https://gcc.gnu.org/bugzilla/show_bug.cgi?id=63296

            Bug ID: 63296
           Summary: g++ reports incomplete type for static template member
                    of template class
           Product: gcc
           Version: unknown
            Status: UNCONFIRMED
          Severity: normal
          Priority: P3
         Component: c++
          Assignee: unassigned at gcc dot gnu.org
          Reporter: rogier777 at gmail dot com

G++ fails to compile the following code. IMHO, as 'staticmember' is a static
member, the code is valid and should be accepted.

Moving 'staticmember' outside the class (making it a plain static variable),
makes g++ accept the code.

Making 'myclass' a regular (non-template) class instead makes g++ accept the
code as well.

Code:
---------------------------------------------------
template<class c>
struct list {
    c member;
};

template<class c>
struct myclass {
    static list<myclass> staticmember;
};

myclass<int> myvar;
---------------------------------------------------

Compilation output (extended version with '-v -save-temps' below):
---------------------------------------------------
$ g++ -W -Wall --std=c++11 -o /dev/null try_01c.cc
try_01c.cc: In instantiation of ‘struct list<myclass<int> >’:
try_01c.cc:9:26:   required from ‘struct myclass<int>’
try_01c.cc:12:14:   required from here
try_01c.cc:4:7: error: ‘list<c>::member’ has incomplete type
     c member;
       ^
try_01c.cc:8:8: error: declaration of ‘struct myclass<int>’
 struct myclass {
        ^
---------------------------------------------------

G++ version: 4.9
(Stock debian package version 4.9.1-14)

Detailed compiler output with '-v -save-temps':
---------------------------------------------------
$ g++ -W -Wall --std=c++11 -v -save-temps -o /dev/null try_01c.cc
Using built-in specs.
COLLECT_GCC=/usr/bin/g++-4.9.real
COLLECT_LTO_WRAPPER=/usr/lib/gcc/i586-linux-gnu/4.9/lto-wrapper
Target: i586-linux-gnu
Configured with: ../src/configure -v --with-pkgversion='Debian 4.9.1-14'
--with-bugurl=file:///usr/share/doc/gcc-4.9/README.Bugs
--enable-languages=c,c++,java,go,d,fortran,objc,obj-c++ --prefix=/usr
--program-suffix=-4.9 --enable-shared --enable-linker-build-id
--libexecdir=/usr/lib --without-included-gettext --enable-threads=posix
--with-gxx-include-dir=/usr/include/c++/4.9 --libdir=/usr/lib --enable-nls
--with-sysroot=/ --enable-clocale=gnu --enable-libstdcxx-debug
--enable-libstdcxx-time=yes --enable-gnu-unique-object --disable-vtable-verify
--enable-plugin --with-system-zlib --disable-browser-plugin
--enable-java-awt=gtk --enable-gtk-cairo
--with-java-home=/usr/lib/jvm/java-1.5.0-gcj-4.9-i386/jre --enable-java-home
--with-jvm-root-dir=/usr/lib/jvm/java-1.5.0-gcj-4.9-i386
--with-jvm-jar-dir=/usr/lib/jvm-exports/java-1.5.0-gcj-4.9-i386
--with-arch-directory=i386 --with-ecj-jar=/usr/share/java/eclipse-ecj.jar
--enable-objc-gc --enable-targets=all --enable-multiarch --with-arch-32=i586
--with-multilib-list=m32,m64,mx32 --enable-multilib --with-tune=generic
--enable-checking=release --build=i586-linux-gnu --host=i586-linux-gnu
--target=i586-linux-gnu
Thread model: posix
gcc version 4.9.1 (Debian 4.9.1-14) 
COLLECT_GCC_OPTIONS='-Wextra' '-Wall' '-std=c++11' '-v' '-save-temps' '-o'
'/dev/null' '-shared-libgcc' '-mtune=generic' '-march=i586'
 /usr/lib/gcc/i586-linux-gnu/4.9/cc1plus -E -quiet -v -imultiarch
i386-linux-gnu -D_GNU_SOURCE try_01c.cc -mtune=generic -march=i586 -std=c++11
-Wextra -Wall -fpch-preprocess -o try_01c.ii
ignoring duplicate directory "/usr/include/i386-linux-gnu/c++/4.9"
ignoring nonexistent directory "/usr/local/include/i386-linux-gnu"
ignoring nonexistent directory
"/usr/lib/gcc/i586-linux-gnu/4.9/../../../../i586-linux-gnu/include"
#include "..." search starts here:
#include <...> search starts here:
 /usr/include/c++/4.9
 /usr/include/i386-linux-gnu/c++/4.9
 /usr/include/c++/4.9/backward
 /usr/lib/gcc/i586-linux-gnu/4.9/include
 /usr/local/include
 /usr/lib/gcc/i586-linux-gnu/4.9/include-fixed
 /usr/include/i386-linux-gnu
 /usr/include
End of search list.
COLLECT_GCC_OPTIONS='-Wextra' '-Wall' '-std=c++11' '-v' '-save-temps' '-o'
'/dev/null' '-shared-libgcc' '-mtune=generic' '-march=i586'
 /usr/lib/gcc/i586-linux-gnu/4.9/cc1plus -fpreprocessed try_01c.ii -quiet
-dumpbase try_01c.cc -mtune=generic -march=i586 -auxbase try_01c -Wextra -Wall
-std=c++11 -version -o try_01c.s
GNU C++ (Debian 4.9.1-14) version 4.9.1 (i586-linux-gnu)
        compiled by GNU C version 4.9.1, GMP version 6.0.0, MPFR version
3.1.2-p3, MPC version 1.0.2
GGC heuristics: --param ggc-min-expand=100 --param ggc-min-heapsize=131072
GNU C++ (Debian 4.9.1-14) version 4.9.1 (i586-linux-gnu)
        compiled by GNU C version 4.9.1, GMP version 6.0.0, MPFR version
3.1.2-p3, MPC version 1.0.2
GGC heuristics: --param ggc-min-expand=100 --param ggc-min-heapsize=131072
Compiler executable checksum: 4eca7bfa4a918deb01db62dfdef571b2
try_01c.cc: In instantiation of ‘struct list<myclass<int> >’:
try_01c.cc:9:26:   required from ‘struct myclass<int>’
try_01c.cc:12:14:   required from here
try_01c.cc:4:7: error: ‘list<c>::member’ has incomplete type
     c member;
       ^
try_01c.cc:8:8: error: declaration of ‘struct myclass<int>’
 struct myclass {
        ^
---------------------------------------------------
>From gcc-bugs-return-462011-listarch-gcc-bugs=gcc.gnu.org@gcc.gnu.org Thu Sep 18 15:13:55 2014
Return-Path: <gcc-bugs-return-462011-listarch-gcc-bugs=gcc.gnu.org@gcc.gnu.org>
Delivered-To: listarch-gcc-bugs@gcc.gnu.org
Received: (qmail 20921 invoked by alias); 18 Sep 2014 15:13:54 -0000
Mailing-List: contact gcc-bugs-help@gcc.gnu.org; run by ezmlm
Precedence: bulk
List-Id: <gcc-bugs.gcc.gnu.org>
List-Archive: <http://gcc.gnu.org/ml/gcc-bugs/>
List-Post: <mailto:gcc-bugs@gcc.gnu.org>
List-Help: <mailto:gcc-bugs-help@gcc.gnu.org>
Sender: gcc-bugs-owner@gcc.gnu.org
Delivered-To: mailing list gcc-bugs@gcc.gnu.org
Received: (qmail 20893 invoked by uid 48); 18 Sep 2014 15:13:50 -0000
From: "chefmax at gcc dot gnu.org" <gcc-bugzilla@gcc.gnu.org>
To: gcc-bugs@gcc.gnu.org
Subject: [Bug testsuite/63297] New: ASan reported heap-use-after-free in g++.old-deja/g++.law/virtual3.C.
Date: Thu, 18 Sep 2014 15:13:00 -0000
X-Bugzilla-Reason: CC
X-Bugzilla-Type: new
X-Bugzilla-Watch-Reason: None
X-Bugzilla-Product: gcc
X-Bugzilla-Component: testsuite
X-Bugzilla-Version: 5.0
X-Bugzilla-Keywords:
X-Bugzilla-Severity: normal
X-Bugzilla-Who: chefmax at gcc dot gnu.org
X-Bugzilla-Status: UNCONFIRMED
X-Bugzilla-Priority: P3
X-Bugzilla-Assigned-To: unassigned at gcc dot gnu.org
X-Bugzilla-Target-Milestone: ---
X-Bugzilla-Flags:
X-Bugzilla-Changed-Fields: bug_id short_desc product version bug_status bug_severity priority component assigned_to reporter cf_gcchost cf_gcctarget attachments.created
Message-ID: <bug-63297-4@http.gcc.gnu.org/bugzilla/>
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: 7bit
X-Bugzilla-URL: http://gcc.gnu.org/bugzilla/
Auto-Submitted: auto-generated
MIME-Version: 1.0
X-SW-Source: 2014-09/txt/msg01845.txt.bz2
Content-length: 5039

https://gcc.gnu.org/bugzilla/show_bug.cgi?idc297

            Bug ID: 63297
           Summary: ASan reported heap-use-after-free in
                    g++.old-deja/g++.law/virtual3.C.
           Product: gcc
           Version: 5.0
            Status: UNCONFIRMED
          Severity: normal
          Priority: P3
         Component: testsuite
          Assignee: unassigned at gcc dot gnu.org
          Reporter: chefmax at gcc dot gnu.org
              Host: x86_64-pc-linux-gnu
            Target: x86_64-pc-linux-gnu

Created attachment 33512
  --> https://gcc.gnu.org/bugzilla/attachment.cgi?id3512&actioníit
This trivial patch seems to fix the issue.

ASan reported heap-use-after-free in g++.old-deja/g++.law/virtual3.C:

$ ~/install/master/bin/g++ gcc/testsuite/g++.old-deja/g++.law/virtual3.C
-fsanitize­dress

$ ./a.out

=================================================================&271==ERROR: AddressSanitizer: heap-use-after-free on address 0x60300000eff8
at pc 0x7fd84fbb6470 bp 0x7fff4d8204a0 sp 0x7fff4d81fc60
READ of size 5 at 0x60300000eff8 thread T0
    #0 0x7fd84fbb646f in __interceptor_strlen
/home/max/workspace/downloads/gcc/libsanitizer/asan/asan_interceptors.cc:536
    #1 0x7fd84f8ed2d8 in std::char_traits<char>::length(char const*)
/home/max/build/master-x86_64/x86_64-unknown-linux-gnu/libstdc++-v3/include/bits/char_traits.h:263
    #2 0x7fd84f8ed2d8 in std::basic_ostream<char, std::char_traits<char> >&
std::operator<< <std::char_traits<char> >(std::basic_ostream<char,
std::char_traits<char> >&, char const*)
/home/max/build/master-x86_64/x86_64-unknown-linux-gnu/libstdc++-v3/include/ostream:536
    #3 0x401515 in BugStream::eval()
(/home/max/workspace/downloads/gcc/a.out+0x401515)
    #4 0x4015ef in operator<<(std::ostream&, Eval_)
(/home/max/workspace/downloads/gcc/a.out+0x4015ef)
    #5 0x401699 in main (/home/max/workspace/downloads/gcc/a.out+0x401699)
    #6 0x7fd84efa576c in __libc_start_main
(/lib/x86_64-linux-gnu/libc.so.6+0x2176c)
    #7 0x4013c8 (/home/max/workspace/downloads/gcc/a.out+0x4013c8)

0x60300000eff8 is located 24 bytes inside of 30-byte region
[0x60300000efe0,0x60300000effe)
freed by thread T0 here:
    #0 0x7fd84fbf36a9 in operator delete(void*)
/home/max/workspace/downloads/gcc/libsanitizer/asan/asan_new_delete.cc:85
    #1 0x7fd84f914eef in std::string::_Rep::_M_dispose(std::allocator<char>
const&)
/home/max/build/master-x86_64/x86_64-unknown-linux-gnu/libstdc++-v3/include/bits/basic_string.h:249
    #2 0x7fd84f914eef in std::basic_string<char, std::char_traits<char>,
std::allocator<char> >::~basic_string()
/home/max/build/master-x86_64/x86_64-unknown-linux-gnu/libstdc++-v3/include/bits/basic_string.h:547
    #3 0x4015ef in operator<<(std::ostream&, Eval_)
(/home/max/workspace/downloads/gcc/a.out+0x4015ef)
    #4 0x401699 in main (/home/max/workspace/downloads/gcc/a.out+0x401699)
    #5 0x7fd84efa576c in __libc_start_main
(/lib/x86_64-linux-gnu/libc.so.6+0x2176c)

previously allocated by thread T0 here:
    #0 0x7fd84fbf3169 in operator new(unsigned long)
/home/max/workspace/downloads/gcc/libsanitizer/asan/asan_new_delete.cc:53
    #1 0x7fd84f914d18 in __gnu_cxx::new_allocator<char>::allocate(unsigned
long, void const*)
/home/max/build/master-x86_64/x86_64-unknown-linux-gnu/libstdc++-v3/include/ext/new_allocator.h:104
    #2 0x7fd84f914d18 in std::string::_Rep::_S_create(unsigned long, unsigned
long, std::allocator<char> const&)
/home/max/build/master-x86_64/x86_64-unknown-linux-gnu/libstdc++-v3/include/bits/basic_string.tcc:607

SUMMARY: AddressSanitizer: heap-use-after-free
/home/max/workspace/downloads/gcc/libsanitizer/asan/asan_interceptors.cc:536
__interceptor_strlen
Shadow bytes around the buggy address:
  0x0c067fff9da0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c067fff9db0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c067fff9dc0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c067fff9dd0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c067fff9de0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
=>0x0c067fff9df0: fa fa fa fa fa fa fa fa fa fa fa fa fd fd fd[fd]
  0x0c067fff9e00: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c067fff9e10: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c067fff9e20: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c067fff9e30: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c067fff9e40: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  ASan internal:           fe
=&271=«ORTING