public inbox for gcc-bugs@sourceware.org
help / color / mirror / Atom feed
* [Bug c++/98419] New: wrong code when destructor of local variable modifies returned object
@ 2020-12-22 12:16 leni536 at gmail dot com
2020-12-22 12:36 ` [Bug c++/98419] " marxin at gcc dot gnu.org
` (2 more replies)
0 siblings, 3 replies; 4+ messages in thread
From: leni536 at gmail dot com @ 2020-12-22 12:16 UTC (permalink / raw)
To: gcc-bugs
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=98419
Bug ID: 98419
Summary: wrong code when destructor of local variable modifies
returned object
Product: gcc
Version: 10.2.0
Status: UNCONFIRMED
Severity: normal
Priority: P3
Component: c++
Assignee: unassigned at gcc dot gnu.org
Reporter: leni536 at gmail dot com
Target Milestone: ---
Version:
g++ (Compiler-Explorer-Build) 10.2.0
Command line options:
-std=c++17 -O2 -pedantic-errors
```
struct A {
int i;
A(int ** iptrptr): i(1) {
*iptrptr = &i;
}
};
struct B {
int* iptr;
B(): iptr(0) {}
~B() {
*iptr = 2;
}
};
A foo() {
B b;
return A(&b.iptr);
}
```
Observed behavior:
foo() returns an object with its `i` member having the value 1.
https://godbolt.org/z/Yhcjo9
Expected behavior:
foo() to return an object with its `i` member having the value 2.
The destruction of `b` is sequenced before the initialization of the returned
object. The constructor of A sets the int* contained in `b` to point within the
returned object (there is no temporary created with type A, C++17's mandatory
copy elision is assumed here). ~B() then sets the `i` member of the returned
object to 2.
Other observations:
With command line options `-std=c++17 -O0 -pedantic-errors -fsanitize=address`
~B() tramples the stack:
https://godbolt.org/z/M5ETa9
When A has a user-defined copy-constructor or destructor then I get the
expected behavior:
https://godbolt.org/z/osqbfz
https://godbolt.org/z/ozzPaf
Presumably when the returned type is trivially copyable then the copy isn't
elided, with the assumption that it's not observable. In C++17 the copy elision
is mandatory, and it is observable even for trivially copyable types, as shown
in this example.
^ permalink raw reply [flat|nested] 4+ messages in thread* [Bug c++/98419] wrong code when destructor of local variable modifies returned object
2020-12-22 12:16 [Bug c++/98419] New: wrong code when destructor of local variable modifies returned object leni536 at gmail dot com
@ 2020-12-22 12:36 ` marxin at gcc dot gnu.org
2020-12-22 21:05 ` leni536 at gmail dot com
2020-12-23 10:59 ` marxin at gcc dot gnu.org
2 siblings, 0 replies; 4+ messages in thread
From: marxin at gcc dot gnu.org @ 2020-12-22 12:36 UTC (permalink / raw)
To: gcc-bugs
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=98419
Martin Liška <marxin at gcc dot gnu.org> changed:
What |Removed |Added
----------------------------------------------------------------------------
CC| |marxin at gcc dot gnu.org
--- Comment #1 from Martin Liška <marxin at gcc dot gnu.org> ---
It seems you invoke a use-after-scope:
g++ pr98419.C -fsanitize=address,undefined && ./a.out
=================================================================
==31013==ERROR: AddressSanitizer: stack-use-after-scope on address
0x7fffffffdf30 at pc 0x000000401532 bp 0x7fffffffdec0 sp 0x7fffffffdeb8
WRITE of size 4 at 0x7fffffffdf30 thread T0
#0 0x401531 in B::~B() (/home/marxin/Programming/testcases/a.out+0x401531)
#1 0x401293 in foo() (/home/marxin/Programming/testcases/a.out+0x401293)
#2 0x4012fb in main (/home/marxin/Programming/testcases/a.out+0x4012fb)
#3 0x7ffff676e151 in __libc_start_main (/lib64/libc.so.6+0x28151)
#4 0x4010fd in _start (/home/marxin/Programming/testcases/a.out+0x4010fd)
Address 0x7fffffffdf30 is located in stack of thread T0 at offset 48 in frame
#0 0x4011b5 in foo() (/home/marxin/Programming/testcases/a.out+0x4011b5)
This frame has 2 object(s):
[48, 52) '<unknown>' <== Memory access at offset 48 is inside this variable
[64, 72) 'b' (line 17)
HINT: this may be a false positive if your program uses some custom stack
unwind mechanism, swapcontext or vfork
(longjmp and C++ exceptions *are* supported)
SUMMARY: AddressSanitizer: stack-use-after-scope
(/home/marxin/Programming/testcases/a.out+0x401531) in B::~B()
Shadow bytes around the buggy address:
0x10007fff7b90: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x10007fff7ba0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x10007fff7bb0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x10007fff7bc0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x10007fff7bd0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x10007fff7be0: f1 f1 f1 f1 f1 f1[f8]f2 00 f3 f3 f3 00 00 00 00
0x10007fff7bf0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x10007fff7c00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x10007fff7c10: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x10007fff7c20: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x10007fff7c30: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
Shadow gap: cc
==31013==ABORTING
^ permalink raw reply [flat|nested] 4+ messages in thread* [Bug c++/98419] wrong code when destructor of local variable modifies returned object
2020-12-22 12:16 [Bug c++/98419] New: wrong code when destructor of local variable modifies returned object leni536 at gmail dot com
2020-12-22 12:36 ` [Bug c++/98419] " marxin at gcc dot gnu.org
@ 2020-12-22 21:05 ` leni536 at gmail dot com
2020-12-23 10:59 ` marxin at gcc dot gnu.org
2 siblings, 0 replies; 4+ messages in thread
From: leni536 at gmail dot com @ 2020-12-22 21:05 UTC (permalink / raw)
To: gcc-bugs
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=98419
--- Comment #2 from Lénárd Szolnoki <leni536 at gmail dot com> ---
This is probably invalid, I wasn't aware of
http://eel.is/c++draft/class.temporary#3
> When an object of class type X is passed to or returned from a function, if X has at least one eligible copy or move constructor ([special]), each such constructor is trivial, and the destructor of X is either trivial or deleted, implementations are permitted to create a temporary object to hold the function parameter or result object.
^ permalink raw reply [flat|nested] 4+ messages in thread
* [Bug c++/98419] wrong code when destructor of local variable modifies returned object
2020-12-22 12:16 [Bug c++/98419] New: wrong code when destructor of local variable modifies returned object leni536 at gmail dot com
2020-12-22 12:36 ` [Bug c++/98419] " marxin at gcc dot gnu.org
2020-12-22 21:05 ` leni536 at gmail dot com
@ 2020-12-23 10:59 ` marxin at gcc dot gnu.org
2 siblings, 0 replies; 4+ messages in thread
From: marxin at gcc dot gnu.org @ 2020-12-23 10:59 UTC (permalink / raw)
To: gcc-bugs
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=98419
Martin Liška <marxin at gcc dot gnu.org> changed:
What |Removed |Added
----------------------------------------------------------------------------
Resolution|--- |INVALID
Status|UNCONFIRMED |RESOLVED
--- Comment #3 from Martin Liška <marxin at gcc dot gnu.org> ---
Closing as invalid then.
^ permalink raw reply [flat|nested] 4+ messages in thread
end of thread, other threads:[~2020-12-23 10:59 UTC | newest]
Thread overview: 4+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2020-12-22 12:16 [Bug c++/98419] New: wrong code when destructor of local variable modifies returned object leni536 at gmail dot com
2020-12-22 12:36 ` [Bug c++/98419] " marxin at gcc dot gnu.org
2020-12-22 21:05 ` leni536 at gmail dot com
2020-12-23 10:59 ` marxin at gcc dot gnu.org
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).