C++ Standard Library
STDCXX-554

[MSVC 7.1] Bad code generation of the std::moneypunct ctor (and possibly of the std::messages ctor)


Details

    • Type: Bug
    • Status: Closed
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: 4.1.3
    • Fix Version/s: 4.2.0
    • Component/s: 22. Localization
    • Labels: None
    • Environment: MSVC 7.1 with Service Pack 1

      Microsoft (R) 32-bit C/C++ Optimizing Compiler Version 13.10.6030 for 80x86
      Copyright (C) Microsoft Corporation 1984-2002. All rights reserved.

    • Patch Available
    • Runtime Error

    Description

      The 22.locale.money.put.cpp test fails on MSVC 7.1 (15s build type) with a buffer overrun error due to bad code generation.

      Here is the assembly code for the moneypunct ctor:
      -------------
      _EXPLICIT moneypunct (_RWSTD_SIZE_T __refs = 0)
      : _RW::__rw_facet (__refs), money_base () { }
      004018C0 push ebp
      004018C1 mov ebp,esp
      004018C3 push ecx
      004018C4 mov dword ptr [ebp-4],ecx
      004018C7 mov eax,dword ptr [__refs]
      004018CA push eax
      004018CB mov ecx,dword ptr [this]
      004018CE call _rw::rw_facet::_rw_facet (412E20h)

      004018D3 xor ecx,ecx
      004018D5 mov edx,dword ptr [this]
      004018D8 add edx,38h // the sizeof (moneypunct) == 0x38
      004018DB mov byte ptr [edx],cl // here the place of the buffer overrun

      004018DD mov eax,dword ptr [this]
      004018E0 mov dword ptr [eax],offset std::moneypunct<char,0>::`vftable' (488838h)
      004018E6 mov eax,dword ptr [this]
      004018E9 mov esp,ebp
      004018EB pop ebp
      004018EC ret 4
      -------------

      When I commented out the money_base () call, the test succeeded and the assembly code changed to:
      -------------
      _EXPLICIT moneypunct (_RWSTD_SIZE_T __refs = 0)
      : _RW::__rw_facet (__refs)/*, money_base ()*/ { }
      004018C0 push ebp
      004018C1 mov ebp,esp
      004018C3 push ecx
      004018C4 mov dword ptr [ebp-4],ecx
      004018C7 mov eax,dword ptr [__refs]
      004018CA push eax
      004018CB mov ecx,dword ptr [this]
      004018CE call _rw::rw_facet::_rw_facet (412E20h)
      004018D3 mov ecx,dword ptr [this]
      004018D6 mov dword ptr [ecx],offset std::moneypunct<char,0>::`vftable' (488838h)
      004018DC mov eax,dword ptr [this]
      004018DF mov esp,ebp
      004018E1 pop ebp
      004018E2 ret 4
      -------------

      Here is the same assembly, but in the 12s configuration:

      before change:
      -------------
      const PunctT pun;
      004018B1 push 1
      004018B3 lea ecx,[esp+0B4h]
      004018BA call _rw::rw_facet::_rw_facet (40A770h)

      004018BF mov byte ptr [esp+0E8h],bl // 0xE8 - 0xB4 == 0x34, so there is no buffer overrun here,
      // but maybe the last 4-byte member of the __rw_facet
      // (I suppose it is _C_pid) gets changed

      004018C6 mov dword ptr [esp+0B0h],offset Punct<char,0>::`vftable' (43A258h)
      -------------

      after change:
      -------------
      const PunctT pun;
      00401891 push 1
      00401893 lea ecx,[esp+0B4h]
      0040189A call _rw::rw_facet::_rw_facet (40A720h)
      0040189F mov dword ptr [esp+0B0h],offset Punct<char,0>::`vftable' (43A258h)
      -------------

      I have not verified it, but I suppose that the same problem might exist with the messages class.
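      The codegen defect above amounts to a one-byte store at this + sizeof(moneypunct): the compiler emits a zero-initialization of the empty money_base subobject even though, with the empty base class optimization, that subobject occupies no storage of its own, so the store lands either past the end of the object (15s) or on the last member of the __rw_facet base (12s). The following is an added illustration, not code from this report or from stdcxx: it uses stand-in types (rw_facet, money_base, moneypunct_explicit, moneypunct_implicit, a trailing member pid_ and a Guarded wrapper, all hypothetical names) to show the two ctor shapes from the report and a canary check that detects a write past the end of the object during construction. On a conforming compiler both constructors pass; on the affected MSVC 7.1 build the explicit form would trip the canary.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstring>
#include <iostream>
#include <new>

// Stand-in for stdcxx's __rw_facet (hypothetical layout: vptr, refcount,
// and a trailing 4-byte member playing the role of _C_pid).
struct rw_facet {
    explicit rw_facet(std::size_t refs = 0) : refs_(refs), pid_(0x5A5A5A5Au) {}
    virtual ~rw_facet() {}
    std::size_t   refs_;
    std::uint32_t pid_;   // nonzero sentinel so a stray zero-byte store is visible
};

struct money_base {};     // empty base, like std::money_base

// Ctor shape from the report: the empty base is value-initialized in the
// mem-initializer list. A conforming compiler emits no store for it.
struct moneypunct_explicit : rw_facet, money_base {
    explicit moneypunct_explicit(std::size_t refs = 0)
        : rw_facet(refs), money_base() {}
};

// Ctor shape after the reporter's workaround: the empty base is left out of
// the mem-initializer list and is default-initialized instead.
struct moneypunct_implicit : rw_facet, money_base {
    explicit moneypunct_implicit(std::size_t refs = 0) : rw_facet(refs) {}
};

// Object storage immediately followed by a canary byte. canary has alignment 1,
// so it sits exactly at storage + sizeof(T), the address the bad store hit.
template <class T>
struct Guarded {
    alignas(T) unsigned char storage[sizeof(T)];
    unsigned char canary;
};

// Construct T in guarded storage and report whether the canary survived.
template <class T>
bool construct_without_overrun(std::size_t refs) {
    Guarded<T> g;
    std::memset(&g, 0xAA, sizeof g);          // poison object bytes and canary
    T* obj = new (g.storage) T(refs);         // placement-new the facet
    bool intact = (g.canary == 0xAA);         // a store at this+sizeof(T) would zero it
    obj->~T();
    return intact;
}

// 12s-style check: did construction clobber the last member of the base?
template <class T>
bool trailing_member_intact(std::size_t refs) {
    Guarded<T> g;
    T* obj = new (g.storage) T(refs);
    bool intact = (obj->pid_ == 0x5A5A5A5Au);
    obj->~T();
    return intact;
}

// With the empty base class optimization the empty base adds no bytes, which
// is exactly why a store "into" it has nowhere legitimate to go.
bool empty_base_takes_no_space() {
    return sizeof(moneypunct_explicit) == sizeof(rw_facet)
        && sizeof(moneypunct_implicit) == sizeof(rw_facet);
}

int main() {
    std::cout << "sizeof(rw_facet)=" << sizeof(rw_facet)
              << " sizeof(moneypunct_explicit)=" << sizeof(moneypunct_explicit) << '\n';
    std::cout << "explicit money_base(): canary "
              << (construct_without_overrun<moneypunct_explicit>(1) ? "intact" : "CLOBBERED") << '\n';
    std::cout << "implicit money_base:   canary "
              << (construct_without_overrun<moneypunct_implicit>(1) ? "intact" : "CLOBBERED") << '\n';
    return 0;
}
```

      The canary approach is the same idea as the debug-heap check that produced the original "buffer overrun" failure, but placed in the object's own storage so it can be run as a plain unit test on any compiler suspected of the same defect.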

      Attachments

        1. stdcxx-554.patch
          0.9 kB
          Farid Zaripov

        People

          Assignee: Farid Zaripov
          Reporter: Farid Zaripov
          Votes: 0
          Watchers: 0