[llvm-bugs] [Bug 31376] New: Segmentation fault at _tree:1098 with -O2 in Mac OS X clang++

via llvm-bugs llvm-bugs at lists.llvm.org
Wed Dec 14 13:50:45 PST 2016


https://llvm.org/bugs/show_bug.cgi?id=31376

            Bug ID: 31376
           Summary: Segmentation fault at _tree:1098 with -O2 in Mac OS X
                    clang++
           Product: libc++
           Version: 3.7
          Hardware: Macintosh
                OS: MacOS X
            Status: NEW
          Severity: normal
          Priority: P
         Component: All Bugs
          Assignee: unassignedclangbugs at nondot.org
          Reporter: i at yoichihirai.com
                CC: llvm-bugs at lists.llvm.org, mclow.lists at gmail.com
    Classification: Unclassified

When I assign a temporary std::map<u256, int> object into an already existing
map, the executable compiled with -O2 causes a segmentation fault.  The same
problem happens with std::map<int, u256>.  Here u256 denotes a class in
boost::multiprecision.


The OS and the compiler versions:

$ uname -a
Darwin Yoichis-Air.local 15.6.0 Darwin Kernel Version 15.6.0: Thu Sep  1 15:01:16 PDT 2016; root:xnu-3248.60.11~2/RELEASE_X86_64 x86_64
$ clang++ --version
Apple LLVM version 8.0.0 (clang-800.0.42.1)
Target: x86_64-apple-darwin15.6.0
Thread model: posix
InstalledDir: /Applications/Xcode.app/Contents/Developer/Toolchains/XcodeDefault.xctoolchain/usr/bin


The program that causes the problem:

$ cat main.cpp
#include <boost/multiprecision/cpp_int.hpp>
#include <map>
#include <iostream>

int main()
{
    using namespace::std;

    using u256 = boost::multiprecision::number<
        boost::multiprecision::cpp_int_backend<
            256, 256,
            boost::multiprecision::unsigned_magnitude,
            boost::multiprecision::unchecked,
            void>>;

    map<u256, int> k = {{1, 131264}};
    k = {};

    cout << "passed" << endl << flush;

    return 0;
}

I can observe a segmentation fault with -O2.

$ clang++ -O2 -std=c++11 -stdlib=libc++ main.cpp && ./a.out
Segmentation fault: 11
$ clang++ -O1 -std=c++11 -stdlib=libc++ main.cpp && ./a.out
passed
$ clang++ -O3 -std=c++11 -stdlib=libc++ main.cpp && ./a.out
passed

When I add debugging information and try valgrind, it says the access happens
in __tree:1098.

$ clang++ -g -O2 -std=c++11 -stdlib=libc++ main.cpp
$ valgrind ./a.out
<snip>
==23530== Process terminating with default action of signal 11 (SIGSEGV)
==23530==  General Protection Fault
==23530==    at 0x100001788: void
std::__1::__tree<std::__1::__value_type<boost::multiprecision::number<boost::multiprecision::backends::cpp_int_backend<256u,
256u, (boost::multiprecision::cpp_integer_type)0,
(boost::multiprecision::cpp_int_check_type)0, void>,
(boost::multiprecision::expression_template_option)0>, int>,
std::__1::__map_value_compare<boost::multiprecision::number<boost::multiprecision::backends::cpp_int_backend<256u,
256u, (boost::multiprecision::cpp_integer_type)0,
(boost::multiprecision::cpp_int_check_type)0, void>,
(boost::multiprecision::expression_template_option)0>,
std::__1::__value_type<boost::multiprecision::number<boost::multiprecision::backends::cpp_int_backend<256u,
256u, (boost::multiprecision::cpp_integer_type)0,
(boost::multiprecision::cpp_int_check_type)0, void>,
(boost::multiprecision::expression_template_option)0>, int>,
std::__1::less<boost::multiprecision::number<boost::multiprecision::backends::cpp_int_backend<256u,
256u, (boost::multiprecision::cpp_integer_type)0,
(boost::multiprecision::cpp_int_check_type)0, void>,
(boost::multiprecision::expression_template_option)0> >, true>,
std::__1::allocator<std::__1::__value_type<boost::multiprecision::number<boost::multiprecision::backends::cpp_int_backend<256u,
256u, (boost::multiprecision::cpp_integer_type)0,
(boost::multiprecision::cpp_int_check_type)0, void>,
(boost::multiprecision::expression_template_option)0>, int> >
>::__assign_unique<std::__1::pair<boost::multiprecision::number<boost::multiprecision::backends::cpp_int_backend<256u,
256u, (boost::multiprecision::cpp_integer_type)0,
(boost::multiprecision::cpp_int_check_type)0, void>,
(boost::multiprecision::expression_template_option)0> const, int>
const*>(std::__1::pair<boost::multiprecision::number<boost::multiprecision::backends::cpp_int_backend<256u,
256u, (boost::multiprecision::cpp_integer_type)0,
(boost::multiprecision::cpp_int_check_type)0, void>,
(boost::multiprecision::expression_template_option)0> const, int> const*,
std::__1::pair<boost::multiprecision::number<boost::multiprecision::backends::cpp_int_backend<256u,
256u, (boost::multiprecision::cpp_integer_type)0,
(boost::multiprecision::cpp_int_check_type)0, void>,
(boost::multiprecision::expression_template_option)0> const, int> const*)
(__tree:1098)
==23530==    by 0x1000010F3: main (map:986)

The libc++ version is 3.7 when I see _LIBCPP_VERSION.
The Boost version is 1.62.00 when I see BOOST_VERSION.

The same problem can still be observed with the key and the value types
swapped.

$ cat variant.cpp
#include <boost/multiprecision/cpp_int.hpp>
#include <map>
#include <iostream>

int main()
{
    using namespace::std;

    using u256 = boost::multiprecision::number<
        boost::multiprecision::cpp_int_backend<
            256, 256,
            boost::multiprecision::unsigned_magnitude,
            boost::multiprecision::unchecked,
            void>>;

    map<int, u256> k = {{1, 131264}};
    k = {};

    cout << "passed" << endl << flush;

    return 0;
}
$ clang++ -O1 -std=c++11 -stdlib=libc++ variant.cpp && ./a.out
passed
$ clang++ -O2 -std=c++11 -stdlib=libc++ variant.cpp && ./a.out
Segmentation fault: 11
$ clang++ -O3 -std=c++11 -stdlib=libc++ variant.cpp && ./a.out
Segmentation fault: 11

Valgrind points to the same line for these cases as well.
