From: "redi at gcc dot gnu.org"
To: gcc-bugs@gcc.gnu.org
Subject: [Bug libstdc++/97659] Invalid pointer subtraction in vector::insert() (reported by pointer-subtract AddressSanitizer)
Date: Sun, 01 Nov 2020 11:33:38 +0000
X-Bugzilla-Product: gcc
X-Bugzilla-Component: libstdc++
X-Bugzilla-Version: 10.2.0
X-Bugzilla-Status: UNCONFIRMED

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=97659

--- Comment #5 from Jonathan Wakely ---
(In reply to Jakub Jelinek from comment #3)
> That sanitizer diagnoses
> http://eel.is/c++draft/expr.add#5.3
> which still seems UB.

Not since http://www.open-std.org/jtc1/sc22/wg21/docs/papers/2020/p0593r6.html
said that an array of T[n] can be implicitly created in the storage returned by
the allocator.

> Of course there can be bugs on the sanitizer side too; the sanitizer
> generally works by scanning the shadow memory in between the two pointers
> and if it finds an inaccessible byte in there (memory not part of an object,
> e.g. the inter-object redzone), it shall diagnose it.

I think the problem is that the unused capacity at the end of the vector is
marked as inaccessible. We need to flip it to accessible again before doing
that subtraction, then flip it back to inaccessible. Similarly in the
vector::capacity() member function.

Maybe it would be simpler to add the instrumentation in capacity() and then in
the _M_range_insert function shown in comment 0, use (capacity() - size()) >= n
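The mechanism Jonathan describes above, shown on a toy container rather than on std::vector. This is an added example, not libstdc++ or GCC code and not a patch for the bug: the Buffer class, its member names and the ANNOTATE macro are assumptions made for illustration. It keeps the unused tail of its storage poisoned with __sanitizer_annotate_contiguous_container (the same ASan entry point libstdc++'s vector annotations use), so the raw end_of_storage - finish subtraction crosses poisoned shadow bytes and is reported under -fsanitize=pointer-subtract with ASAN_OPTIONS=detect_invalid_pointer_pairs=2. capacity() instead unpoisons the tail, subtracts, and poisons it again, and can_insert() derives the free room from capacity() - size() as the comment suggests. Without -fsanitize=address the annotations compile to nothing and the arithmetic is unchanged.

```cpp
// Added example (not libstdc++ or GCC code). Toy contiguous buffer whose unused
// capacity is poisoned for AddressSanitizer, with the pointer subtraction
// done the instrumented way. To see the sanitizer side of it:
//   g++ -g -fsanitize=address -fsanitize=pointer-subtract example.cpp
//   ASAN_OPTIONS=detect_invalid_pointer_pairs=2 ./a.out
#include <cstddef>
#include <cstdio>
#include <new>

#ifndef __has_feature
#  define __has_feature(x) 0   // GCC has no __has_feature; Clang does
#endif
#if defined(__SANITIZE_ADDRESS__) || __has_feature(address_sanitizer)
#  include <sanitizer/common_interface_defs.h>
   // Marks [beg, new_mid) addressable and [new_mid, end) poisoned; old_mid is
   // the boundary as it was before the call.
#  define ANNOTATE(beg, end, old_mid, new_mid) \
     __sanitizer_annotate_contiguous_container(beg, end, old_mid, new_mid)
#else
#  define ANNOTATE(beg, end, old_mid, new_mid) ((void)0)
#endif

class Buffer {
public:
    explicit Buffer(std::size_t cap)
        : start_(static_cast<int*>(::operator new(cap * sizeof(int)))),
          finish_(start_), end_of_storage_(start_ + cap) {
        // No elements yet: the whole allocation is unused capacity, poison it.
        ANNOTATE(start_, end_of_storage_, end_of_storage_, finish_);
    }
    ~Buffer() {
        // Hand the storage back fully addressable before freeing it.
        ANNOTATE(start_, end_of_storage_, finish_, end_of_storage_);
        ::operator delete(start_);
    }
    Buffer(const Buffer&) = delete;
    Buffer& operator=(const Buffer&) = delete;

    // Appends without reallocating; returns false when the buffer is full.
    bool push_back(int v) {
        if (finish_ == end_of_storage_) return false;
        ANNOTATE(start_, end_of_storage_, finish_, finish_ + 1);  // grow the live prefix
        *finish_++ = v;
        return true;
    }

    // [start_, finish_) is always addressable, so this is never flagged.
    std::size_t size() const { return static_cast<std::size_t>(finish_ - start_); }

    // The pattern the bug report is about: the bytes between finish_ and
    // end_of_storage_ are poisoned, so with pointer-subtract checking enabled
    // this subtraction is reported as an invalid pointer pair.
    std::size_t unused_capacity_uninstrumented() const {
        return static_cast<std::size_t>(end_of_storage_ - finish_);
    }

    // Instrumented version: make the tail addressable, subtract, poison again.
    std::size_t capacity() const {
        ANNOTATE(start_, end_of_storage_, finish_, end_of_storage_);
        std::size_t n = static_cast<std::size_t>(end_of_storage_ - start_);
        ANNOTATE(start_, end_of_storage_, end_of_storage_, finish_);
        return n;
    }

    // Free room derived from the instrumented capacity(), as suggested in the
    // comment, instead of subtracting across the poisoned tail directly.
    bool can_insert(std::size_t n) const { return capacity() - size() >= n; }

private:
    int* start_;
    int* finish_;          // one past the last constructed element
    int* end_of_storage_;  // one past the end of the allocation
};

// Fills a buffer of capacity `cap` with `n` values (extra pushes are refused)
// and reports the room left via the instrumented path.
std::size_t room_left(std::size_t cap, std::size_t n) {
    Buffer b(cap);
    for (std::size_t i = 0; i < n; ++i) b.push_back(static_cast<int>(i));
    return b.capacity() - b.size();
}

// Same fill, then asks whether `extra` more elements would fit.
bool fits(std::size_t cap, std::size_t n, std::size_t extra) {
    Buffer b(cap);
    for (std::size_t i = 0; i < n; ++i) b.push_back(static_cast<int>(i));
    return b.can_insert(extra);
}

int main() {
    std::printf("8-slot buffer holding 3 elements: room for 5 more? %s, for 6? %s\n",
                fits(8, 3, 5) ? "yes" : "no", fits(8, 3, 6) ? "yes" : "no");
    return 0;
}
```

Calling unused_capacity_uninstrumented() from main in a build with the flags in the header comment reproduces the kind of report in this bug; the other accessors stay quiet because every subtraction they perform is over addressable shadow bytes.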