Bug 69327

Summary:	[6 Regression] constexpr leaves reference member var uninitialized
Product:	gcc	Reporter:	Stephan Bergmann <sberg.fun>
Component:	c++	Assignee:	Not yet assigned to anyone <unassigned>
Status:	RESOLVED DUPLICATE
Severity:	normal	CC:	daniel.kruegler, doko, jakub, jason, webrown.cpp
Priority:	P1	Keywords:	wrong-code
Version:	6.0
Target Milestone:	6.0
Host:		Target:
Build:		Known to work:	5.3.1
Known to fail:	6.0	Last reconfirmed:	2016-01-22 00:00:00

Description Stephan Bergmann 2016-01-17 09:34:54 UTC

With recent trunk GCC,

> $ cat test.cc
> struct S {
>     constexpr S(int & x): n(x) {}
>     int & n;
> };
> constexpr S f1(int & x) { return S(x); }
> constexpr S f2(int & x) { return f1(x); }
> S f3(int & x) { return f2(x); }
> int main() {
>     int n = 1;
>     return f3(n).n;
> }

> $ g++ test.cc && ./a.out
> Segmentation fault

typically causes a SEGV, as S::n remains uninitialized; x86-64 code generated for f3 is

> 0000000000000000 <_Z2f3Ri>:
>    0:   55                      push   %rbp
>    1:   48 89 e5                mov    %rsp,%rbp
>    4:   48 89 7d e8             mov    %rdi,-0x18(%rbp)
>    8:   48 8b 45 f8             mov    -0x8(%rbp),%rax
>    c:   5d                      pop    %rbp
>    d:   c3                      retq

This is a stripped-down version of code in boost::fusion (calling boost::fusion::begin on a boost::fusion::cons, as used by boost::spirit, in turn used by libetonyek and LibreOffice), causing LibreOffice to fail.

Comment 1 Matthias Klose 2016-01-22 12:45:00 UTC

$ cat tst.cc 
struct S {
    constexpr S(int & x): n(x) {}
    int & n;
};
constexpr S f1(int & x) { return S(x); }
constexpr S f2(int & x) { return f1(x); }
S f3(int & x) { return f2(x); }
int main() {
  int n = 1;
  return f3(n).n;
}

$ g++ -std=c++11 tst.cc && ./a.out
Segmentation fault (core dumped)

Comment 2 Matthias Klose 2016-01-22 13:11:16 UTC

r232725

Comment 3 Jonathan Wakely 2016-01-22 13:21:37 UTC

(In reply to Matthias Klose from comment #2)
> r232725

That commit is newer than Stephan's original report.

Comment 4 Matthias Klose 2016-01-22 13:30:31 UTC

more verbose: still seen with r232725

Comment 5 Jakub Jelinek 2016-01-22 14:09:40 UTC

Started with r230365. In the testcase for testsuite you want f3(n).n == 1 instead, otherwise it will fail with non-zero return code even if not miscompiled.

Comment 6 Andrew Pinski 2016-01-22 19:32:37 UTC

I think there is a dup of this bug somewhere too.

Comment 7 Jason Merrill 2016-01-26 20:28:48 UTC

Dup.

*** This bug has been marked as a duplicate of bug 68782 ***