Segmentation fault on gcc caused by lambda wrapper

I've spent quite a few hours today trying to understand why this code segfaults on g++6.2 and g++7.0, while happily working as intended on clang++3.9 (and 4.0).

I reduced the issue to a 85 lines self-contained code snippet, which does not segfault upon normal execution, but always reports an error under UBSAN.

The issue is reproducible on wandbox, by compiling with g++7, enabling optimizations and passing -fsanitize=undefined as an extra flag.

This is what UBSAN reports:

prog.cc: In function 'int main()':
prog.cc:61:49: warning: 'ns#0' is used uninitialized in this function [-Wuninitialized]
         ([&] { ([&] { n.execute(ns...); })(); })();
         ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~^~
prog.cc:28:10: note: 'ns#0' was declared here
     auto execute(TNode& n, TNodes&... ns)
          ^~~~~~~
prog.cc:30:9: runtime error: member call on null pointer of type 'struct node_then'

g++ claims that ns#0 is uninitialized inside the "lambda gibberish" (which simulates the for_tuple from the original snippet). Now, some very interesting things occur:

If I remove the "lambda gibberish", transforming line 61 into
```
 n.execute(ns...);
```
then UBSAN stops complaining.
If I change the capture list from [&] to [&n, &ns...], UBSAN stops complaining as well:
```
 ([&](auto) { ([&n, &ns...] { n.execute(ns...); })(); })(0);
```
...wait what? How is that different from [&]?

Applying the above discoveries to the original code snippet fixes the segfaults.

Is this a g++ bug? Or is there any undefined behavior in my code?

标签： c++ segmentation-fault c++14 undefined-behavior ubsan

1条回答

虎瘦雄心在

2楼-- · 2020-07-03 05:31

This has nothing to do with temporaries: it's a gcc7.0 optimizer bug. This is a simpler reproducer:

#include <utility>

struct root
{
  template <typename TNode, typename... TNodes>
  void start(TNode n, TNodes... ns)
  {
    n->execute(ns...);
  }
};

template <typename TParent>
struct node_then
{
  TParent *_p;

  node_then(TParent *p) : _p{ p }
  {
  }

  auto execute()
  {
  }

  template <typename TNode, typename... TNodes>
  auto execute(TNode n, TNodes... ns)
  {
    n->execute(ns...);
  }

  template <typename... TNodes>
  auto start(TNodes... ns)
  {
    _p->start(this, ns...);
  }
};

template <typename TParent>
struct node_wait_all
{
  TParent *_p;

  node_wait_all(TParent *p) : _p{ p }
  {
  }

  template <typename TNode, typename... TNodes>
  auto execute(TNode n, TNodes... ns)
  {
    ([&] { ([&] { n->execute(ns...); })(); })();
  }

  template <typename... TNodes>
  auto start(TNodes... ns)
  {
    _p->start(this, ns...);
  }
};


int main()
{
  //node_wait_all<root> obj(new root());
  //node_then<node_wait_all<root>> obj2(new node_wait_all<root>(new root()));
  node_then<node_then<node_wait_all<root>>> obj3(new node_then<node_wait_all<root>>(new node_wait_all<root>(new root())));
  obj3.start();
}

Output:

prog.cc: In function 'int main()':
prog.cc:67:1: internal compiler error: in visit_ref_for_mod_analysis, at ipa-prop.c:2308
 }
 ^
0x96c4d6 visit_ref_for_mod_analysis
    /home/heads/gcc/gcc-source/gcc/ipa-prop.c:2308
0x8f615d walk_stmt_load_store_addr_ops(gimple*, void*, bool (*)(gimple*, tree_node*, tree_node*, void*), bool (*)(gimple*, tree_node*, tree_node*, void*), bool (*)(gimple*, tree_node*, tree_node*, void*))
    /home/heads/gcc/gcc-source/gcc/gimple-walk.c:817
0x9761a2 ipa_analyze_params_uses_in_bb
    /home/heads/gcc/gcc-source/gcc/ipa-prop.c:2335
0x9761a2 analysis_dom_walker::before_dom_children(basic_block_def*)
    /home/heads/gcc/gcc-source/gcc/ipa-prop.c:2415
0x10c8472 dom_walker::walk(basic_block_def*)
    /home/heads/gcc/gcc-source/gcc/domwalk.c:265
0x977ceb ipa_analyze_node(cgraph_node*)
    /home/heads/gcc/gcc-source/gcc/ipa-prop.c:2486
0x1108f0a ipcp_generate_summary
    /home/heads/gcc/gcc-source/gcc/ipa-cp.c:5036
0xa4759c execute_ipa_summary_passes(ipa_opt_pass_d*)
    /home/heads/gcc/gcc-source/gcc/passes.c:2167
0x7d6b45 ipa_passes
    /home/heads/gcc/gcc-source/gcc/cgraphunit.c:2311
0x7d6b45 symbol_table::compile()
    /home/heads/gcc/gcc-source/gcc/cgraphunit.c:2425
0x7d8616 symbol_table::compile()
    /home/heads/gcc/gcc-source/gcc/cgraphunit.c:2587
0x7d8616 symbol_table::finalize_compilation_unit()
    /home/heads/gcc/gcc-source/gcc/cgraphunit.c:2584
Please submit a full bug report,
with preprocessed source if appropriate.
Please include the complete backtrace with any bug report.
See <http://gcc.gnu.org/bugs.html> for instructions.

Link: http://melpon.org/wandbox/permlink/E11fOumFJda6OW6m

To aid in this code's comprehension I'm using a powerful debugging tool: paint.exe

0人赞添加讨论(0) 举报

Segmentation fault on gcc caused by lambda wrapper

采纳回答

编辑标签

举报内容

检举类型

检举原因

检举说明(必填)

打开微信“扫一扫”，打开网页后点击屏幕右上角分享按钮

付费偷看金额在0.1-10元之间