[Bug c++/70035] [5 Regression] Calling a non-virtual member in base-class constructor call with ubsan causes segfault when superclass has virtual member with same name

[bernd.edlinger at hotmail dot de]

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=70035

Bernd Edlinger <bernd.edlinger at hotmail dot de> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |bernd.edlinger at hotmail dot de

--- Comment #9 from Bernd Edlinger <bernd.edlinger at hotmail dot de> ---
(In reply to Jakub Jelinek from comment #8)
> Fixed for g++ 6+ so far.

no. this creates a new problem.
I see now crashes in valid code that uses the std::stringstream
when -fsanitize=undefined is used.
Unfortunately I was not able to reduce the test case.

But what is wrong can be seen with this simple test case:

cat test.cc
#include <sstream>

main(int argc, char** argv)
{
  std::stringstream ss;
  ss << "test";
  for (int i=0; i<argc; i++)
    ss << argv[i];
  __builtin_printf("%s\n", ss.str().c_str());
}

gcc -O3 -fsanitize=undefined -fdump-tree-gimple

look at std::basic_iostream<_CharT, _Traits>::basic_iostream():
  UBSAN_NULL (this, 2B, 8);
  MEM[(struct  &)this] = {CLOBBER};
  this->D.34679._vptr.basic_istream = 0B;      <= set _vptr to zero
  D.40658 = this->D.34679._vptr.basic_istream; <= D.40658 is null
  D.40659 = D.40658 + 18446744073709551592;    <= D.40659 is 0 + -24
  D.40660 = MEM[(long int *)D.40659];          <= will crash if executed
  D.40661 = (sizetype) D.40660;
  D.40662 = this + D.40661;
  D.40662->D.31841._vptr.ios_base = 0B;
  this->D.34680._vptr.basic_ostream = 0B;


However in most of the cases this garbage is removed by optimization.