[Bug c++/61015] New: Stack corruption with templates and pass-by-reference
andreas.c.weber at gmail dot com
gcc-bugzilla@gcc.gnu.org
Wed Apr 30 13:48:00 GMT 2014
http://gcc.gnu.org/bugzilla/show_bug.cgi?id=61015
Bug ID: 61015
Summary: Stack corruption with templates and pass-by-reference
Product: gcc
Version: 4.8.2
Status: UNCONFIRMED
Severity: normal
Priority: P3
Component: c++
Assignee: unassigned at gcc dot gnu.org
Reporter: andreas.c.weber at gmail dot com
Created attachment 32714
--> http://gcc.gnu.org/bugzilla/attachment.cgi?id=32714&action=edit
preprocessed source
Summary: Stack corruption with templates and pass-by-reference
Hi,
The following program compiles without warnings and works fine when compiled
with g++-4.6, g++-4.7 and clang-3.4, but segfaults when compiled with g++-4.8
with switched-off optimizations (g++-4.8 -O0 -Wall -Wextra -o gcc_bug
gcc_bug.cpp).
The sample defines the template ArrayRef. Usually this template provides a
vector-like interface (operator[], begin(), end(), etc.) and a bunch of
constructors so clients can access different types of data (single object,
std::vector, C-Array) in a uniform way. The template does not own the
underlying data but just holds a pointer and a length.
The problem:
Putting an Obj* (Obj is just a simple class) into an ArrayRef<Obj*> and then
retrieving the pointer again using arrayRef[0] returns the same pointer. But
putting a SpecialObj* into an ArrayRef<Obj*> and then retrieving with
arrayRef[0] returns garbage (class SpecialObj is derived from class Obj).
Code (stripped down, so it only provides the single-element constructor and
operator[]):
extern "C" int printf( const char *, ... );
extern "C" void* memset( void *s, int c, unsigned int n );

template<typename T>
class ArrayRef
{
private:
    const T* data;
public:
    // Stores only the address of the referenced element; the element must
    // outlive the ArrayRef.
    ArrayRef( const T& oneElt )
    {
        this->data = &oneElt;
        printf( "ArrayRef's data: %p\n", this->data );
    }
    const T &operator[]( unsigned int index ) const { return data[index]; }
};

class Obj { public: int val; };
class SpecialObj : public Obj {};

int main()
{
    SpecialObj specialObj;
    printf( "&specialObj: %p\n", &specialObj );
    SpecialObj* pSpecialObj = &specialObj; //Triggers the bug.
    //Obj* pSpecialObj = &specialObj; //Shows expected behaviour.
    printf( "&pSpecialObj: %p\n", &pSpecialObj );
    ArrayRef<Obj*> arrayRef( pSpecialObj );
    int someStackArray[500];
    memset( someStackArray, 0xDD, sizeof(someStackArray) ); //Overwrites stack below the live locals.
    Obj* basePtr = arrayRef[0];
    printf( "basePtr: %p\n", basePtr );
    if( basePtr == pSpecialObj ) //Did we get back what we put into arrayRef?
    {
        printf( "Pointer is valid: OK.\n" );
    }
    else
    {
        printf( "Pointer (%p) is corrupt, program will crash!!!! GCC Bug?\n",
                basePtr );
    }
    basePtr->val = 42;
    return 0;
}
Program's output I would expect
(&specialObj == basePtr && &pSpecialObj == ArrayRef.data is true):
&specialObj: 0x7fff05e5c190
&pSpecialObj: 0x7fff05e5c1b0
ArrayRef.data: 0x7fff05e5c1b0
basePtr: 0x7fff05e5c190
Pointer is valid: OK.
Program's output when compiled with g++-4.8:
&specialObj: 0x7fff693d07a0
&pSpecialObj: 0x7fff693d07c0
ArrayRef.data: 0x7fff693d07d0
basePtr: 0xdddddddddddddddd
Pointer (0xdddddddddddddddd) is corrupt, program will crash!!!! GCC Bug?
Segmentation fault (core dumped)
Program's output when compiled with g++-4.7:
&specialObj: 0x7fff0646e2f0
&pSpecialObj: 0x7fff0646e308
ArrayRef.data: 0x7fff0646e310
basePtr: 0x7fff0646e2f0
Pointer is valid: OK.
System:
Ubuntu 14.04 LTS x86_64
Build:
gcc -v -save-temps -O0 -Wall -Wextra -o gcc_bug gcc_bug.cpp
Using built-in specs.
COLLECT_GCC=gcc
COLLECT_LTO_WRAPPER=/usr/lib/gcc/x86_64-linux-gnu/4.8/lto-wrapper
Target: x86_64-linux-gnu
Configured with: ../src/configure -v --with-pkgversion='Ubuntu 4.8.2-19ubuntu1'
--with-bugurl=file:///usr/share/doc/gcc-4.8/README.Bugs
--enable-languages=c,c++,java,go,d,fortran,objc,obj-c++ --prefix=/usr
--program-suffix=-4.8 --enable-shared --enable-linker-build-id
--libexecdir=/usr/lib --without-included-gettext --enable-threads=posix
--with-gxx-include-dir=/usr/include/c++/4.8 --libdir=/usr/lib --enable-nls
--with-sysroot=/ --enable-clocale=gnu --enable-libstdcxx-debug
--enable-libstdcxx-time=yes --enable-gnu-unique-object --disable-libmudflap
--enable-plugin --with-system-zlib --disable-browser-plugin
--enable-java-awt=gtk --enable-gtk-cairo
--with-java-home=/usr/lib/jvm/java-1.5.0-gcj-4.8-amd64/jre --enable-java-home
--with-jvm-root-dir=/usr/lib/jvm/java-1.5.0-gcj-4.8-amd64
--with-jvm-jar-dir=/usr/lib/jvm-exports/java-1.5.0-gcj-4.8-amd64
--with-arch-directory=amd64 --with-ecj-jar=/usr/share/java/eclipse-ecj.jar
--enable-objc-gc --enable-multiarch --disable-werror --with-arch-32=i686
--with-abi=m64 --with-multilib-list=m32,m64,mx32 --with-tune=generic
--enable-checking=release --build=x86_64-linux-gnu --host=x86_64-linux-gnu
--target=x86_64-linux-gnu
Thread model: posix
gcc version 4.8.2 (Ubuntu 4.8.2-19ubuntu1)
Best regards,
Andy
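Added example, not the reporter's code: it makes the pointer conversion in the report observable and shows one way to keep a reference-holding wrapper from accepting it. A `SpecialObj*` lvalue passed to a `const Obj*&` (that is, `Obj* const&`) parameter cannot bind directly, so a temporary `Obj*` is materialised and dies at the end of the full expression; any `&oneElt` stored by the constructor then dangles. `SafeArrayRef` and `binds_to_temporary` are hypothetical names; the deleted rvalue-reference overload is an assumed hardening, the same idiom `std::cref` uses.

```cpp
// Same shape as the reporter's ArrayRef, plus a deleted const T&& overload.
// Overload resolution prefers binding an rvalue to the rvalue reference, so
// any argument that needs a conversion (and thus a temporary) is rejected at
// compile time instead of leaving a dangling pointer at run time.
template<typename T>
class SafeArrayRef
{
private:
    const T* data;
public:
    SafeArrayRef( const T& oneElt ) : data( &oneElt ) {}
    SafeArrayRef( const T&& ) = delete;   // no temporaries, no dangling data
    const T& operator[]( unsigned int index ) const { return data[index]; }
};

class Obj { public: int val; };
class SpecialObj : public Obj {};

// True when binding `arg` created a temporary, i.e. the reference does not
// alias the caller's own variable whose address is `original`.
static bool binds_to_temporary( Obj* const& arg, const void* original )
{
    return static_cast<const void*>( &arg ) != original;
}

// Exact type Obj*: the const reference aliases the variable itself.
bool exact_type_aliases_variable()
{
    SpecialObj s;
    Obj* p = &s;
    return !binds_to_temporary( p, &p );
}

// Derived pointer type: SpecialObj* -> Obj* conversion yields a temporary,
// so a stored &oneElt would point at stack that is dead after the call.
bool derived_type_creates_temporary()
{
    SpecialObj s;
    SpecialObj* p = &s;
    return binds_to_temporary( p, &p );
}

// The hardened wrapper still works for an exactly-typed lvalue.
bool safe_ref_roundtrip()
{
    SpecialObj s;
    Obj* p = &s;
    SafeArrayRef<Obj*> ref( p );
    // SafeArrayRef<Obj*> bad( &s );  // does not compile: deleted overload chosen
    return ref[0] == p;
}
```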