As of version 10.0.40219.1 SP1Rel, std::vector::_Reserve() contains the following code:
size_type _Size = size();
if (max_size() - _Count < _Size)
which can underflow: the subtraction is performed on an unsigned type, so when _Count is larger than max_size() the result wraps around instead of going negative. For example, in this code:
#include <tchar.h>
#include <vector>
int _tmain(int /*argc*/, _TCHAR* /*argv*/[])
{
    std::vector<int> vec;             // element type is not important; vec is empty, so size() == 0
    vec.resize( vec.max_size() + 1 ); // _Count exceeds max_size(), yet the check in _Reserve() passes
}
the restriction "_Size + _Count <= max_size()" is clearly violated, yet _Xlen() is not called from that check. Instead, control proceeds to the "else if", then to the "else", where reserve() is called, and _Xlen() is only called from inside reserve().
The reason is the following. The intention was to test (_Size + _Count) against max_size() in such a way that the sum itself cannot overflow. There were two options for doing that: either check "max_size() - _Size < _Count" or check "max_size() - _Count < _Size".
The difference is that when checking "max_size() - _Size < _Count" there is a guarantee that "max_size() >= _Size" (a vector can never hold more than max_size() elements), so the subtraction cannot underflow. Meanwhile, when checking "max_size() - _Count < _Size" there is no such guarantee: _Count is supplied by the caller and can have any value, including one that exceeds max_size(), in which case the subtraction wraps around to a large value that is never less than _Size.
Because of that the check fails in exactly the cases where _Count > max_size(), including the one in the code snippet above. The check should be rewritten in the first form, "max_size() - _Size < _Count".
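The following is an added example written for this report; it is not code from the VC10 STL. It places the shipped check and the proposed replacement side by side and compares both against a 64-bit reference computation of _Size + _Count <= max_size() over a set of constructed boundary cases. size_type is modelled as uint32_t so the wraparound behaves identically on every platform, and kMaxSize is an assumed stand-in for vector<int>::max_size() (the classic size_t(-1) / sizeof(int) value); the exact figure does not affect the argument.

```cpp
// Added example (not VC10 STL code): the two candidate overflow checks from
// _Reserve(), with an independent 64-bit reference. size_type is modelled as
// uint32_t and kMaxSize is an assumed stand-in for vector<int>::max_size().
#include <cstdint>
#include <cstdio>

using size_type = std::uint32_t;

constexpr size_type kMaxSize = UINT32_MAX / sizeof(std::int32_t); // 0x3FFFFFFF, assumed

// Check as shipped in 10.0.40219.1: "max_size() - _Count < _Size".
// When count > max_size the subtraction wraps, the left side becomes huge,
// and the comparison is false even though size + count is far too long.
bool too_long_shipped(size_type size, size_type count, size_type max_size)
{
    return max_size - count < size;
}

// The other ordering: "max_size() - _Size < _Count". size <= max_size always
// holds for a live vector, so this subtraction can never wrap.
bool too_long_fixed(size_type size, size_type count, size_type max_size)
{
    return max_size - size < count;
}

// Reference answer computed in 64 bits, where size + count cannot overflow.
bool too_long_reference(size_type size, size_type count, size_type max_size)
{
    return std::uint64_t(size) + std::uint64_t(count) > std::uint64_t(max_size);
}

using Check = bool (*)(size_type, size_type, size_type);

// Runs a check over boundary cases (constructed for this example) and returns
// how many of them it gets wrong compared to the 64-bit reference.
int count_mismatches(Check check, size_type max_size)
{
    const struct { size_type size, count; } cases[] = {
        {0, 0},            {0, max_size},      {0, max_size + 1},
        {0, UINT32_MAX},   {1, UINT32_MAX},    {1, max_size},
        {max_size, 0},     {max_size, 1},      {max_size - 1, 1},
        {max_size - 1, 2}, {max_size / 2, max_size / 2 + 1},
    };
    int mismatches = 0;
    for (const auto& c : cases)
        if (check(c.size, c.count, max_size) != too_long_reference(c.size, c.count, max_size))
            ++mismatches;
    return mismatches;
}

int main()
{
    // The report's scenario: an empty vector resized to max_size() + 1.
    std::printf("shipped check flags resize(max_size()+1): %s\n",
                too_long_shipped(0, kMaxSize + 1, kMaxSize) ? "yes" : "no");
    std::printf("fixed check flags resize(max_size()+1):   %s\n",
                too_long_fixed(0, kMaxSize + 1, kMaxSize) ? "yes" : "no");
    std::printf("mismatches vs reference: shipped=%d fixed=%d\n",
                count_mismatches(too_long_shipped, kMaxSize),
                count_mismatches(too_long_fixed, kMaxSize));
    return 0;
}
```

The shipped form misses every case in the table where count exceeds max_size, and only those; the proposed form agrees with the reference on all of them, which is what the size <= max_size invariant buys.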