https://gcc.gnu.org/bugzilla/show_bug.cgi?id=123871

            Bug ID: 123871
           Summary: ICE in finish_expr_stmt, at cp/semantics.cc:1174,
                    Splicer in generic lambda allows out of bounds array
                    access
           Product: gcc
           Version: 16.0
            Status: UNCONFIRMED
          Severity: normal
          Priority: P3
         Component: c++
          Assignee: unassigned at gcc dot gnu.org
          Reporter: nylonhat at gmail dot com
  Target Milestone: ---

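A splicer inside a generic lambda accepts an out-of-bounds array index during
constant evaluation, which leads to an ICE. In the reproducer below, `array` has
one element and the splice reads `array[100]`; an out-of-bounds read is not a
constant expression, so the expected outcome is an ordinary compile error rather
than an internal compiler error. See: https://godbolt.org/z/z3qr9EaeG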

```

#include <meta>

template<class T>
consteval auto test(){
    // Reproducer: splice an out-of-range element of a constexpr std::meta::info array inside a generic lambda.
    auto lambda = [](this auto){  // the deduced explicit object parameter makes this a generic lambda
        constexpr std::meta::info array[1] = {^^T};  // one element: the reflection of T
        using X = [: array[100] :];  // index 100 is past the single element; per this report it is not rejected
        sizeof(X);  // <source>:9:9 -- the ICE in finish_expr_stmt is reported at this statement
    };  // never called here; the backtrace shows the crash in tsubst_lambda_expr under instantiate_decl
}

int main(){
    test<int>();  // <source>:14:14 -- the instantiation the diagnostic marks "required from here"
    return 0;
}

<source>: In instantiation of 'consteval auto test() [with T = int]':
required from here
<source>:14:14:   
   14 |     test<int>();
      |     ~~~~~~~~~^~
<source>:9:9: internal compiler error: in finish_expr_stmt, at
cp/semantics.cc:1174
    9 |         sizeof(X);
      |         ^~~~~~
0x2957168 diagnostics::context::diagnostic_impl(rich_location*,
diagnostics::metadata const*, diagnostics::option_id, char const*,
__va_list_tag (*) [1], diagnostics::kind)
        ???:0
0x294beab internal_error(char const*, ...)
        ???:0
0xb1f70a fancy_abort(char const*, int, char const*)
        ???:0
0xd925de tsubst_lambda_expr(tree_node*, tree_node*, int, tree_node*)
        ???:0
0xdcb5dd instantiate_decl(tree_node*, bool, bool)
        ???:0
0xc38eb3 maybe_instantiate_decl(tree_node*)
        ???:0
0xc3ae97 mark_used(tree_node*, int)
        ???:0
0xb5810e build_new_function_call(tree_node*, vec<tree_node*, va_gc,
vl_embed>**, int)
        ???:0
0xe05d85 finish_call_expr(tree_node*, vec<tree_node*, va_gc, vl_embed>**, bool,
bool, int)
        ???:0
0xd69053 c_parse_file()
        ???:0
0xef2369 c_common_parse_file()
        ???:0
/cefs/a3/a35d908bb33eb3b404523ba6_gcc-trunk-20260129/bin/../libexec/gcc/x86_64-linux-gnu/16.0.1/cc1plus
-quiet -imultiarch x86_64-linux-gnu -iprefix
/cefs/a3/a35d908bb33eb3b404523ba6_gcc-trunk-20260129/bin/../lib/gcc/x86_64-linux-gnu/16.0.1/
-D_GNU_SOURCE <source> -quiet -dumpdir /app/ -dumpbase output.cpp -dumpbase-ext
.cpp -masm=intel -mtune=generic -march=x86-64 -g -O3 -std=c++26
-fdiagnostics-color=always -fno-verbose-asm -freflection -o /app/output.s
Please submit a full bug report, with preprocessed source (by using
-freport-bug).
Please include the complete backtrace with any bug report.
See <https://gcc.gnu.org/bugs/> for instructions.
Compiler returned: 1
```
