http://gcc.gnu.org/bugzilla/show_bug.cgi?id=49322
Jakub Jelinek <jakub at gcc dot gnu.org> changed:
What |Removed |Added
----------------------------------------------------------------------------
CC| |jakub at gcc dot gnu.org
--- Comment #4 from Jakub Jelinek <jakub at gcc dot gnu.org> 2011-06-08
12:45:07 UTC ---
Indeed, this is caused by
http://gcc.gnu.org/viewcvs?root=gcc&view=rev&rev=174772
deduction_tsubst_fntype is called, creates a TREE_LIST, pushes it using
push_tinst_level, then during tsubst call (much deeper in the backtrace fact)
add_pending_template is called, which sticks pointer to current_tinst_level
(whose chain goes back to struct tinst_level that points to the TREE_LIST
from deduction_tsubst_fntype), then some pop_tinst_level calls are called
and finally tsubst returns to deduction_tsubst_fntype, which calls
pop_tinst_level (but, all those pop_tinst_level calls just tweak
current_tinst_level, they don't change what add_pending_template remembered)
and then ggc_frees the TREE_LIST, which means that during GC
pending_templates(->next)*->tinst(->next)*->decl suddenly points to
freed memory and thus crashes.
Either it shouldn't be freed, or before calling pop_tinst_level it should be
reset to NULL or something similar (current_tinst_level->decl = NULL;
pop_tinst_level (); ggc_free (tinst); ?), or it is wrong that
add_pending_template has been called or remembered that.
