http://gcc.gnu.org/bugzilla/show_bug.cgi?id=58627

Jakub Jelinek <jakub at gcc dot gnu.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|UNCONFIRMED                 |NEW
   Last reconfirmed|                            |2013-11-28
                 CC|                            |jakub at gcc dot gnu.org
     Ever confirmed|0                           |1

--- Comment #4 from Jakub Jelinek <jakub at gcc dot gnu.org> ---
Seems the crash is because we ggc_free (targs); but it is still reachable. 
While
pop_tinst_level has been called and thus it isn't reachable from
current_tinst_level, it is reachable from pending_templates
(in particular last_pending_template->tinst->next->next->decl is a TREE_LIST
with
TREE_VALUE set to the TREE_VEC targs we ggc_free).

fn_type_unification has:
  struct pending_template *old_last_pend = last_pending_template;
  struct tinst_level *old_error_tinst = last_error_tinst_level;
...
  /* We can't free this if a pending_template entry or last_error_tinst_level
     is pointing at it.  */
  if (last_pending_template == old_last_pend
      && last_error_tinst_level == old_error_tinst)
    ggc_free (tinst);
so it avoids ggc_free on tinst (the TREE_LIST with TREE_VALUE set to targs),
but unfortunately this technique isn't usable in the
resolve_address_of_overloaded_function caller, because last_pending_template
and
current_tinst_level are static vars in pt.c and this is in class.c.
So perhaps add some bool * argument to fn_type_unification through which it
could optionally tell the caller whether it is safe to ggc_free targs
(set to last_pending_template == old_last_pend && last_error_tinst_level ==
old_error_tinst if non-NULL)?  Jason?

Reply via email to