由 lambda 包装器对可变参数模板函数调用引起的 gcc 分段错误

我今天花了好几个小时试图理解为什么这段代码 http://melpon.org/wandbox/permlink/HfrjVkob1QP476QT出现段错误g++6.2 and g++7.0，同时按预期愉快地工作clang++3.9 (and 4.0).

我将问题简化为85 行独立代码片段 http://melpon.org/wandbox/permlink/ACW1w5CDsyK6rSB6, which 没有段错误正常执行时，但是always在 UBSAN 下报告错误。

问题可在 wandbox 上重现 http://melpon.org/wandbox/permlink/ACW1w5CDsyK6rSB6，通过编译g++7，实现优化和传递-fsanitize=undefined作为额外的标志。

这是 UBSAN 的报道：

prog.cc: In function 'int main()':
prog.cc:61:49: warning: 'ns#0' is used uninitialized in this function [-Wuninitialized]
         ([&] { ([&] { n.execute(ns...); })(); })();
         ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~^~
prog.cc:28:10: note: 'ns#0' was declared here
     auto execute(TNode& n, TNodes&... ns)
          ^~~~~~~
prog.cc:30:9: runtime error: member call on null pointer of type 'struct node_then'

g++声称ns#0在“lambda 乱码”中未初始化（它模拟了for_tuple来自原始片段）。现在，发生了一些非常有趣的事情：

• 如果我删除“lambda 胡言乱语”，则转换line 61 into

   n.execute(ns...);
  

  然后 UBSAN 就不再抱怨了。

• If 我将捕获列表更改为[&] to [&n, &ns...]，UBSAN 也停止抱怨：

   ([&](auto) { ([&n, &ns...] { n.execute(ns...); })(); })(0);
  

  ...等等什么？这和有什么不同[&]?

将上述发现应用到原始代码片段中修复段错误 http://melpon.org/wandbox/permlink/pEs8JcvKpp723vd3.

这是一个g++漏洞？或者我的代码中有任何未定义的行为？

这无关与临时的 http://melpon.org/wandbox/permlink/dT6dHxuaEqgvA3Be：这是一个 gcc7.0 优化器错误。这是一个更简单的再现器：

#include <utility>

struct root
{
  template <typename TNode, typename... TNodes>
  void start(TNode n, TNodes... ns)
  {
    n->execute(ns...);
  }
};

template <typename TParent>
struct node_then
{
  TParent *_p;

  node_then(TParent *p) : _p{ p }
  {
  }

  auto execute()
  {
  }

  template <typename TNode, typename... TNodes>
  auto execute(TNode n, TNodes... ns)
  {
    n->execute(ns...);
  }

  template <typename... TNodes>
  auto start(TNodes... ns)
  {
    _p->start(this, ns...);
  }
};

template <typename TParent>
struct node_wait_all
{
  TParent *_p;

  node_wait_all(TParent *p) : _p{ p }
  {
  }

  template <typename TNode, typename... TNodes>
  auto execute(TNode n, TNodes... ns)
  {
    ([&] { ([&] { n->execute(ns...); })(); })();
  }

  template <typename... TNodes>
  auto start(TNodes... ns)
  {
    _p->start(this, ns...);
  }
};


int main()
{
  //node_wait_all<root> obj(new root());
  //node_then<node_wait_all<root>> obj2(new node_wait_all<root>(new root()));
  node_then<node_then<node_wait_all<root>>> obj3(new node_then<node_wait_all<root>>(new node_wait_all<root>(new root())));
  obj3.start();
}

Output:

prog.cc: In function 'int main()':
prog.cc:67:1: internal compiler error: in visit_ref_for_mod_analysis, at ipa-prop.c:2308
 }
 ^
0x96c4d6 visit_ref_for_mod_analysis
    /home/heads/gcc/gcc-source/gcc/ipa-prop.c:2308
0x8f615d walk_stmt_load_store_addr_ops(gimple*, void*, bool (*)(gimple*, tree_node*, tree_node*, void*), bool (*)(gimple*, tree_node*, tree_node*, void*), bool (*)(gimple*, tree_node*, tree_node*, void*))
    /home/heads/gcc/gcc-source/gcc/gimple-walk.c:817
0x9761a2 ipa_analyze_params_uses_in_bb
    /home/heads/gcc/gcc-source/gcc/ipa-prop.c:2335
0x9761a2 analysis_dom_walker::before_dom_children(basic_block_def*)
    /home/heads/gcc/gcc-source/gcc/ipa-prop.c:2415
0x10c8472 dom_walker::walk(basic_block_def*)
    /home/heads/gcc/gcc-source/gcc/domwalk.c:265
0x977ceb ipa_analyze_node(cgraph_node*)
    /home/heads/gcc/gcc-source/gcc/ipa-prop.c:2486
0x1108f0a ipcp_generate_summary
    /home/heads/gcc/gcc-source/gcc/ipa-cp.c:5036
0xa4759c execute_ipa_summary_passes(ipa_opt_pass_d*)
    /home/heads/gcc/gcc-source/gcc/passes.c:2167
0x7d6b45 ipa_passes
    /home/heads/gcc/gcc-source/gcc/cgraphunit.c:2311
0x7d6b45 symbol_table::compile()
    /home/heads/gcc/gcc-source/gcc/cgraphunit.c:2425
0x7d8616 symbol_table::compile()
    /home/heads/gcc/gcc-source/gcc/cgraphunit.c:2587
0x7d8616 symbol_table::finalize_compilation_unit()
    /home/heads/gcc/gcc-source/gcc/cgraphunit.c:2584
Please submit a full bug report,
with preprocessed source if appropriate.
Please include the complete backtrace with any bug report.
See <http://gcc.gnu.org/bugs.html> for instructions.

Link: http://melpon.org/wandbox/permlink/E11fOumFJda6OW6m http://melpon.org/wandbox/permlink/E11fOumFJda6OW6m

为了帮助理解这段代码，我使用了一个强大的调试工具：paint.exe