* [Bug other/107379] [13 regression] g++.dg/modules/adl-3_c.C and adl-4_b.C break as of r13-2887-gb04208895fed34
2022-10-24 16:48 [Bug other/107379] New: [13 regression] g++.dg/modules/adl-3_c.C and adl-4_b.C break as of r13-2887-gb04208895fed34 seurer at gcc dot gnu.org
@ 2022-10-24 16:50 ` pinskia at gcc dot gnu.org
2022-10-26 10:04 ` jakub at gcc dot gnu.org
` (3 subsequent siblings)
4 siblings, 0 replies; 6+ messages in thread
From: pinskia at gcc dot gnu.org @ 2022-10-24 16:50 UTC (permalink / raw)
To: gcc-bugs
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=107379
Andrew Pinski <pinskia at gcc dot gnu.org> changed:
           What    |Removed                     |Added
----------------------------------------------------------------------------
           Keywords|                            |ice-on-valid-code
   Target Milestone|---                         |13.0
* [Bug other/107379] [13 regression] g++.dg/modules/adl-3_c.C and adl-4_b.C break as of r13-2887-gb04208895fed34
From: jakub at gcc dot gnu.org @ 2022-10-26 10:04 UTC (permalink / raw)
To: gcc-bugs
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=107379
Jakub Jelinek <jakub at gcc dot gnu.org> changed:
           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |nathan at gcc dot gnu.org,
                   |                            |ppalka at gcc dot gnu.org
--- Comment #1 from Jakub Jelinek <jakub at gcc dot gnu.org> ---
I can reproduce, but I think this has really nothing to do with the changes
except bad luck.
The bug is in
  tree *slot = find_namespace_slot (current_namespace, name, false);
  if (slot)
    ns = reuse_namespace (slot, current_namespace, name);
  if (!ns)
    ns = make_namespace (current_namespace, name,
                         input_location, make_inline);
  if (pushdecl (ns) == error_mark_node)
    ns = NULL_TREE;
  else
    {
      /* Finish up making the namespace. */
      add_decl_to_level (NAMESPACE_LEVEL (current_namespace), ns);
      if (!slot)
        {
          slot = find_namespace_slot (current_namespace, name);
          /* This should find the slot created by pushdecl. */
          gcc_checking_assert (slot && *slot == ns);
        }
      make_namespace_finish (ns, slot);
find_namespace_slot will
  tree *slot = DECL_NAMESPACE_BINDINGS (ns)
    ->find_slot_with_hash (name, name ? IDENTIFIER_HASH_VALUE (name) : 0,
                           create_p ? INSERT : NO_INSERT);
In the <identifier_node 0x7fffe9f55ac0 details> ns case, slot is non-NULL above
with a binding_vector in it.
Then pushdecl is called and this does:
  slot = find_namespace_slot (ns, name, ns == current_namespace);
where ns == current_namespace (ns is :: and name is details) is true.
So this again calls
  tree *slot = DECL_NAMESPACE_BINDINGS (ns)
    ->find_slot_with_hash (name, name ? IDENTIFIER_HASH_VALUE (name) : 0,
                           create_p ? INSERT : NO_INSERT);
but this time with create_p and so INSERT.
At this point we reach
  if (insert == INSERT && m_size * 3 <= m_n_elements * 4)
    expand ();
and when we are unlucky and the occupancy of the hash table just reached 3/4,
expand () is called and the hash table is reallocated. But when that happens,
it means the slot pointer in the pushdecl caller points to freed memory and so
any accesses to it in make_namespace_finish will be UB.
Perhaps a fix would be to do else slot = find_namespace_slot
(current_namespace, name); again before make_namespace_finish (with some
assertion that at least slot is non-NULL)?
* [Bug other/107379] [13 regression] g++.dg/modules/adl-3_c.C and adl-4_b.C break as of r13-2887-gb04208895fed34
From: jakub at gcc dot gnu.org @ 2022-10-26 10:17 UTC (permalink / raw)
To: gcc-bugs
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=107379
--- Comment #2 from Jakub Jelinek <jakub at gcc dot gnu.org> ---
In (untested) patch form:
--- gcc/cp/name-lookup.cc.jj 2022-10-12 17:51:00.912944731 +0200
+++ gcc/cp/name-lookup.cc 2022-10-26 12:06:38.177590655 +0200
@@ -8596,6 +8596,13 @@ push_namespace (tree name, bool make_inl
/* This should find the slot created by pushdecl. */
gcc_checking_assert (slot && *slot == ns);
}
+ else
+ {
+ /* pushdecl could have expanded the hash table, so
+ slot might be invalid. */
+ slot = find_namespace_slot (current_namespace, name);
+ gcc_checking_assert (slot);
+ }
make_namespace_finish (ns, slot);
/* Add the anon using-directive here, we don't do it in
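Review bot: the new else branch asserts only that slot is non-NULL, while the branch directly above it asserts slot && *slot == ns, and the added comment does not say why the stronger check is dropped here. Extend the comment to explain that, so the asymmetry does not read as an oversight. Also note that gcc_checking_assert is compiled out when checking is disabled, so in such builds a NULL result from find_namespace_slot would be passed to make_namespace_finish unchecked; if that is considered impossible here, the comment is the place to say so.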
which fixes the ICE for me on the cross-compiler.
* [Bug c++/107379] [13 regression] g++.dg/modules/adl-3_c.C and adl-4_b.C break as of r13-2887-gb04208895fed34
From: cvs-commit at gcc dot gnu.org @ 2022-10-27 18:11 UTC (permalink / raw)
To: gcc-bugs
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=107379
--- Comment #3 from CVS Commits <cvs-commit at gcc dot gnu.org> ---
The master branch has been updated by Jakub Jelinek <jakub@gcc.gnu.org>:
https://gcc.gnu.org/g:a33d623d2d3a78f5ef6f9e854946303e063eef63
commit r13-3528-ga33d623d2d3a78f5ef6f9e854946303e063eef63
Author: Jakub Jelinek <jakub@redhat.com>
Date: Thu Oct 27 20:10:18 2022 +0200
c++: Fix ICE on g++.dg/modules/adl-3_c.C [PR107379]
As mentioned in the PR, apparently my r13-2887 P1467R9 changes
regressed these tests on powerpc64le-linux with IEEE quad by default.
I believe my changes just uncovered a latent bug.
The problem is that push_namespace calls find_namespace_slot,
which does:
  tree *slot = DECL_NAMESPACE_BINDINGS (ns)
    ->find_slot_with_hash (name, name ? IDENTIFIER_HASH_VALUE (name) : 0,
                           create_p ? INSERT : NO_INSERT);
In the <identifier_node 0x7fffe9f55ac0 details> ns case, slot is non-NULL
above with a binding_vector in it.
Then pushdecl is called and this does:
  slot = find_namespace_slot (ns, name, ns == current_namespace);
where ns == current_namespace (ns is :: and name is details) is true.
So this again calls
  tree *slot = DECL_NAMESPACE_BINDINGS (ns)
    ->find_slot_with_hash (name, name ? IDENTIFIER_HASH_VALUE (name) : 0,
                           create_p ? INSERT : NO_INSERT);
but this time with create_p and so INSERT.
At this point we reach
  if (insert == INSERT && m_size * 3 <= m_n_elements * 4)
    expand ();
and when we are unlucky and the occupancy of the hash table just reached 3/4,
expand () is called and the hash table is reallocated. But when that happens,
it means the slot pointer in the pushdecl caller (push_namespace) points to
freed memory and so any accesses to it in make_namespace_finish will be UB.
The following patch fixes it by calling find_namespace_slot again even if it
was non-NULL, just doesn't assert it is *slot == ns in that case (because
it often is not).
2022-10-27 Jakub Jelinek <jakub@redhat.com>
PR c++/107379
* name-lookup.cc (push_namespace): Call find_namespace_slot again
after pushdecl as the hash table might be expanded during pushdecl.
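The failure described in comment #1 and in the commit message above, reduced to a toy table as an added example (not GCC code and not part of the thread; struct table, find_slot and stale_then_refetched are hypothetical names). An insert-mode lookup of a key that already exists still runs the 3/4-occupancy test and reallocates the table, so the address obtained by the earlier lookup no longer lies inside the live array and the slot has to be looked up again.

```c
/* Added illustration; all names are hypothetical, this is not GCC's hash_table. */
#include <stdint.h>
#include <stdlib.h>
struct table { int *slots; size_t size, n; };   /* key 0 marks an empty slot */
int *find_slot(struct table *t, int key, int insert);

static void expand(struct table *t)
{
    struct table old = *t;
    *t = (struct table){ calloc(old.size * 2, sizeof(int)), old.size * 2, 0 };
    if (!t->slots) abort();
    for (size_t i = 0; i < old.size; i++)
        if (old.slots[i]) find_slot(t, old.slots[i], 1);   /* rehash */
    free(old.slots);             /* pointers into the old array now dangle */
}

/* Returns a pointer into t->slots, as find_slot_with_hash does. */
int *find_slot(struct table *t, int key, int insert)
{
    if (insert && t->size * 3 <= t->n * 4)   /* the 3/4 occupancy test */
        expand(t);
    size_t i = (size_t)key % t->size;
    while (t->slots[i] && t->slots[i] != key)
        i = (i + 1) % t->size;
    if (!t->slots[i]) {
        if (!insert) return NULL;
        t->slots[i] = key;
        t->n++;
    }
    return &t->slots[i];
}

/* Returns 1 when the early address is outside the live table and the re-fetch is valid. */
int stale_then_refetched(void)
{
    struct table t = { calloc(4, sizeof(int)), 4, 0 };
    if (!t.slots) abort();
    for (int k = 1; k <= 3; k++) find_slot(&t, k, 1);   /* occupancy hits 3/4 */
    uintptr_t early = (uintptr_t)find_slot(&t, 2, 0);   /* first lookup, address only */
    find_slot(&t, 2, 1);                  /* pushdecl's role: INSERT, expands */
    uintptr_t lo = (uintptr_t)t.slots, hi = lo + t.size * sizeof(int);
    int stale = early < lo || early >= hi;   /* stale pointer is never dereferenced */
    int *slot = find_slot(&t, 2, 0);      /* the fix: look the slot up again */
    int ok = stale && slot && *slot == 2 && t.size == 8;
    free(t.slots);
    return ok;
}

int main(void) { return stale_then_refetched() ? 0 : 1; }
```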
* [Bug c++/107379] [13 regression] g++.dg/modules/adl-3_c.C and adl-4_b.C break as of r13-2887-gb04208895fed34
From: rguenth at gcc dot gnu.org @ 2022-12-21 13:52 UTC (permalink / raw)
To: gcc-bugs
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=107379
Richard Biener <rguenth at gcc dot gnu.org> changed:
           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|UNCONFIRMED                 |RESOLVED
         Resolution|---                         |FIXED
--- Comment #4 from Richard Biener <rguenth at gcc dot gnu.org> ---
Fixed.