Boost C++ Libraries: Ticket #8667: gmp_int wrongly assumes m_data is initialised on copy assignment
https://svn.boost.org/trac10/ticket/8667

<p> Also reported on github, I can't link it because otherwise trac thinks my report is spam. </p>

<p> ... but m_data might be left uninitialised after a move and gmp will segfault. Here is a test case. </p>

<pre class="wiki">
#include &lt;boost/multiprecision/gmp.hpp&gt;
#include &lt;vector&gt;

using boost::multiprecision::mpz_int;

int main(int argc, char const *argv[])
{
    std::vector&lt;mpz_int&gt; elements_(10, 123);
    elements_.resize(1); // this leaves garbage after the end
    mpz_int e = 321;
    elements_.insert(elements_.begin(), e);
    return 0;
}
</pre>

<p> Compiled with libc++: </p>

<pre class="wiki">clang++ -g -O0 -std=c++11 -stdlib=libc++ -I$BOOST_ROOT -lgmp test.cpp -o test</pre>

<p> will segfault on the insert. </p>

<pre class="wiki">
* thread #1: tid = 0x1c03, 0x0000000100051ae4 libgmp.10.dylib`__gmpn_copyi + 548, stop reason = EXC_BAD_ACCESS (code=1, address=0x0)
    frame #0: 0x0000000100051ae4 libgmp.10.dylib`__gmpn_copyi + 548
    frame #1: 0x0000000100020e1b libgmp.10.dylib`__gmpz_set + 55
    frame #2: 0x00000001000033f7 test`boost::multiprecision::backends::gmp_int::operator=(this=0x00000001001039e0, o=0x00007fff5fbff550) + 55 at gmp.hpp:1019
    frame #3: 0x00000001000025ef test`boost::multiprecision::number&lt;boost::multiprecision::backends::gmp_int, (this=0x00000001001039e0, e=0x00007fff5fbff550)1&gt;::operator=(boost::multiprecision::number&lt;boost::multiprecision::backends::gmp_int, (boost::multiprecision::expression_template_option)1&gt; const&amp;) + 47 at number.hpp:148
    frame #4: 0x0000000100001859 test`std::__1::vector&lt;boost::multiprecision::number&lt;boost::multiprecision::backends::gmp_int, (this=0x00007fff5fbff588, __position=(null), __x=0x00007fff5fbff550)1&gt;, std::__1::allocator&lt;boost::multiprecision::number&lt;boost::multiprecision::backends::gmp_int, (boost::multiprecision::expression_template_option)1&gt; &gt; &gt;::insert(std::__1::__wrap_iter&lt;boost::multiprecision::number&lt;boost::multiprecision::backends::gmp_int, (boost::multiprecision::expression_template_option)1&gt; const*&gt;, boost::multiprecision::number&lt;boost::multiprecision::backends::gmp_int, (boost::multiprecision::expression_template_option)1&gt; const&amp;) + 841 at vector:1609
    frame #5: 0x0000000100001244 test`main(argc=1, argv=0x00007fff5fbff650) + 340 at test.cpp:11
    frame #6: 0x00007fff918ff7e1 libdyld.dylib`start + 1
</pre>

<p> The issue is in gmp_int&amp; operator = (const gmp_int&amp; o), which calls mpz_set(m_data, o.m_data), wrongly assuming m_data is in a coherent state. That is false after a move, since gmp_int(gmp_int&amp;&amp; o) sets o.m_data[0]._mp_d = 0. </p>

<p> The problem seems not to appear with libstdc++ (at least my version), perhaps because std::vector does a copy rather than a move to make space for the inserted elements. </p>

<p> I reckon the same problem might be present in other places in gmp.hpp. Wouldn't it also be better to replace o.m_data[0]._mp_d = 0 with a proper deinitialisation? </p>

<p> Comment 1 by John Maddock, Fri, 07 Jun 2013 18:21:55 GMT (https://svn.boost.org/trac10/ticket/8667#comment:1): </p>

<blockquote class="citation"> <p> I reckon the same problem might be present in other places in gmp.hpp. Wouldn't it also be better to replace o.m_data[0]._mp_d = 0 with a proper deinitialisation? </p> </blockquote>

<p> Then it would do a copy, rather than a move. </p>

<p> Looks like a straight cut-and-paste error in the code to me, the other assignment operators have it right I believe, can you try the attached? </p>

<p> John Maddock, Fri, 07 Jun 2013 18:22:29 GMT: attachment set </p>

<ul> <li><strong>attachment</strong> → <span class="trac-field-new">gmp.hpp</span> </li> </ul>

<p> Comment 2 by John Maddock, Sat, 08 Jun 2013 10:45:15 GMT (https://svn.boost.org/trac10/ticket/8667#comment:2): </p>

<p> Never mind, I have the test suite reproducing the problem now. Will post fixes shortly. </p>

<p> Comment 3 by John Maddock, Sat, 08 Jun 2013 14:07:22 GMT (https://svn.boost.org/trac10/ticket/8667#comment:3): </p>

<p> (In <a class="changeset" href="https://svn.boost.org/trac10/changeset/84687" title="Fix assignment operations to be safe after a move. Added test cases to ...">[84687]</a>) Fix assignment operations to be safe after a move. Added test cases to catch bug case. Refs <a class="closed ticket" href="https://svn.boost.org/trac10/ticket/8667" title="#8667: Bugs: gmp_int wrongly assumes m_data is initialised on copy assignment (closed: fixed)">#8667</a>. </p>

<p> Comment 4 by John Maddock, Sat, 15 Jun 2013 17:38:47 GMT (https://svn.boost.org/trac10/ticket/8667#comment:4): status changed; resolution set </p>

<ul> <li><strong>status</strong> <span class="trac-field-old">new</span> → <span class="trac-field-new">closed</span> </li> <li><strong>resolution</strong> → <span class="trac-field-new">fixed</span> </li> </ul>

<p> (In <a class="changeset" href="https://svn.boost.org/trac10/changeset/84799" title="Merge fixes for from Trunk. Fixes #8692. Fixes #8670. Fixes #8667.">[84799]</a>) Merge fixes for from Trunk. Fixes <a class="closed ticket" href="https://svn.boost.org/trac10/ticket/8692" title="#8692: Bugs: setting mpfr precision uses wrong precision and trashes value (closed: fixed)">#8692</a>. Fixes <a class="closed ticket" href="https://svn.boost.org/trac10/ticket/8670" title="#8670: Bugs: Bug in handling 0 mod n (closed: fixed)">#8670</a>. Fixes <a class="closed ticket" href="https://svn.boost.org/trac10/ticket/8667" title="#8667: Bugs: gmp_int wrongly assumes m_data is initialised on copy assignment (closed: fixed)">#8667</a>. </p>
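<p> The moved-from state the ticket describes, and the check in copy assignment that makes it safe, as an added example that is not Boost's code or the attached gmp.hpp: a small stand-in for the gmp_int backend in which model_set throws where real gmp would dereference the null _mp_d. The names limb_struct, model_init, model_clear, model_set, int_backend and the CheckMoved switch are assumptions made for the illustration. </p>

```cpp
// Added example (not Boost's code): a minimal model of the gmp_int backend
// showing the moved-from state from the ticket and the check that fixes it.
#include <cstdlib>
#include <stdexcept>
#include <utility>

// Stand-in for __mpz_struct: _mp_d is the limb pointer that gmp dereferences.
struct limb_struct { unsigned long* _mp_d; };

// Models of mpz_init / mpz_clear / mpz_set (assumed single-limb semantics).
static void model_init(limb_struct* z) {
    z->_mp_d = static_cast<unsigned long*>(std::calloc(1, sizeof(unsigned long)));
}
static void model_clear(limb_struct* z) { std::free(z->_mp_d); z->_mp_d = 0; }
static void model_set(limb_struct* dst, const limb_struct* src) {
    // Real gmp segfaults here (__gmpn_copyi with address=0x0 in the ticket's backtrace).
    if (dst->_mp_d == 0) throw std::logic_error("mpz_set on a moved-from mpz_t");
    dst->_mp_d[0] = src->_mp_d[0];
}

template <bool CheckMoved>   // false = the reported bug, true = the fix
struct int_backend {
    limb_struct m_data[1];
    explicit int_backend(unsigned long v = 0) { model_init(m_data); m_data[0]._mp_d[0] = v; }
    int_backend(const int_backend& o) { model_init(m_data); model_set(m_data, o.m_data); }
    // Move constructor: steal the limbs and leave the source hollow (_mp_d = 0), as gmp.hpp does.
    int_backend(int_backend&& o) noexcept { m_data[0] = o.m_data[0]; o.m_data[0]._mp_d = 0; }
    ~int_backend() { if (m_data[0]._mp_d) model_clear(m_data); }   // must tolerate the hollow state
    int_backend& operator=(const int_backend& o) {
        if (CheckMoved && m_data[0]._mp_d == 0) model_init(m_data); // re-initialise before mpz_set
        model_set(m_data, o.m_data);
        return *this;
    }
    int_backend& operator=(int_backend&& o) noexcept { std::swap(m_data[0], o.m_data[0]); return *this; }
    unsigned long value() const { return m_data[0]._mp_d ? m_data[0]._mp_d[0] : 0; }
};

// The ticket's scenario without std::vector: move out of an object, then copy-assign into it.
template <bool CheckMoved>
bool assign_after_move_ok() {
    try {
        int_backend<CheckMoved> a(123);
        int_backend<CheckMoved> b(std::move(a));   // a is now moved-from: a.m_data[0]._mp_d == 0
        int_backend<CheckMoved> e(321);
        a = e;                                     // copy assignment into the hollow object
        return a.value() == 321 && b.value() == 123;
    } catch (const std::logic_error&) {
        return false;                              // where the unchecked version would crash
    }
}
```

<p> assign_after_move_ok&lt;false&gt;() reproduces the report (the assignment hits a null limb pointer), while assign_after_move_ok&lt;true&gt;() shows the object being re-initialised before the copy, which is the behaviour the changeset's "safe after a move" assignment needs. </p>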