[libcxx-commits] [PATCH] D130212: [libc++][ranges] attempt to fix proxy iterator issues that cause Chromium to crash
Hui via Phabricator via libcxx-commits
libcxx-commits at lists.llvm.org
Wed Jul 20 16:12:19 PDT 2022
huixie90 created this revision.
huixie90 added reviewers: ldionne, var-const.
Herald added a subscriber: mgrang.
Herald added a project: All.
huixie90 requested review of this revision.
Herald added a project: libc++.
Herald added a subscriber: libcxx-commits.
Herald added a reviewer: libc++.
[libc++][ranges] attempt to fix proxy iterator issues that cause Chromium to crash
The crash reported by Chrome v8 is related to sorting with `v8::internal::AtomicSlot`.
According to https://chromium.googlesource.com/v8/v8/+/9bcb5eb590643db0c1f688fea316c7f1f4786a3c/src/objects/slots-atomic-inl.h,
`AtomicSlot` is indeed a proxy iterator with a proxy type `AtomicSlot::Reference`.
https://reviews.llvm.org/D130197 correctly spotted issues in `__iter_move`, but the fix does not fix the issue.
The reason is that `AtomicSlot::operator*` returns a prvalue `Reference`. After the fix in D130197 <https://reviews.llvm.org/D130197>, the return type
of `__iter_move` is `Reference&&`. But the rvalue reference is bound to the temporary value returned by `operator*`,
which will be dangling after `__iter_move` returns.
The idea of the fix in this change is borrowed from C++17's move_iterator:
https://timsong-cpp.github.io/cppwp/n4659/move.iterators#move.iterator-1
When the underlying reference is a prvalue, we just return it by value.
Repository:
rG LLVM Github Monorepo
https://reviews.llvm.org/D130212
Files:
libcxx/include/__algorithm/iterator_operations.h
libcxx/test/std/algorithms/alg.sorting/alg.sort/sort/sort_proxy.pass.cpp
-------------- next part --------------
A non-text attachment was scrubbed...
Name: D130212.446294.patch
Type: text/x-patch
Size: 5316 bytes
Desc: not available
URL: <http://lists.llvm.org/pipermail/libcxx-commits/attachments/20220720/d0e5c61d/attachment.bin>
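
The return-type rule described in the message above, as an added example that is not part of the original post or of the libc++ patch. `ProxyRef`, `ProxyIter`, `deref_t`, `move_result_t` and `safe_iter_move` are hypothetical names, and the proxy is a simplified stand-in for a type such as `AtomicSlot`.

```cpp
#include <type_traits>
#include <utility>
#include <vector>

// Hypothetical proxy types (not V8's): operator* returns a prvalue proxy.
struct ProxyRef {
    int* slot;
    operator int() const { return *slot; }
};
struct ProxyIter {
    int* p;
    ProxyRef operator*() const { return ProxyRef{p}; }
};

template <class Iter>
using deref_t = decltype(*std::declval<Iter&>());

// C++17 move_iterator rule: if the dereference type is a reference, yield
// remove_reference_t<R>&&; otherwise yield R itself (by value).
template <class Iter>
using move_result_t = std::conditional_t<
    std::is_reference<deref_t<Iter>>::value,
    std::remove_reference_t<deref_t<Iter>>&&,
    deref_t<Iter>>;

// Hypothetical helper. Returning ProxyRef&& here instead would bind to the
// temporary created by *it, which is destroyed before the caller can use it.
template <class Iter>
move_result_t<Iter> safe_iter_move(Iter& it) {
    return static_cast<move_result_t<Iter>>(*it);
}

static_assert(std::is_same<move_result_t<ProxyIter>, ProxyRef>::value,
              "prvalue proxy is returned by value");
static_assert(std::is_same<move_result_t<std::vector<int>::iterator>, int&&>::value,
              "lvalue reference becomes an rvalue reference");

int read_through_proxy() {
    int storage[] = {7, 9};          // constructed sample data
    ProxyIter it{storage + 1};
    auto r = safe_iter_move(it);     // r is a ProxyRef object owned by the caller
    return static_cast<int>(r);
}

int read_through_vector() {
    std::vector<int> v{1, 2, 3};     // constructed sample data
    auto it = v.begin();
    int&& r = safe_iter_move(it);    // refers to v[0], which outlives the call
    return r;
}

int main() { return (read_through_proxy() == 9 && read_through_vector() == 1) ? 0 : 1; }
```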