http://gcc.gnu.org/bugzilla/show_bug.cgi?id=59391
Bug ID: 59391
Summary: std::sort will go out of std::vector bounds and crash
Product: gcc
Version: 4.4.6
Status: UNCONFIRMED
Severity: normal
Priority: P3
Component: libstdc++
Assignee: unassigned at gcc dot gnu.org
Reporter: awwafa at gmail dot com
$ gcc -v
Using built-in specs.
Target: x86_64-redhat-linux
Configured with: ../configure --prefix=/usr --mandir=/usr/share/man
--infodir=/usr/share/info --with-bugurl=http://bugzilla.redhat.com/bugzilla
--enable-bootstrap --enable-shared --enable-threads=posix
--enable-checking=release --with-system-zlib --enable-__cxa_atexit
--disable-libunwind-exceptions --enable-gnu-unique-object
--enable-languages=c,c++,objc,obj-c++,java,fortran,ada --enable-java-awt=gtk
--disable-dssi --with-java-home=/usr/lib/jvm/java-1.5.0-gcj-1.5.0.0/jre
--enable-libgcj-multifile --enable-java-maintainer-mode
--with-ecj-jar=/usr/share/java/eclipse-ecj.jar --disable-libjava-multilib
--with-ppl --with-cloog --with-tune=generic --with-arch_32=i686
--build=x86_64-redhat-linux
Thread model: posix
gcc version 4.4.6 20110731 (Red Hat 4.4.6-3) (GCC)
----------- gcc switches used -----
g++ -o sort_test.o -c sort_test.cxx
g++ -o sort_test sort_test.o
------------ sort_test.cxx---------
#include <algorithm>
#include <vector>
bool compare_val(int* a, int* b) {
if (*a <= *b) return true;
return false;
}
int main (void) {
const int int_array[] = {12, 13, 2, 2, 6, 7, 12, 2, 10, 11, 16, 5, 5, 2, 16,
7, 6, 16, 14, 5, 10, 9, 14, 3, 7, 15, 14, 6, 2, 1, 11, 13, 14, 12, 15, 4, 3,
11, 5, 12, 5, 5, 1, 9, 6, 16, 15, 11, 16, 13, 15, 10, 6, 13, 13, 12, 11, 10, 1,
13, 11, 11, 10, 9, 7, 8, 12, 10, 2};
std::vector<int*> my_vec;
int length = sizeof(int_array)/sizeof(int);
for(int i=0; i < length; ++i) {
int *int_ptr =new int;
*int_ptr = int_array[i];
my_vec.push_back(int_ptr);
}
std::sort(my_vec.begin(), my_vec.end(), compare_val);
}
------------ sort_test.cxx---------
---------------- Valgrind output -----------------
==20061== Memcheck, a memory error detector
==20061== Copyright (C) 2002-2009, and GNU GPL'd, by Julian Seward et al.
==20061== Using Valgrind-3.5.0 and LibVEX; rerun with -h for copyright info
==20061== Command: ./sort_test
==20061==
==20061== Invalid read of size 8
==20061== at 0x40159E: __gnu_cxx::__normal_iterator<int**, std::vector<int*,
std::allocator<int*> > >
std::__unguarded_partition<__gnu_cxx::__normal_iterator<int**,
std::vector<int*, std::allocator<int*> > >, int*, bool (*)(int*,
int*)>(__gnu_cxx::__normal_iterator<int**, std::vector<int*,
std::allocator<int*> > >, __gnu_cxx::__normal_iterator<int**, std::vector<int*,
std::allocator<int*> > >, int*, bool (*)(int*, int*)) (in
/home/awafa/tmp/std_sort_crash/sort_test)
==20061== by 0x4010B8: void
std::__introsort_loop<__gnu_cxx::__normal_iterator<int**, std::vector<int*,
std::allocator<int*> > >, long, bool (*)(int*,
int*)>(__gnu_cxx::__normal_iterator<int**, std::vector<int*,
std::allocator<int*> > >, __gnu_cxx::__normal_iterator<int**, std::vector<int*,
std::allocator<int*> > >, long, bool (*)(int*, int*)) (in
/home/awafa/tmp/std_sort_crash/sort_test)
==20061== by 0x400B08: void std::sort<__gnu_cxx::__normal_iterator<int**,
std::vector<int*, std::allocator<int*> > >, bool (*)(int*,
int*)>(__gnu_cxx::__normal_iterator<int**, std::vector<int*,
std::allocator<int*> > >, __gnu_cxx::__normal_iterator<int**, std::vector<int*,
std::allocator<int*> > >, bool (*)(int*, int*)) (in
/home/awafa/tmp/std_sort_crash/sort_test)
==20061== by 0x40092A: main (in /home/awafa/tmp/std_sort_crash/sort_test)
==20061== Address 0x4a33a48 is 8 bytes before a block of size 1,024 alloc'd
==20061== at 0x490459B: operator new(unsigned long)
(vg_replace_malloc.c:220)
==20061== by 0x401844: __gnu_cxx::new_allocator<int*>::allocate(unsigned
long, void const*) (in /home/awafa/tmp/std_sort_crash/sort_test)
==20061== by 0x4012C9: std::_Vector_base<int*, std::allocator<int*>
>::_M_allocate(unsigned long) (in /home/awafa/tmp/std_sort_crash/sort_test)
==20061== by 0x400D5A: std::vector<int*, std::allocator<int*>
>::_M_insert_aux(__gnu_cxx::__normal_iterator<int**, std::vector<int*,
std::allocator<int*> > >, int* const&) (in
/home/awafa/tmp/std_sort_crash/sort_test)
==20061== by 0x400A73: std::vector<int*, std::allocator<int*>
>::push_back(int* const&) (in /home/awafa/tmp/std_sort_crash/sort_test)
==20061== by 0x4008E1: main (in /home/awafa/tmp/std_sort_crash/sort_test)
