https://gcc.gnu.org/bugzilla/show_bug.cgi?id=97419
Bug ID: 97419
Summary: crash in decl_as_string(TFF_DECL_SPECIFIERS | TFF_CHASE_TYPEDEF) from plugin using std::declval()
Product: gcc
Version: unknown
Status: UNCONFIRMED
Severity: normal
Priority: P3
Component: c++
Assignee: unassigned at gcc dot gnu.org
Reporter: sphink at gmail dot com
Target Milestone: ---

Created attachment 49368 --> https://gcc.gnu.org/bugzilla/attachment.cgi?id=49368&action=edit
gcc -v -save-temps output

I cannot trigger this crash without a plugin, but the plugin in this case is merely calling decl_as_string(decl, TFF_DECL_SPECIFIERS | TFF_CHASE_TYPEDEF). Removing either of the TFF_ parameters makes it go away. Given that this requires a plugin to trigger, I'm going to try to give as much detail as I can here. (I have an rr recording of this crash, fwiw.)

More specifically, finish_decltype_type() in cp/semantics.c is calling:

  type = unlowered_expr_type (expr);
  gcc_assert (!TYPE_REF_P (type));

unlowered_expr_type has:

  tree etype = TREE_TYPE (exp);
  type = is_bitfield_expr_with_lowered_type (exp);
  if (type)
    type = cp_build_qualified_type (type, cp_type_quals (etype));
  else
    type = etype;

TREE_CODE(exp) is INDIRECT_REF. TREE_TYPE(exp) is NULL_TREE, so this returns NULL_TREE and crashes when it attempts to dereference for TYPE_REF_P (type).

I'm attaching a minimal C++ test case that only #includes <utility> (for std::declval()).

The files I'm attaching are for gcc 9.1.0, but the same thing happens on gcc 9.3.0.
The crash occurs when decl_as_string is called on the `get` decl, which is:

<function_decl 0x7fdbbf74bb00 get type <method_type 0x7fdbbf74d1f8 type <reference_type 0x7fdbbf74d9d8 Elem type <record_type 0x7fdbc9faf9d8 UniquePtr> asm_written unsigned DI size <integer_cst 0x7fdbdfab4e28 constant 64> unit-size <integer_cst 0x7fdbdfab4e40 constant 8> align:64 warn_if_not_align:0 symtab:-1082851088 alias-set -1 canonical-type 0x7fdbc9fafa80> QI size <integer_cst 0x7fdbdfab4f18 constant 8> unit-size <integer_cst 0x7fdbdfab4f30 constant 1> align:8 warn_if_not_align:0 symtab:0 alias-set -1 canonical-type 0x7fdbbf74d2a0 method basetype <record_type 0x7fdbbf714348 ContainerIter> arg-types <tree_list 0x7fdbc5e49550 value <pointer_type 0x7fdbbf74ddc8> chain <tree_list 0x7fdbdfac8848 value <void_type 0x7fdbdfad2f18 void>>> pointer_to_this <pointer_type 0x7fdbbf74ed20>> addressable used public external autoinline QI defer-output /home/sfink/src/mozilla3/js/src/gc/GC.cpp:5939:8 align:16 warn_if_not_align:0 context <record_type 0x7fdbbf714348 ContainerIter> full-name "ContainerIter<Container>::Elem ContainerIter<Container>::get() const [with Container = mozilla::Vector<mozilla::UniquePtr<js::gc::SweepAction, JS::DeletePolicy<js::gc::SweepAction> >, 0, js::SystemAllocPolicy>; ContainerIter<Container>::Elem = const mozilla::UniquePtr<js::gc::SweepAction, JS::DeletePolicy<js::gc::SweepAction> >&; ContainerIter<Container>::Iter = const mozilla::UniquePtr<js::gc::SweepAction, JS::DeletePolicy<js::gc::SweepAction> >*]" not-really-extern template-info 0x7fdbbf749e60 chain <function_decl 0x7fdbbf74bc00 next>>

----

The INDIRECT_REF tree is:

<indirect_ref 0x7fdbba0da6e0 arg:0 <call_expr 0x7fdbba0d9300 fn <template_id_expr 0x7fdbba0dd168 type <lang_type 0x7fdbdfc09d20 unknown type> arg:0 <overload 0x7fdbd7992e40 type <lang_type 0x7fdbdfc09d20 unknown type> function <template_decl 0x7fdbd799c580 declval>> arg:1 <tree_vec 0x7fdbba0da6c0 length:1 elt:0 <decltype_type 0x7fdbbf6e70a8>>
/home/sfink/src/mozilla3/js/src/gc/GC.cpp:5928:31 start: /home/sfink/src/mozilla3/js/src/gc/GC.cpp:5928:26 finish: /home/sfink/src/mozilla3/js/src/gc/GC.cpp:5928:43> /home/sfink/src/mozilla3/js/src/gc/GC.cpp:5928:44 start: /home/sfink/src/mozilla3/js/src/gc/GC.cpp:5928:26 finish: /home/sfink/src/mozilla3/js/src/gc/GC.cpp:5928:45> /home/sfink/src/mozilla3/js/src/gc/GC.cpp:5928:25 start: /home/sfink/src/mozilla3/js/src/gc/GC.cpp:5928:25 finish: /home/sfink/src/mozilla3/js/src/gc/GC.cpp:5928:45>