This is the mail archive of the gcc-patches@gcc.gnu.org mailing list for the GCC project.
Re: Bounds checking for TREE_VEC_ELT and related bugs (PR c++/8511)
Graham Stott <graham.stott@btinternet.com> writes:
| Zack Weinberg wrote:
| > Gabriel Dos Reis <gdr@integrable-solutions.net> writes:
| >
| >
| >>Zack Weinberg <zack@codesourcery.com> writes:
| >>| Index: cp/search.c
| >>| --- cp/search.c 4 Nov 2002 01:45:55 -0000 1.240
| >>| +++ cp/search.c 14 Nov 2002 19:54:51 -0000
| >>| @@ -2544,7 +2544,8 @@ dfs_push_decls (binfo, data)
| >>|
| >>| method_vec = (CLASS_TYPE_P (type)
| >>| ? CLASSTYPE_METHOD_VEC (type) : NULL_TREE);
| >>| - if (method_vec)
| >>| +
| >>| + if (method_vec && TREE_VEC_LENGTH (method_vec) >= 3)
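Review bot: The literal 3 in the new test `TREE_VEC_LENGTH (method_vec) >= 3` is unexplained, and the hunk shows neither which slots the guarded block reads nor why a shorter vector is legitimate at this point. Please add a comment above the condition naming the highest slot accessed inside the block, so the bound can be checked against the accesses it protects. If a short method_vec is never expected here, an assertion would surface the bug instead of silently skipping the block; if it is expected, the comment should say so.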
| >>
| >>I would probably put an assert here: if we have a method_vec then its
| >>size ought to be at least 3.
|
| I can see how we get a method_vec with only 2 entries although we always
| allocate a min of 8 and expand it as necessary when adding methods.
You're absolutely correct.
I sent another message to correct my misconception (I can't tell where
I got the idea that we always have at least 3 slots, whereas in
reality it is at least 2).
However, what is worrying me in Zack's message is the following:
/home/zack/src/gcc/vanilla/build/i686-pc-linux-gnu/libstdc++-v3/include/bits/stl_alloc.h:381: internal compiler error: tree
check: accessed elt 3 of tree_vec with 2 elts in dfs_push_decls, at
cp/search.c:2556
That is, in libstdc++, we're accessing one element beyond the limit!
-- Gaby