From: "jakub at gcc dot gnu.org"
To: gcc-bugs@gcc.gnu.org
Subject: [Bug other/107379] [13 regression] g++.dg/modules/adl-3_c.C and adl-4_b.C break as of r13-2887-gb04208895fed34
Date: Wed, 26 Oct 2022 10:04:17 +0000
X-Bugzilla-Product: gcc
X-Bugzilla-Component: other
X-Bugzilla-Version: 13.0
X-Bugzilla-Keywords: ice-on-valid-code, testsuite-fail
X-Bugzilla-Severity: normal
X-Bugzilla-Status: UNCONFIRMED
X-Bugzilla-Priority: P3
X-Bugzilla-Assigned-To: unassigned at gcc dot gnu.org
X-Bugzilla-Target-Milestone: 13.0
X-Bugzilla-URL: http://gcc.gnu.org/bugzilla/

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=107379

Jakub Jelinek changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |nathan at gcc dot gnu.org,
                   |                            |ppalka at gcc dot gnu.org

--- Comment #1 from Jakub Jelinek ---
I can reproduce, but I think this has really nothing to do with the changes
except bad luck.

The bug is in

      tree *slot = find_namespace_slot (current_namespace, name, false);
      if (slot)
        ns = reuse_namespace (slot, current_namespace, name);
      if (!ns)
        ns = make_namespace (current_namespace, name, input_location,
                             make_inline);

      if (pushdecl (ns) == error_mark_node)
        ns = NULL_TREE;
      else
        {
          /* Finish up making the namespace.  */
          add_decl_to_level (NAMESPACE_LEVEL (current_namespace), ns);
          if (!slot)
            {
              slot = find_namespace_slot (current_namespace, name);
              /* This should find the slot created by pushdecl.  */
              gcc_checking_assert (slot && *slot == ns);
            }
          make_namespace_finish (ns, slot);

find_namespace_slot will

  tree *slot = DECL_NAMESPACE_BINDINGS (ns)
    ->find_slot_with_hash (name, name ? IDENTIFIER_HASH_VALUE (name) : 0,
                           create_p ? INSERT : NO_INSERT);

In the ns case, slot is non-NULL above with a binding_vector in it.
Then pushdecl is called and this does:

  slot = find_namespace_slot (ns, name, ns == current_namespace);

where ns == current_namespace (ns is :: and name is details) is true.
So this again calls

  tree *slot = DECL_NAMESPACE_BINDINGS (ns)
    ->find_slot_with_hash (name, name ? IDENTIFIER_HASH_VALUE (name) : 0,
                           create_p ? INSERT : NO_INSERT);

but this time with create_p and so INSERT.  At this point we reach

  if (insert == INSERT && m_size * 3 <= m_n_elements * 4)
    expand ();

and when we are unlucky and the occupancy of the hash table just reached 3/4,
expand () is called and the hash table is reallocated.  But when that happens,
it means the slot pointer in the pushdecl caller points to freed memory and so
any accesses to it in make_namespace_finish will be UB.
Perhaps a fix would be to do

  else
    slot = find_namespace_slot (current_namespace, name);

again before make_namespace_finish (with some assertion that at least slot
is non-NULL)?
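The failure mode described in the comment, reduced to a stand-alone example (added here; this is not GCC's code): a toy open-addressing table whose INSERT lookup may rehash, a caller that keeps the slot pointer across a second INSERT, a generation counter that detects when that pointer has been invalidated instead of dereferencing it, and the suggested fix of re-looking the slot up before use. The `slot_table`, `slot_goes_stale` and `refetched_slot` names and the 3/4 occupancy rule modelled on hash_table::expand are assumptions of this example.

```cpp
#include <cassert>
#include <cstddef>
#include <string>
#include <vector>
// Toy open-addressing table modelled on gcc's hash_table: find_slot() returns a
// pointer into the bucket array, and an INSERT lookup may first grow (rehash) it.
enum insert_option { NO_INSERT, INSERT };
struct slot_table {
  std::vector<std::string> buckets = std::vector<std::string>(4);  // "" = empty
  size_t n_elements = 0, generation = 0;  // generation is bumped on every rehash
  std::string *probe(const std::string &k) {  // linear probing
    size_t i = std::hash<std::string>{}(k) % buckets.size();
    while (!buckets[i].empty() && buckets[i] != k) i = (i + 1) % buckets.size();
    return &buckets[i];
  }
  void expand() {
    std::vector<std::string> old = std::move(buckets);
    buckets.assign(old.size() * 2, "");
    for (const auto &k : old) if (!k.empty()) *probe(k) = k;
    ++generation;  // every previously returned slot pointer is now dangling
  }
  std::string *find_slot(const std::string &k, insert_option ins) {
    // gcc's 3/4 occupancy rule: expand *before* probing on INSERT
    if (ins == INSERT && buckets.size() * 3 <= n_elements * 4) expand();
    std::string *s = probe(k);
    if (!s->empty()) return s;
    if (ins == NO_INSERT) return nullptr;
    *s = k; ++n_elements;
    return s;
  }
};

// The pattern from the bug: `slot` is held across later INSERT lookups. Returns
// true when those inserts rehashed, i.e. the pointer now refers to freed storage.
bool slot_goes_stale(slot_table &t, const std::string &name, size_t extra) {
  std::string *slot = t.find_slot(name, INSERT);  // the caller keeps this pointer
  size_t gen = t.generation;
  for (size_t i = 0; i < extra; ++i)  // work done in between, e.g. pushdecl
    t.find_slot(name + std::to_string(i), INSERT);
  (void)slot;  // deliberately never dereferenced; the generation check stands in
  return gen != t.generation;
}

// The suggested fix: look the slot up again after the inserts, then use it.
std::string *refetched_slot(slot_table &t, const std::string &name, size_t extra) {
  t.find_slot(name, INSERT);
  for (size_t i = 0; i < extra; ++i) t.find_slot(name + std::to_string(i), INSERT);
  std::string *slot = t.find_slot(name, NO_INSERT);
  assert(slot && *slot == name);  // the gcc_checking_assert equivalent
  return slot;
}
```

With a 4-bucket table the fourth INSERT crosses the 3/4 threshold, so one extra insert leaves the held pointer valid while three invalidate it; AddressSanitizer would report the real code's access as a heap-use-after-free.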