public inbox for gcc-bugs@sourceware.org
* [Bug libstdc++/94747] New: Undefined behavior: integer overflow in libsupc++/dyncast.cc
From: hiraditya at msn dot com @ 2020-04-24 15:23 UTC (permalink / raw)
To: gcc-bugs
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=94747
Bug ID: 94747
Summary: Undefined behavior: integer overflow in
libsupc++/dyncast.cc
Product: gcc
Version: 7.5.0
Status: UNCONFIRMED
Severity: normal
Priority: P3
Component: libstdc++
Assignee: unassigned at gcc dot gnu.org
Reporter: hiraditya at msn dot com
Target Milestone: ---
Integer overflow reported by asan with the following stack trace. If this is not sufficient I can try to provide a repro.
gcc/7.x/libstdc++-v3/libsupc++/dyncast.cc:53:11: runtime error: negation of 16 cannot be represented in type 'unsigned long'
> #0 in __dynamic_cast gcc/7.x/libstdc++-v3/libsupc++/dyncast.cc:53
> #1 in bool std::has_facet<std::ctype<char> >(std::locale const&) gcc/7.x/.../bits/locale_classes.tcc:110
> #2 in std::basic_ios<char, std::char_traits<char> >::_M_cache_locale(std::locale const&) gcc/7.x/.../bits/basic_ios.tcc:159
> #3 in std::basic_ios<char, std::char_traits<char> >::init(std::basic_streambuf<char, std::char_traits<char> >*) gcc/7.x/.../bits/basic_ios.tcc:132
> #4 in std::basic_ostream<char, std::char_traits<char> >::basic_ostream(std::basic_streambuf<char, std::char_traits<char> >*) gcc/7.x/.../ostream:85
> #5 in std::ios_base::Init::Init() gcc/7.x/libstdc++-v3/src/c++98/ios_init.cc:91
> #6 in __cxx_global_var_init gcc/7.x/.../iostream:74
* [Bug libstdc++/94747] Undefined behavior: integer overflow in libsupc++/dyncast.cc
From: jakub at gcc dot gnu.org @ 2020-04-24 16:33 UTC (permalink / raw)
To: gcc-bugs
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=94747
Jakub Jelinek <jakub at gcc dot gnu.org> changed:
What |Removed |Added
----------------------------------------------------------------------------
CC| |jakub at gcc dot gnu.org
--- Comment #1 from Jakub Jelinek <jakub at gcc dot gnu.org> ---
Negation of unsigned long value is well defined for all possible values,
including 16.
Is that with the flawed clang -fsanitize=unsigned-integer-overflow ?
GCC doesn't implement that for a reason.
* [Bug libstdc++/94747] Undefined behavior: integer overflow in libsupc++/dyncast.cc
From: redi at gcc dot gnu.org @ 2020-04-24 18:14 UTC (permalink / raw)
To: gcc-bugs
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=94747
Jonathan Wakely <redi at gcc dot gnu.org> changed:
What |Removed |Added
----------------------------------------------------------------------------
Resolution|--- |INVALID
Status|UNCONFIRMED |RESOLVED
--- Comment #2 from Jonathan Wakely <redi at gcc dot gnu.org> ---
(In reply to AK from comment #0)
> Integer overflow reported by asan with the following stack trace.
asan?! Are you sure?
As Jakub says, this is probably the dumb "unsigned-integer-overflow" sanitizer,
which is dumb because unsigned integers can't overflow by definition (they
wrap) and because that wrapping is never undefined.
The code is fine.
* [Bug libstdc++/94747] Confusing code in libsupc++/dyncast.cc
From: nathan at gcc dot gnu.org @ 2020-04-24 19:59 UTC (permalink / raw)
To: gcc-bugs
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=94747
Nathan Sidwell <nathan at gcc dot gnu.org> changed:
What |Removed |Added
----------------------------------------------------------------------------
Last reconfirmed| |2020-04-24
Summary|Undefined behavior: integer overflow in libsupc++/dyncast.cc |Confusing code in libsupc++/dyncast.cc
CC| |nathan at gcc dot gnu.org
Status|RESOLVED |ASSIGNED
Assignee|unassigned at gcc dot gnu.org |nathan at gcc dot gnu.org
Resolution|INVALID |---
Ever confirmed|0 |1
--- Comment #3 from Nathan Sidwell <nathan at gcc dot gnu.org> ---
While the code is well formed, it does not convey intent well. I wrote that
code, and probably even considered spelling it as -ptrdiff_t (offsetof ...), but
didn't because it causes a line wrap and has no semantic difference.
Negating unsigned numbers often shows programmer confusion, and can cause bugs
on I32LP64 systems, where the negation happens at a lower precision than
expected.
That's not the case here. If size_t has fewer bits than a pointer, there cannot
be overflow from the top size_t bit to the pointer arithmetic -- that breaks C
& C++ semantics.
Something for stage 1
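The distinction drawn in comment #3 is worth seeing in code: negating a pointer-width unsigned value (size_t on LP64) wraps modulo 2^64 and lands exactly where a negative offset would, while negating a 32-bit unsigned and then widening it produces a large positive offset. The block below is an added illustration, not code from this bug thread or from libsupc++/dyncast.cc. The `struct record` type, the `back_up_*` helpers and the use of `uint64_t`/`uint32_t` to stand in for LP64 `size_t` and a narrow `unsigned` are constructed so the results are the same on any host; the pointer form `record_from_origin` is the intent-revealing `-(ptrdiff_t)offsetof(...)` spelling and stays within the object, so it is well-defined.

```c
#include <inttypes.h>
#include <limits.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Jakub's point: negating an unsigned long is defined for every value.
 * The result is reduced modulo ULONG_MAX + 1, so -16 becomes ULONG_MAX - 15. */
int neg_ulong_is_defined(void) {
    unsigned long off = 16;
    return -off == ULONG_MAX - 15;
}

/* The three spellings, modelled as plain integer arithmetic on an address
 * so every step is well-defined and deterministic. uint64_t stands in for
 * an LP64 size_t/pointer; uint32_t stands in for a 32-bit unsigned int. */

/* (a) What dyncast.cc does: negate a pointer-width unsigned and add.
 * Wraps at 2^64, so addr + (2^64 - off) == addr - off. */
uint64_t back_up_size_t(uint64_t addr, uint64_t off) {
    uint64_t neg = (uint64_t)0 - off;      /* 16 -> 0xFFFFFFFFFFFFFFF0 */
    return addr + neg;
}

/* (b) The I32LP64 pitfall: the offset lives in a 32-bit unsigned, the
 * negation wraps at 2^32, and widening then yields +0xFFFFFFF0 instead
 * of -16. The "step backwards" becomes a 4 GiB step forwards. */
uint64_t back_up_narrow(uint64_t addr, uint32_t off) {
    uint32_t neg = (uint32_t)0 - off;      /* 16 -> 0xFFFFFFF0 */
    return addr + (uint64_t)neg;           /* widened with no sign to extend */
}

/* (c) The intent-revealing spelling: negate as a signed quantity. The
 * conversion of the negative int64_t back to uint64_t is modular, so the
 * value matches (a); the gain is that the sign is visible in the source. */
uint64_t back_up_signed(uint64_t addr, uint64_t off) {
    int64_t neg = -(int64_t)off;           /* 16 -> -16 */
    return addr + (uint64_t)neg;
}

/* Constructed record whose 'origin' member sits at a non-zero offset,
 * standing in for the vtable-prefix shape that dyncast.cc walks back from. */
struct record {
    uint64_t header;
    uint32_t flags;
    uint32_t origin;      /* offsetof(struct record, origin) == 12 */
    uint64_t trailer;
};

/* Recover the enclosing record from a pointer to its origin member using a
 * signed offset. The arithmetic stays inside the object, so it is defined. */
struct record *record_from_origin(uint32_t *origin) {
    ptrdiff_t back = -(ptrdiff_t)offsetof(struct record, origin);
    return (struct record *)((char *)origin + back);
}

int record_roundtrip(void) {
    struct record r = {0};
    return record_from_origin(&r.origin) == &r;
}

int main(void) {
    uint64_t addr = 0x1000;
    printf("size_t negation : 0x%" PRIx64 "\n", back_up_size_t(addr, 16));
    printf("narrow negation : 0x%" PRIx64 "\n", back_up_narrow(addr, 16));
    printf("signed negation : 0x%" PRIx64 "\n", back_up_signed(addr, 16));
    printf("unsigned long negation defined: %d\n", neg_ulong_is_defined());
    printf("record round trip: %d\n", record_roundtrip());
    return 0;
}
```

Case (b) is the only one that computes a wrong address, which is why the thread treats the original as a readability issue rather than a defect: as long as the negated type is as wide as a pointer, the wraparound is harmless. Note that clang's -fsanitize=unsigned-integer-overflow flags (a) and (b) alike, since it reports any unsigned wraparound, not just the ones that change the result.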
* [Bug libstdc++/94747] Confusing code in libsupc++/dyncast.cc
From: nathan at gcc dot gnu.org @ 2020-05-04 17:26 UTC (permalink / raw)
To: gcc-bugs
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=94747
Nathan Sidwell <nathan at gcc dot gnu.org> changed:
What |Removed |Added
----------------------------------------------------------------------------
Status|ASSIGNED |RESOLVED
Resolution|--- |FIXED
--- Comment #4 from Nathan Sidwell <nathan at gcc dot gnu.org> ---
Fixed e6b31fc7172