http://gcc.gnu.org/bugzilla/show_bug.cgi?id=60734
Bug ID: 60734
Summary: Undefined behavior in g++-v4/bits/stl_tree.h
Product: gcc
Version: 4.9.0
Status: UNCONFIRMED
Severity: normal
Priority: P3
Component: libstdc++
Assignee: unassigned at gcc dot gnu.org
Reporter: trippels at gcc dot gnu.org
While debugging a gold linker issue I came across the following
-fsanitize=undefined runtime error:
/usr/lib64/gcc/x86_64-pc-linux-gnu/4.9.0/include/g++-v4/bits/stl_tree.h:741:25:
runtime error: downcast of address 0x7fff4c8e1d80 with insufficient space for
an object of type '_Rb_tree_node<std::pair<const std::basic_string<char>,
gold::Output_segment *> >'
0x7fff4c8e1d80: note: pointer points here
00 00 00 00 00 00 00 00 00 00 00 00 d0 2c 8d 02 00 00 00 00 10 2d 8d 02 00
00 00 00 50 2d 8d 02
^
iterator
end() _GLIBCXX_NOEXCEPT
{ return iterator(static_cast<_Link_type>(&this->_M_impl._M_header)); }
The following message:
http://lists.cs.uiuc.edu/pipermail/cfe-dev/2013-August/031213.html
also points to the issue.
Quote:
» _M_header is an _Rb_tree_node_base, which is smaller than an
_Rb_tree_node<_Tp>. Usually, this would be OK -- you can reinterpret_cast
between pointers of different types pretty much arbitrarily -- but because
_Rb_tree_node_base is a base class of _Rb_tree_node<_Tp>, this is a
static_cast, and the ruling wording is 5.2.9/11, which says " If the
prvalue of type “pointer to cv1 B” points
to a B that is actually a subobject of an object of type D, the resulting
pointer points to the enclosing object of type D. Otherwise, the behavior
is undefined."
We've managed to prove that the prvalue of type "pointer to
_Rb_tree_node_base" is not, in fact, a subobject of type
"_Rb_tree_node<_Tp>", because there's not enough room in the allocated
storage for an object of that type at that address. So we've determined
that the behavior is undefined.
This is a bug in libstdc++. The fix is to use reinterpret_cast instead of
static_cast in the definition of 'end'.«
And indeed this fixes the issue for me.
