stdcxx-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Martin Sebor (JIRA)" <>
Subject [jira] Created: (STDCXX-131) SIGSEGV in std::stable_partition() due to double destruction
Date Thu, 02 Feb 2006 02:23:43 GMT
SIGSEGV in std::stable_partition() due to double destruction

         Key: STDCXX-131
     Project: C++ Standard Library
        Type: Bug
  Components: 25. Algorithms  
    Versions: 4.1.2, 4.1.3    
 Environment: all
    Reporter: Martin Sebor
     Fix For: 4.1.4


-------- Original Message --------
Subject: Re: Re: test for lib.alg.partitions
Date: Fri, 27 Jan 2006 19:01:52 +0300
From: Anton Pevtsov <>


Martin Sebor wrote:
> It's certainly possible that there is a bug in the algorithm, but I
> would be more inclined to suspect the test before the algorithm just
> because you just made making non-trivial changes to it.
> A simple test case would be helpful.

The old test version didn't exercise all possible cases. I updated the
test according to your notes and got the same results. So I still
suspect the bug in the algorithm.
The attached file stable_partition_test.cpp illustrates the problem: 
the algorithm fails when the predicate returns true for any element.

I debug the algorithm and found the following code in, line

    _Dist __fill = 0;

    const _BidirIter __res =
        __stable_partition_adaptive (__first, __last, __pred, __dist,
                                     __pair.first, __pair.second,
                                     __fill, (_TypeT*)0);

    for (_TypeT *__ptr = __pair.first + __fill; !(__pair.first ==
--__ptr); )
        (*__ptr).~_TypeT ();

If the __fill remains equal to 0 after the __stable_partition_adaptive
call the "for" will never end and will try to call destructors of
non-existing elements moving from the left bound of the given sequence
to left. Also if __fill is equal to 1 no destructors will be called, but
one should be, shouldn't it?
May be, something like this

    for (_TypeT *__ptr = __pair.first + __fill; !(__pair.first ==
__ptr--); )
        (*__ptr).~_TypeT ();
will fix the issue?

And I have another question: what will happen with the temporary buffer
in stable_partition if the X copy ctor throws an exception? It looks
like the buffer will leak.

With best wishes,
Anton Pevtsov

This message is automatically generated by JIRA.
If you think it was sent incorrectly contact one of the administrators:
For more information on JIRA, see:

View raw message