This C++ code snippet aborts on amd64 and i386 if compiled with -O[23] (note: tree dumps are correct):
-------------------------------------------------------------------------------
extern "C" void abort (void);
struct T {};
struct U : T {};
int main ()
{
  int i;
  U *p;
  T **q;
  for (i = 0; i < 2; i++)
    {
      q = (T **) &p;	/* p has type U*, but is written through an lvalue of type T* */
      *q = 0;
      if (p)		/* the optimizer may assume the store through *q did not touch p */
	abort ();
    }
  return 0;
}
-------------------------------------------------------------------------------
The above bug shows up as a Mozilla Firefox segfault in imgRequest::NotifyProxyListener(imgRequestProxy *) when the 'reload' button is pressed; the testcase was reduced from imgCacheValidator::OnStartRequest(nsIRequest *, nsISupports *). Here is part of the original code:
NS_IMETHODIMP imgCacheValidator::OnStartRequest(nsIRequest *aRequest, nsISupports *ctxt)
{
  ...
  for (PRInt32 i = count-1; i>=0; i--) {
    imgRequestProxy *proxy;
    mProxies.GetElementAt(i, (nsISupports**)&proxy);
    mRequest->NotifyProxyListener(proxy);
    NS_RELEASE(proxy);
  }
  ...
Confirmed, here is a testcase which makes it fail with 3.4.0:
extern "C" void abort (void) throw();
struct T {};
struct U : T {};
int size = 2;
int main ()
{
  struct T * * pretmp3;
  struct U * p;
  int i;
  int size1 = size;
  p = (U*)1;
  pretmp3 = (struct T * *) &p;	/* same type-punned write as in the original testcase */
  i = 0;
L0:;
  *pretmp3 = 0;
  if (p != 0)
    abort();
  i = i + 1;
  if (i != 2)
    goto L0;
L4:;
  return 0;
}
I guess I'm missing something in here. *q accesses an object of type U* (namely p). The type of the lvalue *q is T*. Right? Which case in 3.10/15 covers this?
Yes, the code is invalid. After I thought about it, I looked for another bug which has the same issue; see PR 11376. *** This bug has been marked as a duplicate of 11376 ***
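As an added illustration of the aliasing point made in the last two comments (this is not code from the bug report or from Mozilla), the following keeps the invalid pattern for comparison and shows a well-defined rewrite that hands the callee a temporary of its own pointer type and converts back with static_cast; fill_base_pointer and the other function names are assumed stand-ins.

```cpp
struct T {};
struct U : T {};

// Stand-in (assumed, not Mozilla's API) for a callee such as
// GetElementAt(..., nsISupports **): it knows only the base pointer type
// and writes through an lvalue of type T*.
void fill_base_pointer(T **out) { *out = 0; }

// Invalid pattern from the testcase: p is an object of type U*, yet it is
// written through an lvalue of type T*. Those are distinct types, so the
// access is not covered by [basic.lval] 3.10/15 and an optimizer may keep
// p's previous value in a register. Kept for comparison only; its result
// is undefined, so nothing below depends on it.
bool clear_via_aliased_write(U *initial)
{
    U *p = initial;
    fill_base_pointer(reinterpret_cast<T **>(&p));
    return p == 0; // may be false at -O2, which is what the report observed
}

// Well-defined rewrite: hand the callee an object whose type really is T*,
// then convert the result back with static_cast. The write now goes through
// an lvalue of the object's own type, and the downcast is a conversion the
// compiler sees rather than a reinterpretation of storage. A null T* stays
// a null U*, so the loop from the report takes the expected branch.
bool clear_via_typed_temporary(U *initial)
{
    U *p = initial;
    for (int i = 0; i < 2; i++)
    {
        T *tmp = p;                // implicit derived-to-base conversion
        fill_base_pointer(&tmp);
        p = static_cast<U *>(tmp); // explicit base-to-derived conversion
        if (p)
            return false;          // corresponds to abort() in the testcase
    }
    return true;
}

// Runs the well-defined version on a real object; true means p was cleared.
bool typed_rewrite_clears_pointer()
{
    U u;
    return clear_via_typed_temporary(&u);
}
```

Compiling with -fno-strict-aliasing also silences the original symptom, but only the rewrite makes the program's meaning independent of the optimizer.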