Crash happened during compilation of the boost testsuite.
It's hard to reduce the testcase, because it appears to be a bug in the garbage-collector.

[With --enable-checking=release]
% g++ -O0 -std=c++11 -c test.ii
test.ii: In member function ‘boost::chrono::duration<Rep, Period>& boost::chrono::duration<Rep, Period>::operator--() [with Rep = double; Period = boost::ratio<1l>]’:
test.ii:3207:286: internal compiler error: Segmentation fault

[gcc-4.8.1 is fine]
% /usr/x86_64-pc-linux-gnu/gcc-bin/4.8.1/g++ -O2 -std=c++11 -c test.i
%

[Backtrace with --enable-checking]
% gdb --args /var/tmp/gcc_test/usr/local/bin/g++ -w -O0 -std=c++11 -Wfatal-errors -c test.ii -pipe -o /dev/null
Reading symbols from /var/tmp/gcc_test/usr/local/bin/g++...done.
(gdb) run
Starting program: /var/tmp/gcc_test/usr/local/bin/g++ -w -O0 -std=c++11 -Wfatal-errors -c test.ii -pipe -o /dev/null
[New process 20470]
process 20470 is executing new program: /var/tmp/gcc_test/usr/local/libexec/gcc/x86_64-unknown-linux-gnu/4.9.0/cc1plus

Program received signal SIGSEGV, Segmentation fault.
[Switching to process 20470]
0x0000000000c8e9f8 in tree_class_check_failed (node=<optimized out>, cl=<optimized out>, file=0xff512d "../../gcc/gcc/c-family/c-common.h", line=1063, function=0xff514f "c_tree_chain_next") at ../../gcc/gcc/tree.c:9223
9223 ../../gcc/gcc/tree.c: No such file or directory.
(gdb) bt
#0 0x0000000000c8e9f8 in tree_class_check_failed (node=<optimized out>, cl=<optimized out>, file=0xff512d "../../gcc/gcc/c-family/c-common.h", line=1063, function=0xff514f "c_tree_chain_next") at ../../gcc/gcc/tree.c:9223
#1 0x00000000006807f1 in tree_class_check (__class=<optimized out>, __f=<optimized out>, __l=<optimized out>, __g=<optimized out>, __t=<optimized out>, __class=<optimized out>, __f=<optimized out>, __l=<optimized out>, __g=<optimized out>) at ../../gcc/gcc/tree.h:2732
#2 c_tree_chain_next (t=<optimized out>) at ../../gcc/gcc/c-family/c-common.h:1063
#3 gt_ggc_mx_lang_tree_node (x_p=<optimized out>) at ./gt-cp-tree.h:158
#4 0x000000000067f79a in gt_ggc_mx_lang_tree_node (x_p=<optimized out>) at ./gt-cp-tree.h:706
#5 0x0000000000680ba3 in gt_ggc_mx_tinst_level (x_p=<optimized out>) at ./gt-cp-tree.h:124
#6 0x000000000057b363 in gt_ggc_mx_pending_template (x_p=<optimized out>) at ./gt-cp-pt.h:44
#7 0x00000000008dfa6b in ggc_mark_root_tab (rt=<optimized out>) at ../../gcc/gcc/ggc-common.c:133
#8 ggc_mark_roots () at ../../gcc/gcc/ggc-common.c:152
#9 0x000000000072d91b in ggc_collect () at ../../gcc/gcc/ggc-page.c:2077
#10 0x000000000079f9c3 in cgraph_finalize_function (decl=<optimized out>, no_collect=<optimized out>) at ../../gcc/gcc/cgraphunit.c:456
#11 0x000000000065c3fc in expand_or_defer_fn (fn=0x7fffeeb57500) at ../../gcc/gcc/cp/semantics.c:3949
#12 0x0000000000574935 in instantiate_decl (d=0x7fffeeb57500, defer_ok=<error reading variable: Cannot access memory at address 0x0>, expl_inst_class_mem_p=<optimized out>) at ../../gcc/gcc/cp/pt.c:19406
#13 0x0000000000577738 in instantiate_pending_templates (retries=<optimized out>) at ../../gcc/gcc/cp/pt.c:19493
#14 0x00000000005b9454 in cp_write_global_declarations () at ../../gcc/gcc/cp/decl2.c:4065
#15 0x0000000000aa2196 in compile_file () at ../../gcc/gcc/toplev.c:560
#16 0x0000000000aa1f67 in do_compile () at ../../gcc/gcc/toplev.c:1893
#17 toplev_main (argc=16, argv=0x7fffffffe028) at ../../gcc/gcc/toplev.c:1969
#18 0x00007ffff74d3a6e in __libc_start_main () from /lib/libc.so.6
#19 0x00000000004e090d in _start ()
Created attachment 30957
testcase
Started with r198099. The following patch apparently "fixes" the issue: diff --git a/gcc/cp/class.c b/gcc/cp/class.c index c587e55ac681..9547da539c57 100644 --- a/gcc/cp/class.c +++ b/gcc/cp/class.c @@ -7436,7 +7436,6 @@ resolve_address_of_overloaded_function (tree target_type, if (same_type_p (target_fn_type, static_fn_type (instantiation))) matches = tree_cons (instantiation, fn, matches); - ggc_free (targs); } /* Now, remove all but the most specialized of the matches. */
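Review bot: dropping the ggc_free (targs); call right after the matches = tree_cons (instantiation, fn, matches); line makes the crash go away without establishing which root still references targs at that point, so the change reads as a workaround rather than a fix. Before this goes in, identify the live reference, and leave a short comment where the call used to be saying that targs is deliberately left to the collector, so the explicit free is not reintroduced later as a memory optimization.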
Valgrind shows:

markus@x4 /tmp % valgrind --track-origins=yes --trace-children=yes g++ -O2 -std=c++11 -c test.ii
==6647== Memcheck, a memory error detector
==6647== Copyright (C) 2002-2012, and GNU GPL'd, by Julian Seward et al.
==6647== Using Valgrind-3.8.1 and LibVEX; rerun with -h for copyright info
==6647== Command: g++ -O2 -std=c++11 -c test.ii
==6647==
==6647== Memcheck, a memory error detector
==6647== Copyright (C) 2002-2012, and GNU GPL'd, by Julian Seward et al.
==6647== Using Valgrind-3.8.1 and LibVEX; rerun with -h for copyright info
==6647== Command: /usr/x86_64-pc-linux-gnu/gcc-bin/4.9.0/g++ -O2 -std=c++11 -c test.ii
==6647==
==6655== Memcheck, a memory error detector
==6655== Copyright (C) 2002-2012, and GNU GPL'd, by Julian Seward et al.
==6655== Using Valgrind-3.8.1 and LibVEX; rerun with -h for copyright info
==6655== Command: /usr/libexec/gcc/x86_64-pc-linux-gnu/4.9.0/cc1plus -fpreprocessed test.ii -quiet -dumpbase test.ii -mtune=generic -march=x86-64 -auxbase test -O2 -std=c++11 -o /tmp/cctcTn3y.s
==6655==
==6655== Invalid read of size 1
==6655==    at 0x5E453A: gt_ggc_mx_lang_tree_node(void*) (c-common.h:1211)
==6655==    by 0x5E5AEB: gt_ggc_mx_lang_tree_node(void*) (gt-cp-tree.h:510)
==6655==    by 0x5E61AF: gt_ggc_mx_tinst_level(void*) (gt-cp-tree.h:124)
==6655==    by 0x533E3F: gt_ggc_mx_pending_template(void*) (gt-cp-pt.h:44)
==6655==    by 0x78A8E5: ggc_mark_root_tab(ggc_root_tab const*) (ggc-common.c:133)
==6655==    by 0x78AC90: ggc_mark_roots() (ggc-common.c:152)
==6655==    by 0x65A9EA: ggc_collect() (ggc-page.c:2077)
==6655==    by 0x869A4D: execute_one_pass(opt_pass*) (passes.c:2255)
==6655==    by 0x869D65: execute_pass_list(opt_pass*) (passes.c:2267)
==6655==    by 0x6AF0EB: analyze_function(cgraph_node*) (cgraphunit.c:650)
==6655==    by 0x6B0127: analyze_functions() (cgraphunit.c:1004)
==6655==    by 0x6B0F35: finalize_compilation_unit() (cgraphunit.c:2262)
==6655==  Address 0x17125d8 is not stack'd, malloc'd or (recently) free'd
==6655==
test.ii: In function ‘void fastest_itl_total_icl_quantifier_check_monoid_plus_4_bicremental_types_invoker()’:
test.ii:3069:14: internal compiler error: Segmentation fault
 static void fastest_itl_total_icl_quantifier_check_monoid_plus_4_bicremental_types_invoker() { ::boost::unit_test::unit_test_log.set_checkpoint( ::boost::unit_test::const_string( "../libs/icl/test/fastest_total_icl_quantifier_/../fastest_total_icl_quantifier_cases.hpp", sizeof( "../libs/icl/test/fastest_total_icl_quantifier_/../fastest_total_icl_quantifier_cases.hpp" ) - 1 ), static_cast<std::size_t>( 15
 ^
Please submit a full bug report, with preprocessed source if appropriate.
See <http://gcc.gnu.org/bugs.html> for instructions.
Seems the crash is because we ggc_free (targs); but it is still reachable. While pop_tinst_level has been called and thus it isn't reachable from current_tinst_level, it is reachable from pending_templates (in particular last_pending_template->tinst->next->next->decl is a TREE_LIST with TREE_VALUE set to the TREE_VEC targs we ggc_free).

fn_type_unification has:
  struct pending_template *old_last_pend = last_pending_template;
  struct tinst_level *old_error_tinst = last_error_tinst_level;
...
  /* We can't free this if a pending_template entry or last_error_tinst_level
     is pointing at it. */
  if (last_pending_template == old_last_pend
      && last_error_tinst_level == old_error_tinst)
    ggc_free (tinst);
so it avoids ggc_free on tinst (the TREE_LIST with TREE_VALUE set to targs), but unfortunately this technique isn't usable in the resolve_address_of_overloaded_function caller, because last_pending_template and current_tinst_level are static vars in pt.c and this is in class.c.

So perhaps add some bool * argument to fn_type_unification through which it could optionally tell the caller whether it is safe to ggc_free targs (set to last_pending_template == old_last_pend && last_error_tinst_level == old_error_tinst if non-NULL)?

Jason?
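The failure mode and the bool * idea from the comment above, as an added toy model in C (not part of the original comment, not GCC code, and not the fix that was later committed). All names are hypothetical, the free is simulated with a flag so the stale reference can be counted safely, and only the pending list is tracked, not last_error_tinst_level.

```c
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>

/* Toy model, hypothetical names; "freeing" only clears a flag so the
   dangling root can be observed without undefined behaviour. */
struct obj { bool live; };                   /* stands in for the TREE_VEC targs */
struct pending { struct obj *ref; struct pending *next; };
static struct pending *last_pending;         /* models last_pending_template */

static void push_pending(struct obj *o) {
    struct pending *p = malloc(sizeof *p);
    if (!p) abort();
    p->ref = o; p->next = last_pending; last_pending = p;
}

/* Models fn_type_unification with the proposed out-parameter: reports
   whether a pending entry queued during the call may point at targs. */
static void unify(struct obj *targs, bool defer, bool *safe_to_free) {
    struct pending *old_last = last_pending;
    if (defer) push_pending(targs);          /* instantiation queued for later */
    if (safe_to_free) *safe_to_free = (last_pending == old_last);
}

/* Models ggc_mark_roots: counts roots that reach an already freed object. */
static int mark_roots(void) {
    int dangling = 0;
    for (struct pending *p = last_pending; p; p = p->next)
        if (!p->ref->live) dangling++;
    return dangling;
}

/* Models the caller in class.c; guarded == false is the unconditional free. */
static int resolve(bool defer, bool guarded) {
    while (last_pending) {                   /* reset state between scenarios */
        struct pending *n = last_pending->next;
        free(last_pending); last_pending = n;
    }
    static struct obj targs;
    targs.live = true;
    bool safe = true;                        /* the caller's old assumption */
    unify(&targs, defer, guarded ? &safe : NULL);
    if (safe) targs.live = false;            /* simulated ggc_free (targs) */
    return mark_roots();                     /* a later collection walks the roots */
}

int main(void) {
    printf("unguarded, deferred: %d dangling\n", resolve(true, false));
    printf("guarded, deferred:   %d dangling\n", resolve(true, true));
    printf("guarded, immediate:  %d dangling\n", resolve(false, true));
    return 0;
}
```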
*** Bug 59436 has been marked as a duplicate of this bug. ***
Created attachment 31407
gcc49-pr58627.patch

Untested fix.
Author: jakub
Date: Thu Dec 12 13:35:21 2013
New Revision: 205927

URL: http://gcc.gnu.org/viewcvs?rev=205927&root=gcc&view=rev
Log:
PR c++/58627
* call.c (add_template_candidate_real): Don't call ggc_free on targs.

Modified:
    trunk/gcc/cp/ChangeLog
    trunk/gcc/cp/class.c
Fixed.
I've re-run the boost-testsuite today and there were a number of new ICEs.
All turned out to be PCH related.

For example (checking=release compiler):
...
==17975== Invalid read of size 8
==17975==    at 0x504951: lookup_page_table_entry(void const*) [clone .lto_priv.3354] (in /usr/libexec/gcc/x86_64-pc-linux-gnu/4.9.0/cc1plus)
==17975==    by 0xAEEE89: ggc_set_mark(void const*) (in /usr/libexec/gcc/x86_64-pc-linux-gnu/4.9.0/cc1plus)
==17975==    by 0x12438A1: gt_ggc_mx_lang_tree_node(void*) (in /usr/libexec/gcc/x86_64-pc-linux-gnu/4.9.0/cc1plus)
==17975==    by 0x1246A78: gt_ggc_mx_tree_statement_list_node(void*) (in /usr/libexec/gcc/x86_64-pc-linux-gnu/4.9.0/cc1plus)
==17975==    by 0x1244EAE: gt_ggc_mx_lang_tree_node(void*) (in /usr/libexec/gcc/x86_64-pc-linux-gnu/4.9.0/cc1plus)
==17975==    by 0x1243A5A: gt_ggc_mx_lang_tree_node(void*) (in /usr/libexec/gcc/x86_64-pc-linux-gnu/4.9.0/cc1plus)
==17975==    by 0x1243A5A: gt_ggc_mx_lang_tree_node(void*) (in /usr/libexec/gcc/x86_64-pc-linux-gnu/4.9.0/cc1plus)
==17975==    by 0x1243A5A: gt_ggc_mx_lang_tree_node(void*) (in /usr/libexec/gcc/x86_64-pc-linux-gnu/4.9.0/cc1plus)
==17975==    by 0x1244EE9: gt_ggc_mx_lang_tree_node(void*) (in /usr/libexec/gcc/x86_64-pc-linux-gnu/4.9.0/cc1plus)
==17975==    by 0x1244F29: gt_ggc_mx_lang_tree_node(void*) (in /usr/libexec/gcc/x86_64-pc-linux-gnu/4.9.0/cc1plus)
==17975==    by 0x1243D11: gt_ggc_mx_lang_tree_node(void*) (in /usr/libexec/gcc/x86_64-pc-linux-gnu/4.9.0/cc1plus)
==17975==    by 0x1246353: gt_ggc_mx_lang_decl(void*) (in /usr/libexec/gcc/x86_64-pc-linux-gnu/4.9.0/cc1plus)
==17975==  Address 0x80 is not stack'd, malloc'd or (recently) free'd
==17975==
In file included from ../boost/throw_exception.hpp:39:0,
                 from ../boost/smart_ptr/shared_ptr.hpp:31,
                 from ../boost/shared_ptr.hpp:17,
                 from ../boost/test/tools/assertion_result.hpp:24,
                 from ../boost/test/tools/old/impl.hpp:20,
                 from ../boost/test/test_tools.hpp:32,
                 from ../boost/math/tools/test.hpp:16,
                 from ../libs/math/test/pch_light.hpp:10:
../boost/exception/exception.hpp: In member function ‘void boost::exception_detail::clone_impl<T>::rethrow() const [with T = boost::exception_detail::error_info_injector<std::logic_error>]’:
../boost/exception/exception.hpp:473:17: internal compiler error: Segmentation fault
 }
 ^
Please submit a full bug report, with preprocessed source if appropriate
Ah, I see PR59436 is more appropriate.