https://llvm.org/bugs/show_bug.cgi?id=25358
Bug ID: 25358
Summary: calling string.resize(0xfffffffffffffffd) causes a segfault
Product: libc++
Version: unspecified
Hardware: All
OS: All
Status: NEW
Severity: normal
Priority: P
Component: All Bugs
Assignee: unassignedclangb...@nondot.org
Reporter: l...@insonuit.org
CC: llvm-bugs@lists.llvm.org, mclow.li...@gmail.com
Classification: Unclassified

One of our developers found that calling string.resize(0xfffffffffffffffd) causes a segfault.

It looks like grow_by() is rounding up that size by adding 16 bytes & then rounding down to a multiple of 16, via __recommend(); at least on this system, which is a FreeBSD x86-64 system. That results in a zero-length allocation request, which succeeds. At this point, we're in trouble. append() then calls memset, via assign(), to zero out the 2^64 bytes or so which were added; and we crash.

Perhaps grow_by() should take alignment into account when checking whether to throw a length error, or perhaps it needs to avoid aligning if the resulting size will wrap around 0.

--
You are receiving this mail because: You are on the CC list for the bug.
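The arithmetic the report describes, as an added illustration that is not part of the bug report or of libc++'s own code: a simplified model of the "add 16, round down to a multiple of 16" capacity recommendation on a fixed 64-bit size type (so the result is the same on any host), showing how 0xfffffffffffffffd wraps to a zero capacity, next to a hardened variant that rejects the request before the addition can wrap. The function names (naive_recommend, checked_recommend, naive_wraps, checked_rejects) and the choice of a 16-byte alignment constant are assumptions made for this example; they are not libc++ identifiers.

```cpp
#include <cstdint>
#include <cstdio>
#include <limits>
#include <stdexcept>

// Model of the capacity rounding the report describes. A fixed 64-bit size
// type is used so the arithmetic is identical on every host. This is an
// illustration only, not libc++'s real __recommend()/grow_by().
using size64 = std::uint64_t;
constexpr size64 kAlign = 16;  // assumed alignment, matching the report's "16 bytes"

// Naive rounding: add the alignment, then mask down to a multiple of 16.
// For s close to 2^64 the addition wraps modulo 2^64 and the mask yields 0,
// which is exactly the zero-length allocation the report complains about.
size64 naive_recommend(size64 s) {
    return (s + kAlign) & ~(kAlign - 1);
}

// Hardened rounding: refuse any size whose padded capacity cannot be
// represented, and do the check BEFORE the addition so the length check
// accounts for alignment (the first fix the report suggests).
size64 checked_recommend(size64 s) {
    constexpr size64 limit = std::numeric_limits<size64>::max() - kAlign;
    if (s > limit)
        throw std::length_error("requested size overflows aligned capacity");
    return (s + kAlign) & ~(kAlign - 1);
}

// Detects the wrap after the fact: a correct recommendation is never
// smaller than the size it was computed from.
bool naive_wraps(size64 s) {
    return naive_recommend(s) < s;
}

// Reports whether the hardened path rejects a size (throws length_error).
bool checked_rejects(size64 s) {
    try {
        (void)checked_recommend(s);
        return false;
    } catch (const std::length_error&) {
        return true;
    }
}

int main() {
    const size64 bad = 0xfffffffffffffffdULL;  // the value from the report
    std::printf("naive_recommend(0x%llx) = 0x%llx (wraps: %s)\n",
                (unsigned long long)bad,
                (unsigned long long)naive_recommend(bad),
                naive_wraps(bad) ? "yes" : "no");
    std::printf("checked_recommend rejects it: %s\n",
                checked_rejects(bad) ? "yes" : "no");
    std::printf("naive_recommend(100) = %llu\n",
                (unsigned long long)naive_recommend(100));
    return 0;
}
```

The boundary is instructive: 0xffffffffffffffef is the largest size whose padded capacity still fits in 64 bits (it rounds to 0xfffffffffffffff0), while 0xfffffffffffffff0 already wraps to 0, so the hardened check has to compare against max minus the alignment, not against max itself.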