https://llvm.org/bugs/show_bug.cgi?id=23611

            Bug ID: 23611
           Summary: UB during unwinding from function target clone failure
           Product: libc++
           Version: 3.6
          Hardware: PC
                OS: All
            Status: NEW
          Severity: normal
          Priority: P
         Component: All Bugs
          Assignee: [email protected]
          Reporter: [email protected]
                CC: [email protected], [email protected]
    Classification: Unclassified

Cloning a std::function target object goes like this:

1. Construct and call an allocator object.
2. Pass the newly allocated memory to a unique_ptr.
3. Placement-construct the new erasure object into the raw memory.
4. Release the handle from the now-valid unique_ptr.

After #2, the unique_ptr is attempting to manage raw memory, which is
dangerous. If #3 throws, unwinding will destroy the new erasure object before
reaching __clone. At this point the unique_ptr is destroyed, and destroys the
erasure a second time.

No misbehavior occurs, I suppose, because the erasure is polymorphic and its
root base class, aside from being polymorphic, would be trivially-destructible.
Each virtual destructor begins by resetting the vtable to its own class. The
post-destruction state points to a vtable with an empty destructor.

However, the destructor really isn't trivial, and accessing the destroyed
object at all is UB.

NB: I'm already working on some major upgrades to std::function.

_______________________________________________
LLVMbugs mailing list
[email protected]
http://lists.cs.uiuc.edu/mailman/listinfo/llvmbugs
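The four-step clone sequence and the failure mode described in the report, as an added example that is not libc++ code and not part of the original report. It models the std::function target as a small Target type with a copy constructor that can throw, and a Slot that records whether a live object is in the storage. The allocator, the Slot/Tally bookkeeping and the two clone functions are assumptions made for illustration. In the real library, the deleter that runs when step 3 throws would call the erasure's destructor on storage that holds no object, which is undefined behaviour and cannot be observed reliably; here the allocator's destroy() notices that the slot is not live and records the attempt instead of running the destructor. clone_buggy mirrors the reported sequence (unique_ptr owns raw memory with a destroy-then-deallocate deleter); clone_fixed gives the unique_ptr a deallocate-only deleter until construction has succeeded.

```cpp
#include <cstdio>
#include <memory>
#include <new>
#include <stdexcept>

// Counters so the outcome of each clone attempt can be checked (constructed for this example).
struct Tally {
    int destroy_on_unconstructed = 0;  // destroy() reached storage with no live object: UB in real code
    int destroyed = 0;                 // destroy() ran on a live object
    int deallocated = 0;
};

// Stand-in for the type-erased target. Copying it throws when the wrapped callable's copy would.
struct Target {
    bool throw_on_copy;
    explicit Target(bool t) : throw_on_copy(t) {}
    Target(const Target& o) : throw_on_copy(o.throw_on_copy) {
        if (throw_on_copy) throw std::runtime_error("target copy failed");
    }
};

// Raw storage for one Target plus a liveness flag (hypothetical; real code has no such flag).
struct Slot {
    alignas(Target) unsigned char bytes[sizeof(Target)];
    bool live = false;
};

// Minimal allocator-like policy: allocate, destroy, deallocate.
struct Alloc {
    Tally* tally;
    Slot* allocate() { return new Slot; }
    void destroy(Slot* s) {
        if (!s->live) { ++tally->destroy_on_unconstructed; return; }  // the bug: nothing to destroy here
        reinterpret_cast<Target*>(s->bytes)->~Target();
        s->live = false;
        ++tally->destroyed;
    }
    void deallocate(Slot* s) { delete s; ++tally->deallocated; }
};

// Deleter in the spirit of the report: destroy the object, then free the memory.
struct DestroyAndDeallocate {
    Alloc a;
    void operator()(Slot* s) { a.destroy(s); a.deallocate(s); }
};

// Deleter that only returns the memory; correct while the slot holds no object.
struct DeallocateOnly {
    Alloc a;
    void operator()(Slot* s) { a.deallocate(s); }
};

// 1. allocate, 2. hand the raw memory to a unique_ptr, 3. placement-construct, 4. release.
// If step 3 throws, the destroy-then-deallocate deleter runs against unconstructed storage.
Slot* clone_buggy(const Target& src, Alloc a) {
    std::unique_ptr<Slot, DestroyAndDeallocate> hold(a.allocate(), DestroyAndDeallocate{a});
    ::new (hold->bytes) Target(src);
    hold->live = true;
    return hold.release();
}

// Same sequence, but the unique_ptr only knows how to give the memory back until
// construction has succeeded; from then on the caller owns a live object.
Slot* clone_fixed(const Target& src, Alloc a) {
    std::unique_ptr<Slot, DeallocateOnly> hold(a.allocate(), DeallocateOnly{a});
    ::new (hold->bytes) Target(src);
    hold->live = true;
    return hold.release();
}

// Runs one clone attempt and tears down the result on success; returns the counters.
template <class CloneFn>
Tally run(CloneFn clone, bool throw_on_copy) {
    Tally t;
    Alloc a{&t};
    Target src(throw_on_copy);
    try {
        Slot* s = clone(src, a);
        a.destroy(s);
        a.deallocate(s);
    } catch (const std::runtime_error&) {
    }
    return t;
}

int main() {
    std::printf("buggy clone, copy throws: destroy on unconstructed storage = %d\n",
                run(clone_buggy, true).destroy_on_unconstructed);
    std::printf("fixed clone, copy throws: destroy on unconstructed storage = %d, deallocated = %d\n",
                run(clone_fixed, true).destroy_on_unconstructed,
                run(clone_fixed, true).deallocated);
    return 0;
}
```

With the buggy sequence the failing copy leaves one destroy() call against storage that was never constructed; with the deallocate-only deleter the failing copy only frees the memory, and a successful clone is destroyed exactly once by its eventual owner.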