https://gcc.gnu.org/bugzilla/show_bug.cgi?id=90904
Bug ID: 90904
Summary: vec assignment and copying undefined
Product: gcc
Version: 9.0
Status: UNCONFIRMED
Severity: normal
Priority: P3
Component: other
Assignee: unassigned at gcc dot gnu.org
Reporter: msebor at gcc dot gnu.org
Target Milestone: ---
Compiling the following function succeeds but running the code crashes with the
stack trace below. The problem is that even though it owns (allocates and
deallocates) its own memory in its ctor and dtor, the auto_vec class fails to
define the copy assignment operator (or copy constructor) to allocate memory
for the copy. As a result, a compiler-generated copy assignment and copy ctor
are provided which simply copy the pointer to memory owned by the original to
the other object. That results in a double free upon destruction of the
original.
/* Uses auto_vec from gcc/vec.h; crashes at scope exit because a and b share one buffer.  */
void f (void)
{
  auto_vec<int> a;
  a.safe_push (1);
  auto_vec<int> b;
  b = a;                 /* compiler-generated shallow copy of the data pointer */
  if (a.length () != b.length ())
    abort ();
}                        /* ~auto_vec runs twice on the same allocation: double free */
free(): double free detected in tcache 2
...
0x111471e crash_signal
gcc/toplev.c:326
0x97fd04 void va_heap::release<int>(vec<int, va_heap, vl_embed>*&)
gcc/vec.h:311
0x97fb77 vec<int, va_heap, vl_ptr>::release()
gcc/vec.h:1690
0x9fd84f auto_vec<int, 0ul>::~auto_vec()
gcc/vec.h:1463
The vec base class provides a copy() member function to copy the data that one
would hope to be able to use to copy auto_vec instances. Regrettably, the copy
function returns a vec class so it cannot be used to copy the derived auto_vec.
The vec base too fails to provide a user-defined copy ctor so it's also unsafe
to copy using the expected syntax.
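The following is an added illustration, not code from GCC's vec.h: a minimal owning vector (named owning_vec here, an assumption) that supplies what the report says auto_vec lacks, a user-defined copy constructor and copy assignment that allocate fresh storage for the copy. An allocation counter lets a check confirm that every buffer is released exactly once after the same a/b sequence as the reporter's function.

```cpp
// Added example, not part of GCC or the bug report: an owning vector with
// user-defined copy operations (the "rule of three") so copies never share
// a buffer.  Only trivially copyable T is intended here.
#include <algorithm>
#include <cstddef>
#include <utility>

// Allocation bookkeeping so a test can verify one free per allocation.
struct alloc_stats {
  static int allocs;
  static int frees;
};
int alloc_stats::allocs = 0;
int alloc_stats::frees = 0;

template <typename T>
class owning_vec {
  T *data_ = nullptr;
  std::size_t len_ = 0;
  std::size_t cap_ = 0;

  static T *allocate(std::size_t n) {
    ++alloc_stats::allocs;
    return new T[n];
  }
  static void release(T *p) {
    if (p) { ++alloc_stats::frees; delete[] p; }
  }

public:
  owning_vec() = default;

  // Copy constructor: allocate a separate buffer and copy the elements.
  // Without this, the compiler-generated one copies only the pointer,
  // which is exactly the double-free pattern described in the report.
  owning_vec(const owning_vec &other)
      : data_(other.len_ ? allocate(other.len_) : nullptr),
        len_(other.len_), cap_(other.len_) {
    std::copy(other.data_, other.data_ + other.len_, data_);
  }

  // Copy assignment via copy-and-swap: the by-value parameter owns new
  // memory, and the old buffer is released once when the temporary dies.
  // Self-assignment is handled for free.
  owning_vec &operator=(owning_vec other) {
    swap(*this, other);
    return *this;
  }

  ~owning_vec() { release(data_); }

  friend void swap(owning_vec &a, owning_vec &b) noexcept {
    std::swap(a.data_, b.data_);
    std::swap(a.len_, b.len_);
    std::swap(a.cap_, b.cap_);
  }

  // Grow-by-doubling push, mirroring the safe_push name used in the report.
  void safe_push(const T &v) {
    if (len_ == cap_) {
      std::size_t new_cap = cap_ ? cap_ * 2 : 4;
      T *p = allocate(new_cap);
      std::copy(data_, data_ + len_, p);
      release(data_);
      data_ = p;
      cap_ = new_cap;
    }
    data_[len_++] = v;
  }

  std::size_t length() const { return len_; }
  T &operator[](std::size_t i) { return data_[i]; }
  const T &operator[](std::size_t i) const { return data_[i]; }
};

// Replays the reporter's a/b sequence with the fixed class.  Returns true when
// the copy has the same length and its storage is independent of the original.
bool copy_is_independent() {
  owning_vec<int> a;
  a.safe_push(1);
  owning_vec<int> b;
  b = a;            // deep copy: b gets its own buffer
  b.safe_push(2);   // growing b must leave a untouched
  return a.length() == 1 && b.length() == 2 && a[0] == 1 && b[1] == 2;
}

// True when every allocation so far has been matched by exactly one free,
// i.e. no double free and no leak after the scenario above ran.
bool allocations_balanced() {
  return alloc_stats::allocs == alloc_stats::frees;
}
```

If copying is not meant to be supported at all, declaring the copy constructor and copy assignment as `= delete` turns the shallow-copy crash into a compile-time error, which is the cheaper fix when no caller needs to copy.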