[Bug c++/51459] New: [4.6 Regression] 'double free or corruption' involving std::function, std::vector and lambdas

[Bug c++/51459] New: [4.6 Regression] 'double free or corruption' involving std::function, std::vector and lambdas

[kennytm at gmail dot com]

http://gcc.gnu.org/bugzilla/show_bug.cgi?id=51459

             Bug #: 51459
           Summary: [4.6 Regression] 'double free or corruption' involving
                    std::function, std::vector and lambdas
    Classification: Unclassified
           Product: gcc
           Version: 4.7.0
            Status: UNCONFIRMED
          Severity: normal
          Priority: P3
         Component: c++
        AssignedTo: unassigned@gcc.gnu.org
        ReportedBy: kennytm@gmail.com


Tested with "gcc version 4.7.0 20111112" on 64-bit Linux.

~~~~~~~~~~~~~~~~~

#include <vector>
#include <functional>

template <typename F>
std::function<void()> animate(F f) { return [=]{ f(); }; }

int main()
{
    std::vector<double> pv {0, 0};
    pv.push_back(0);

    std::function<void()> linear1 = []{};
    std::vector<std::function<void()>> av {animate(linear1), animate(linear1)};
    av[0]();

    return 0;
}

~~~~~~~~~~~~~~~~~

Compiling and running this (`g++-4.7 -std=c++11 x.cpp`) results in:

*** glibc detected *** ./a.out: double free or corruption (fasttop):
0x0000000001c7b1c0 ***
======= Backtrace: =========
/lib/libc.so.6(+0x73466)[0x7fafc7a78466]
/lib/libc.so.6(cfree+0x6c)[0x7fafc7a7c33c]
....

~~~~~~~~~~~~~~~~~

g++-4.7 -v:

Using built-in specs.
COLLECT_GCC=g++-4.7
COLLECT_LTO_WRAPPER=/usr/lib/gcc/x86_64-unknown-linux-gnu/4.7.0/lto-wrapper
Target: x86_64-unknown-linux-gnu
Configured with:
/tmp/packerbuild-0/gcc-snapshot/gcc-snapshot/src/gcc-4.7-20111112/configure
--prefix=/usr --libdir=/usr/lib --libexecdir=/usr/lib --mandir=/usr/share/man
--infodir=/usr/share/info --datadir=/usr/share/gcc-4.7
--with-bugurl='http://aur.archlinux.org/packages.php?ID=16045'
--enable-languages=c,c++,lto --enable-shared --enable-threads=posix
--with-system-zlib --enable-__cxa_atexit --disable-libunwind-exceptions
--enable-clocale=gnu --enable-gnu-unique-object --enable-linker-build-id
--with-ppl --enable-cloog-backend=isl --enable-lto --enable-gold
--enable-ld=default --enable-plugin --with-plugin-ld=ld.gold
--with-linker-hash-style=gnu --disable-multilib --disable-libssp
--disable-libstdcxx-pch --enable-checking=release --disable-werror
--program-suffix=-4.7 --enable-version-specific-runtime-libs
--disable-bootstrap
Thread model: posix
gcc version 4.7.0 20111112 (experimental) (GCC)

[Bug c++/51459] [4.6 Regression] 'double free or corruption' involving std::function, std::vector and lambdas

[kennytm at gmail dot com]

http://gcc.gnu.org/bugzilla/show_bug.cgi?id=51459

--- Comment #1 from kennytm at gmail dot com 2011-12-07 22:48:14 UTC ---
Created attachment 26018
  --> http://gcc.gnu.org/bugzilla/attachment.cgi?id=26018
The .ii file

[Bug c++/51459] [4.7 Regression] 'double free or corruption' involving std::function and lambdas

[paolo.carlini at oracle dot com]

http://gcc.gnu.org/bugzilla/show_bug.cgi?id=51459

Paolo Carlini <paolo.carlini at oracle dot com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
            Summary|[4.6 Regression] 'double    |[4.7 Regression] 'double
                   |free or corruption'         |free or corruption'
                   |involving std::function,    |involving std::function and
                   |std::vector and lambdas     |lambdas

--- Comment #2 from Paolo Carlini <paolo.carlini at oracle dot com> 2011-12-07 23:08:58 UTC ---
This is enough to see the glibc errors, and, unless I'm badly mistaken, *very*
little changed in std::function between 4.6 and 4.7, thus I doubt it's a
library issue:

#include <functional>

template <typename F>
std::function<void()> animate(F f) { return [=]{ f(); }; }

int main()
{
  std::function<void()> linear1 = []{};
  std::function<void()> av(animate(linear1));
  av();
}

[Bug c++/51459] [4.7 Regression] 'double free or corruption' involving std::function and lambdas

[rguenth at gcc dot gnu.org]

http://gcc.gnu.org/bugzilla/show_bug.cgi?id=51459

Richard Guenther <rguenth at gcc dot gnu.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
   Target Milestone|---                         |4.7.0

[Bug c++/51459] [4.7 Regression] 'double free or corruption' involving std::function and lambdas

[redi at gcc dot gnu.org]

http://gcc.gnu.org/bugzilla/show_bug.cgi?id=51459

--- Comment #3 from Jonathan Wakely <redi at gcc dot gnu.org> 2011-12-08 11:26:55 UTC ---
sans library:

struct func {
    virtual ~func() { }
    virtual void operator()() const = 0;
    virtual func* clone() const = 0;
};

template<typename T>
struct funcimpl : func {
    explicit funcimpl(T t) : t(t) { }
    void operator()() const { t(); }
    func* clone() const { return new funcimpl(*this); }
    T t;
};

struct function
{
    func* p;

    template<typename T>
        function(T t) : p(new funcimpl<T>(t)) { }

    ~function() { delete p; }

    function(const function& f) : p(f.p->clone()) { }

    function& operator=(const function& ) = delete;

    void operator()() const { (*p)(); }
};

template <typename F>
function animate(F f) { return [=]{ f(); }; }

int main()
{
  function linear1 = []{};
  function av(animate(linear1));
  av();
}

[Bug c++/51459] [4.7 Regression] 'double free or corruption' involving std::function and lambdas

[paolo.carlini at oracle dot com]

http://gcc.gnu.org/bugzilla/show_bug.cgi?id=51459

Paolo Carlini <paolo.carlini at oracle dot com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
           Keywords|                            |wrong-code
             Status|UNCONFIRMED                 |NEW
   Last reconfirmed|                            |2011-12-08
                 CC|                            |jason at gcc dot gnu.org
     Ever Confirmed|0                           |1

--- Comment #4 from Paolo Carlini <paolo.carlini at oracle dot com> 2011-12-08 11:55:05 UTC ---
Thanks a lot Jon, I was hoping for somebody like *you* doing this ;)

Anyway, the issue seems serious.

[Bug c++/51459] [4.7 Regression] 'double free or corruption' involving std::function and lambdas

[jakub at gcc dot gnu.org]

http://gcc.gnu.org/bugzilla/show_bug.cgi?id=51459

--- Comment #5 from Jakub Jelinek <jakub at gcc dot gnu.org> 2011-12-08 11:55:48 UTC ---
Indeed, with 4.6.x preprocessed source for the reduced testcase this started
failing with http://gcc.gnu.org/viewcvs?root=gcc&view=rev&rev=175158 aka
PR43912.

The only important difference at *.gimple level (except for renaming arguments
and similar debug info only related changes) seems to be:

-animate(F) [with F = std::function<void()>]::<lambda()> (const struct
__lambda0 * this)
+animate(F) [with F = std::function<void()>]::<lambda()> (const struct
__lambda0 * __closure)
 {
-  const struct function * D.9363;
+  const struct function * D.9367;
+  const struct function * D.9368;
+  const struct function f [value-expr: __closure->__f];

-  D.9363 = &this->__f;
-  std::function<void()>::operator() (D.9363);
+  try
+    {
+      D.9367 = &__closure->__f;
+      std::function<void()>::operator() (D.9367);
+    }
+  finally
+    {
+      D.9368 = &__closure->__f;
+      std::function<void()>::~function (D.9368);
+    }
 }

so before this change __closure->__f wouldn't be destructed, now it is, and
supposedly it is destructed in the caller too.

[Bug c++/51459] [4.7 Regression] 'double free or corruption' involving std::function and lambdas

[jason at gcc dot gnu.org]

http://gcc.gnu.org/bugzilla/show_bug.cgi?id=51459

Jason Merrill <jason at gcc dot gnu.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |ASSIGNED
         AssignedTo|unassigned at gcc dot       |jason at gcc dot gnu.org
                   |gnu.org                     |

[Bug c++/51459] [4.7 Regression] 'double free or corruption' involving std::function and lambdas

[jason at gcc dot gnu.org]

http://gcc.gnu.org/bugzilla/show_bug.cgi?id=51459

--- Comment #6 from Jason Merrill <jason at gcc dot gnu.org> 2011-12-08 22:28:33 UTC ---
Author: jason
Date: Thu Dec  8 22:28:29 2011
New Revision: 182141

URL: http://gcc.gnu.org/viewcvs?root=gcc&view=rev&rev=182141
Log:
    PR c++/51459
    * pt.c (tsubst_expr) [DECL_EXPR]: Handle capture proxies properly.
    * semantics.c (insert_capture_proxy): No longer static.
    * cp-tree.h: Declare it.

Added:
    trunk/gcc/testsuite/g++.dg/cpp0x/lambda/lambda-template4.C
Modified:
    trunk/gcc/cp/ChangeLog
    trunk/gcc/cp/cp-tree.h
    trunk/gcc/cp/pt.c
    trunk/gcc/cp/semantics.c
    trunk/gcc/testsuite/ChangeLog

[Bug c++/51459] [4.7 Regression] 'double free or corruption' involving std::function and lambdas

[jason at gcc dot gnu.org]

http://gcc.gnu.org/bugzilla/show_bug.cgi?id=51459

Jason Merrill <jason at gcc dot gnu.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|ASSIGNED                    |RESOLVED
         Resolution|                            |FIXED

--- Comment #7 from Jason Merrill <jason at gcc dot gnu.org> 2011-12-08 22:29:11 UTC ---
Fixed.