[llvm-bugs] [Bug 35889] New: SmallVector: use-after-poison MSAN error in destructor

[via llvm-bugs]

https://bugs.llvm.org/show_bug.cgi?id=35889

            Bug ID: 35889
           Summary: SmallVector: use-after-poison MSAN error in destructor
           Product: libraries
           Version: trunk
          Hardware: All
                OS: All
            Status: NEW
          Severity: normal
          Priority: P
         Component: Core LLVM classes
          Assignee: unassignedbugs at nondot.org
          Reporter: steve at obrien.cc
                CC: llvm-bugs at lists.llvm.org

The topmost class, `SmallVector`, has internal storage for some elements; `N -
1` elements' bytes worth of space.  Meanwhile a base class
`SmallVectorTemplateCommon` has room for one element as well, totaling `N`
elements' worth of space.

The space for the N elements is contiguous and straddles
`SmallVectorTemplateCommon` and `SmallVector`.

A class "between" those two owning the storage, `SmallVectorImpl`, in its
destructor, calls the destructor for elements contained in the vector, if any. 
It uses `destroy_range(begin, end)` to destroy all items in sequence, starting
from the end.

By the time the destructor for `SmallVectorImpl` is running, though, the memory
for elements `[1, N)` is already poisoned, due to `SmallVector`'s destructor
having done its thing already.

So if the element type `T` has a nontrivial destructor that accesses any
members of the `T` instance being destroyed, we'll run into a use-after-poison
bug.

This patch moves the destruction loop into `SmallVector`'s destructor, so any
memory being accessed while dtors are running is not yet poisoned.

[Phabricator diff and repro steps coming]

-- 
You are receiving this mail because:
You are on the CC list for the bug.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.llvm.org/pipermail/llvm-bugs/attachments/20180110/cfd113b5/attachment.html>