From: "alexander.grund@tu-dresden.de"
To: gcc-bugs@gcc.gnu.org
Subject: [Bug c++/112301] New: Double destruction of returned object when exiting the scope causes an exception which gets rethrown
Date: Mon, 30 Oct 2023 16:14:40 +0000

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=112301

            Bug ID: 112301
           Summary: Double destruction of returned object when exiting the
                    scope causes an exception which gets rethrown
           Product: gcc
           Version: 12.3.0
            Status: UNCONFIRMED
          Severity: normal
          Priority: P3
         Component: c++
          Assignee: unassigned at gcc dot gnu.org
          Reporter: alexander.grund@tu-dresden.de
  Target Milestone: ---

Created attachment 56476
  --> https://gcc.gnu.org/bugzilla/attachment.cgi?id=56476&action=edit
More complete example with logging pointers

I debugged a heap corruption I traced back to a use-after-free caused by an
extra destructor call.

I suspect the cause could be the fix for
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=33799 where a throwing destructor
led to a missing destructor call.

It could be similar to https://gcc.gnu.org/bugzilla/show_bug.cgi?id=12751
which also had an extra destructor call generated for an already destructed
instance.

Minimized code sample:

#include <cassert>
#include <stdexcept>

int num = 0;

struct ptr{
    ptr(){ ++num; }
    ptr(ptr&&){ ++num; }
    ~ptr(){ assert(num-- > 0); }
};

struct ThrowOnExit{
    ~ThrowOnExit() noexcept(false){
        throw std::runtime_error("");
    }
};

ptr foo(ptr x){
    try{
        ThrowOnExit _;
        return x;
    }catch (const std::exception&) {
        throw;
    }
}

void wrapper(){
    try{
        foo(ptr{});
    }catch(const std::exception&){}
}

int main(){
    wrapper();
}

The assertion fails, although it should not.
Logging the constructions and destructions and removing the assert gives me
this:

construct 0x7ffd4538088e
move construct 0x7ffd4538088f
free 0x7ffd4538088f
free 0x7ffd4538088f
free 0x7ffd4538088e
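
Added example (not part of the original report or its attachment): the report's reproducer with the counter replaced by a registry of live addresses, so a second destructor call on the same object is counted and attributed to an address instead of aborting. The names LifetimeLog, g_log and run_repro are hypothetical.

```cpp
#include <cstdio>
#include <set>
#include <stdexcept>

// Registry of live object addresses. A destructor call for an address that
// is not currently live is a double destruction.
struct LifetimeLog {
    std::set<const void*> live;
    int double_destroys = 0;
    void construct(const void* p) { live.insert(p); }
    void destroy(const void* p) {
        if (live.erase(p) == 0) ++double_destroys;  // already destroyed
    }
};

LifetimeLog g_log;  // hypothetical global, stands in for the report's `num`

struct ptr {
    ptr() { g_log.construct(this); }
    ptr(ptr&&) { g_log.construct(this); }
    ~ptr() { g_log.destroy(this); }
};

struct ThrowOnExit {
    ~ThrowOnExit() noexcept(false) { throw std::runtime_error(""); }
};

ptr foo(ptr x) {
    try {
        ThrowOnExit _;
        return x;  // return object is built, then ~ThrowOnExit throws
    } catch (const std::exception&) {
        throw;
    }
}

// Runs the report's scenario and returns the number of double destructions.
int run_repro() {
    g_log = LifetimeLog{};
    try {
        foo(ptr{});
    } catch (const std::exception&) {}
    return g_log.double_destroys;
}

int main() {
    int n = run_repro();
    std::printf("double destructions: %d, still live: %zu\n", n, g_log.live.size());
    return n != 0;
}
```

The five-line log in the report corresponds to run_repro() returning 1; a conforming compiler destroys each of the two objects exactly once and returns 0.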