnu.org]

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=63345

--- Comment #7 from Jonathan Wakely <redi at gcc dot gnu.org> ---
Why does your patch need to touch operator* or operator-> for any of the
iterators? For any dereferenceable iterator the cast should be valid, so if
you're seeing invalid casts it suggests that you are dereferencing invalid
iterators.

[Bug libstdc++/63345] Multiple undefined behaviors (static_cast<>) in libstdc++-v3/include/bits

[redi at gcc dot gnu.org]

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=63345

--- Comment #8 from Jonathan Wakely <redi at gcc dot gnu.org> ---
I believe all the real problems are fixed now.