[llvm-bugs] [Bug 25358] New: calling string.resize(0xfffffffffffffffd) causes a segfault

via llvm-bugs llvm-bugs at lists.llvm.org
Fri Oct 30 12:12:16 PDT 2015


https://llvm.org/bugs/show_bug.cgi?id=25358

            Bug ID: 25358
           Summary: calling string.resize(0xfffffffffffffffd) causes a
                    segfault
           Product: libc++
           Version: unspecified
          Hardware: All
                OS: All
            Status: NEW
          Severity: normal
          Priority: P
         Component: All Bugs
          Assignee: unassignedclangbugs at nondot.org
          Reporter: llvm at insonuit.org
                CC: llvm-bugs at lists.llvm.org, mclow.lists at gmail.com
    Classification: Unclassified

One of our developers found that calling string.resize(0xfffffffffffffffd)
causes a segfault.

It looks like grow_by() is rounding up that size by adding 16 bytes & then
rounding down to a multiple of 16, via __recommend(); at least on this system,
which is a FreeBSD x86-64 system.  That results in a zero-length allocation
request, which succeeds.

At this point, we're in trouble.  append() then calls memset, via assign(), to
zero out the 2^64 bytes or so which were added; and we crash.

Perhaps grow_by() should take alignment into account when checking whether to
throw a length error, or perhaps it needs to avoid aligning if the resulting
size will wrap around 0.
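The arithmetic described above, as an added example that is not code from the report or from libc++: it models the "add 16, round down to a multiple of 16" step with plain unsigned arithmetic to show the wrap to zero, and places an overflow check before the addition so the oversized request is rejected. kAlign, recommend_unchecked and recommend_checked are assumed names, not libc++ identifiers.

```cpp
#include <cstddef>
#include <iostream>
#include <limits>
#include <stdexcept>

// Alignment granule from the report: sizes are bumped by 16, then rounded
// down to a multiple of 16.
constexpr std::size_t kAlign = 16;

// The size from the report: SIZE_MAX - 2, i.e. 0xfffffffffffffffd on a
// 64-bit size_t (written this way so the example stays portable).
constexpr std::size_t kReportedSize = std::numeric_limits<std::size_t>::max() - 2;

// Model of the rounding step as described (not libc++'s own code). Unsigned
// addition wraps, so kReportedSize + 16 becomes 13, and 13 rounded down to a
// multiple of 16 is 0: a zero-byte allocation request that succeeds.
constexpr std::size_t recommend_unchecked(std::size_t s) {
    return (s + kAlign) & ~(kAlign - 1);
}

// True when the rounding silently produced a smaller request than asked for.
constexpr bool rounding_wrapped(std::size_t s) {
    return recommend_unchecked(s) < s;
}

// Hardened variant: the bound is checked *before* the addition. Checking the
// rounded result afterwards cannot tell a wrapped value from a small one.
constexpr std::size_t kMaxSafeSize = std::numeric_limits<std::size_t>::max() - kAlign;

inline std::size_t recommend_checked(std::size_t s) {
    if (s > kMaxSafeSize)
        throw std::length_error("requested size would wrap after alignment");
    return recommend_unchecked(s);
}

// Helper so callers can observe the rejection without handling exceptions.
inline bool checked_rejects(std::size_t s) {
    try { (void)recommend_checked(s); return false; }
    catch (const std::length_error&) { return true; }
}

int main() {
    std::cout << "unchecked request for SIZE_MAX-2: "
              << recommend_unchecked(kReportedSize) << " bytes\n";   // 0
    std::cout << "wrapped: " << rounding_wrapped(kReportedSize) << "\n";
    std::cout << "checked rejects it: " << checked_rejects(kReportedSize) << "\n";
    std::cout << "checked request for 100: " << recommend_checked(100) << "\n";
    return 0;
}
```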
