[Bug c++/107379] [13 regression] g++.dg/modules/adl-3_c.C and adl-4_b.C break as of r13-2887-gb04208895fed34
cvs-commit at gcc dot gnu.org
gcc-bugzilla@gcc.gnu.org
Thu Oct 27 18:11:04 GMT 2022
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=107379
--- Comment #3 from CVS Commits <cvs-commit at gcc dot gnu.org> ---
The master branch has been updated by Jakub Jelinek <jakub@gcc.gnu.org>:
https://gcc.gnu.org/g:a33d623d2d3a78f5ef6f9e854946303e063eef63
commit r13-3528-ga33d623d2d3a78f5ef6f9e854946303e063eef63
Author: Jakub Jelinek <jakub@redhat.com>
Date: Thu Oct 27 20:10:18 2022 +0200
c++: Fix ICE on g++.dg/modules/adl-3_c.C [PR107379]
As mentioned in the PR, apparently my r13-2887 P1467R9 changes
regressed these tests on powerpc64le-linux with IEEE quad by default.
I believe my changes just uncovered a latent bug.
The problem is that push_namespace calls find_namespace_slot,
which does:
  tree *slot = DECL_NAMESPACE_BINDINGS (ns)
    ->find_slot_with_hash (name, name ? IDENTIFIER_HASH_VALUE (name) : 0,
                           create_p ? INSERT : NO_INSERT);
In the <identifier_node 0x7fffe9f55ac0 details> ns case, slot is non-NULL
above with a binding_vector in it.
Then pushdecl is called and this does:
  slot = find_namespace_slot (ns, name, ns == current_namespace);
where ns == current_namespace (ns is :: and name is details) is true.
So this again calls
  tree *slot = DECL_NAMESPACE_BINDINGS (ns)
    ->find_slot_with_hash (name, name ? IDENTIFIER_HASH_VALUE (name) : 0,
                           create_p ? INSERT : NO_INSERT);
but this time with create_p and so INSERT.
At this point we reach
  if (insert == INSERT && m_size * 3 <= m_n_elements * 4)
    expand ();
and when we are unlucky and the occupancy of the hash table just reached 3/4,
expand () is called and the hash table is reallocated. But when that happens,
it means the slot pointer in the pushdecl caller (push_namespace) points to
freed memory and so any accesses to it in make_namespace_finish will be UB.
The following patch fixes it by calling find_namespace_slot again even if it
was non-NULL, just doesn't assert it is *slot == ns in that case (because
it often is not).
2022-10-27 Jakub Jelinek <jakub@redhat.com>
PR c++/107379
* name-lookup.cc (push_namespace): Call find_namespace_slot again
after pushdecl as the hash table might be expanded during pushdecl.
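
The stale-slot pattern described in the commit message, as an added example that is not part of the original message and is not GCC code. The toy table, its gen counter and the names probe, find_slot and use_slot are assumptions made for illustration; use_slot follows the caller/callee lookup order from the message and reads the value only through a slot fetched again after the inserting lookup.

```c
#include <stdint.h>
#include <stdlib.h>

/* Toy open-addressing set of nonzero keys (constructed, not GCC's hash_table). */
struct table { uintptr_t *slots; size_t size, n; unsigned gen; };

static size_t probe(const struct table *t, uintptr_t key)
{
    size_t i = key % t->size;
    while (t->slots[i] && t->slots[i] != key)
        i = (i + 1) % t->size;
    return i;
}

static void expand(struct table *t)
{
    struct table old = *t;
    t->size *= 2;
    t->slots = calloc(t->size, sizeof *t->slots);
    t->gen++;  /* every slot pointer handed out earlier now dangles */
    for (size_t i = 0; i < old.size; i++)
        if (old.slots[i])
            t->slots[probe(t, old.slots[i])] = old.slots[i];
    free(old.slots);
}

static uintptr_t *find_slot(struct table *t, uintptr_t key, int insert)
{
    if (insert && t->size * 3 <= t->n * 4)  /* occupancy check from the message */
        expand(t);
    size_t i = probe(t, key);
    if (!t->slots[i]) {
        if (!insert)
            return NULL;
        t->slots[i] = key;
        t->n++;
    }
    return &t->slots[i];
}

static uintptr_t use_slot(struct table *t, uintptr_t key, int *stale)
{
    uintptr_t *slot = find_slot(t, key, 0);  /* caller's lookup */
    int had_slot = slot != NULL;
    unsigned gen = t->gen;
    find_slot(t, key, 1);                    /* stands in for pushdecl */
    *stale = had_slot && gen != t->gen;      /* first pointer would dangle */
    slot = find_slot(t, key, 0);             /* looked up again, safe to read */
    return *slot;
}
```

With 6 keys in an 8-slot table the inserting lookup hits the 3/4 threshold, so the first call reports a stale pointer even though the key was already present.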