[LLVMbugs] [Bug 23611] New: UB during unwinding from function target clone failure

Thu May 21 03:57:13 PDT 2015

https://llvm.org/bugs/show_bug.cgi?id=23611

            Bug ID: 23611
           Summary: UB during unwinding from function target clone failure
           Product: libc++
           Version: 3.6
          Hardware: PC
                OS: All
            Status: NEW
          Severity: normal
          Priority: P
         Component: All Bugs
          Assignee: unassignedclangbugs at nondot.org
          Reporter: david_work at me.com
                CC: llvmbugs at cs.uiuc.edu, mclow.lists at gmail.com
    Classification: Unclassified

Cloning a std::function target object goes like this:

1. Construct and call an allocator object.
2. Pass the newly allocated memory to a unique_ptr.
3. Placement-construct the new erasure object into the raw memory.
4. Release the handle from the now-valid unique_ptr.

After #2, the unique_ptr is attempting to manage raw memory, which is
dangerous. If #3 throws, unwinding will destroy the new erasure object before
reaching __clone. At this point the unique_ptr is destroyed, and destroys the
erasure a second time.

No misbehavior occurs, I suppose, because the erasure is polymorphic and its
root base class, aside from being polymorphic, would be trivially-destructible.
Each virtual destructor begins by resetting the vtable to its own class. The
post-destruction state points to a vtable with an empty destructor.

However, the destructor really isn't trivial, and accessing the destroyed
object at all is UB.

NB: I'm already working on some major upgrades to std::function.

-- 
You are receiving this mail because:
You are on the CC list for the bug.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.llvm.org/pipermail/llvm-bugs/attachments/20150521/9415961a/attachment.html>