You are viewing a plain text version of this content. The canonical link for it is here.
Posted to dev@stdcxx.apache.org by "Farid Zaripov (JIRA)" <ji...@apache.org> on 2007/09/14 12:48:32 UTC
[jira] Resolved: (STDCXX-554) [MSVC 7.1] Bad code generation of the
std::moneypunct ctor (and possibly of the std::messages ctor)
[ https://issues.apache.org/jira/browse/STDCXX-554?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Farid Zaripov resolved STDCXX-554.
----------------------------------
Resolution: Fixed
Fixed thus: http://svn.apache.org/viewvc?rev=575613&view=rev
> [MSVC 7.1] Bad code generation of the std::moneypunct ctor (and possibly of the std::messages ctor)
> ---------------------------------------------------------------------------------------------------
>
> Key: STDCXX-554
> URL: https://issues.apache.org/jira/browse/STDCXX-554
> Project: C++ Standard Library
> Issue Type: Bug
> Components: 22. Localization
> Affects Versions: 4.1.3, trunk
> Environment: MSVC 7.1 with Service Pack 1
> Microsoft (R) 32-bit C/C++ Optimizing Compiler Version 13.10.6030 for 80x86
> Copyright (C) Microsoft Corporation 1984-2002. All rights reserved.
> Reporter: Farid Zaripov
> Assignee: Farid Zaripov
> Fix For: 4.2
>
> Attachments: stdcxx-554.patch
>
>
> The 22.locale.money.put.cpp test fails on MSVC 7.1 (15s build type) with buffer overrun error due to bad code generation.
> Here the assembly code for moneypunct ctor:
> -------------
> _EXPLICIT moneypunct (_RWSTD_SIZE_T __refs = 0)
> : _RW::__rw_facet (__refs), money_base () { }
> 004018C0 push ebp
> 004018C1 mov ebp,esp
> 004018C3 push ecx
> 004018C4 mov dword ptr [ebp-4],ecx
> 004018C7 mov eax,dword ptr [__refs]
> 004018CA push eax
> 004018CB mov ecx,dword ptr [this]
> 004018CE call __rw::__rw_facet::__rw_facet (412E20h)
> 004018D3 xor ecx,ecx
> 004018D5 mov edx,dword ptr [this]
> 004018D8 add edx,38h // the sizeof (moneypunct) == 0x38
> 004018DB mov byte ptr [edx],cl // here the place of the buffer overrun
> 004018DD mov eax,dword ptr [this]
> 004018E0 mov dword ptr [eax],offset std::moneypunct<char,0>::`vftable' (488838h)
> 004018E6 mov eax,dword ptr [this]
> 004018E9 mov esp,ebp
> 004018EB pop ebp
> 004018EC ret 4
> -------------
> When I commented the money_base () call the test succeeded and assembly code has changed to:
> -------------
> _EXPLICIT moneypunct (_RWSTD_SIZE_T __refs = 0)
> : _RW::__rw_facet (__refs)/*, money_base ()*/ { }
> 004018C0 push ebp
> 004018C1 mov ebp,esp
> 004018C3 push ecx
> 004018C4 mov dword ptr [ebp-4],ecx
> 004018C7 mov eax,dword ptr [__refs]
> 004018CA push eax
> 004018CB mov ecx,dword ptr [this]
> 004018CE call __rw::__rw_facet::__rw_facet (412E20h)
> 004018D3 mov ecx,dword ptr [this]
> 004018D6 mov dword ptr [ecx],offset std::moneypunct<char,0>::`vftable' (488838h)
> 004018DC mov eax,dword ptr [this]
> 004018DF mov esp,ebp
> 004018E1 pop ebp
> 004018E2 ret 4
> -------------
> Here the same assembly, but in 12s configuration:
> before change:
> -------------
> const PunctT pun;
> 004018B1 push 1
> 004018B3 lea ecx,[esp+0B4h]
> 004018BA call __rw::__rw_facet::__rw_facet (40A770h)
> 004018BF mov byte ptr [esp+0E8h],bl // 0xE8 - 0xB4 == 0x34, so here not buffer overrun,
> // but maybe changed last 4-byte member of the __rw_facet
> // (I suppose is _C_pid)
> 004018C6 mov dword ptr [esp+0B0h],offset Punct<char,0>::`vftable' (43A258h)
> -------------
> after change:
> -------------
> const PunctT pun;
> 00401891 push 1
> 00401893 lea ecx,[esp+0B4h]
> 0040189A call __rw::__rw_facet::__rw_facet (40A720h)
> 0040189F mov dword ptr [esp+0B0h],offset Punct<char,0>::`vftable' (43A258h)
> -------------
> I have not verified, but I suppose that the same problem might be with messages class.
--
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.