Fix nullptr dereference in vector_base::fill_insert #6041

charan-003 · 2025-09-26T13:36:28Z

[BUG FIX] Fix nullptr dereference in vector_base::fill_insert for empty vectors

Summary

This PR fixes a nullptr dereference that occurs when calling fill_insert on an empty thrust::vector or thrust::device_vector. The issue was that the function would attempt to access begin(), end(), or position on unallocated storage.

Changes

Added a special case for empty vectors that:
- Handles allocation if needed
- Uses uninitialized_fill_n directly to avoid iterator operations on unallocated storage

Fixes #2964

copy-pr-bot · 2025-09-26T13:36:32Z

This pull request requires additional validation before any workflows can run on NVIDIA's runners.

Pull request vetters can view their responsibilities here.

Contributors can view more details about this message here.

charan-003 · 2025-09-26T13:41:48Z

Hi @miscco ,

Thank you for your guidance on this issue! I assume that the suggested approach of filling the entire vector with x would change the intended behavior of
fill_insert from "inserting at position" to "resizing and filling.

thrust/thrust/detail/vector_base.inl

miscco · 2025-09-29T06:26:04Z

thrust/thrust/detail/vector_base.inl

+  }
+
+  // Handle the simple case: empty vector
+  if (size() == 0)


This is a rare case that should not need a special case, I believe we should only check for capacity < n and then handle all other cases after that

Hii @miscco

Done! Now clears existing elements and sets size to 0 when n == 0
updated the code to destroy all elements before returning.

bernhardmgruber · 2025-10-07T06:55:42Z

/ok to test 08d1ded

charan-003 · 2025-10-08T23:55:44Z

@bernhardmgruber @miscco
Just wondering if there are any changes needed or anything else I should do for this PR?

bernhardmgruber · 2025-10-11T09:16:13Z

I will let @miscco review this PR next week.

charan-003 · 2025-10-31T23:01:03Z

Hi @miscco
Please let me know if any changes are needed for this PR.

miscco · 2025-11-03T10:38:57Z

/ok to test cb9806f

miscco · 2025-11-03T10:39:44Z

thrust/thrust/detail/vector_base.inl

+    if (size() > 0)
    {
-      // we've got room for all of them
-      // how many existing elements will we displace?
-      const size_type num_displaced_elements = end() - position;
-      iterator old_end                       = end();
+      m_storage.destroy(begin(), end());
+    }
+    m_size = 0;


Nitpick:

Suggested change

if (size() > 0)

{

// we've got room for all of them

// how many existing elements will we displace?

const size_type num_displaced_elements = end() - position;

iterator old_end = end();

m_storage.destroy(begin(), end());

}

m_size = 0;

if (size() > 0)

{

m_storage.destroy(begin(), end());

m_size = 0;

}

miscco · 2025-11-03T10:42:20Z

thrust/thrust/detail/vector_base.inl

+    // allocate exponentially larger new storage
+    new_capacity = ::cuda::std::max<size_type>(new_capacity, 2 * capacity());

-        // finally, fill the range to the insertion point
-        thrust::fill_n(position, n, x);
-      } // end if
-      else
-      {
-        // construct new elements at the end of the vector
-        m_storage.uninitialized_fill_n(end(), n - num_displaced_elements, x);
+    // do not exceed maximum storage
+    new_capacity = ::cuda::std::min<size_type>(new_capacity, max_size());


I believe we should rather use ::cuda::std::clamp

Suggested change

// allocate exponentially larger new storage

new_capacity = ::cuda::std::max<size_type>(new_capacity, 2 * capacity());

// finally, fill the range to the insertion point

thrust::fill_n(position, n, x);

} // end if

else

{

// construct new elements at the end of the vector

m_storage.uninitialized_fill_n(end(), n - num_displaced_elements, x);

// do not exceed maximum storage

new_capacity = ::cuda::std::min<size_type>(new_capacity, max_size());

// Ensure allocation grows exponentially wiithin bounds

new_capacity = ::cuda::std::clamp<size_type>(new_capacity, static_cast<size_type>(2 * capacity()), max_size());

miscco · 2025-11-03T10:42:54Z

thrust/thrust/detail/vector_base.inl

+    if (new_capacity > max_size())
+    {
+      throw std::length_error("insert(): insertion exceeds max_size().");
+    } // end if


Important: This cannot happen due to the clamp above

miscco · 2025-11-03T10:46:11Z

thrust/thrust/detail/vector_base.inl

+    m_storage.destroy(begin(), end());

-      storage_type new_storage(copy_allocator_t(), m_storage, new_capacity);
+    // record the vector's new state
+    m_storage.swap(new_storage);


Nitpick: we should first swap then destroy

miscco · 2025-11-03T10:47:06Z

thrust/thrust/detail/vector_base.inl

+    m_size = old_size + n;
+  }
+  else
+  {


Nitpick: I would prefer if we would return here and reduce indentation afterwards

Suggested change

m_size = old_size + n;

}

else

{

m_size = old_size + n;

return;

}

miscco · 2025-11-03T10:51:03Z

thrust/thrust/detail/vector_base.inl

-        m_storage.destroy(new_storage.begin(), new_end);
-        new_storage.deallocate();
+      // finally, fill the range to the insertion point
+      thrust::fill_n(position, n, x);


Critical: Missing include

github-actions · 2025-11-03T13:13:48Z

😬 CI Workflow Results

🟥 Finished in 2h 32m: Pass: 98%/70 | Total: 2d 15h | Max: 2h 31m | Hits: 68%/115298

See results here.

Fix nullptr dereference in vector_base::fill_insert

6edddc5

charan-003 requested a review from a team as a code owner September 26, 2025 13:36

charan-003 requested a review from gevtushenko September 26, 2025 13:36

github-project-automation bot added this to CCCL Sep 26, 2025

github-project-automation bot moved this to Todo in CCCL Sep 26, 2025

cccl-authenticator-app bot moved this from Todo to In Review in CCCL Sep 26, 2025

Merge branch 'main' into bugfix/vector_fill_insert

4534be4

miscco requested changes Sep 29, 2025

View reviewed changes

github-project-automation bot moved this from In Review to In Progress in CCCL Sep 29, 2025

handle empty vector

a03ffd1

charan-003 requested a review from miscco October 1, 2025 15:58

Merge branch 'main' into bugfix/vector_fill_insert

08d1ded

This comment has been minimized.

Sign in to view

charan-003 added 3 commits October 16, 2025 15:27

Merge branch 'main' into bugfix/vector_fill_insert

82c33b2

Merge branch 'main' into bugfix/vector_fill_insert

bbc29a8

Merge branch 'main' into bugfix/vector_fill_insert

cb9806f

miscco requested changes Nov 3, 2025

View reviewed changes

Fix nullptr dereference in vector_base::fill_insert #6041

Are you sure you want to change the base?

Fix nullptr dereference in vector_base::fill_insert #6041

Conversation

charan-003 commented Sep 26, 2025

Summary

Changes

Uh oh!

copy-pr-bot bot commented Sep 26, 2025

Uh oh!

charan-003 commented Sep 26, 2025

Uh oh!

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Choose a reason for hiding this comment

Uh oh!

bernhardmgruber commented Oct 7, 2025

Uh oh!

This comment has been minimized.

charan-003 commented Oct 8, 2025

Uh oh!

bernhardmgruber commented Oct 11, 2025

Uh oh!

charan-003 commented Oct 31, 2025

Uh oh!

miscco commented Nov 3, 2025

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Choose a reason for hiding this comment

Uh oh!

github-actions bot commented Nov 3, 2025

😬 CI Workflow Results

🟥 Finished in 2h 32m: Pass: 98%/70 | Total: 2d 15h | Max: 2h 31m | Hits: 68%/115298

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

3 participants