[Bug other/107379] [13 regression] g++.dg/modules/adl-3_c.C and adl-4_b.C break as of r13-2887-gb04208895fed34

["jakub at gcc dot gnu.org" <gcc-bugzilla@gcc.gnu.org>]

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=107379

Jakub Jelinek <jakub at gcc dot gnu.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |nathan at gcc dot gnu.org,
                   |                            |ppalka at gcc dot gnu.org

--- Comment #1 from Jakub Jelinek <jakub at gcc dot gnu.org> ---
I can reproduce, but I think this has really nothing to do with the changes
except bad luck.
The bug is in
      tree *slot = find_namespace_slot (current_namespace, name, false);
      if (slot)
        ns = reuse_namespace (slot, current_namespace, name);
      if (!ns)
        ns = make_namespace (current_namespace, name,
                             input_location, make_inline);

      if (pushdecl (ns) == error_mark_node)
        ns = NULL_TREE;
      else
        {
          /* Finish up making the namespace.  */
          add_decl_to_level (NAMESPACE_LEVEL (current_namespace), ns);
          if (!slot)
            {
              slot = find_namespace_slot (current_namespace, name);
              /* This should find the slot created by pushdecl.  */
              gcc_checking_assert (slot && *slot == ns);
            }
          make_namespace_finish (ns, slot);
find_namespace_slot will
  tree *slot = DECL_NAMESPACE_BINDINGS (ns)
    ->find_slot_with_hash (name, name ? IDENTIFIER_HASH_VALUE (name) : 0,
                           create_p ? INSERT : NO_INSERT);
In the <identifier_node 0x7fffe9f55ac0 details> ns case, slot is non-NULL above
with a binding_vector in it.
Then pushdecl is called and this does:
3659              slot = find_namespace_slot (ns, name, ns ==
current_namespace);
where ns == current_namespace (ns is :: and name is details) is true.
So this again calls
122       tree *slot = DECL_NAMESPACE_BINDINGS (ns)
123         ->find_slot_with_hash (name, name ? IDENTIFIER_HASH_VALUE (name) :
0,
124                                create_p ? INSERT : NO_INSERT);
but this time with create_p and so INSERT.
At this point we reach
966       if (insert == INSERT && m_size * 3 <= m_n_elements * 4)
967         expand ();
and when we are unlucky and the occupancy of the hash table just reached 3/4,
expand () is called and the hash table is reallocated.  But when that happens,
it means the slot pointer in the pushdecl caller points to freed memory and so
any accesses to it in make_namespace_finish will be UB.
Perhaps a fix would be to do else slot = find_namespace_slot
(current_namespace, name); again before make_namespace_finish (with some
assertion that at least slot is non-NULL)?