Issue 38630: NDK: stlport iterator wrapper implementation (_IteWrapper) can lead to runtime crashes.
Status:  Released
Owner:  di...@android.com
Closed:  Oct 2012
Cc:  andrewhs...@google.com
Project Member Reported by di...@android.com, Oct 18, 2012
The _IteWrapper template class under sources/cxx-stl/stlport/stlport/stl/pointers/_tools.h has an operator*() implementation that looks like the following:

  const_reference operator*() const
  { return cast_traits::to_storage_type_cref(*_M_ite); }

The problem with it is that, sometimes, the compiler will implement this by retrieving the value of *_M_ite into a temporary local variable, then apply the type-casting to_storage_type_cref operation to it.

This means that the function really returns the address of a stack-allocated variable that doesn't exist anymore (i.e. a dangling pointer).

In certain cases, this can cause crashes when said pointer is referenced.
This happened in Chrome for Android, when doing something as simple as:

  SetOfStuff set1(vector1.begin(), vector1.end());

while the corresponding operation doesn't crash:

  SetOfStuff set1;
  std::copy(vector1.begin(), vector1.end(),
            std::inserter(set1, set1.begin()));

This bug is to track the issue, and provide a bugfix, which can be done with a change like:

  const_reference operator*() const
  { return __reinterpret_cast<const_reference>(*_M_ite); }

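The mechanism described in the report, as an added example that is not stlport's code: a minimal model of an iterator wrapper whose operator*() hands a dereferenced element through a function taking a const reference. When the element type differs from the presented type and a conversion is needed, the conversion produces a temporary that dies at the end of the full expression, so the returned reference dangles. The names Storage, Value, BuggyIteWrapper, FixedIteWrapper and cast_to_value_cref are illustrative stand-ins, not the stlport identifiers, and the counters on Value are instrumentation added purely to make the lifetime observable without ever reading through the dangling reference.

```cpp
// Added example modelling the _IteWrapper defect; not stlport code.
#include <cstdio>
#include <vector>

// Representation the container actually stores (stands in for stlport's
// "storage type", shared across instantiations).
struct Storage { int payload; };

// Type the wrapper presents to its users. The converting constructor is what
// forces a temporary whenever a Storage element is passed to a function
// expecting `const Value&`.
struct Value {
    int payload;
    static int live;         // Value objects currently alive
    static int constructed;  // Value objects constructed so far
    Value(const Storage& s) : payload(s.payload) { ++live; ++constructed; }
    ~Value() { --live; }
};
int Value::live = 0;
int Value::constructed = 0;

// Stand-in for cast_traits::to_storage_type_cref: returns a reference to the
// very object it was given. Safe only if that object outlives the caller's use.
inline const Value& cast_to_value_cref(const Value& v) { return v; }

// Defective wrapper: `*it` is a `const Storage&`, which is implicitly converted
// to a Value temporary to bind the parameter. The temporary is destroyed when
// the return statement's full expression ends, so the reference escapes dead.
struct BuggyIteWrapper {
    std::vector<Storage>::const_iterator it;
    const Value& operator*() const { return cast_to_value_cref(*it); }
};

// Corrected wrapper, in the spirit of the fix proposed above: reinterpret the
// existing container element in place so no temporary is created. This is only
// sound because Storage and Value are layout-compatible here (assumption of
// this example, and the same precondition stlport's pointer specialisation
// relies on for void* versus T*).
struct FixedIteWrapper {
    std::vector<Storage>::const_iterator it;
    const Value& operator*() const { return reinterpret_cast<const Value&>(*it); }
};

// What a dereference did to object lifetimes, measured while the returned
// reference is still held. Nothing is read through the reference itself.
struct DerefReport {
    int temporaries_constructed;  // Value objects created by the dereference
    int live_while_held;          // Value objects alive while we hold the reference
    bool aliases_element;         // does the reference point at the container element?
};

template <class Wrapper>
DerefReport probe(const std::vector<Storage>& v) {
    Value::constructed = 0;
    Value::live = 0;
    Wrapper w{v.begin()};
    const Value& r = *w;  // the reference handed out by the wrapper
    DerefReport rep;
    rep.temporaries_constructed = Value::constructed;
    rep.live_while_held = Value::live;
    rep.aliases_element =
        static_cast<const void*>(&r) == static_cast<const void*>(&v.front());
    return rep;
}

// Constructed sample input for the two probes.
static std::vector<Storage> sample() { return std::vector<Storage>{{1}, {2}, {3}}; }

DerefReport probe_buggy() { std::vector<Storage> v = sample(); return probe<BuggyIteWrapper>(v); }
DerefReport probe_fixed() { std::vector<Storage> v = sample(); return probe<FixedIteWrapper>(v); }

int main() {
    DerefReport b = probe_buggy();
    DerefReport f = probe_fixed();
    // Expected: buggy builds 1 temporary, 0 alive while held, does not alias the element;
    //           fixed builds 0 temporaries and aliases the element directly.
    std::printf("buggy: temporaries=%d live=%d aliases=%d\n",
                b.temporaries_constructed, b.live_while_held, (int)b.aliases_element);
    std::printf("fixed: temporaries=%d live=%d aliases=%d\n",
                f.temporaries_constructed, f.live_while_held, (int)f.aliases_element);
    return 0;
}
```

The report for the defective wrapper shows one Value constructed and none alive while the caller still holds the reference, which is exactly the dangling state the issue describes; whether a crash follows depends on what happens to have reused that stack slot, which is why the reporter saw it in one construction pattern (range constructor) and not in another (std::copy with an inserter). A compiler may warn about returning a reference to a temporary once cast_to_value_cref is inlined; that warning is the cheapest detection available for this class of bug and is worth treating as an error in builds of code that wraps iterators this way.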
Oct 18, 2012
Project Member #1 di...@android.com
Fix uploaded at https://android-review.googlesource.com/#/c/44805/
Oct 24, 2012
Project Member #2 di...@android.com
(No comment was entered for this change.)
Status: FutureRelease
Nov 20, 2012
Project Member #3 andrewhs...@google.com
released in r8c
Status: Released