id,summary,reporter,owner,description,type,status,milestone,component,version,severity,resolution,keywords,cc
602,segm. fault during std::string (STLport 5.0.2) serialization,simmeone,Robert Ramey,"{{{
There is a segmentation fault during STLport 5.0.2 std::string object serialization.
It is probably caused by the new implementation of std::string.
Now, one possible implementation of the _String_base class contains these members:
_M_buffers - union, which holds the dynamic char buffer
_M_Finish - pointer to the end of the string in the dynamic buffer
In this case it represents our string as a chain of chars which does not end with a null separator.
For example, in my debugger the string ""Un."" is represented as:
+_M_buffers._M_dynamic_buf 0x00378958 ""Un.' 'data same as trigger' parameter is not set, 'use as data' cannot be changed.ÍÍÍÍÍÍWhen 'data same as trigger' parameter is not set, 'use as data' cannot be changed.ÍÍÍÍÍÍ`Š7"" char *
-_M_finish 0x0037895b ""' 'data same as trigger' parameter is not set, 'use as data' cannot be changed.ÍÍÍÍÍÍWhen 'data same as trigger' parameter is not set, 'use as data' cannot be changed.ÍÍÍÍÍÍ`Š7"" char *

During serialization, the std::copy algorithm is used, which uses the template class escape as an iterator to iterate through the string.
In the file ../boost/archive/iterators/escape.hpp we see the function:

void increment(){
    if(++m_bnext < m_bend){
        m_current_value = *m_bnext;
        return;
    }
    ++(this->base_reference());
    m_bnext = NULL;
    m_bend = NULL;
    m_current_value = (static_cast<Derived *>(this))->fill(m_bnext, m_bend);
}

When the iterator points to the last char in the string and is then incremented, it points to the next char in the dynamic buffer _M_buffers._M_dynamic_buf - in our example with the string ""Un."" it points to the apostrophe character '\''.
Then the function ""fill"" modifies ""m_bnext"" and ""m_bend"" because of the character '\''.
In the next step, the function ""equal"" is called to check whether the copy algorithm should be stopped or not.

bool equal(const this_t & rhs) const {
    return NULL == m_bnext
        && NULL == m_bend
        && this->base_reference() == rhs.base_reference();
}

Because m_bnext and m_bend are not NULL, the copy algorithm is not stopped and goes on. This leads to a segmentation fault.
}}}",Bugs,closed,,serialization,None,,None,,