From: "redi at gcc dot gnu.org"
To: gcc-bugs@gcc.gnu.org
Subject: [Bug c++/62052] New: function parameter has wrong address in lambda converted to pointer-to-function
Date: Thu, 07 Aug 2014 16:48:00 -0000
X-Bugzilla-URL: http://gcc.gnu.org/bugzilla/
X-SW-Source: 2014-08/txt/msg00469.txt.bz2

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=62052

            Bug ID: 62052
           Summary: function parameter has wrong address in lambda converted
                    to pointer-to-function
           Product: gcc
           Version: 4.10.0
            Status: UNCONFIRMED
          Keywords: wrong-code
          Severity: normal
          Priority: P3
         Component: c++
          Assignee: unassigned at gcc dot gnu.org
          Reporter: redi at gcc dot gnu.org
                CC: jason at gcc dot gnu.org
            Blocks: 54367

extern "C" int printf(const char*, ...);

// Records where each X is constructed, copied and destroyed so the
// address the lambda sees for its parameter can be compared against them.
const char* locn = nullptr;

struct X
{
  X() { printf("%p cons in %s\n", this, locn); }
  X(X const& x) { printf("%p copy %p in %s\n", this, &x, locn); }
  ~X() { printf("%p dest\n", this); }
};

int main()
{
  locn = "main";
  auto f = [] (X xx) {
    locn = "lambda";
    printf("%p is &xx in lambda\n", &xx);
    return xx;
  };
  // Calling through the converted pointer-to-function is what triggers the bug;
  // invoking f directly reports the correct parameter address.
  X (*ff) (X) = f;
  ff ( X{} );
}

Compiled with -std=c++11 this prints:

0x7fff50eed717 cons in main
0x7fff50eed6e0 is &xx in lambda
0x7fff50eed716 copy 0x7fff50eed6e0 in lambda
0x7fff50eed716 dest
0x7fff50eed717 dest

The second line shows the function parameter xx is at 0x7fff50eed6e0, but no object is ever constructed (or destroyed) at that address; it should be 0x7fff50eed717.

If the lambda is invoked directly the parameter has the right address; it only happens when converted to a pointer-to-function.

The same bug occurs with -fno-elide-constructors, there are just more intermediate objects.

As shown at https://bugzilla.redhat.com/show_bug.cgi?id=1079788 this can cause two unique_ptr objects to own the same memory and lead to a double free (because the move constructor called for the lambda's return value zeros out the wrong location).
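The reproducer above relies on reading addresses off the console. The program below is an added self-checking version of the same two symptoms (it is not part of the report, of the Red Hat bug, or of GCC's own test suite): one function confirms that the by-value parameter seen through a converted pointer-to-function is an object that was actually constructed, and a second counts deletions when a unique_ptr is passed through and returned from such a lambda, which is exactly the path the report says ends in a double free. Both names, the `Tracked` ledger type, and the `CountingDeleter` are assumptions introduced for this check; a correct compiler returns true and 1, the miscompilation described in the report would return false and 2.

```cpp
#include <cstdio>
#include <memory>
#include <set>

// Ledger of live objects: every Tracked registers its own address on
// construction and removes it on destruction. The report shows GCC 4.10
// handing the lambda a parameter address at which nothing was constructed,
// so a lookup of &param in this set is the automated form of that check.
static std::set<const void*> g_live;

struct Tracked
{
  Tracked() { g_live.insert(this); }
  Tracked(const Tracked&) { g_live.insert(this); }
  Tracked(Tracked&&) noexcept { g_live.insert(this); }
  ~Tracked() { g_live.erase(this); }
};

// True when the parameter observed inside the lambda, called through the
// converted pointer-to-function, is an object the ledger knows about.
bool param_address_is_live_object()
{
  g_live.clear();
  auto lam = [](Tracked t) -> bool { return g_live.count(&t) == 1; };
  bool (*fp)(Tracked) = lam;   // the conversion the report is about
  return fp(Tracked{});
}

// Deleter that counts how many times the owned pointer is released; a
// double free shows up as a count of 2 instead of 1.
static int g_deletes = 0;
struct CountingDeleter
{
  void operator()(int* p) const { ++g_deletes; delete p; }
};
using Owner = std::unique_ptr<int, CountingDeleter>;

// Passes an Owner into a captureless lambda through its pointer-to-function
// conversion and returns it, then reports how many deletions happened once
// every object is gone. Returns -1 if the value did not survive the trip.
int deletions_after_roundtrip()
{
  g_deletes = 0;
  {
    auto lam = [](Owner o) -> Owner { return o; };
    Owner (*fp)(Owner) = lam;
    Owner out = fp(Owner(new int(42)));
    if (*out != 42) return -1;
  }
  return g_deletes;
}

int main()
{
  std::printf("parameter is a live object: %s\n",
              param_address_is_live_object() ? "yes" : "NO");
  std::printf("deletions after unique_ptr round trip: %d (expect 1)\n",
              deletions_after_roundtrip());
}
```

Because the counting deleter only observes releases, a compiler with the defect would report 2 and, depending on the allocator, may also abort on the second `delete`; either outcome is the signal to look for when adding this as a regression check to a build.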