
Key: STDCXX-554
Type: Bug
Status: Closed
Resolution: Fixed
Priority: Major
Assignee: Farid Zaripov
Reporter: Farid Zaripov
Votes: 0
Watchers: 0
C++ Standard Library

[MSVC 7.1] Bad code generation of the std::moneypunct ctor (and possibly of the std::messages ctor)

Created: 13/Sep/07 06:06 PM   Updated: 04/Apr/08 06:17 PM
Component/s: 22. Localization
Affects Version/s: 4.1.3
Fix Version/s: 4.2.0

File Attachments:
stdcxx-554.patch (text file, 0.9 kB, licensed for inclusion in ASF works) 2007-09-13 06:07 PM Farid Zaripov
Environment:
MSVC 7.1 with Service Pack 1

Microsoft (R) 32-bit C/C++ Optimizing Compiler Version 13.10.6030 for 80x86
Copyright (C) Microsoft Corporation 1984-2002. All rights reserved.

Patch Info: Patch Available
Severity: Runtime Error
Resolution Date: 14/Sep/07 10:47 AM


Description
The 22.locale.money.put.cpp test fails on MSVC 7.1 (15s build type) with a buffer overrun error due to bad code generation.

Here is the assembly code for the moneypunct ctor:
-------------
_EXPLICIT moneypunct (_RWSTD_SIZE_T __refs = 0)
: _RW::__rw_facet (__refs), money_base () { }
004018C0 push ebp
004018C1 mov ebp,esp
004018C3 push ecx
004018C4 mov dword ptr [ebp-4],ecx
004018C7 mov eax,dword ptr [__refs]
004018CA push eax
004018CB mov ecx,dword ptr [this]
004018CE call _rw::rw_facet::_rw_facet (412E20h)

004018D3 xor ecx,ecx
004018D5 mov edx,dword ptr [this]
004018D8 add edx,38h // sizeof (moneypunct) == 0x38
004018DB mov byte ptr [edx],cl // here is the buffer overrun: a byte store at this + sizeof (moneypunct)

004018DD mov eax,dword ptr [this]
004018E0 mov dword ptr [eax],offset std::moneypunct<char,0>::`vftable' (488838h)
004018E6 mov eax,dword ptr [this]
004018E9 mov esp,ebp
004018EB pop ebp
004018EC ret 4
-------------

When I commented out the money_base () call, the test succeeded and the assembly code changed to:
-------------
_EXPLICIT moneypunct (_RWSTD_SIZE_T __refs = 0)
: _RW::__rw_facet (__refs)/*, money_base ()*/ { }
004018C0 push ebp
004018C1 mov ebp,esp
004018C3 push ecx
004018C4 mov dword ptr [ebp-4],ecx
004018C7 mov eax,dword ptr [__refs]
004018CA push eax
004018CB mov ecx,dword ptr [this]
004018CE call _rw::rw_facet::_rw_facet (412E20h)
004018D3 mov ecx,dword ptr [this]
004018D6 mov dword ptr [ecx],offset std::moneypunct<char,0>::`vftable' (488838h)
004018DC mov eax,dword ptr [this]
004018DF mov esp,ebp
004018E1 pop ebp
004018E2 ret 4
-------------

Here is the same assembly, but in the 12s configuration:

before change:
-------------
const PunctT pun;
004018B1 push 1
004018B3 lea ecx,[esp+0B4h]
004018BA call _rw::rw_facet::_rw_facet (40A770h)

004018BF mov byte ptr [esp+0E8h],bl // 0xE8 - 0xB4 == 0x34, so no buffer overrun here,
// but the last 4-byte member of __rw_facet is possibly changed
// (I suppose it is _C_pid)

004018C6 mov dword ptr [esp+0B0h],offset Punct<char,0>::`vftable' (43A258h)
-------------

after change:
-------------
const PunctT pun;
00401891 push 1
00401893 lea ecx,[esp+0B4h]
0040189A call _rw::rw_facet::_rw_facet (40A720h)
0040189F mov dword ptr [esp+0B0h],offset Punct<char,0>::`vftable' (43A258h)
-------------

I have not verified it, but I suppose that the same problem might exist with the messages class.
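The guard-byte check a regression test for this class of miscompile would use, as an added example that is not the attached stdcxx-554.patch nor the stdcxx test suite: `Facet`, `RefCounted`, `EmptyBase`, `OverrunFacet` and `guarded_construct` are hypothetical stand-ins for the real moneypunct/__rw_facet layout, and `OverrunFacet` only emulates by hand the one-byte store past the object that the 004018DB instruction above performs.

```cpp
#include <cstddef>
#include <cstring>
#include <new>

struct EmptyBase { };                  // stand-in for std::money_base (no data members)

struct RefCounted {                    // stand-in for the __rw_facet base: vptr + refcount
    explicit RefCounted(std::size_t refs = 0) : refs_(refs) { }
    virtual ~RefCounted() { }
    std::size_t refs_;
};

// Same shape as the moneypunct ctor: the empty base is explicitly
// value-initialized in the mem-initializer list.
struct Facet : RefCounted, EmptyBase {
    explicit Facet(std::size_t refs = 0) : RefCounted(refs), EmptyBase() { }
};

// Hypothetical emulation of the miscompiled ctor: one zero byte stored at
// this + sizeof(*this), i.e. the first byte past the object.
struct OverrunFacet : RefCounted, EmptyBase {
    explicit OverrunFacet(std::size_t refs = 0) : RefCounted(refs) {
        reinterpret_cast<unsigned char*>(this)[sizeof(OverrunFacet)] = 0;
    }
};

static const std::size_t kGuard = 16;          // guard bytes on each side of the object
static const unsigned char kSentinel = 0xA5;   // pattern a stray zero store would change

// Construct (and destroy) a T in the middle of a sentinel-filled buffer and
// report whether every guard byte on both sides survived.
template <class T>
bool guarded_construct()
{
    static_assert(kGuard % alignof(T) == 0, "guard keeps T aligned");
    alignas(T) unsigned char buf[kGuard + sizeof(T) + kGuard];
    std::memset(buf, kSentinel, sizeof buf);
    T* obj = new (buf + kGuard) T(1);    // placement-new between the two guards
    obj->~T();
    for (std::size_t i = 0; i < kGuard; ++i) {
        if (buf[i] != kSentinel) return false;                        // front guard
        if (buf[kGuard + sizeof(T) + i] != kSentinel) return false;   // back guard
    }
    return true;
}
```

On a conforming compiler `guarded_construct<Facet>()` returns true; the 15s miscompile described above would have zeroed the first back-guard byte, which is exactly what `guarded_construct<OverrunFacet>()` reports as false.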



Farid Zaripov added a comment - 13/Sep/07 06:12 PM
The reference thread in the development mailing list: http://www.mail-archive.com/stdcxx-dev@incubator.apache.org/msg04931.html

Farid Zaripov added a comment - 14/Sep/07 10:47 AM

Farid Zaripov added a comment - 14/Sep/07 10:51 AM
The regression test was added here: http://svn.apache.org/viewvc?rev=575614&view=rev