Bug 62119 - dangling reference : gslice_array's copy constructor
Summary: dangling reference : gslice_array's copy constructor
Status: NEW
Alias: None
Product: gcc
Classification: Unclassified
Component: libstdc++ (show other bugs)
Version: 4.9.0
: P3 normal
Target Milestone: ---
Assignee: Not yet assigned to anyone
URL:
Keywords:
: 63314 (view as bug list)
Depends on:
Blocks:
 
Reported: 2014-08-13 07:47 UTC by Akira Takahashi
Modified: 2018-05-14 16:20 UTC (History)
3 users (show)

See Also:
Host:
Target:
Build:
Known to work:
Known to fail:
Last reconfirmed: 2018-05-14 00:00:00


Description Akira Takahashi 2014-08-13 07:47:36 UTC
The following code causes a segmentation fault due to a dangling reference.

#include <iostream>
#include <valarray>
#include <numeric>

int main()
{
  std::valarray<int> v(15);
  std::iota(std::begin(v), std::end(v), 0);

  const std::size_t start = 1u;
  const std::valarray<std::size_t> lengths = {3u, 2u};
  const std::valarray<std::size_t> strides = {5u, 1u};

  // here: the temporary std::gslice dies at the end of this full-expression,
  // but the stored gslice_array still holds a reference to its index array
  std::gslice_array<int> result = v[std::gslice(start, lengths, strides)];

  result = 99;

  for (int x : v) {
    std::cout << x << std::endl;
  }
}


gslice_array.h

private:
  const valarray<size_t>& _M_index;


template<typename _Tp>
  inline
  gslice_array<_Tp>::gslice_array(const gslice_array<_Tp>& __a)
  : _M_array(__a._M_array), _M_index(__a._M_index) {}
Comment 1 Akira Takahashi 2014-08-13 07:58:45 UTC
expected output:

0
99
99
3
4
5
99
99
8
9
10
99
99
13
14
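The defect is a view type that stores a reference into an object it does not own. The following is an added, constructed model of that pattern (not libstdc++ code): IndexTable stands in for std::gslice and computes the same index set as the reproducer, DanglingSliceRef mirrors the reported layout, and OwningSliceRef shows a hardened layout that shares ownership of the index table so a stored view survives the temporary. All class and function names here are made up for the illustration.

```cpp
#include <cstddef>
#include <memory>
#include <numeric>
#include <utility>
#include <vector>

// Constructed model of the hazard, not libstdc++ code. IndexTable stands in for
// std::gslice: it computes the generalized-slice index set once and owns it.
struct IndexTable {
    std::shared_ptr<const std::vector<std::size_t>> idx;
    IndexTable(std::size_t start, const std::vector<std::size_t>& lengths,
               const std::vector<std::size_t>& strides) {
        std::vector<std::size_t> out, counter(lengths.size(), 0);
        for (;;) {  // odometer walk over every (i0, i1, ...) below lengths
            std::size_t pos = start;
            for (std::size_t d = 0; d < lengths.size(); ++d) pos += counter[d] * strides[d];
            out.push_back(pos);
            std::size_t d = lengths.size();
            while (d > 0 && ++counter[d - 1] == lengths[d - 1]) counter[--d] = 0;
            if (d == 0) break;  // every digit rolled over: enumeration complete
        }
        idx = std::make_shared<const std::vector<std::size_t>>(std::move(out));
    }
};
// Buggy shape, as in the report: a reference to a member of an object the view
// does not own, which dangles as soon as the temporary IndexTable is destroyed.
struct DanglingSliceRef {
    std::vector<int>& data;
    const std::vector<std::size_t>& index;
};
// Hardened shape: the view shares ownership of the index table, so the temporary
// may die while a stored copy of the view stays valid.
struct OwningSliceRef {
    std::vector<int>& data;
    std::shared_ptr<const std::vector<std::size_t>> index;
    void assign(int value) const { for (std::size_t i : *index) data.at(i) = value; }
};
OwningSliceRef slice(std::vector<int>& v, const IndexTable& g) { return {v, g.idx}; }

// The report's scenario with the hardened view: the IndexTable temporary is gone
// after the full-expression, but `result` still holds the index set.
std::vector<int> stored_view_assign(std::size_t start, const std::vector<std::size_t>& lengths,
                                    const std::vector<std::size_t>& strides, std::size_t n, int value) {
    std::vector<int> v(n);
    std::iota(v.begin(), v.end(), 0);
    OwningSliceRef result = slice(v, IndexTable(start, lengths, strides));
    result.assign(value);
    return v;
}
```

With the reproducer's parameters (start 1, lengths {3, 2}, strides {5, 1}, 15 elements, value 99) the hardened view produces exactly the expected output listed in Comment 1.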
Comment 2 Jonathan Wakely 2018-05-14 11:50:47 UTC
I can't reproduce a segfault but ASan shows the problem:

=================================================================
==12423==ERROR: AddressSanitizer: heap-use-after-free on address 0x6060000000b0 at pc 0x00000040276f bp 0x7fff6678eb50 sp 0x7fff6678eb48
READ of size 8 at 0x6060000000b0 thread T0
    #0 0x40276e in std::valarray<unsigned long>::size() const /home/jwakely/gcc/9/include/c++/9.0.0/valarray:938
    #1 0x40232f in std::gslice_array<int>::operator=(int const&) const /home/jwakely/gcc/9/include/c++/9.0.0/bits/gslice_array.h:165
    #2 0x401616 in main /tmp/gs.cc:17
    #3 0x7f01d4f65f29 in __libc_start_main ../csu/libc-start.c:308
    #4 0x401159 in _start (/tmp/a.out+0x401159)

0x6060000000b0 is located 48 bytes inside of 64-byte region [0x606000000080,0x6060000000c0)
freed by thread T0 here:
    #0 0x7f01d5ccbe78 in operator delete(void*, unsigned long) /home/jwakely/src/gcc/gcc/libsanitizer/asan/asan_new_delete.cc:151
    #1 0x401b65 in std::gslice::~gslice() /home/jwakely/gcc/9/include/c++/9.0.0/bits/gslice.h:166
    #2 0x40159c in main /tmp/gs.cc:15
    #3 0x7f01d4f65f29 in __libc_start_main ../csu/libc-start.c:308

previously allocated by thread T0 here:
    #0 0x7f01d5ccaa80 in operator new(unsigned long) /home/jwakely/src/gcc/gcc/libsanitizer/asan/asan_new_delete.cc:90
    #1 0x401a18 in std::gslice::gslice(unsigned long, std::valarray<unsigned long> const&, std::valarray<unsigned long> const&) /home/jwakely/gcc/9/include/c++/9.0.0/bits/gslice.h:155
    #2 0x40154e in main /tmp/gs.cc:15
    #3 0x7f01d4f65f29 in __libc_start_main ../csu/libc-start.c:308

SUMMARY: AddressSanitizer: heap-use-after-free /home/jwakely/gcc/9/include/c++/9.0.0/valarray:938 in std::valarray<unsigned long>::size() const
==12423==ABORTING
Comment 3 Jonathan Wakely 2018-05-14 13:04:49 UTC
*** Bug 63314 has been marked as a duplicate of this bug. ***
Comment 4 Jonathan Wakely 2018-05-14 13:05:21 UTC
PR 63314 points out the same problem exists in mask_array and indirect_array.