From: Richard Biener
Date: Wed, 17 Aug 2022 08:45:04 +0200
Subject: Re: [PATCH] bug in emergency cxa pool free()
To: Keef Aragon
Cc: "libstdc++", GCC Patches, Jonathan Wakely
List-Id: Libstdc++ mailing list

On Tue, Aug 16, 2022 at 9:15 PM Keef Aragon wrote:
>
> This probably has never actually affected anyone in practice. The normal
> ABI implementation just uses malloc and only falls back to the pool on
> malloc failure. But if that happens a bunch of times the freelist gets out
> of order which violates some of the invariants of the freelist (as well as
> the comments that follow the bug). The bug is just a comparison reversal
> when traversing the freelist in the case where the pointer being returned
> to the pool is after the existing freelist.
>
> I'm not sure what to do as far as the test suite is concerned. It's a
> private part of the implementation of the exception handling ABI and it can
> only ever be triggered if malloc fails (repeatedly). So it seems like
> reproducing it from the external interface will require hooking malloc to
> forcibly return NULL.
>
> But I'm a newb on these lists, so will obediently do as instructed.

Oops, that's my fault. For consistency it's probably best written as

  reinterpret_cast (e) + sz > reinterpret_cast ((*fe))

thus
diff --git a/libstdc++-v3/libsupc++/eh_alloc.cc b/libstdc++-v3/libsupc++/eh_alloc.cc index c85b9aed40b..68f319869f9 100644 --- a/libstdc++-v3/libsupc++/eh_alloc.cc +++ b/libstdc++-v3/libsupc++/eh_alloc.cc @@ -224,8 +224,8 @@ namespace free_entry **fe; for (fe = &first_free_entry; (*fe)->next - && (reinterpret_cast ((*fe)->next) - > reinterpret_cast (e) + sz); + && (reinterpret_cast (e) + sz + > reinterpret_cast ((*fe)->next)); fe = &(*fe)->next) ; // If we can merge the next block into us do so and continue The change is OK with that adjustment. I see you do not have write access so I'll test & push it for you. I'm curious how you noticed? Thanks, Richard.
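Review bot: the new loop condition keeps the strict `>`, so when `e + sz` is exactly equal to `(*fe)->next` the walk stops with `*fe` as the predecessor and the exactly-adjacent successor is left to the "If we can merge the next block into us" step right after the loop; that is correct, but a one-line comment on the `for` saying the equality case is deliberately handed to the merge step would stop a later reader from turning `>` into `>=` and breaking the merge. The swapped-operand form matches the `e + sz < first_free_entry` comparisons earlier in the function, which is the consistency point raised above. Since the reversed comparison only shows once malloc has failed repeatedly and the free list holds at least two entries below the block being returned, the open question of a regression test that hooks malloc to return NULL is worth following up separately rather than dropping.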