* [Bug c++/65970] [C++14] Endless loop with constexpr
2015-05-01 19:39 [Bug c++/65970] New: [C++14] Endless loop with constexpr reichelt at gcc dot gnu.org
From: trippels at gcc dot gnu.org @ 2015-08-29 16:35 UTC (permalink / raw)
To: gcc-bugs
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=65970
Markus Trippelsdorf <trippels at gcc dot gnu.org> changed:
            What    |Removed                     |Added
----------------------------------------------------------------------------
          Status|UNCONFIRMED                 |NEW
 Last reconfirmed|                            |2015-08-29
              CC|                            |trippels at gcc dot gnu.org
  Ever confirmed|0                           |1
--- Comment #1 from Markus Trippelsdorf <trippels at gcc dot gnu.org> ---
Confirmed. Loops in:
3014 static tree
3015 cxx_eval_loop_expr (const constexpr_ctx *ctx, tree t,
3016                     bool *non_constant_p, bool *overflow_p,
3017                     tree *jump_target)
3018 {
3019   tree body = TREE_OPERAND (t, 0);
3020   while (true)
3021     {
3022       cxx_eval_statement_list (ctx, body,
3023                                non_constant_p, overflow_p, jump_target);
3024       if (returns (jump_target) || breaks (jump_target) || *non_constant_p)
3025         break;
3026     }
3027   if (breaks (jump_target))
3028     *jump_target = NULL_TREE;
3029   return NULL_TREE;
3030 }
A variant ICEs:
markus@x4 tmp % cat const.ii
constexpr int foo() {
  while (true)
    ;
  return 0;
}
int i = foo();
markus@x4 tmp % g++ -std=c++14 -c const.ii
const.ii:7:12: in constexpr expansion of ‘foo()’
const.ii:7:13: internal compiler error: tree check: expected statement_list, have nop_expr in tsi_start, at tree-iterator.h:42
int i = foo();
^
0xeef92c tree_check_failed(tree_node const*, char const*, int, char const*, ...)
../../gcc/gcc/tree.c:9499
0x59db9a tree_check(tree_node*, char const*, int, char const*, tree_code)
../../gcc/gcc/tree.h:2858
0x59db9a tsi_start
../../gcc/gcc/tree-iterator.h:42
0x7f085f tsi_start
../../gcc/gcc/cp/constexpr.c:2949
0x7f085f cxx_eval_statement_list
../../gcc/gcc/cp/constexpr.c:2980
0x7eacb6 cxx_eval_loop_expr
../../gcc/gcc/cp/constexpr.c:3023
0x7eacb6 cxx_eval_constant_expression
../../gcc/gcc/cp/constexpr.c:3646
0x7f06e6 cxx_eval_statement_list
../../gcc/gcc/cp/constexpr.c:2996
0x7eb3a4 cxx_eval_constant_expression
../../gcc/gcc/cp/constexpr.c:3580
0x7ea3ba cxx_eval_call_expression
../../gcc/gcc/cp/constexpr.c:1379
0x7eb191 cxx_eval_constant_expression
../../gcc/gcc/cp/constexpr.c:3205
0x7f0991 cxx_eval_outermost_constant_expr
../../gcc/gcc/cp/constexpr.c:3740
0x7f2b3f maybe_constant_init(tree_node*, tree_node*)
../../gcc/gcc/cp/constexpr.c:3943
0x67f5dc store_init_value(tree_node*, tree_node*, vec<tree_node*, va_gc, vl_embed>**, int)
../../gcc/gcc/cp/typeck2.c:826
0x5e83df check_initializer
../../gcc/gcc/cp/decl.c:6089
0x607884 cp_finish_decl(tree_node*, tree_node*, bool, tree_node*, int)
../../gcc/gcc/cp/decl.c:6714
0x704895 cp_parser_init_declarator
../../gcc/gcc/cp/parser.c:17846
0x707155 cp_parser_simple_declaration
../../gcc/gcc/cp/parser.c:11681
0x7008f3 cp_parser_block_declaration
../../gcc/gcc/cp/parser.c:11555
0x70c737 cp_parser_declaration
../../gcc/gcc/cp/parser.c:11452
Please submit a full bug report,
with preprocessed source if appropriate.
Please include the complete backtrace with any bug report.
See <http://gcc.gnu.org/bugs.html> for instructions.
markus@x4 tmp % clang++ -Wall -Wextra -std=c++14 -c const.ii
const.ii:1:15: error: constexpr function never produces a constant expression
[-Winvalid-constexpr]
constexpr int foo() {
^
const.ii:3:5: note: constexpr evaluation hit maximum step limit; possible
infinite loop?
;
^
1 error generated.
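The quoted `cxx_eval_loop_expr` places no bound on how many iterations it evaluates, so a body that never breaks or returns keeps the compiler spinning; clang's diagnostic above shows the alternative of charging every iteration against a step budget and giving up with "not a constant expression" once it is exhausted. The program below is an added illustration of that design, not GCC's or clang's code: the callback loop bodies, the `MAX_STEPS` budget and all function names are constructed for the example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Added example, not GCC's code: a toy model of how a constant evaluator
   can run a loop body under a step budget instead of looping forever.
   The body is a callback telling the evaluator whether it broke or returned. */

typedef enum { BODY_CONTINUE, BODY_BREAK, BODY_RETURN } body_result;
typedef body_result (*body_fn)(void *state);

typedef enum { LOOP_DONE, LOOP_STEP_LIMIT } loop_status;

/* Assumed budget for the example; clang's "maximum step limit" plays the
   same role, with its own default value. */
#define MAX_STEPS 1000000UL

/* Bounded counterpart of the while (true) loop quoted above: every
   iteration is charged to *steps_left, and exhausting the budget reports
   LOOP_STEP_LIMIT (the evaluation is then treated as non-constant) rather
   than spinning until the process is killed. */
loop_status eval_loop_bounded(body_fn body, void *state, unsigned long *steps_left)
{
    while (true)
    {
        if (*steps_left == 0)
            return LOOP_STEP_LIMIT;
        (*steps_left)--;
        body_result r = body(state);
        if (r == BODY_BREAK || r == BODY_RETURN)
            return LOOP_DONE;
    }
}

/* Constructed loop bodies standing in for the evaluated statement lists. */
static body_result infinite_body(void *state)   /* while (true) ; */
{
    (void)state;
    return BODY_CONTINUE;
}

static body_result count_to_ten(void *state)    /* while (true) { if (++i >= 10) break; } */
{
    int *i = state;
    return (++*i >= 10) ? BODY_BREAK : BODY_CONTINUE;
}

/* Evaluate the infinite loop under the budget; returns LOOP_STEP_LIMIT. */
loop_status run_infinite(void)
{
    unsigned long budget = MAX_STEPS;
    return eval_loop_bounded(infinite_body, NULL, &budget);
}

/* Evaluate the terminating loop; returns the iteration count on success,
   -1 if the budget ran out. */
int run_finite(void)
{
    unsigned long budget = MAX_STEPS;
    int i = 0;
    if (eval_loop_bounded(count_to_ten, &i, &budget) != LOOP_DONE)
        return -1;
    return i;
}

int main(void)
{
    printf("while (true);    -> %s\n",
           run_infinite() == LOOP_STEP_LIMIT ? "step limit hit, not a constant expression"
                                             : "done");
    printf("loop with break  -> done after %d iterations\n", run_finite());
    return 0;
}
```

The budget is threaded through as a pointer so that nested loops and recursive calls share one counter; a per-loop counter would let an outer loop multiply the work of an inner one without either tripping the limit.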
From: "brian.carpenter at gmail dot com" <gcc-bugzilla@gcc.gnu.org>
To: gcc-bugs@gcc.gnu.org
Subject: [Bug c++/67393] New: segfault in cxxfilt in d_unqualified_name () at ./cp-demangle.c:1547
Date: Sat, 29 Aug 2015 17:04:00 -0000
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=67393
Bug ID: 67393
Summary: segfault in cxxfilt in d_unqualified_name () at ./cp-demangle.c:1547
Product: gcc
Version: 4.9.2
Status: UNCONFIRMED
Severity: critical
Priority: P3
Component: c++
Assignee: unassigned at gcc dot gnu.org
Reporter: brian.carpenter at gmail dot com
Target Milestone: ---
I was fuzzing binutils/cxxfilt with AFL (http://lcamtuf.coredump.cx/afl/) and
came across a crash and was told that it was a gcc bug not a cxxfilt bug. This
is with GCC 4.9.2 on Debian 7 (x64).
./cxxfilt _Z6600000000
Valgrind:
==5143== Invalid read of size 1
==5143==    at 0x80CDBF: d_unqualified_name (cp-demangle.c:1547)
==5143==    by 0x813F87: d_name (cp-demangle.c:1391)
==5143==    by 0x815BE7: d_encoding (cp-demangle.c:1257)
==5143==    by 0x8189F4: cplus_demangle_mangled_name (cp-demangle.c:1172)
==5143==    by 0x81AD60: d_demangle_callback (cp-demangle.c:5886)
==5143==    by 0x81AD60: d_demangle (cp-demangle.c:5937)
==5143==    by 0x81AD60: cplus_demangle_v3 (cp-demangle.c:6094)
==5143==    by 0x783A73: cplus_demangle (cplus-dem.c:864)
==5143==    by 0x408192: demangle_it (cxxfilt.c:62)
==5143==    by 0x407618: main (cxxfilt.c:227)
==5143==  Address 0xffffffff8ae0ae97 is not stack'd, malloc'd or (recently) free'd
==5143==
==5143==
==5143== Process terminating with default action of signal 11 (SIGSEGV)
==5143==  Access not within mapped region at address 0xFFFFFFFF8AE0AE97
==5143==    at 0x80CDBF: d_unqualified_name (cp-demangle.c:1547)
==5143==    by 0x813F87: d_name (cp-demangle.c:1391)
==5143==    by 0x815BE7: d_encoding (cp-demangle.c:1257)
==5143==    by 0x8189F4: cplus_demangle_mangled_name (cp-demangle.c:1172)
==5143==    by 0x81AD60: d_demangle_callback (cp-demangle.c:5886)
==5143==    by 0x81AD60: d_demangle (cp-demangle.c:5937)
==5143==    by 0x81AD60: cplus_demangle_v3 (cp-demangle.c:6094)
==5143==    by 0x783A73: cplus_demangle (cplus-dem.c:864)
==5143==    by 0x408192: demangle_it (cxxfilt.c:62)
==5143==    by 0x407618: main (cxxfilt.c:227)
==5143==  If you believe this happened as a result of a stack
==5143==  overflow in your program's main thread (unlikely but
==5143==  possible), you can try to increase the size of the
==5143==  main thread stack using the --main-stacksize= flag.
==5143==  The main thread stack size used in this run was 8388608.
Segmentation fault
GDB:
Program received signal SIGSEGV, Segmentation fault.
0x000000000080cdbf in d_unqualified_name () at ./cp-demangle.c:1547
1547 ret = d_source_name (di);
(gdb) bt
#0 0x000000000080cdbf in d_unqualified_name () at ./cp-demangle.c:1547
#1 0x0000000000813f88 in d_name () at ./cp-demangle.c:1391
#2 0x0000000000815be8 in d_encoding () at ./cp-demangle.c:1257
#3 0x00000000008189f5 in cplus_demangle_mangled_name () at ./cp-demangle.c:1172
#4 0x000000000081ad61 in cplus_demangle_v3 () at ./cp-demangle.c:5886
#5 0x0000000000783a74 in cplus_demangle ()
#6 0x0000000000408193 in demangle_it () at cxxfilt.c:62
#7 0x0000000000407619 in main () at cxxfilt.c:227
(gdb) i r
rax 0x7fffffffde30 140737488346672
rbx 0x7fffffffe0c0 140737488347328
rcx 0xabe2e1 11264737
rdx 0x0 0
rsi 0xffffffff8a0fe4ec -1978669844
rdi 0x0 0
rbp 0x7fffffffde30 0x7fffffffde30
rsp 0x7fffffffdcf0 0x7fffffffdcf0
r8 0xffffffd0 4294967248
r9 0x0 0
r10 0xffffffff8a0fe4ec -1978669844
r11 0x18 24
r12 0x1 1
r13 0x7fffffffe080 140737488347264
r14 0x10b 267
r15 0xffffffffbc6 17592186043334
rip 0x80cdbf 0x80cdbf <d_unqualified_name+1439>
eflags 0x10202 [ IF RF ]
cs 0x33 51
ss 0x2b 43
ds 0x0 0
es 0x0 0
fs 0x0 0
gs 0x0 0
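The crashing input `_Z6600000000` is the `_Z` prefix followed by a decimal length, which is how an Itanium `<source-name>` (`<length> <identifier>`) begins; 6600000000 does not fit in a 32-bit `int` and is far longer than the input, and the fault address `0xffffffff8ae0ae97` in the Valgrind output is consistent with a pointer offset by a sign-extended wrapped value. The parser below is an added example, not libiberty's `d_source_name`, showing the two checks a length-prefixed field needs before any byte is read: the number is rejected before it can overflow, and the length is compared against the remaining input. `demangle_input`, `parse_number`, `parse_source_name` and the sample inputs are constructed for the example.

```c
#include <limits.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Added example, not libiberty's code: a bounds-checked parser for the
   Itanium <source-name> production (<positive length number> <identifier>). */

typedef struct {
    const char *s;      /* start of the mangled text */
    size_t len;         /* total length of the text */
    size_t pos;         /* current offset into it */
} demangle_input;

/* Parse a decimal number, refusing anything that does not fit in int.
   Returns false on overflow or when no digit is present. */
static bool parse_number(demangle_input *di, int *out)
{
    if (di->pos >= di->len || di->s[di->pos] < '0' || di->s[di->pos] > '9')
        return false;
    int value = 0;
    while (di->pos < di->len && di->s[di->pos] >= '0' && di->s[di->pos] <= '9') {
        int digit = di->s[di->pos] - '0';
        if (value > (INT_MAX - digit) / 10)
            return false;           /* would wrap; 6600000000 exceeds INT_MAX */
        value = value * 10 + digit;
        di->pos++;
    }
    *out = value;
    return true;
}

/* Parse "_Z" <length> <identifier>, copying the identifier into out
   (NUL-terminated). Returns the identifier length, or -1 when the length is
   missing, non-positive, overflows, or exceeds the remaining input or out. */
int parse_source_name(const char *mangled, char *out, size_t out_size)
{
    demangle_input di = { mangled, strlen(mangled), 0 };
    if (di.len < 2 || di.s[0] != '_' || di.s[1] != 'Z')
        return -1;
    di.pos = 2;
    int length;
    if (!parse_number(&di, &length) || length <= 0)
        return -1;
    /* The identifier must lie entirely inside the input that was given. */
    if ((size_t)length > di.len - di.pos)
        return -1;
    if ((size_t)length >= out_size)
        return -1;
    memcpy(out, di.s + di.pos, (size_t)length);
    out[length] = '\0';
    return length;
}

int main(void)
{
    /* Constructed inputs: a well-formed name, the reported crasher, and a
       length that is valid as a number but runs past the end of the input. */
    const char *inputs[] = { "_Z3foov", "_Z6600000000", "_Z9abc" };
    char ident[64];
    for (size_t i = 0; i < sizeof inputs / sizeof inputs[0]; i++) {
        int n = parse_source_name(inputs[i], ident, sizeof ident);
        if (n < 0)
            printf("%-14s -> rejected (bad or out-of-range length)\n", inputs[i]);
        else
            printf("%-14s -> identifier \"%s\" (%d bytes)\n", inputs[i], ident, n);
    }
    return 0;
}
```

The overflow check is done before the multiply, not after, because once an `int` has wrapped the sign of the result is already lost and a later `length < 0` test is not guaranteed to catch it; comparing against the remaining input length (rather than against a NUL terminator) is what keeps an untrusted length from ever becoming a read offset.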