You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
It uses [[no_unique_address]] in its data member. But on operator=, it calls destroy_at followed by construct_at. If the data member has tail padding, the tail padding would be zeroed out. If the user put the next data in the tail padding, this would overwrite the next data member. We have done this by ourselves, e.g. in transform_view, the next data member is the underlying view and the first example shows that the underlying view's memory was zeroed out, causing it to crash
…ata that lives in the tail padding (#71314)
fixes#70506
The detailed problem description is in #70506
The original proposed fix was to remove `[[no_unique_address]]` except
when `_Tp` is empty.
Edit:
After the discussion in the comments below, the new fix here is to
remove the `[[no_unique_address]]` from `movable_box` in the cases where
we need to add our own assignment operator, which has contains the
problematic `construct_at`
std::ranges::__movable_box
can overwrite data that comes after itthis is similar to #68552
This example shows how user would hit this bug
This example explains why it happens
movable boxes are widely used in ranges.
It uses
[[no_unique_address]]
in its data member. But onoperator=
, it callsdestroy_at
followed byconstruct_at
. If the data member has tail padding, the tail padding would be zeroed out. If the user put the next data in the tail padding, this would overwrite the next data member. We have done this by ourselves, e.g. intransform_view
, the next data member is the underlying view and the first example shows that the underlying view's memory was zeroed out, causing it to crashhttps://godbolt.org/z/GcYoer4W4
https://godbolt.org/z/hvh4v1EWK
The text was updated successfully, but these errors were encountered: