This is the mail archive of the
gcc-bugs@gcc.gnu.org
mailing list for the GCC project.
[Bug libstdc++/11352] crash while internal padding numeric 0
- From: "ian at wasabisystems dot com" <gcc-bugzilla at gcc dot gnu dot org>
- To: gcc-bugs at gcc dot gnu dot org
- Date: 14 Feb 2004 04:02:56 -0000
- Subject: [Bug libstdc++/11352] crash while internal padding numeric 0
- References: <20030627134827.11352.david.asher@cavium.com>
- Reply-to: gcc-bugzilla at gcc dot gnu dot org
------- Additional Comments From ian at wasabisystems dot com 2004-02-14 04:02 -------
I don't think it's possible to recreate this problem any more, but I think that
it still exists. __pad<_CharT, _Traits>::_S_pad in locale_facets.tcc looks at
the contents of __olds without checking __oldlen. This is called from
num_put<_CharT, _OutIter>::_M_pad, which is called from, among other places,
num_put<_CharT, _OutIter>::_M_insert_int. _M_insert_int calls alloca(), and
formats an integer into the returned buffer. The integer is formatted
right-justified in the buffer. It is possible for this buffer to hold "0".
When _S_pad is called via this call path, if the first character in the argument
is "0", it will look at the second character without checking whether __oldlen
is greater than 1. That means that it will look at the character past the end
of the buffer, which is some random value on the stack. Everything will be fine
unless that random value happens to be 'x' or 'X'. This is a very difficult bug
to recreate, since there is no real way to control the contents of the stack at
that point. But it does appear to be a real bug.
It might be possible to recreate the bug on the tree-ssa branch by building
libstdc++-v3 with -fmudflap.
--
What    |Removed |Added
--------+--------+-----------------------------
CC      |        |ian at wasabisystems dot com
http://gcc.gnu.org/bugzilla/show_bug.cgi?id=11352
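The out-of-bounds read described in the comment above, shown on a simplified model of the internal-padding logic. This is an added illustration, not the libstdc++ source or the reporter's code; the function names, the `kStack` buffer that stands in for the alloca() result, and the use of a function pointer to select the prefix check are all assumptions. The unchecked variant mirrors the reported defect (it reads the second character whenever the first is '0'); the checked variant consults the length first.

```cpp
#include <cstddef>
#include <string>

// Constructed "stack": the formatted integer is the single character "0"
// at kStack[0]; kStack[1] models whatever happens to follow the alloca()
// buffer. With the unchecked logic, that leftover 'x' is mistaken for the
// second character of a "0x" prefix.
static const char kStack[3] = {'0', 'x', '1'};

// Reported behaviour: inspects olds[1] even when oldlen == 1.
static bool hex_prefix_unchecked(const char* olds, std::size_t /*oldlen*/)
{
    return olds[0] == '0' && (olds[1] == 'x' || olds[1] == 'X');
}

// Hardened: only look at the second character when it lies inside the buffer.
static bool hex_prefix_checked(const char* olds, std::size_t oldlen)
{
    return oldlen > 1 && olds[0] == '0' && (olds[1] == 'x' || olds[1] == 'X');
}

// Internal padding: copy the sign or "0x" prefix, then the fill characters,
// then the remaining digits. Uses the checked prefix test, so a lone "0" is
// never treated as a two-character prefix (which would also underflow the
// oldlen - prefix arithmetic below).
static std::string pad_internal(const char* olds, std::size_t oldlen,
                                std::size_t newlen, char fill)
{
    std::size_t prefix = 0;
    if (oldlen > 0 && (olds[0] == '-' || olds[0] == '+'))
        prefix = 1;
    else if (hex_prefix_checked(olds, oldlen))
        prefix = 2;
    std::string out(olds, prefix);
    if (newlen > oldlen)
        out.append(newlen - oldlen, fill);
    out.append(olds + prefix, oldlen - prefix);
    return out;
}
```

Because `kStack` is a three-byte array, the unchecked read stays inside valid memory here; on the real call path the same read lands one past the alloca() buffer.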