<table border="1" cellspacing="0" cellpadding="8">
    <tr>
        <th>Issue</th>
        <td>
            <a href=https://github.com/llvm/llvm-project/issues/63523>63523</a>
        </td>
    </tr>

    <tr>
        <th>Summary</th>
        <td>
            CFI check fails in __make_uninitialized_buffer
        </td>
    </tr>

    <tr>
      <th>Labels</th>
      <td>
            libc++
      </td>
    </tr>

    <tr>
      <th>Assignees</th>
      <td>
      </td>
    </tr>

    <tr>
      <th>Reporter</th>
      <td>
          zmodem
      </td>
    </tr>
</table>

<pre>
After 31eeba3f7c0e2ef4a21c07da9326a4ae1a8de7e2 we're seeing CFI check failures in libc++'s `__make_uninitialized_buffer` during `std::stable_sort`.

It appears that the function is performing an illegal cast (https://eel.is/c++draft/basic.life#6.4), as shown by the reproducer below:

```
$ cat /tmp/a.cc
#include <algorithm>
#include <vector>

struct S {
  S(int x) : x(x) {}
  virtual void foo() {}
  int x;
};

struct Cmp {
  bool operator()(const S &s, const S &t) { return s.x > t.x; }
};

int main() {
  std::vector<S> v;
  for (int i = 0; i < 300; i++)
    v.emplace_back(S(i));

  std::stable_sort(v.begin(), v.end(), Cmp());
  return 0;
}

$ build/bin/clang++ /tmp/a.cc -stdlib=libc++ -fsanitize=cfi -flto=thin -fuse-ld=lld -fvisibility=hidden -fno-sanitize-trap=cfi -fsanitize-recover=cfi && LD_LIBRARY_PATH=build/lib/x86_64-unknown-linux-gnu ./a.out
/work/llvm-project/build/bin/../include/c++/v1/__memory/uninitialized_buffer.h:72:16: runtime error: control flow integrity check for type 'S' failed during cast to unrelated type (vtable address 0x7fe6e97cc320)
0x7fe6e97cc320: note: invalid vtable
 e6 7f 00 00  10 c3 7c e9 e6 7f 00 00  10 c3 7c e9 e6 7f 00 00  20 c3 7c e9 e6 7f 00 00  20 c3 7c e9
              ^ 
/work/llvm-project/build/bin/../include/c++/v1/__memory/uninitialized_buffer.h:72:16: note: check failed in /work/llvm-project/a.out, vtable located in /lib/x86_64-linux-gnu/libc.so.6
SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior /work/llvm-project/build/bin/../include/c++/v1/__memory/uninitialized_buffer.h:72:16 in
```
</pre>
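An added illustration, not part of the report and not libc++'s code: a scratch buffer that avoids the kind of cast the CFI check above reports, by keeping its storage as `void*` and taking each `S*` from a placement-new expression. `ScratchBuffer` and `sum_via_virtual` are hypothetical names, and the example assumes the reported cast happens before any object has been constructed in the buffer.

```cpp
#include <cstddef>
#include <new>
#include <utility>
// Polymorphic element type, modelled on the reproducer's S.
struct S {
  explicit S(int x) : x(x) {}
  virtual ~S() = default;
  virtual int foo() const { return x; }
  int x;
};

// Hypothetical scratch buffer (not libc++'s). The storage stays void* and a
// T* only ever comes out of a placement-new expression, so there is no cast
// to T* for -fsanitize=cfi to check while the memory holds no vptr yet.
template <class T>
class ScratchBuffer {
 public:
  explicit ScratchBuffer(std::size_t n) : raw_(::operator new(n * sizeof(T))), cap_(n) {}
  ScratchBuffer(const ScratchBuffer&) = delete;
  ScratchBuffer& operator=(const ScratchBuffer&) = delete;
  ~ScratchBuffer() {
    while (size_ > 0) first_[--size_].~T();  // destroy only what was built
    ::operator delete(raw_);
  }
  // Pattern the check reports, for contrast: T* p = static_cast<T*>(raw_);
  template <class... Args>
  T* emplace_back(Args&&... args) {
    if (size_ == cap_) return nullptr;  // full: caller must handle
    void* slot = static_cast<unsigned char*>(raw_) + size_ * sizeof(T);
    T* p = ::new (slot) T(std::forward<Args>(args)...);
    if (size_++ == 0) first_ = p;  // remember the first constructed element
    return p;
  }
  std::size_t size() const { return size_; }
  T& operator[](std::size_t i) { return first_[i]; }
 private:
  void* raw_;
  T* first_ = nullptr;
  std::size_t cap_, size_ = 0;
};

// Fill a buffer with n elements and sum them through the virtual call.
int sum_via_virtual(int n) {
  ScratchBuffer<S> buf(static_cast<std::size_t>(n));
  for (int i = 0; i < n; ++i) buf.emplace_back(i);
  int total = 0;
  for (std::size_t i = 0; i < buf.size(); ++i) total += buf[i].foo();
  return total;
}
```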