http://gcc.gnu.org/bugzilla/show_bug.cgi?id=58627
Jakub Jelinek <jakub at gcc dot gnu.org> changed: What |Removed |Added ---------------------------------------------------------------------------- Status|UNCONFIRMED |NEW Last reconfirmed| |2013-11-28 CC| |jakub at gcc dot gnu.org Ever confirmed|0 |1 --- Comment #4 from Jakub Jelinek <jakub at gcc dot gnu.org> --- Seems the crash is because we ggc_free (targs); but it is still reachable. While pop_tinst_level has been called and thus it isn't reachable from current_tinst_level, it is reachable from pending_templates (in particular last_pending_template->tinst->next->next->decl is a TREE_LIST with TREE_VALUE set to the TREE_VEC targs we ggc_free). fn_type_unification has: struct pending_template *old_last_pend = last_pending_template; struct tinst_level *old_error_tinst = last_error_tinst_level; ... /* We can't free this if a pending_template entry or last_error_tinst_level is pointing at it. */ if (last_pending_template == old_last_pend && last_error_tinst_level == old_error_tinst) ggc_free (tinst); so it avoids ggc_free on tinst (the TREE_LIST with TREE_VALUE set to targs), but unfortunately this technique isn't usable in the resolve_address_of_overloaded_function caller, because last_pending_template and current_tinst_level are static vars in pt.c and this is in class.c. So perhaps add some bool * argument to fn_type_unification through which it could optionally tell the caller whether it is safe to ggc_free targs (set to last_pending_template == old_last_pend && last_error_tinst_level == old_error_tinst if non-NULL)? Jason?