Bad code generation of the std::moneypunct ctor (and possibly of the 
std::messages ctor)
----------------------------------------------------------------------------------------

                 Key: STDCXX-554
                 URL: https://issues.apache.org/jira/browse/STDCXX-554
             Project: C++ Standard Library
          Issue Type: Bug
          Components: 22. Localization
    Affects Versions: trunk
         Environment: MSVC 7.1
            Reporter: Farid Zaripov
         Attachments: stdcxx-554.patch

  The 22.locale.money.put.cpp test fails on MSVC 7.1 (15s build type) with a
buffer-overrun error due to bad code generation.

  Here is the assembly code for the moneypunct ctor:
-------------
    _EXPLICIT moneypunct (_RWSTD_SIZE_T __refs = 0)
        : _RW::__rw_facet (__refs), money_base () { }
004018C0  push        ebp  
004018C1  mov         ebp,esp 
004018C3  push        ecx  
004018C4  mov         dword ptr [ebp-4],ecx 
004018C7  mov         eax,dword ptr [__refs] 
004018CA  push        eax  
004018CB  mov         ecx,dword ptr [this] 
004018CE  call        __rw::__rw_facet::__rw_facet (412E20h) 

004018D3  xor         ecx,ecx 
004018D5  mov         edx,dword ptr [this] 
004018D8  add         edx,38h                       // the sizeof (moneypunct) == 0x38
004018DB  mov         byte ptr [edx],cl           // here is the place of the buffer overrun:
                                                  // the byte is stored at this + sizeof (moneypunct),
                                                  // i.e. one byte past the end of the object

004018DD  mov         eax,dword ptr [this] 
004018E0  mov         dword ptr [eax],offset std::moneypunct<char,0>::`vftable' 
(488838h) 
004018E6  mov         eax,dword ptr [this] 
004018E9  mov         esp,ebp 
004018EB  pop         ebp  
004018EC  ret         4    
-------------

  When I commented out the money_base () call, the test succeeded and the assembly
code changed to:
-------------
    _EXPLICIT moneypunct (_RWSTD_SIZE_T __refs = 0)
        : _RW::__rw_facet (__refs)/*, money_base ()*/ { }
004018C0  push        ebp  
004018C1  mov         ebp,esp 
004018C3  push        ecx  
004018C4  mov         dword ptr [ebp-4],ecx 
004018C7  mov         eax,dword ptr [__refs] 
004018CA  push        eax  
004018CB  mov         ecx,dword ptr [this] 
004018CE  call        __rw::__rw_facet::__rw_facet (412E20h) 
004018D3  mov         ecx,dword ptr [this] 
004018D6  mov         dword ptr [ecx],offset std::moneypunct<char,0>::`vftable' 
(488838h) 
004018DC  mov         eax,dword ptr [this] 
004018DF  mov         esp,ebp 
004018E1  pop         ebp  
004018E2  ret         4    
-------------

  Here is the same assembly, but in the 12s configuration:

before change:
-------------
    const PunctT pun;
004018B1  push        1    
004018B3  lea         ecx,[esp+0B4h] 
004018BA  call        __rw::__rw_facet::__rw_facet (40A770h) 

004018BF  mov         byte ptr [esp+0E8h],bl            // 0xE8 - 0xB4 == 0x34, so no buffer overrun here,
                                                        // but the last 4-byte member of __rw_facet
                                                        // (I suppose it is _C_pid) may be overwritten

004018C6  mov         dword ptr [esp+0B0h],offset Punct<char,0>::`vftable' 
(43A258h) 
-------------

after change:
-------------
    const PunctT pun;
00401891  push        1    
00401893  lea         ecx,[esp+0B4h] 
0040189A  call        __rw::__rw_facet::__rw_facet (40A720h) 
0040189F  mov         dword ptr [esp+0B0h],offset Punct<char,0>::`vftable' 
(43A258h) 
-------------

  I have not verified this, but I suppose the same problem might exist in the
messages class.

