[llvm-bugs] [Bug 35889] New: SmallVector: use-after-poison MSAN error in destructor
via llvm-bugs
llvm-bugs at lists.llvm.org
Wed Jan 10 09:36:32 PST 2018
https://bugs.llvm.org/show_bug.cgi?id=35889
Bug ID: 35889
Summary: SmallVector: use-after-poison MSAN error in destructor
Product: libraries
Version: trunk
Hardware: All
OS: All
Status: NEW
Severity: normal
Priority: P
Component: Core LLVM classes
Assignee: unassignedbugs at nondot.org
Reporter: steve at obrien.cc
CC: llvm-bugs at lists.llvm.org
The topmost class, `SmallVector`, has internal storage for some elements;
`N - 1` elements' bytes worth of space. Meanwhile a base class
`SmallVectorTemplateCommon` has room for one element as well, totaling `N`
elements' worth of space.

The space for the N elements is contiguous and straddles
`SmallVectorTemplateCommon` and `SmallVector`.

A class "between" those two owning the storage, `SmallVectorImpl`, in its
destructor, calls the destructor for elements contained in the vector, if any.
It uses `destroy_range(begin, end)` to destroy all items in sequence, starting
from the end.

By the time the destructor for `SmallVectorImpl` is running, though, the memory
for elements `[1, N)` is already poisoned, due to `SmallVector`'s destructor
having done its thing already.

So if the element type `T` has a nontrivial destructor that accesses any
members of the `T` instance being destroyed, we'll run into a use-after-poison
bug.

This patch moves the destruction loop into `SmallVector`'s destructor, so any
memory being accessed while dtors are running is not yet poisoned.

[Phabricator diff and repro steps coming]
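
The destructor ordering described in the report, as an added model that is not LLVM's code and not the reporter's patch: `Common`, `Impl` and `Small` stand in for `SmallVectorTemplateCommon`, `SmallVectorImpl` and `SmallVector`, and a recorded address range stands in for MSan's poisoning (all names and the poison bookkeeping are assumptions). It counts element destructors that run on already-poisoned storage under the reported ordering and under the ordering the patch moves to.

```cpp
#include <cstddef>
#include <cstdint>
#include <new>

// Stand-in for MSan's shadow state: the one byte range poisoned so far.
static std::uintptr_t poisonLo = 0, poisonHi = 0;
static int poisonedTouches = 0;
static void poison(const void *p, std::size_t n) {
  poisonLo = reinterpret_cast<std::uintptr_t>(p); poisonHi = poisonLo + n;
}

struct Elem {  // element type with a nontrivial destructor
  int id;
  ~Elem() {    // the address check stands in for a member access such as id
    auto a = reinterpret_cast<std::uintptr_t>(this);
    if (a >= poisonLo && a < poisonHi) ++poisonedTouches;
  }
};

struct Common {  // role of SmallVectorTemplateCommon: room for element 0
  std::size_t size = 0;
  alignas(Elem) unsigned char first[sizeof(Elem)];
};

template <bool DestroyInImpl> struct Impl : Common {  // role of SmallVectorImpl
  unsigned char *rest = nullptr;  // points at the most-derived class's buffer
  Elem *at(std::size_t i) {       // element 0 in Common, elements [1, N) in Small
    return reinterpret_cast<Elem *>(i == 0 ? first : rest + (i - 1) * sizeof(Elem));
  }
  void push(int id) { new (at(size)) Elem{id}; ++size; }
  void destroyAll() { while (size) at(--size)->~Elem(); }  // starting from the end
  ~Impl() { if (DestroyInImpl) destroyAll(); }  // ordering the report describes
};

template <std::size_t N, bool DestroyInImpl> struct Small : Impl<DestroyInImpl> {
  alignas(Elem) unsigned char inlineRest[(N - 1) * sizeof(Elem)];  // N >= 2 assumed
  Small() { this->rest = inlineRest; }
  ~Small() {
    if (!DestroyInImpl) this->destroyAll();  // ordering the patch moves to
    poison(inlineRest, sizeof inlineRest);   // models poisoning once this dtor is done
  }
};

template <bool InImpl> int poisonedAccesses() {
  poisonLo = poisonHi = 0; poisonedTouches = 0;
  { Small<4, InImpl> v; for (int i = 0; i < 4; ++i) v.push(i); }  // v destroyed here
  return poisonedTouches;
}
int buggyOrder() { return poisonedAccesses<true>(); }   // elements 1..3 flagged
int fixedOrder() { return poisonedAccesses<false>(); }  // nothing flagged
int main() { return buggyOrder() == 3 && fixedOrder() == 0 ? 0 : 1; }
```

Element 0 is never flagged in either ordering because its storage belongs to the base class, which is destroyed last.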