The following code causes a segmentation fault due to a dangling reference.

#include <iostream>
#include <valarray>
#include <numeric>

int main()
{
    std::valarray<int> v(15);
    std::iota(std::begin(v), std::end(v), 0);
    const std::size_t start = 1u;
    const std::valarray<std::size_t> lengths = {3u, 2u};
    const std::valarray<std::size_t> strides = {5u, 1u};
    // here
    std::gslice_array<int> result = v[std::gslice(start, lengths, strides)];
    result = 99;
    for (int x : v) {
        std::cout << x << std::endl;
    }
}

gslice_array.h:

private:
    const valarray<size_t>& _M_index;

template<typename _Tp>
inline gslice_array<_Tp>::gslice_array(const gslice_array<_Tp>& __a)
: _M_array(__a._M_array), _M_index(__a._M_index) {}

gslice_array stores _M_index as a reference rather than a copy, and its copy constructor just copies that reference. On the marked line the std::gslice is a temporary that is destroyed at the end of the statement, so by the time `result = 99` runs, `result` refers to an index valarray that has already been freed.
expected output: 0 99 99 3 4 5 99 99 8 9 10 99 99 13 14
I can't reproduce a segfault but ASan shows the problem:

=================================================================
==12423==ERROR: AddressSanitizer: heap-use-after-free on address 0x6060000000b0 at pc 0x00000040276f bp 0x7fff6678eb50 sp 0x7fff6678eb48
READ of size 8 at 0x6060000000b0 thread T0
    #0 0x40276e in std::valarray<unsigned long>::size() const /home/jwakely/gcc/9/include/c++/9.0.0/valarray:938
    #1 0x40232f in std::gslice_array<int>::operator=(int const&) const /home/jwakely/gcc/9/include/c++/9.0.0/bits/gslice_array.h:165
    #2 0x401616 in main /tmp/gs.cc:17
    #3 0x7f01d4f65f29 in __libc_start_main ../csu/libc-start.c:308
    #4 0x401159 in _start (/tmp/a.out+0x401159)

0x6060000000b0 is located 48 bytes inside of 64-byte region [0x606000000080,0x6060000000c0)
freed by thread T0 here:
    #0 0x7f01d5ccbe78 in operator delete(void*, unsigned long) /home/jwakely/src/gcc/gcc/libsanitizer/asan/asan_new_delete.cc:151
    #1 0x401b65 in std::gslice::~gslice() /home/jwakely/gcc/9/include/c++/9.0.0/bits/gslice.h:166
    #2 0x40159c in main /tmp/gs.cc:15
    #3 0x7f01d4f65f29 in __libc_start_main ../csu/libc-start.c:308

previously allocated by thread T0 here:
    #0 0x7f01d5ccaa80 in operator new(unsigned long) /home/jwakely/src/gcc/gcc/libsanitizer/asan/asan_new_delete.cc:90
    #1 0x401a18 in std::gslice::gslice(unsigned long, std::valarray<unsigned long> const&, std::valarray<unsigned long> const&) /home/jwakely/gcc/9/include/c++/9.0.0/bits/gslice.h:155
    #2 0x40154e in main /tmp/gs.cc:15
    #3 0x7f01d4f65f29 in __libc_start_main ../csu/libc-start.c:308

SUMMARY: AddressSanitizer: heap-use-after-free /home/jwakely/gcc/9/include/c++/9.0.0/valarray:938 in std::valarray<unsigned long>::size() const
Shadow bytes around the buggy address:
  0x0c0c7fff7fc0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c0c7fff7fd0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c0c7fff7fe0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c0c7fff7ff0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c0c7fff8000: fa fa fa fa 00 00 00 00 00 00 00 04 fa fa fa fa
=>0x0c0c7fff8010: fd fd fd fd fd fd[fd]fd fa fa fa fa fa fa fa fa
  0x0c0c7fff8020: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c0c7fff8030: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c0c7fff8040: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c0c7fff8050: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c0c7fff8060: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==12423==ABORTING
*** Bug 63314 has been marked as a duplicate of this bug. ***
PR 63314 points out that the same problem also exists in mask_array and indirect_array.