public inbox for gcc-bugs@sourceware.org
* [Bug c++/62052] New: function parameter has wrong address in lambda converted to pointer-to-function
@ 2014-08-07 16:48 redi at gcc dot gnu.org
  2014-08-07 17:19 ` [Bug c++/62052] " redi at gcc dot gnu.org
                   ` (3 more replies)
  0 siblings, 4 replies; 5+ messages in thread
From: redi at gcc dot gnu.org @ 2014-08-07 16:48 UTC (permalink / raw)
  To: gcc-bugs

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=62052

            Bug ID: 62052
           Summary: function parameter has wrong address in lambda
                    converted to pointer-to-function
           Product: gcc
           Version: 4.10.0
            Status: UNCONFIRMED
          Keywords: wrong-code
          Severity: normal
          Priority: P3
         Component: c++
          Assignee: unassigned at gcc dot gnu.org
          Reporter: redi at gcc dot gnu.org
                CC: jason at gcc dot gnu.org
            Blocks: 54367

extern "C" int printf(const char*, ...);

const char* locn = nullptr;

struct X
{
  X() {
    printf("%p cons in %s\n", this, locn);
  }
  X(X const& x) {
    printf("%p copy %p in %s\n", this, &x, locn);
  }
  ~X() {
    printf("%p dest\n", this);
  }
};

int main()
{
  locn = "main";
  auto f = [] (X xx)
  {
    locn = "lambda";
    printf("%p is &xx in lambda\n", &xx);
    return xx;
  };
  X (*ff) (X) = f;
  ff ( X{} );
}


Compiled with -std=c++11 this prints:

0x7fff50eed717 cons in main
0x7fff50eed6e0 is &xx in lambda
0x7fff50eed716 copy 0x7fff50eed6e0 in lambda
0x7fff50eed716 dest
0x7fff50eed717 dest

The second line shows the function parameter xx is at 0x7fff50eed6e0 but no
object is ever constructed (or destroyed) at that address; it should be
0x7fff50eed717.

If the lambda is invoked directly the parameter has the right address; it only
happens when converted to a pointer-to-function.

The same bug occurs with -fno-elide-constructors; there are just more
intermediate objects.

As shown at https://bugzilla.redhat.com/show_bug.cgi?id=1079788 this can cause
two unique_ptr objects to own the same memory and lead to a double free
(because the move constructor called for the lambda's return value zeros out
the wrong location).


^ permalink raw reply	[flat|nested] 5+ messages in thread

* [Bug c++/62052] function parameter has wrong address in lambda converted to pointer-to-function
From: redi at gcc dot gnu.org @ 2014-08-07 17:19 UTC (permalink / raw)
  To: gcc-bugs

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=62052

Jonathan Wakely <redi at gcc dot gnu.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
      Known to fail|                            |4.10.0, 4.7.4, 4.8.2, 4.9.1

--- Comment #1 from Jonathan Wakely <redi at gcc dot gnu.org> ---
Smaller testcase that aborts on error instead of printing addresses to stdout:

extern "C" void __attribute((noreturn)) abort();

struct X;

X const* objects[10];

int find(X const* x)
{
  for (int i=0; i<10; ++i)
    if (objects[i] == x)
      return i;
  abort();
}

struct X
{
  X() {
    objects[ find(nullptr) ] = this;
  }

  X(X const& x) {
    find(&x);
    objects[ find(nullptr) ] = this;
  }

  ~X() {
    objects[ find(this) ] = nullptr;
  }
};

int main()
{
  auto f = [] (X xx) { return xx; };
  X (*ff) (X) = f;
  ff ( X{} );
}


^ permalink raw reply	[flat|nested] 5+ messages in thread

* [Bug c++/62052] function parameter has wrong address in lambda converted to pointer-to-function
From: redi at gcc dot gnu.org @ 2014-09-12 19:02 UTC (permalink / raw)
  To: gcc-bugs

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=62052

Jonathan Wakely <redi at gcc dot gnu.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|UNCONFIRMED                 |NEW
   Last reconfirmed|                            |2014-09-12
     Ever confirmed|0                           |1
      Known to fail|4.10.0                      |5.0


^ permalink raw reply	[flat|nested] 5+ messages in thread

* [Bug c++/62052] function parameter has wrong address in lambda converted to pointer-to-function
From: redi at gcc dot gnu.org @ 2015-03-09 10:13 UTC (permalink / raw)
  To: gcc-bugs

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=62052

Jonathan Wakely <redi at gcc dot gnu.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |charlie at charliedyson dot net

--- Comment #2 from Jonathan Wakely <redi at gcc dot gnu.org> ---
*** Bug 65354 has been marked as a duplicate of this bug. ***


^ permalink raw reply	[flat|nested] 5+ messages in thread

* [Bug c++/62052] function parameter has wrong address in lambda converted to pointer-to-function
From: redi at gcc dot gnu.org @ 2015-03-09 10:15 UTC (permalink / raw)
  To: gcc-bugs

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=62052

--- Comment #3 from Jonathan Wakely <redi at gcc dot gnu.org> ---
Segfaulting testcase from PR 65354:

#include <iostream>

int main ()
{
    auto f = +[] (std::string s)
    {
      return std::string (std::move (s));
    };
    std::string s ("hello");
    f (std::move (s));
}


^ permalink raw reply	[flat|nested] 5+ messages in thread
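
The double-ownership failure described in the first message and the move-based testcase in Comment #3, as an added example that is not part of the original thread or of GCC's own testsuite: a self-checking audit that counts moves from addresses where no object was ever constructed and counts how often the owned resource is released. The Owner and Audit types and the function audit_lambda_conversion are hypothetical names introduced here; Owner only mimics the ownership transfer of unique_ptr.

```cpp
// Added example (not from the bug report): self-checking audit for the
// miscompilation described in this thread. All names are hypothetical.
#include <cstdio>
#include <set>
#include <utility>

struct Audit {
  std::set<const void*> live;  // addresses of currently constructed objects
  int bad_source = 0;          // moves whose source was never constructed
  int frees = 0;               // times the owned resource was released
};
static Audit g;

// Minimal unique_ptr-like owner: the move constructor must zero the source.
struct Owner {
  int* res;
  explicit Owner(int* r) : res(r) { g.live.insert(this); }
  Owner(Owner&& o) : res(o.res) {
    if (!g.live.count(&o)) ++g.bad_source;  // source is not a live object
    o.res = nullptr;  // with a wrong &o, the real source keeps ownership
    g.live.insert(this);
  }
  ~Owner() {
    if (res) ++g.frees;  // stand-in for delete; counting keeps the check safe
    g.live.erase(this);
  }
};

// Runs the pattern from the report and returns the audit result.
Audit audit_lambda_conversion() {
  g = Audit{};
  static int resource = 0;
  {
    Owner (*fp)(Owner) = [](Owner o) { return Owner(std::move(o)); };
    Owner src(&resource);
    Owner out = fp(std::move(src));
    (void)out;
  }
  return g;
}

int main() {
  Audit a = audit_lambda_conversion();
  std::printf("bad_source=%d frees=%d leaked=%zu\n", a.bad_source, a.frees, a.live.size());
  return (a.bad_source == 0 && a.frees == 1 && a.live.empty()) ? 0 : 1;
}
```

Built with -std=c++11 on the compiler under test, a non-zero exit status means a parameter address did not match any constructed object or the resource had more than one owner at destruction.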
