UB in std::vector<bool> constructors (read of uninitialized memory)

[nunoplopes]

Some std::vector<bool> constructors read uninitialized memory.
They call __vallocate, which calls new, but doesn't zero the allocated buffer. Constructors then use std::fill_n and std::copy, which in turns sets bit by bit. Since storing a bit involving reading the byte first, this operations ends up reading uninitialized memory.

This simple example clearly shows the loads directly from the new operator: https://gcc.godbolt.org/z/vKaPnfT5M

cross ref (libstdc++ has the same bug): https://gcc.gnu.org/bugzilla/show_bug.cgi?id=122506

[philnik777]

Does this matter under any circumstance?

[nunoplopes]

It does. We caught a real miscompilation in quantlib because of this bug.

[philnik777]

Oh, OK. Could you maybe share a reproducer of this? That would allow us to ensure we won't regress. I don't think any sanitizer ever caught anything there, so I assumed it wasn't optimized on (which is why I've never pursued to fix the issue).

[nunoplopes]

For full disclosure, it's correct that with the current LLVM IR semantics that reading uninitialized memory yields an undef value, the code is ok. That's because bitmasking can get rid of undef.
But we have a prototype to change this to poison, and you can't bitmask out poison bits.

While we can leave the code as-is for now, this is a heads up that some things are going to break, vector being one of those.
The fix is just a memset; not something that will havoc performance, I guess.

[frederick-vs-ja]

Such UB should be able to be caught in constant evaluation. Could you provide an example like the following?

#include <vector>

static_assert([]{
  // ...
  return true;
}());

(static_assert failure due to constant evaluation failure is expected.)