http://gcc.gnu.org/bugzilla/show_bug.cgi?id=58627
Jakub Jelinek <jakub at gcc dot gnu.org> changed:
What |Removed |Added
----------------------------------------------------------------------------
Status|UNCONFIRMED |NEW
Last reconfirmed| |2013-11-28
CC| |jakub at gcc dot gnu.org
Ever confirmed|0 |1
--- Comment #4 from Jakub Jelinek <jakub at gcc dot gnu.org> ---
Seems the crash is because we ggc_free (targs); but it is still reachable.
While
pop_tinst_level has been called and thus it isn't reachable from
current_tinst_level, it is reachable from pending_templates
(in particular last_pending_template->tinst->next->next->decl is a TREE_LIST
with
TREE_VALUE set to the TREE_VEC targs we ggc_free).
fn_type_unification has:
struct pending_template *old_last_pend = last_pending_template;
struct tinst_level *old_error_tinst = last_error_tinst_level;
...
/* We can't free this if a pending_template entry or last_error_tinst_level
is pointing at it. */
if (last_pending_template == old_last_pend
&& last_error_tinst_level == old_error_tinst)
ggc_free (tinst);
so it avoids ggc_free on tinst (the TREE_LIST with TREE_VALUE set to targs),
but unfortunately this technique isn't usable in the
resolve_address_of_overloaded_function caller, because last_pending_template
and
current_tinst_level are static vars in pt.c and this is in class.c.
So perhaps add some bool * argument to fn_type_unification through which it
could optionally tell the caller whether it is safe to ggc_free targs
(set to last_pending_template == old_last_pend && last_error_tinst_level ==
old_error_tinst if non-NULL)? Jason?
