[cfe-dev] Sanitizer and "downcast of address 0xXX...XXX with insufficient space for an object of type '_Rb_tree_node' "

Richard Smith richard at metafoo.co.uk
Thu Aug 1 12:05:42 PDT 2013


On Thu, Aug 1, 2013 at 12:57 AM, Jeffrey Walton <noloader at gmail.com> wrote:

> Hi All,
>
> What is this finding trying to tell me?
>
> The iterator is a typedef for _Base_ptr, and the address of _M_header
> is a pointer. _Link_type is typedef'd as a _Rb_tree_node<_Tp>*. So I
> don't see a width problem.
>

_M_header is an _Rb_tree_node_base, which is smaller than an
_Rb_tree_node<_Tp>. Usually, this would be OK -- you can reinterpret_cast
between pointers of different types pretty much arbitrarily -- but because
_Rb_tree_node_base is a base class of _Rb_tree_node<_Tp>, this is a
static_cast, and the ruling wording is 5.2.9/11, which says "If the
prvalue of type "pointer to cv1 B" points to a B that is actually a
subobject of an object of type D, the resulting pointer points to the
enclosing object of type D. Otherwise, the behavior is undefined."

We've managed to prove that the prvalue of type "pointer to
_Rb_tree_node_base" is not, in fact, a subobject of type
"_Rb_tree_node<_Tp>", because there's not enough room in the allocated
storage for an object of that type at that address. So we've determined
that the behavior is undefined.

This is a bug in libstdc++. The fix is to use reinterpret_cast instead of
static_cast in the definition of 'end'.


> *****
> Testing ECDSA (InSiTo unit tests):
> ../usr/include/c++/4.2.1/bits/stl_tree.h:620:25: runtime error:
> downcast of address 0x7fff5598fe88 with insufficient space for an
> object of type '_Rb_tree_node' (aka '_Rb_tree_node<std::pair<const
> Botan::OID, std::basic_string<char> > >')
> 0x7fff5598fe88: note: pointer points here
>  00 00 00 00  00 00 00 00 00 00 00 00  10 a7 14 01 70 60 00 00  80 a7
> 14 01 70 60 00 00  c0 a5 14 01
>               ^
> *****
> From stl_tree.h:
>
>   618    iterator
>   619    end()
>   620    { return iterator(static_cast<_Link_type>(&this->_M_impl._M_header)); }
>
> *****
> OS X 10.8.3
>
> $ uname -a
> Darwin riemann.home.pvt 12.4.0 Darwin Kernel Version 12.4.0: Wed May
> 1 17:57:12 PDT 2013; root:xnu-2050.24.15~1/RELEASE_X86_64 x86_64
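A cut-down reproduction of the layout discussed above, added here as an example (it is not code from the thread or from libstdc++): NodeBase, Node and Tree::header are stand-ins for _Rb_tree_node_base, _Rb_tree_node<_Tp> and the _M_impl._M_header sentinel, and end_static()/end_reinterpret() show the cast libstdc++ uses beside the one Richard proposes.

```cpp
#include <cstddef>
#include <string>
#include <utility>

// Added example (not from the thread or from libstdc++): a minimal
// red-black-tree header/node layout with the same shape as
// _Rb_tree_node_base / _Rb_tree_node<_Tp> in stl_tree.h.
struct NodeBase {                 // stands in for _Rb_tree_node_base
    NodeBase* parent = nullptr;
    NodeBase* left   = nullptr;
    NodeBase* right  = nullptr;
    bool      red    = false;
};

template <class T>
struct Node : NodeBase {          // stands in for _Rb_tree_node<_Tp>
    T value;                      // payload that the sentinel never has
};

template <class T>
struct Tree {
    NodeBase header;              // sentinel like _M_impl._M_header:
                                  // a bare base object, NOT a Node<T>

    // As in libstdc++'s end(): a base-to-derived static_cast. Since
    // &header is not a subobject of any Node<T>, 5.2.9/11 makes this
    // undefined, and UBSan's object-size check reports it as
    // "downcast of address ... with insufficient space for an object".
    Node<T>* end_static() { return static_cast<Node<T>*>(&header); }

    // The fix from the thread: reinterpret_cast carries no "actually a
    // subobject of D" precondition, so there is nothing to diagnose.
    // Either result is usable only as an address (iterator comparison),
    // never for reading .value.
    Node<T>* end_reinterpret() { return reinterpret_cast<Node<T>*>(&header); }
};

using Payload = std::pair<const std::string, std::string>;

// Why the check fires: the sentinel occupies sizeof(NodeBase) bytes,
// but a Node<Payload> needs more than that at the same address.
std::size_t header_bytes() { return sizeof(NodeBase); }
std::size_t node_bytes()   { return sizeof(Node<Payload>); }

// Both casts produce the header's own address; only the language rule
// they invoke (and hence what the sanitizer can prove) differs.
bool casts_agree(Tree<Payload>& t) {
    return t.end_static() == t.end_reinterpret()
        && static_cast<void*>(t.end_reinterpret()) == static_cast<void*>(&t.header);
}
```

Building with clang++ -fsanitize=undefined at -O1 or higher, where the optimizer can see the sentinel's size, and calling end_static() on a stack or global Tree reproduces the diagnostic quoted above; end_reinterpret() stays silent.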