[llvm-bugs] [Bug 47085] New: [coroutines] optimized code references subobject of promise as temporary
via llvm-bugs
llvm-bugs at lists.llvm.org
Mon Aug 10 01:56:09 PDT 2020
https://bugs.llvm.org/show_bug.cgi?id=47085
Bug ID: 47085
Summary: [coroutines] optimized code references subobject of promise as temporary
Product: new-bugs
Version: 10.0
Hardware: PC
OS: Linux
Status: NEW
Severity: enhancement
Priority: P
Component: new bugs
Assignee: unassignedbugs at nondot.org
Reporter: me at xecycle.info
CC: htmldeveloper at gmail.com, llvm-bugs at lists.llvm.org
Created attachment 23834 (reproducing source code): https://bugs.llvm.org/attachment.cgi?id=23834&action=edit
Using 10.0.1 as packaged by Arch Linux, the attached code, when compiled with
"-std=gnu++17 -fcoroutines-ts -O2 -stdlib=libc++", triggers use-after-free
reports in valgrind but runs OK at -O0. It has
    __attribute__((noinline))
    void f(std::string s, coroutine_handle<> h)
    {
        puts(s.c_str());
        h.destroy();   // frees the coroutine frame, including the promise
    }
and
    void await_suspend(coroutine_handle<> h)
    {
        f(std::move(pr->retval), h);   // pr points at the coroutine promise
    }
Here, calling f() needs a temporary std::string, copied from a member of the
coroutine promise; at -O0 it is created by alloca, but at -O2 it points to the
original object and is destroyed after returning from f(). Because f() freed the
coroutine, ~std::string() caused a use-after-free.