[Click] Repeated calls to Vector::operator= with an empty vector crash the router
Eddie Kohler
kohler at cs.ucla.edu
Wed Sep 27 11:19:37 EDT 2006
Ugh, absolutely embarrassing! This was introduced on 21 June 06 as part of a
change that prepared for eventually making Vector::size_type unsigned. Thanks
for letting us know. I've applied a different fix, and added a regression
test for the bug; please let me know if you find any problems.
Eddie
Mathias Kurth wrote:
> Hi,
>
> There is a bug in the vector code which crashes the router if you call
> the assignment operator several times with an empty vector as argument.
> Consider the following example. The empty vector w is assigned 10000
> times to v.
>
> Vector<int> v, w;
> for (int i = 0; i < 10000; i++)
> {
>     v = w;
> }
>
> On execution the application crashes. The reason is that operator= calls
> the method reserve with argument want = 0, since the size of vector w is
> 0. It seems that want = 0 is a special case for reserve. It increases
> its capacity by a factor of 2. This is repeated several times until there is
> no memory left and the new operator throws an exception. With DEQueue
> the situation is different. It uses want = -1 as a special case instead of
> 0.
>
> Checking the size of the given vector in Vector::operator= fixes the
> problem:
>
> Vector<T>::operator=(const Vector<T> &o)
>
> {
>
> if (&o != this) {
>
> for (size_type i = 0; i < _n; i++)
>
> _l[i].~T();
>
> _n = 0;
>
> - if (reserve(o._n)) {
>
> + if (o._n && reserve(o._n)) {
>
> _n = o._n;
>
> for (size_type i = 0; i < _n; i++)
>
> new(velt(i)) T(o._l[i]);
>
> }
>
> }
>
> return *this;
>
> }
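
Review bot: the `o._n &&` guard on the `reserve(o._n)` line fixes this one call site but leaves reserve's want = 0 special case in place, so by the description above any other path that passes a size of 0 to reserve would still double the capacity. Consider moving the fix into reserve itself, for example by using a distinct sentinel such as the -1 that DEQueue is said to use, so that 0 simply means no extra capacity is needed. With the guard as written, assigning an empty vector leaves _n at 0 and skips the copy loop, which is the right result; a regression test that repeats `v = w` with an empty w and checks that capacity stays bounded would pin this down.
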
>
> Kind regards,
> Mathias
>
> _______________________________________________
> click mailing list
> click at amsterdam.lcs.mit.edu
> https://amsterdam.lcs.mit.edu/mailman/listinfo/click
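
An added example, not part of the original thread and not Click's source: a simplified C++ model of the sentinel collision the report describes, where a size of 0 passed to reserve is read as a request to grow. TinyVec, grow_sentinel and the initial capacity of 4 are assumptions made for illustration; a sentinel of 0 doubles the capacity on every empty assignment, while -1 (the DEQueue convention mentioned in the report) does not.

```cpp
#include <cstddef>
#include <cstdio>
#include <cstdlib>

// Simplified model of a growable int vector (hypothetical; not Click's source).
// grow_sentinel is the `want` value that reserve() treats as "double capacity".
struct TinyVec {
    int *data = nullptr;
    int n = 0, capacity = 0;
    int grow_sentinel;
    explicit TinyVec(int sentinel) : grow_sentinel(sentinel) {}
    TinyVec(const TinyVec &) = delete;
    ~TinyVec() { std::free(data); }

    bool reserve(int want) {
        if (want == grow_sentinel)  // caller asked to grow
            want = capacity > 0 ? capacity * 2 : 4;
        if (want <= capacity)
            return true;
        void *p = std::realloc(data, sizeof(int) * static_cast<std::size_t>(want));
        if (!p) return false;
        data = static_cast<int *>(p);
        capacity = want;
        return true;
    }

    TinyVec &operator=(const TinyVec &o) {
        if (&o != this) {
            n = 0;
            if (reserve(o.n)) {  // o.n == 0 collides with a sentinel of 0
                n = o.n;
                for (int i = 0; i < n; i++)
                    data[i] = o.data[i];
            }
        }
        return *this;
    }
};

// Assign an empty vector `rounds` times and return the target's capacity.
int capacity_after_empty_assigns(int sentinel, int rounds) {
    TinyVec v(sentinel), w(sentinel);
    for (int i = 0; i < rounds; i++)
        v = w;
    return v.capacity;
}

int main() {  // constructed demo: 10 empty assignments under each convention
    std::printf("%d %d\n", capacity_after_empty_assigns(0, 10), capacity_after_empty_assigns(-1, 10));
}
```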