On Tue, Aug 16, 2022 at 9:15 PM Keef Aragon <keef.ara...@konscious.net> wrote:
>
> This probably has never actually affected anyone in practice. The normal
> ABI implementation just uses malloc and only falls back to the pool on
> malloc failure. But if that happens a bunch of times the freelist gets out
> of order which violates some of the invariants of the freelist (as well as
> the comments that follow the bug). The bug is just a comparison reversal
> when traversing the freelist in the case where the pointer being returned
> to the pool is after the existing freelist.
>
> I'm not sure what to do as far as the test suite is concerned. It's a
> private part of the implementation of the exception handling ABI and it can
> only ever be triggered if malloc fails (repeatedly). So it seems like
> reproducing it from the external interface will require hooking malloc to
> forcibly return NULL.
>
> But I'm a newb on these lists, so will obediently do as instructed.
Oops, that's my fault. For consistency it's probably best written as

reinterpret_cast <char *> (e) + sz > reinterpret_cast <char *> ((*fe))

thus

diff --git a/libstdc++-v3/libsupc++/eh_alloc.cc b/libstdc++-v3/libsupc++/eh_alloc.cc
index c85b9aed40b..68f319869f9 100644
--- a/libstdc++-v3/libsupc++/eh_alloc.cc
+++ b/libstdc++-v3/libsupc++/eh_alloc.cc
@@ -224,8 +224,8 @@ namespace
       free_entry **fe;
       for (fe = &first_free_entry;
            (*fe)->next
-           && (reinterpret_cast <char *> ((*fe)->next)
-               > reinterpret_cast <char *> (e) + sz);
+           && (reinterpret_cast <char *> (e) + sz
+               > reinterpret_cast <char *> ((*fe)->next));
            fe = &(*fe)->next)
         ;
       // If we can merge the next block into us do so and continue

The change is OK with that adjustment. I see you do not have write access
so I'll test & push it for you.

I'm curious how you noticed?

Thanks,
Richard.
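Review bot: the condition in the reply's prose is given as `reinterpret_cast <char *> (e) + sz > reinterpret_cast <char *> ((*fe))`, while the `+` lines of the hunk compare against `(*fe)->next`; the hunk's form is the right one, since the loop advances with `fe = &(*fe)->next` and the comment that follows talks about merging the next block, so the prose should read `(*fe)->next` to match. With the operands swapped the walk now continues while the next entry still lies below `e + sz` and stops at the last entry before `e`, which is what keeps the list sorted when the returned block lies after every existing entry; a short comment on the loop stating that invariant (the freelist is kept in address order) would help the next reader, since the old reversed test read plausibly enough to survive review.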
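The ordering invariant the thread discusses, as an added C model that is not libstdc++'s own code: a pool freelist kept sorted by address with adjacent entries coalesced, the original and corrected loop tests selectable by a flag, and the "block after every existing entry" case from the report run against both. The arena, block offsets and sizes are constructed for the example.

```c
#include <stddef.h>
/* Model of the eh_alloc.cc pool freelist (added example, not libstdc++'s own
   code): entries stay sorted by address and adjacent entries coalesce. */
struct free_entry { size_t size; struct free_entry *next; };
static _Alignas(16) unsigned char arena[4096];  /* stands in for the pool buffer */
static struct free_entry *first_free_entry;

/* Return [e, e+sz) to the pool.  'reversed' selects the original loop test. */
static void pool_free(void *p, size_t sz, int reversed)
{
  char *e = p;
  struct free_entry *f = p, **fe = &first_free_entry;
  if (!first_free_entry || e + sz < (char *)first_free_entry) {  /* new head */
    f->size = sz; f->next = first_free_entry; first_free_entry = f; return;
  }
  if (e + sz == (char *)first_free_entry) {                     /* merge into head */
    f->size = sz + first_free_entry->size; f->next = first_free_entry->next;
    first_free_entry = f; return;
  }
  if (reversed)  /* original test: stops as soon as the next entry is not above e */
    while ((*fe)->next && (char *)(*fe)->next > e + sz) fe = &(*fe)->next;
  else           /* fixed test: keep walking while the next entry lies below e */
    while ((*fe)->next && e + sz > (char *)(*fe)->next) fe = &(*fe)->next;
  struct free_entry *prev = *fe, *next = prev->next;
  if (next && e + sz == (char *)next) { sz += next->size; next = next->next; }
  if ((char *)prev + prev->size == e) { prev->size += sz; prev->next = next; }
  else { f->size = sz; f->next = next; prev->next = f; }
}

/* Returns the entry count when addresses strictly increase and no entries
   overlap, 0 when the ordering invariant is broken. */
static int freelist_check(void)
{
  int n = 0;
  for (struct free_entry *f = first_free_entry; f; f = f->next, n++)
    if (f->next && (char *)f + f->size > (char *)f->next) return 0;
  return n;
}

/* The case from the report: blocks lying after every existing entry, then an
   adjacent block that must coalesce.  Expect 3 ordered entries, or 0 on failure. */
static int scenario_free_after_tail(int reversed)
{
  first_free_entry = NULL;
  pool_free(arena, 128, reversed);
  pool_free(arena + 512, 128, reversed);
  pool_free(arena + 1024, 128, reversed);  /* beyond the whole freelist */
  pool_free(arena + 128, 128, reversed);   /* adjoins the first block */
  return freelist_check();
}
```

With the original test the third free lands between the first two entries instead of at the tail, and every later insertion walks from a list that is already out of order.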