[Bug 11361] New: uclibc++ crashes when trying to splice to empty list

bugzilla at busybox.net bugzilla at busybox.net
Fri Sep 21 19:54:45 UTC 2018


https://bugs.busybox.net/show_bug.cgi?id=11361

            Bug ID: 11361
           Summary: uclibc++ crashes when trying to splice to empty list
           Product: uClibc++
           Version: unspecified
          Hardware: All
                OS: Linux
            Status: NEW
          Severity: normal
          Priority: P5
         Component: Standard Compliance
          Assignee: unassigned at uclibc.org
          Reporter: charlemagnelasse at gmail.com
                CC: uclibc-cvs at uclibc.org
  Target Milestone: ---

Right now, every program that uses splice to move an item to another list
(which is empty) seems to crash:

    #include <list>

    int main()
    {
        std::list<int> empty_list;
        std::list<int> two_item_list;

        two_item_list.push_back(1);
        two_item_list.push_back(2);

        empty_list.splice(empty_list.end(), two_item_list, two_item_list.begin());

        return 0;
    }

It crashes with:

    4         {
    1: two_item_list = {list_start = 0x1, list_end = 0x77f0d57f <blobmsg_add_field+42>, elements = 2012192832, a = {<No data fields>}}
    2: empty_list = {list_start = 0x0, list_end = 0x77ec51ec <operator new(unsigned int)+44>, elements = 32, a = {<No data fields>}}
    (gdb) n
    151             std::list<int> empty_list;
    1: two_item_list = {list_start = 0x1, list_end = 0x77f0d57f <blobmsg_add_field+42>, elements = 2012192832, a = {<No data fields>}}
    2: empty_list = {list_start = 0x0, list_end = 0x77ec51ec <operator new(unsigned int)+44>, elements = 32, a = {<No data fields>}}
    (gdb) n
    5             std::list<int> two_item_list;
    1: two_item_list = {list_start = 0x1, list_end = 0x77f0d57f <blobmsg_add_field+42>, elements = 2012192832, a = {<No data fields>}}
    2: empty_list = {list_start = 0x77eb0910, list_end = 0x77eb0910, elements = 0, a = {<No data fields>}}
    (gdb) n
    6             two_item_list.push_back(1);
    1: two_item_list = {list_start = 0x77eb0930, list_end = 0x77eb0930, elements = 0, a = {<No data fields>}}
    2: empty_list = {list_start = 0x77eb0910, list_end = 0x77eb0910, elements = 0, a = {<No data fields>}}
    (gdb) n
    7             two_item_list.push_back(2);
    1: two_item_list = {list_start = 0x77eb0950, list_end = 0x77eb0930, elements = 1, a = {<No data fields>}}
    2: empty_list = {list_start = 0x77eb0910, list_end = 0x77eb0910, elements = 0, a = {<No data fields>}}
    (gdb) n
    8             empty_list.splice(empty_list.end(), two_item_list, two_item_list.begin());
    1: two_item_list = {list_start = 0x77eb0950, list_end = 0x77eb0930, elements = 2, a = {<No data fields>}}
    2: empty_list = {list_start = 0x77eb0910, list_end = 0x77eb0910, elements = 0, a = {<No data fields>}}
    (gdb) n

    Program received signal SIGSEGV, Segmentation fault.
    std::list<int, std::allocator<int> >::splice (i=..., x=..., position=..., this=0x7ffffb98) at /usr/src/openwrt/staging_dir/target-mips_24kc_musl-1.1.16/usr/include/uClibc++/list:608
    608                             i.link_struct()->previous->next = i.link_struct()->next;

The reported line is

    605                 //Insert at begining special case
    606                 if(position == begin()){
    607 
    608                         i.link_struct()->previous->next = i.link_struct()->next;
    609                         i.link_struct()->next->previous = i.link_struct()->previous;
    610
    611                         i.link_struct()->previous = 0;
    612                         i.link_struct()->next = position.link_struct();
    613                         position.link_struct()->previous = i.link_struct();
    614 
    615                         list_start = i.link_struct();
    616 
    617                         --x.elements;
    618                         ++elements;
    619                         return;
    620                 }


See also https://github.com/mwarning/zerotier-openwrt/issues/9 and
https://bugs.openwrt.org/index.php?do=details&task_id=1859 and
https://github.com/uClibcxx/uClibcxx/issues/1

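Added example (not part of the original report and not uClibc++ code): a minimal model of the list layout visible in the gdb dump, with an unlink step that tolerates the spliced node being the head of the source list. `Node`, `MiniList`, `splice_one` and `splice_head_into_empty` are hypothetical names, and the model assumes a sentinel end node and a null `previous` pointer on the head node, which is what the dump and line 611 suggest.

```cpp
// Added model, not uClibc++ source. Field names follow the gdb dump above.
#include <cstddef>
struct Node { Node* previous; Node* next; int value; };

// Assumed layout: list_end is a sentinel node, an empty list has
// list_start == list_end, and the head node's previous pointer is null.
struct MiniList {
    Node* list_start;
    Node* list_end;
    std::size_t elements;
    MiniList() : list_start(new Node{nullptr, nullptr, 0}), list_end(list_start), elements(0) {}
    MiniList(const MiniList&) = delete;
    ~MiniList() { while (list_start) { Node* n = list_start->next; delete list_start; list_start = n; } }

    void push_back(int v) {
        Node* n = new Node{list_end->previous, list_end, v};
        if (n->previous) n->previous->next = n; else list_start = n;
        list_end->previous = n;
        ++elements;
    }

    // Move node i out of x and link it in front of position (a node of *this).
    void splice_one(Node* position, MiniList& x, Node* i) {
        if (i == x.list_end || i == position) return;  // nothing to move
        // Unlink from x. The head has no predecessor, so an unguarded
        // i->previous->next = i->next dereferences a null pointer here.
        if (i->previous) i->previous->next = i->next; else x.list_start = i->next;
        i->next->previous = i->previous;  // next is never null (sentinel)
        // Link in front of position, updating list_start when position was the head.
        i->previous = position->previous;
        i->next = position;
        if (position->previous) position->previous->next = i; else list_start = i;
        position->previous = i;
        --x.elements; ++elements;
    }
};

// The reporter's case: move the first of two items into an empty list.
bool splice_head_into_empty() {
    MiniList empty_list, two_item_list;
    two_item_list.push_back(1);
    two_item_list.push_back(2);
    empty_list.splice_one(empty_list.list_end, two_item_list, two_item_list.list_start);
    return empty_list.elements == 1 && empty_list.list_start->value == 1 &&
           two_item_list.elements == 1 && two_item_list.list_start->value == 2 &&
           two_item_list.list_start->previous == nullptr;
}

int main() { return splice_head_into_empty() ? 0 : 1; }
```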