https://gcc.gnu.org/bugzilla/show_bug.cgi?id=67626

            Bug ID: 67626
           Summary: Erroneous report on downcast to __numpunct_cache
           Product: gcc
           Version: 5.2.0
            Status: UNCONFIRMED
          Severity: normal
          Priority: P3
         Component: sanitizer
          Assignee: unassigned at gcc dot gnu.org
          Reporter: sduvan.gcc at gmail dot com
                CC: dodji at gcc dot gnu.org, dvyukov at gcc dot gnu.org,
                    jakub at gcc dot gnu.org, kcc at gcc dot gnu.org
  Target Milestone: ---

Created attachment 36347
  --> https://gcc.gnu.org/bugzilla/attachment.cgi?id=36347&action=edit
Preprocessed source code

For the testcase below, it seems to me that ubsan is confused. The locale
stores 'facet*'s in its cache which are downcast by __use_cache::operator() to
retrieve the actual type (std::__numpunct_cache<char>). Moreover,
__numpunct_cache is a template and not a type, as indicated in the error message
below.

Reduced testcase:

#include <locale>

int main() {
  // Build a locale carrying a num_put facet so that use_facet finds it.
  std::locale loc(std::locale(), new std::num_put<char, char*>());
  std::num_put<char, char*> const& np = std::use_facet<std::num_put<char, char*>>(loc);
  char buf[256];
  // Minimal ios_base subclass; put() needs an ios_base to look up the numpunct cache.
  struct ios : std::ios_base {} ios;
  // Formatting a number triggers __use_cache and the flagged downcast.
  np.put(buf, ios, '0', 1l);
}

bash> /usr/local/products/gcc/5.2.0/bin/g++ -fsanitize=undefined -std=gnu++11
-o bug bug.C -Wl,-rpath,/usr/local/products/gcc/5.2.0/lib64
bash> ./bug
/usr/local/products/gcc/5.2.0/include/c++/5.2.0/bits/locale_facets.tcc:72:67:
runtime error: downcast of address 0x7f57533d21e0 which does not point to an
object of type '__numpunct_cache'
0x7f57533d21e0: note: object is of type 'std::__numpunct_cache<char>'
00 00 00 00  d8 5f 3c 53 57 7f 00 00  01 00 00 00 00 00 00 00  8a bd 38 53 57
7f 00 00  00 00 00 00
             ^~~~~~~~~~~~~~~~~~~~~~~
             vptr for 'std::__numpunct_cache<char>'
/usr/local/products/gcc/5.2.0/include/c++/5.2.0/bits/locale_facets.tcc:880:2:
runtime error: member access within address 0x7f57533d21e0 which does not point
to an object of type '__numpunct_cache'
0x7f57533d21e0: note: object is of type 'std::__numpunct_cache<char>'
00 00 00 00  d8 5f 3c 53 57 7f 00 00  01 00 00 00 00 00 00 00  8a bd 38 53 57
7f 00 00  00 00 00 00
             ^~~~~~~~~~~~~~~~~~~~~~~
             vptr for 'std::__numpunct_cache<char>'


bash> /usr/local/products/gcc/5.2.0/bin/g++ -v
Using built-in specs.
COLLECT_GCC=/usr/local/products/gcc/5.2.0/bin/g++
COLLECT_LTO_WRAPPER=/usr/local/products/gcc/5.2.0/lib/gcc/x86_64-suse-linux/5.2.0/lto-wrapper
Target: x86_64-suse-linux
Configured with: ../../gcc-5.2.0/configure --enable-languages=c,c++,fortran
--enable-targets=x86_64-suse-linux,i686-suse-linux
--prefix=/usr/local/products/gcc/5.2.0 --with-gnu-as
--with-as=/usr/local/products/gcc/binutils-2.25.1/bin/as --with-gnu-ld
--with-ld=/usr/local/products/gcc/binutils-2.25.1/bin/ld.gold
--with-gmp=/usr/local/products/gcc/gmp-5.0.1
--with-mpfr=/usr/local/products/gcc/mpfr-3.0.0
--with-mpc=/usr/local/products/gcc/mpc-0.8.2 --enable-threads=posix
--enable-shared --enable-__cxa_atexit --enable-libstdcxx-allocator=pool
x86_64-suse-linux
Thread model: posix
gcc version 5.2.0 (GCC)
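The caching pattern the report describes, reduced to a self-contained example (constructed for this page, not libstdc++'s own code; the names facet, numpunct_cache, locale_cache and use_cache are stand-ins for the library internals): slots hold base facet pointers, a __use_cache-style accessor downcasts them, and the dynamic-type check that -fsanitize=vptr performs at the cast is expressed with dynamic_cast so a valid slot and a genuinely mistyped one can be told apart.

```cpp
#include <cstddef>
#include <memory>
#include <vector>

// Stand-in for std::locale::facet: polymorphic, so every object has a vptr.
struct facet {
    virtual ~facet() = default;
};

// Stand-in for std::__numpunct_cache<CharT>, a template as in libstdc++.
template <typename CharT>
struct numpunct_cache : facet {
    CharT decimal_point;
    explicit numpunct_cache(CharT dp) : decimal_point(dp) {}
};

// The cache stores only base pointers, as the locale's cache does.
struct locale_cache {
    std::vector<std::unique_ptr<facet>> slots;
};

// Mirrors __use_cache::operator(): the slot is created with the derived type
// and downcast on every later access. With -fsanitize=vptr this static_cast is
// checked at runtime against the object's dynamic type.
template <typename CharT>
const numpunct_cache<CharT>* use_cache(locale_cache& c, std::size_t idx) {
    if (c.slots.size() <= idx) c.slots.resize(idx + 1);
    if (!c.slots[idx]) c.slots[idx].reset(new numpunct_cache<CharT>('.'));
    return static_cast<const numpunct_cache<CharT>*>(c.slots[idx].get());
}

// The check the sanitizer performs, expressed portably: the dynamic type
// recorded in the vptr must be (or derive from) the target type.
template <typename CharT>
bool downcast_is_valid(const locale_cache& c, std::size_t idx) {
    return dynamic_cast<const numpunct_cache<CharT>*>(c.slots.at(idx).get()) != nullptr;
}

// Valid case: the slot really holds numpunct_cache<char>, so no report is due.
bool cached_slot_downcast_is_valid() {
    locale_cache c;
    return use_cache<char>(c, 0)->decimal_point == '.' && downcast_is_valid<char>(c, 0);
}

// Genuine violation for contrast: a plain facet stored where the cache type is expected.
bool plain_facet_downcast_is_valid() {
    locale_cache c;
    c.slots.emplace_back(new facet);
    return downcast_is_valid<char>(c, 0);
}
```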
