public inbox for gcc-bugs@sourceware.org help / color / mirror / Atom feed
From: "jakub at gcc dot gnu.org" <gcc-bugzilla@gcc.gnu.org> To: gcc-bugs@gcc.gnu.org Subject: [Bug other/107379] [13 regression] g++.dg/modules/adl-3_c.C and adl-4_b.C break as of r13-2887-gb04208895fed34 Date: Wed, 26 Oct 2022 10:04:17 +0000 [thread overview] Message-ID: <bug-107379-4-ce52xOTENO@http.gcc.gnu.org/bugzilla/> (raw) In-Reply-To: <bug-107379-4@http.gcc.gnu.org/bugzilla/> https://gcc.gnu.org/bugzilla/show_bug.cgi?id=107379 Jakub Jelinek <jakub at gcc dot gnu.org> changed: What |Removed |Added ---------------------------------------------------------------------------- CC| |nathan at gcc dot gnu.org, | |ppalka at gcc dot gnu.org --- Comment #1 from Jakub Jelinek <jakub at gcc dot gnu.org> --- I can reproduce, but I think this has really nothing to do with the changes except bad luck. The bug is in tree *slot = find_namespace_slot (current_namespace, name, false); if (slot) ns = reuse_namespace (slot, current_namespace, name); if (!ns) ns = make_namespace (current_namespace, name, input_location, make_inline); if (pushdecl (ns) == error_mark_node) ns = NULL_TREE; else { /* Finish up making the namespace. */ add_decl_to_level (NAMESPACE_LEVEL (current_namespace), ns); if (!slot) { slot = find_namespace_slot (current_namespace, name); /* This should find the slot created by pushdecl. */ gcc_checking_assert (slot && *slot == ns); } make_namespace_finish (ns, slot); find_namespace_slot will tree *slot = DECL_NAMESPACE_BINDINGS (ns) ->find_slot_with_hash (name, name ? IDENTIFIER_HASH_VALUE (name) : 0, create_p ? INSERT : NO_INSERT); In the <identifier_node 0x7fffe9f55ac0 details> ns case, slot is non-NULL above with a binding_vector in it. Then pushdecl is called and this does: 3659 slot = find_namespace_slot (ns, name, ns == current_namespace); where ns == current_namespace (ns is :: and name is details) is true. So this again calls 122 tree *slot = DECL_NAMESPACE_BINDINGS (ns) 123 ->find_slot_with_hash (name, name ? IDENTIFIER_HASH_VALUE (name) : 0, 124 create_p ? INSERT : NO_INSERT); but this time with create_p and so INSERT. At this point we reach 966 if (insert == INSERT && m_size * 3 <= m_n_elements * 4) 967 expand (); and when we are unlucky and the occupancy of the hash table just reached 3/4, expand () is called and the hash table is reallocated. But when that happens, it means the slot pointer in the pushdecl caller points to freed memory and so any accesses to it in make_namespace_finish will be UB. Perhaps a fix would be to do else slot = find_namespace_slot (current_namespace, name); again before make_namespace_finish (with some assertion that at least slot is non-NULL)?
next prev parent reply other threads:[~2022-10-26 10:04 UTC|newest] Thread overview: 6+ messages / expand[flat|nested] mbox.gz Atom feed top 2022-10-24 16:48 [Bug other/107379] New: " seurer at gcc dot gnu.org 2022-10-24 16:50 ` [Bug other/107379] " pinskia at gcc dot gnu.org 2022-10-26 10:04 ` jakub at gcc dot gnu.org [this message] 2022-10-26 10:17 ` jakub at gcc dot gnu.org 2022-10-27 18:11 ` [Bug c++/107379] " cvs-commit at gcc dot gnu.org 2022-12-21 13:52 ` rguenth at gcc dot gnu.org
Reply instructions: You may reply publicly to this message via plain-text email using any one of the following methods: * Save the following mbox file, import it into your mail client, and reply-to-all from there: mbox Avoid top-posting and favor interleaved quoting: https://en.wikipedia.org/wiki/Posting_style#Interleaved_style * Reply using the --to, --cc, and --in-reply-to switches of git-send-email(1): git send-email \ --in-reply-to=bug-107379-4-ce52xOTENO@http.gcc.gnu.org/bugzilla/ \ --to=gcc-bugzilla@gcc.gnu.org \ --cc=gcc-bugs@gcc.gnu.org \ /path/to/YOUR_REPLY https://kernel.org/pub/software/scm/git/docs/git-send-email.html * If your mail client supports setting the In-Reply-To header via mailto: links, try the mailto: linkBe sure your reply has a Subject: header at the top and a blank line before the message body.
This is a public inbox, see mirroring instructions for how to clone and mirror all data and code used for this inbox; as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).