[LLVMbugs] [Bug 20362] New: Double-free corruption in vector move assignment

Fri Jul 18 15:09:54 PDT 2014

http://llvm.org/bugs/show_bug.cgi?id=20362

            Bug ID: 20362
           Summary: Double-free corruption in vector move assignment
           Product: libc++
           Version: unspecified
          Hardware: PC
                OS: Linux
            Status: NEW
          Severity: normal
          Priority: P
         Component: All Bugs
          Assignee: unassignedclangbugs at nondot.org
          Reporter: tkoeppe at google.com
                CC: llvmbugs at cs.uiuc.edu, mclow.lists at gmail.com
    Classification: Unclassified

Created attachment 12792
  --> http://llvm.org/bugs/attachment.cgi?id=12792&action=edit
Demonstrates double-free corruption in vector move assignment

The move-assignment operator in vector acknowledges that it may throw an
exception if the allocator's move assignment throws, but the implementation is
not correct when an actual exception occurs: both the source and the target are
left owning the same dynamic memory.

For example, see vector:1337 at revision 213415. (I haven't looked further to
see if similar problems exist elsewhere.)

I'm attaching a self-contained example.

-- 
You are receiving this mail because:
You are on the CC list for the bug.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.llvm.org/pipermail/llvm-bugs/attachments/20140718/ad092d99/attachment.html>