[Issue 13459] segfault in two auto opSlices()

via Digitalmars-d-bugs digitalmars-d-bugs at puremagic.com
Fri Sep 12 13:35:53 PDT 2014


https://issues.dlang.org/show_bug.cgi?id=13459

hsteoh at quickfur.ath.cx changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |hsteoh at quickfur.ath.cx

--- Comment #1 from hsteoh at quickfur.ath.cx ---
For short code samples, you can just paste the code into the bug report, like
this:
------
struct A {
  auto opSlice () {}
  auto opSlice () { return B; }
}

void main () {
  auto df = A();
  foreach (fi; df[0..0]) {}
}
------

On Linux/x86_64, it doesn't actually go into infinite recursion, but segfaults
on an invalid pointer:
------
(gdb) bt
#0  Parameter::foreach (args=args@entry=0x29, dg=dg@entry=0x40a000 <dimDg(void*, size_t, Parameter*)>,
    ctx=ctx@entry=0x7fffffffe198, pn=pn@entry=0x0) at mtype.c:9182
#1  0x000000000041c3ce in Parameter::dim (args=args@entry=0x29) at mtype.c:9131
#2  0x000000000046c768 in PrettyPrintVisitor::parametersToBuffer (this=this@entry=0x7fffffffe200,
    parameters=parameters@entry=0x29, varargs=varargs@entry=9087320) at hdrgen.c:2909
#3  0x00000000004659bf in parametersTypeToChars (parameters=0x29, varargs=9087320) at hdrgen.c:3106
#4  0x00000000004f70a7 in FuncCandidateWalker::fp (param=0x7fffffffe3b0, s=<optimized out>)
    at func.c:3091
#5  0x00000000004ecd8f in overloadApply (fstart=0x7ffff7edab70, param=0x7fffffffe3b0,
    fp=0x4f7070 <FuncCandidateWalker::fp(void*, Dsymbol*)>) at func.c:2786
#6  0x00000000004edc20 in resolveFuncCall (loc=..., sc=0x7fffffffe198, s=0x0, tiargs=0x3,
    tthis=0x7ffff7395be0 <_IO_helper_jumps>, fargs=0x7ffff7f698a0, flags=0) at func.c:3252
#7  0x00000000004d6251 in CallExp::semantic (this=0x7ffff7f69910, sc=0x7ffff7f67740)
    at expression.c:8279
#8  0x00000000004e5a71 in semantic (sc=0x7ffff7f67740, this=<optimized out>) at expression.c:7801
#9  SliceExp::semantic (this=<optimized out>, sc=0x7ffff7f67740) at expression.c:9716
#10 0x000000000041f8d3 in OpOverload::visit (this=0x7fffffffe590, ae=0x7ffff7edb970) at opover.c:501
#11 0x000000000041f4a6 in op_overload (e=e@entry=0x7ffff7edb970, sc=sc@entry=0x7ffff7f67740)
    at opover.c:1220
#12 0x00000000004dfd3d in op_overload (sc=0x7ffff7f67740, this=0x7ffff7edb970) at expression.h:221
#13 ArrayExp::semantic (this=0x7ffff7edb970, sc=0x7ffff7f67740) at expression.c:10153
#14 0x0000000000422778 in inferAggregate (fes=fes@entry=0x7ffff7edba10, sc=sc@entry=0x7ffff7f67740,
    sapply=@0x7fffffffe6f8: 0x0) at opover.c:1454
#15 0x000000000044673e in ForeachStatement::semantic (this=0x7ffff7edba10, sc=0x7ffff7f67740)
    at statement.c:1592
#16 0x0000000000442d4a in CompoundStatement::semantic (this=0x7ffff7edba70, sc=0x7ffff7f67740)
    at statement.c:1030
#17 0x00000000004ef6f3 in FuncDeclaration::semantic3 (this=0x7ffff7edb2f0,
    sc=0x40a000 <dimDg(void*, size_t, Parameter*)>) at func.c:1615
#18 0x0000000000407400 in Module::semantic3 (this=this@entry=0x7ffff7eda420) at module.c:783
#19 0x0000000000404b5c in tryMain (argc=9, argv=0x899600) at mars.c:1517
#20 0x00007ffff7016b45 in __libc_start_main (main=0x4024d0 <main(int, char const**)>, argc=2,
    argv=0x7fffffffeb78, init=<optimized out>, fini=<optimized out>, rtld_fini=<optimized out>,
    stack_end=0x7fffffffeb68) at libc-start.c:287
#21 0x0000000000402a05 in _start ()
(gdb) p args
$2 = (Parameters *) 0x29
------

The value 0x29 is invalid for a Parameters pointer. Going up the stack, this
bad pointer seems to have come from FuncCandidateWalker::fp(), which is trying
to coerce f->type into a TypeFunction*, but it's actually a pointer to
TypeError. Now, going to investigate how it got to this point without a valid
TypeFunction object...
