From ef83fae50d8f085fe8440bfa595875a2e2329871 Mon Sep 17 00:00:00 2001 From: Nathaniel Shead Date: Mon, 10 Feb 2025 22:15:30 +1100 Subject: [PATCH] c++: Fix use-after-free of replaced friend instantiation [PR118807] When instantiating a friend function, we call register_specialization which adds it to the DECL_TEMPLATE_INSTANTIATIONS of the template. However, in some circumstances we might immediately call pushdecl and find an existing specialisation. In this case, when reregistering the specialisation we also need to update the DECL_TEMPLATE_INSTANTIATIONS list so that we don't try to access the freed spec again later. PR c++/118807 gcc/cp/ChangeLog: * pt.cc (reregister_specialization): Remove spec from DECL_TEMPLATE_INSTANTIATIONS. gcc/testsuite/ChangeLog: * g++.dg/modules/pr118807.C: New test. Signed-off-by: Nathaniel Shead Reviewed-by: Jason Merrill --- gcc/cp/pt.cc | 11 +++++++++++ gcc/testsuite/g++.dg/modules/pr118807.C | 11 +++++++++++ 2 files changed, 22 insertions(+) create mode 100644 gcc/testsuite/g++.dg/modules/pr118807.C diff --git a/gcc/cp/pt.cc b/gcc/cp/pt.cc index 8108bf5de65..f857b3f1180 100644 --- a/gcc/cp/pt.cc +++ b/gcc/cp/pt.cc @@ -1985,6 +1985,17 @@ reregister_specialization (tree spec, tree tinfo, tree new_spec) gcc_assert (entry->spec == spec || entry->spec == new_spec); gcc_assert (new_spec != NULL_TREE); entry->spec = new_spec; + + /* We need to also remove SPEC from DECL_TEMPLATE_INSTANTIATIONS + if it was placed there. */ + for (tree *inst = &DECL_TEMPLATE_INSTANTIATIONS (elt.tmpl); + *inst; inst = &TREE_CHAIN (*inst)) + if (TREE_VALUE (*inst) == spec) + { + *inst = TREE_CHAIN (*inst); + break; + } + return 1; } diff --git a/gcc/testsuite/g++.dg/modules/pr118807.C b/gcc/testsuite/g++.dg/modules/pr118807.C new file mode 100644 index 00000000000..a97afb92699 --- /dev/null +++ b/gcc/testsuite/g++.dg/modules/pr118807.C @@ -0,0 +1,11 @@ +// PR c++/118807 +// { dg-additional-options "-fmodules --param=ggc-min-expand=0 --param=ggc-min-heapsize=0 -Wno-global-module" } + +module; +template class basic_streambuf; +template struct basic_streambuf { + friend void __istream_extract(); +}; +template class basic_streambuf; +template class basic_streambuf; +export module M; -- 2.47.2