D issues are now tracked on GitHub. This Bugzilla instance remains as a read-only archive.
Issue 13459 - segfault in two auto opSlices()
Summary: segfault in two auto opSlices()
Status: RESOLVED FIXED
Alias: None
Product: D
Classification: Unclassified
Component: dmd
Version: D2
Hardware: All All
Importance: P1 normal
Assignee: No Owner
Keywords: ice, pull
Duplicates: 14377
Reported: 2014-09-11 19:13 UTC by Ketmar Dark
Modified: 2015-03-30 20:24 UTC

Attachments
dustmited testcase (129 bytes, text/plain)
2014-09-11 19:13 UTC, Ketmar Dark
Description Ketmar Dark 2014-09-11 19:13:51 UTC
Created attachment 1422
dustmited testcase

dmd segfaults on the given sample. Actually, it goes into infinite recursion and the OS kills it.

sample usage: dmd -c -o- dmdsf.d
Comment 1 hsteoh 2014-09-12 20:35:53 UTC
For short code samples, you can just paste the code into the bug report, like this:
------
struct A {
  auto opSlice () {}
  auto opSlice () { return B; }
}

void main () {
  auto df = A();
  foreach (fi; df[0..0]) {}
}
------

On Linux/x86_64, it doesn't actually go into infinite recursion, but segfaults on an invalid pointer:
------
(gdb) bt
#0  Parameter::foreach (args=args@entry=0x29, dg=dg@entry=0x40a000 <dimDg(void*, size_t, Parameter*)>, 
    ctx=ctx@entry=0x7fffffffe198, pn=pn@entry=0x0) at mtype.c:9182
#1  0x000000000041c3ce in Parameter::dim (args=args@entry=0x29) at mtype.c:9131
#2  0x000000000046c768 in PrettyPrintVisitor::parametersToBuffer (this=this@entry=0x7fffffffe200, 
    parameters=parameters@entry=0x29, varargs=varargs@entry=9087320) at hdrgen.c:2909
#3  0x00000000004659bf in parametersTypeToChars (parameters=0x29, varargs=9087320) at hdrgen.c:3106
#4  0x00000000004f70a7 in FuncCandidateWalker::fp (param=0x7fffffffe3b0, s=<optimized out>)
    at func.c:3091
#5  0x00000000004ecd8f in overloadApply (fstart=0x7ffff7edab70, param=0x7fffffffe3b0, 
    fp=0x4f7070 <FuncCandidateWalker::fp(void*, Dsymbol*)>) at func.c:2786
#6  0x00000000004edc20 in resolveFuncCall (loc=..., sc=0x7fffffffe198, s=0x0, tiargs=0x3, 
    tthis=0x7ffff7395be0 <_IO_helper_jumps>, fargs=0x7ffff7f698a0, flags=0) at func.c:3252
#7  0x00000000004d6251 in CallExp::semantic (this=0x7ffff7f69910, sc=0x7ffff7f67740)
    at expression.c:8279
#8  0x00000000004e5a71 in semantic (sc=0x7ffff7f67740, this=<optimized out>) at expression.c:7801
#9  SliceExp::semantic (this=<optimized out>, sc=0x7ffff7f67740) at expression.c:9716
#10 0x000000000041f8d3 in OpOverload::visit (this=0x7fffffffe590, ae=0x7ffff7edb970) at opover.c:501
#11 0x000000000041f4a6 in op_overload (e=e@entry=0x7ffff7edb970, sc=sc@entry=0x7ffff7f67740)
    at opover.c:1220
#12 0x00000000004dfd3d in op_overload (sc=0x7ffff7f67740, this=0x7ffff7edb970) at expression.h:221
#13 ArrayExp::semantic (this=0x7ffff7edb970, sc=0x7ffff7f67740) at expression.c:10153
#14 0x0000000000422778 in inferAggregate (fes=fes@entry=0x7ffff7edba10, sc=sc@entry=0x7ffff7f67740, 
    sapply=@0x7fffffffe6f8: 0x0) at opover.c:1454
#15 0x000000000044673e in ForeachStatement::semantic (this=0x7ffff7edba10, sc=0x7ffff7f67740)
    at statement.c:1592
#16 0x0000000000442d4a in CompoundStatement::semantic (this=0x7ffff7edba70, sc=0x7ffff7f67740)
    at statement.c:1030
#17 0x00000000004ef6f3 in FuncDeclaration::semantic3 (this=0x7ffff7edb2f0, 
    sc=0x40a000 <dimDg(void*, size_t, Parameter*)>) at func.c:1615
#18 0x0000000000407400 in Module::semantic3 (this=this@entry=0x7ffff7eda420) at module.c:783
#19 0x0000000000404b5c in tryMain (argc=9, argv=0x899600) at mars.c:1517
#20 0x00007ffff7016b45 in __libc_start_main (main=0x4024d0 <main(int, char const**)>, argc=2, 
    argv=0x7fffffffeb78, init=<optimized out>, fini=<optimized out>, rtld_fini=<optimized out>, 
    stack_end=0x7fffffffeb68) at libc-start.c:287
#21 0x0000000000402a05 in _start ()
(gdb) p args
$2 = (Parameters *) 0x29
------

The value 0x29 is invalid for a Parameters pointer. Going up the stack, this bad pointer seems to have come from FuncCandidateWalker::fp(), which is trying to coerce f->type into a TypeFunction*, but it's actually a pointer to TypeError. Now, going to investigate how it got to this point without a valid TypeFunction object...
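The type confusion analysed in comment 1, as an added example (not dmd's source and not the fix from the pull request): a C++ model in which the concrete class is confirmed through a runtime tag before the downcast, so a candidate whose type is an error placeholder is reported instead of dereferenced. The class names Type, TypeError and TypeFunction follow the comment; the TY enum, the ty tag, toTypeFunction and candidateToString are assumptions made for illustration.

```cpp
#include <cstddef>
#include <iostream>
#include <string>
#include <vector>

// Constructed model of a compiler type hierarchy; all names are illustrative.
enum TY { Terror, Tfunction };

struct Type {
    TY ty;                          // runtime tag identifying the concrete class
    explicit Type(TY t) : ty(t) {}
    virtual ~Type() {}
};

struct TypeError : Type {           // placeholder left behind by a failed analysis
    TypeError() : Type(Terror) {}
};

struct TypeFunction : Type {
    std::vector<std::string> *parameters;
    explicit TypeFunction(std::vector<std::string> *p) : Type(Tfunction), parameters(p) {}
};

// Checked downcast: consult the tag instead of assuming the concrete class.
// An unchecked static_cast<TypeFunction *>(t) on a TypeError would read
// 'parameters' from memory that was never a parameter list.
TypeFunction *toTypeFunction(Type *t) {
    return (t && t->ty == Tfunction) ? static_cast<TypeFunction *>(t) : NULL;
}

// Render one overload candidate for a diagnostic without trusting its type.
std::string candidateToString(const std::string &name, Type *t) {
    TypeFunction *tf = toTypeFunction(t);
    if (!tf) return name + "(<error>)";
    std::string out = name + "(";
    for (size_t i = 0; tf->parameters && i < tf->parameters->size(); ++i)
        out += (i ? ", " : "") + (*tf->parameters)[i];
    return out + ")";
}

int main() {
    std::vector<std::string> params(2, "int");   // constructed sample signature
    TypeFunction ok(&params);
    TypeError failed;
    std::cout << candidateToString("opSlice", &ok) << "\n";
    std::cout << candidateToString("opSlice", &failed) << "\n";
    return 0;
}
```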
Comment 2 Kenji Hara 2014-09-13 08:38:29 UTC
(In reply to hsteoh from comment #1)
[snip]
>
> The value 0x29 is invalid for a Parameters pointer. Going up the stack, this
> bad pointer seems to have come from FuncCandidateWalker::fp(), which is
> trying to coerce f->type into a TypeFunction*, but it's actually a pointer
> to TypeError. Now, going to investigate how it got to this point without a
> valid TypeFunction object...

Good analysis!

https://github.com/D-Programming-Language/dmd/pull/3983
Comment 3 github-bugzilla 2014-09-14 05:46:13 UTC
Commits pushed to master at https://github.com/D-Programming-Language/dmd

https://github.com/D-Programming-Language/dmd/commit/5ef348bb426bc57fc2af84bfa24d44da2e57790b
fix Issue 13459 - segfault in two auto opSlices()

https://github.com/D-Programming-Language/dmd/commit/90edf53c218822c7f0aa74233df4c33553cfbcff
Merge pull request #3983 from 9rnsr/fix13459

Issue 13459 - segfault in two auto opSlices()
Comment 5 Kenji Hara 2015-03-30 20:24:28 UTC
*** Issue 14377 has been marked as a duplicate of this issue. ***