<html>
<head>
<base href="https://bugs.llvm.org/">
</head>
<body><table border="1" cellspacing="0" cellpadding="8">
<tr>
<th>Bug ID</th>
<td><a class="bz_bug_link
bz_status_NEW "
title="NEW - [MSVC compatibility] Compiled executable crashes when using multiple virtual bases"
href="https://bugs.llvm.org/show_bug.cgi?id=36921">36921</a>
</td>
</tr>
<tr>
<th>Summary</th>
<td>[MSVC compatibility] Compiled executable crashes when using multiple virtual bases
</td>
</tr>
<tr>
<th>Product</th>
<td>clang
</td>
</tr>
<tr>
<th>Version</th>
<td>6.0
</td>
</tr>
<tr>
<th>Hardware</th>
<td>PC
</td>
</tr>
<tr>
<th>OS</th>
<td>Windows XP
</td>
</tr>
<tr>
<th>Status</th>
<td>NEW
</td>
</tr>
<tr>
<th>Severity</th>
<td>normal
</td>
</tr>
<tr>
<th>Priority</th>
<td>P
</td>
</tr>
<tr>
<th>Component</th>
<td>-New Bugs
</td>
</tr>
<tr>
<th>Assignee</th>
<td>unassignedclangbugs@nondot.org
</td>
</tr>
<tr>
<th>Reporter</th>
<td>budai@tresorit.com
</td>
</tr>
<tr>
<th>CC</th>
<td>llvm-bugs@lists.llvm.org
</td>
</tr></table>
<p>
<div>
<pre>Created <span class=""><a href="attachment.cgi?id=20135" name="attach_20135" title="Minimal C++ source that produces the bug">attachment 20135</a> <a href="attachment.cgi?id=20135&action=edit" title="Minimal C++ source that produces the bug">[details]</a></span>
Minimal C++ source that produces the bug
Clang for Windows with MSVC 2017.
Consider the following source code:
struct A {
virtual ~A() {}
};
struct B {
virtual ~B() {}
};
struct C : virtual B {};
struct D : virtual A, C {};
int main()
{
delete new D;
}
Running:
$ clang source.cpp
from x64 Native Command Prompt for VS 2017 results in an executable that
crashes upon startup.
We've examined the generated output and found that, when the compiler generates
code for the destructors of `D` and its virtual base classes, the compiler
miscalculates the base offset of the `this` pointer for the virtual base class
`A`, it sets 16 instead of 8.
Here is the constructor of D:
"??0D@@QEAA@XZ": # @"\01??0D@@QEAA@XZ"
.LBB1_2:
xor edx, edx
mov rax, qword ptr [rsp + 56] # 8-byte Reload
mov rcx, rax
call "??0C@@QEAA@XZ"
lea rcx, [rip + "??_7D@@6BC@@@"]
lea r8, [rip + "??_7D@@6BA@@@"]
mov r9, qword ptr [rsp + 56] # 8-byte Reload
mov r10, qword ptr [r9]
movsxd r10, dword ptr [r10 + 8]
add r10, 0
mov qword ptr [r9 + r10], r8 # sets A's vtable to ??_7D@@6BA@@@
mov r8, qword ptr [r9]
movsxd r8, dword ptr [r8 + 4]
add r8, 0
mov qword ptr [r9 + r8], rcx
mov rcx, qword ptr [rsp + 80]
mov qword ptr [rsp + 32], rax # 8-byte Spill
# sets B/C's vtable to ??_7D@@6BC@@@
mov rax, rcx
add rsp, 88
ret
Vtable:
.globl "??_7D@@6BA@@@"
"??_7D@@6BA@@@" = .L__unnamed_1+8
.L__unnamed_1:
.quad "??_R4D@@6BA@@@"
.quad "??_GD@@UEAAPEAXI@Z"
Generated destructor for A:
"??_GD@@UEAAPEAXI@Z": # @"\01??_GD@@UEAAPEAXI@Z"
.seh_proc "??_GD@@UEAAPEAXI@Z"
# %bb.0:
sub rsp, 72
.seh_stackalloc 72
.seh_endprologue
mov dword ptr [rsp + 60], edx
mov qword ptr [rsp + 48], rcx
mov rcx, qword ptr [rsp + 48]
add rcx, -16 # note offset is 16 here
mov rax, rcx
mov qword ptr [rsp + 64], rax
mov edx, dword ptr [rsp + 60]
mov qword ptr [rsp + 40], rcx # 8-byte Spill
mov dword ptr [rsp + 36], edx # 4-byte Spill
call "??_DD@@QEAAXXZ"
mov edx, dword ptr [rsp + 36] # 4-byte Reload
cmp edx, 0
je .LBB5_2
But in the dumped record layout, A is at offset 8:
*** Dumping AST Record Layout
0 | struct A
0 | (A vftable pointer)
| [sizeof=8, align=8,
| nvsize=8, nvalign=8]
*** Dumping AST Record Layout
0 | struct B
0 | (B vftable pointer)
| [sizeof=8, align=8,
| nvsize=8, nvalign=8]
*** Dumping AST Record Layout
0 | struct C
0 | (C vbtable pointer)
8 | struct B (virtual base)
8 | (B vftable pointer)
| [sizeof=16, align=8,
| nvsize=8, nvalign=8]
*** Dumping AST Record Layout
0 | struct D
0 | struct C (base)
0 | (C vbtable pointer)
8 | struct A (virtual base)
8 | (A vftable pointer)
16 | struct B (virtual base)
16 | (B vftable pointer)
| [sizeof=24, align=8,
| nvsize=8, nvalign=8]</pre>
</div>
</p>
<hr>
<span>You are receiving this mail because:</span>
<ul>
<li>You are on the CC list for the bug.</li>
</ul>
</body>
</html>