This is the mail archive of the gcc-bugs@gcc.gnu.org mailing list for the GCC project.



[Bug c++/62052] New: function parameter has wrong address in lambda converted to pointer-to-function


https://gcc.gnu.org/bugzilla/show_bug.cgi?id=62052

            Bug ID: 62052
           Summary: function parameter has wrong address in lambda
                    converted to pointer-to-function
           Product: gcc
           Version: 4.10.0
            Status: UNCONFIRMED
          Keywords: wrong-code
          Severity: normal
          Priority: P3
         Component: c++
          Assignee: unassigned at gcc dot gnu.org
          Reporter: redi at gcc dot gnu.org
                CC: jason at gcc dot gnu.org
            Blocks: 54367

extern "C" int printf(const char*, ...);

const char* locn = nullptr;  // which function the current construction happens in

// Every special member function reports the object's own address,
// so the printed output is a trace of which X lives where.
struct X
{
  X() {
    printf("%p cons in %s\n", this, locn);
  }
  X(X const& x) {
    printf("%p copy %p in %s\n", this, &x, locn);
  }
  ~X() {
    printf("%p dest\n", this);
  }
};

int main()
{
  locn = "main";
  auto f = [] (X xx)
  {
    locn = "lambda";
    printf("%p is &xx in lambda\n", &xx);  // address of the by-value parameter
    return xx;
  };
  X (*ff) (X) = f;  // captureless lambda converted to pointer-to-function
  ff ( X{} );       // call through the function pointer, not the closure
}


Compiled with -std=c++11 this prints:

0x7fff50eed717 cons in main
0x7fff50eed6e0 is &xx in lambda
0x7fff50eed716 copy 0x7fff50eed6e0 in lambda
0x7fff50eed716 dest
0x7fff50eed717 dest

The second line shows the function parameter xx is at 0x7fff50eed6e0, but no
object is ever constructed (or destroyed) at that address; it should be
0x7fff50eed717.

If the lambda is invoked directly the parameter has the right address; it only
happens when converted to a pointer-to-function.

The same bug occurs with -fno-elide-constructors; there are just more
intermediate objects.

As shown at https://bugzilla.redhat.com/show_bug.cgi?id=1079788 this can cause
two unique_ptr objects to own the same memory and lead to a double free
(because the move constructor called for the lambda's return value zeros out
the wrong location).
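
The following is an added regression check, not code from the report above or from GCC's testsuite. It turns the reporter's by-eye comparison of printf addresses into two functions that return a verdict: the first records every address at which an X is constructed and checks, from inside a captureless lambda called through a pointer-to-function, that the by-value parameter is one of them; the second round-trips a move-only type through the same kind of call and counts how many times its resource is released, which is the ownership property the Red Hat report's unique_ptr case depends on. `Res` is a hypothetical stand-in for unique_ptr whose move constructor nulls the source, and the names `bug62052`, `live`, `param_was_live` and `releases` are assumptions introduced here. On a compiler with the bug the first function would return false and the second could return 2 (a double release); on a fixed compiler both report correct behaviour.

```cpp
// Added regression check for GCC bug 62052 (not part of the original report).
#include <cstdio>
#include <set>

namespace bug62052 {

// Addresses of X objects alive right now (constructed, not yet destroyed).
static std::set<const void*> live;
// Set from inside the lambda: was &xx an object the program really constructed?
static bool param_was_live = false;

struct X {
    X() { live.insert(this); }
    X(const X&) { live.insert(this); }
    ~X() { live.erase(this); }
};

// Same shape as the reporter's test: captureless lambda taking X by value,
// converted to a pointer-to-function and called through that pointer.
// Returns true only if the parameter seen inside the lambda is a live X and
// every X is destroyed exactly where it was constructed.
bool param_address_is_live() {
    live.clear();
    param_was_live = false;
    auto f = [](X xx) {
        param_was_live = live.count(&xx) != 0;  // false under the bug: no X at &xx
        return xx;
    };
    X (*ff)(X) = f;
    ff(X{});
    return param_was_live && live.empty();
}

// Hypothetical move-only resource holder standing in for unique_ptr:
// moving from it nulls the source so only one holder ever releases.
static int releases = 0;

struct Res {
    int* p;
    explicit Res(int* q) : p(q) {}
    Res(Res&& o) noexcept : p(o.p) { o.p = nullptr; }
    Res(const Res&) = delete;
    Res& operator=(const Res&) = delete;
    ~Res() { if (p) ++releases; }
};

// Passes a Res through a lambda called via pointer-to-function and returns
// the number of releases: 1 is correct, 2 is the double free the report
// warns about (the move that nulls the "wrong location" leaves two owners).
int releases_through_function_pointer() {
    releases = 0;
    auto f = [](Res r) { return r; };  // returning a by-value parameter moves it
    Res (*ff)(Res) = f;
    int resource = 0;
    {
        Res out = ff(Res(&resource));
        (void)out;
    }  // out released here; every moved-from Res has p == nullptr
    return releases;
}

}  // namespace bug62052

int main() {
    std::printf("parameter address is a live X: %s\n",
                bug62052::param_address_is_live() ? "yes" : "NO (bug 62052)");
    std::printf("releases of a move-only resource: %d (expected 1)\n",
                bug62052::releases_through_function_pointer());
    return 0;
}
```

Compile with `-std=c++11` (and again with `-fno-elide-constructors`, as the report suggests); both functions must still return the correct verdict because the checks depend only on construction and destruction being paired at the same address, not on how many intermediate copies the compiler chooses to make.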

