https://gcc.gnu.org/bugzilla/show_bug.cgi?id=110549
Bug ID: 110549
Summary: Undefined behavior sanitizer triggered in basic_string::_M_construct that uses iterator overload with input iterator tag
Product: gcc
Version: 13.1.1
Status: UNCONFIRMED
Severity: normal
Priority: P3
Component: libstdc++
Assignee: unassigned at gcc dot gnu.org
Reporter: vaibhavawale3 at gmail dot com
Target Milestone: ---

Created attachment 55467
  --> https://gcc.gnu.org/bugzilla/attachment.cgi?id=55467&action=edit
Source code to reproduce bug. Writes a string to file and reads from file using istreambuf_iterator.

With upgrade to gcc-13, I am running into undefined behavior when reading from text file using `std::istreambuf_iterator`. The bad behavior is caused by the check:

```
if (_M_string_length > _S_local_capacity)
  __builtin_unreachable();
```

made in commit https://github.com/gcc-mirror/gcc/commit/bf78b43873b0b7e8f9a430df38749b8b61f9c9b8

The source code (full file attached) that triggers this __builtin_unreachable() path is:

```
std::ifstream istream{tempFile};
std::string contents = std::string{std::istreambuf_iterator<char>{istream},
                                   std::istreambuf_iterator<char>{}};
```

In `std::__cxx11::basic_string::_M_construct(_InIterator __beg, _InIterator __end, std::input_iterator_tag)`, `_M_string_length` is initialized at the end, but it is used in function `_M_is_local` before it's initialized. This leads to the undefined behavior complaint.

To reproduce the issue, compile with sanitizer enabled:

```
g++ -g -O2 -Wall -Wextra -fsanitize=undefined string_make.cpp -o string_make
./string_make
```

Output from sanitizer enabled binary:

```
/usr/include/c++/13.1.1/bits/basic_string.h:280:29: runtime error: execution reached an unreachable program point
    #0 0x55e5315ee19b in std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >::_M_is_local() const /usr/include/c++/13.1.1/bits/basic_string.h:280
    #1 0x55e5315ee19b in std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >::_M_is_local() const /usr/include/c++/13.1.1/bits/basic_string.h:275
    #2 0x55e5315ee19b in std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >::_M_dispose() /usr/include/c++/13.1.1/bits/basic_string.h:295
    #3 0x55e5315ee19b in void std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >::_M_construct<std::istreambuf_iterator<char, std::char_traits<char> > >(std::istreambuf_iterator<char, std::char_traits<char> >, std::istreambuf_iterator<char, std::char_traits<char> >, std::input_iterator_tag) /usr/include/c++/13.1.1/bits/basic_string.tcc:200
    #4 0x55e5315ee19b in std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >::basic_string<std::istreambuf_iterator<char, std::char_traits<char> >, void>(std::istreambuf_iterator<char, std::char_traits<char> >, std::istreambuf_iterator<char, std::char_traits<char> >, std::allocator<char> const&) /usr/include/c++/13.1.1/bits/basic_string.h:766
    #5 0x55e5315ee19b in main /host_dir/string_make.cpp:21
    #6 0x7f148356e84f (/usr/lib/libc.so.6+0x2384f) (BuildId: 2f005a79cd1a8e385972f5a102f16adba414d75e)
    #7 0x7f148356e909 in __libc_start_main (/usr/lib/libc.so.6+0x23909) (BuildId: 2f005a79cd1a8e385972f5a102f16adba414d75e)
    #8 0x55e5315efd24 in _start (/host_dir/string_make+0x6d24) (BuildId: 84a1c6cd0213d688554e0a44d2cf01327b106fba)
```

--------------------------------------------------------------------------
GCC version info:

Using built-in specs.
COLLECT_GCC=gcc
COLLECT_LTO_WRAPPER=/usr/lib/gcc/x86_64-pc-linux-gnu/13.1.1/lto-wrapper
Target: x86_64-pc-linux-gnu
Configured with: /build/gcc/src/gcc/configure --enable-languages=ada,c,c++,d,fortran,go,lto,objc,obj-c++ --enable-bootstrap --prefix=/usr --libdir=/usr/lib --libexecdir=/usr/lib --mandir=/usr/share/man --infodir=/usr/share/info --with-bugurl=https://bugs.archlinux.org/ --with-build-config=bootstrap-lto --with-linker-hash-style=gnu --with-system-zlib --enable-__cxa_atexit --enable-cet=auto --enable-checking=release --enable-clocale=gnu --enable-default-pie --enable-default-ssp --enable-gnu-indirect-function --enable-gnu-unique-object --enable-libstdcxx-backtrace --enable-link-serialization=1 --enable-linker-build-id --enable-lto --enable-multilib --enable-plugin --enable-shared --enable-threads=posix --disable-libssp --disable-libstdcxx-pch --disable-werror
Thread model: posix
Supported LTO compression algorithms: zlib zstd
gcc version 13.1.1 20230429 (GCC)

--------------------------------------------------------------------------
System info:

NAME="Arch Linux"
PRETTY_NAME="Arch Linux"
ID=arch
BUILD_ID=rolling
VERSION_ID=20230611.0.157136
ANSI_COLOR="38;2;23;147;209"
HOME_URL="https://archlinux.org/"
DOCUMENTATION_URL="https://wiki.archlinux.org/"
SUPPORT_URL="https://bbs.archlinux.org/"
BUG_REPORT_URL="https://bugs.archlinux.org/"
PRIVACY_POLICY_URL="https://terms.archlinux.org/docs/privacy-policy/"
LOGO=archlinux-logo
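
A self-contained reproducer in the shape the report describes (write a string to a file, read it back through `std::istreambuf_iterator`), added here as an example; it is not the reporter's attachment 55467. The helper name `round_trip`, the temporary file name and the payloads are constructed, and the 64-character payload assumes that the `_M_dispose()` call in frame #2 is only reached once the string outgrows its local buffer.

```cpp
// Added example: constructed reproducer, not the attached string_make.cpp.
// Build with the flags from the report:
//   g++ -g -O2 -Wall -Wextra -fsanitize=undefined repro.cpp -o repro
#include <cstdio>
#include <fstream>
#include <iostream>
#include <iterator>
#include <string>

// Hypothetical helper: write `payload` to `path`, then read the file back via
// the range constructor of std::string. istreambuf_iterator is an input
// iterator, so this selects the
// _M_construct(_InIterator, _InIterator, std::input_iterator_tag) overload
// named in the report.
std::string round_trip(const std::string& path, const std::string& payload)
{
    {
        std::ofstream out(path, std::ios::binary | std::ios::trunc);
        out << payload;
    }  // stream closed and flushed here

    std::ifstream in(path, std::ios::binary);
    std::string contents(std::istreambuf_iterator<char>{in},
                         std::istreambuf_iterator<char>{});
    in.close();
    std::remove(path.c_str());  // clean up the temporary file
    return contents;
}

int main()
{
    const std::string path = "string_make_example.tmp";  // constructed name

    // Constructed payloads: one short, one long enough to force the string
    // to grow while it is still being constructed (assumption, see lead-in).
    const std::string small_payload = "short";
    const std::string large_payload(64, 'x');

    const bool ok = round_trip(path, small_payload) == small_payload
                 && round_trip(path, large_payload) == large_payload;

    // The contents are expected to match either way; on an affected
    // libstdc++ the sanitizer report is the signal, not this value.
    std::cout << (ok ? "contents match" : "contents differ") << '\n';
    return ok ? 0 : 1;
}
```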