gcc 15+ miscompiles structured bindings in coroutine loops (tracking upstream gcc PR 124584)

[travisdowns]

Tracking issue for upstream gcc bug PR 124584 - [C++20 Coroutines] Destructor of tuple-protocol structured binding from co_await skipped at -O1+ (regression in 15) - as it affects seastar.

The bug, in one line: gcc 15+ miscompiles tuple-protocol structured bindings in coroutine loops. When auto [...] = co_await ...; sits in a while / for body inside a coroutine, gcc's lifetime tracking of the hidden tuple that backs the binding is broken across loop iterations, so the destructor either gets skipped (leaks) or runs on memory that was never tuple-constructed (UBSan / ASan aborts).

Credit: Avi root-caused this class of failure to the gcc bug while investigating the pollable_fd_state leak in the cross-shard accept path (see #3394). Several other seastar failures are downstream of the same compiler bug.

Symptoms seen in seastar

1. Destructor skipped between loop iterations - the structured-binding-captured object (a pollable_fd wrapper, an intrusive_ptr, etc.) is never destroyed at end-of-iteration, surfacing as a memory leak. Seen on the accept loops.
2. Destructor runs on uninitialized memory - at end-of-iteration the hidden tuple's destructor fires on stack that was never tuple-constructed, hitting ASan/UBSan. In sanitize mode this aborts both rpc client and server loops at startup:

   /usr/include/c++/15/optional:337:12: runtime error:
     load of value 190, which is not a valid value for type 'bool'
   

Reproduced with gcc-15.2 on ubuntu 26.04, sanitize+C++23, detect_stack_use_after_return=1. Clang appears unaffected.

Affected sites in seastar

All four are structured bindings decomposed from a co_await inside a coroutine loop, all introduced ~Aug 2025 when these loops were coroutinized:

• src/net/posix-stack.cc:705 auto [fd, sa] = co_await _lfd.accept(); in posix_server_socket_impl::accept - worked around in net: posix: fix pollable_fd_state leak on cross-shard connection forwarding #3394 by explicitly closing fd after extracting the raw file_desc
• src/net/posix-stack.cc:709 the proxy-protocol branch reached from the same accept coroutine - addressed in net: posix: close abandoned proxy protocol connection early #3393 by closing abandoned connections eagerly rather than relying on coroutine-frame destruction
• src/rpc/rpc.cc:998 auto&& [msg_id, ht, data] = co_await read_response_frame_compressed(...) in client::loop (587096a)
• src/rpc/rpc.cc:1236 auto [expire, type, msg_id, data] = co_await read_request_frame_compressed(...) in server::connection::process() (ee2007f)

Replacing either rpc structured binding with a named local variable + std::get<> makes the UBSan abort disappear, confirming the structured-binding hidden-tuple lifetime is the cause.

Related work already in flight in this repo

• net: posix: close abandoned proxy protocol connection early #3393 (draft, Avi) - net: posix: close abandoned proxy protocol connection early. Works around the missed end-of-iteration destructor.
• net: posix: fix pollable_fd_state leak on cross-shard connection forwarding #3394 (draft, Avi) - net: posix: fix pollable_fd_state leak on cross-shard connection forwarding. PR description identifies the trigger as "the coroutine frame did not destroy the structured binding variable between iterations".
• build: don't recover from sanitizer failures #2924 (draft) - build: don't recover from sanitizer failures. Cannot land while sanitize mode trips on this bug.
• github: revamp test matrix (allpairs, containers, arm) #3412 (draft) - github: revamp test matrix; first PR to attempt running g++ + sanitize in CI and the one that surfaced the rpc UBSan symptom above.

Workaround in this repo until gcc fixes 124584

.github/workflows/gen-matrix.py excludes g++ + debug and g++ + sanitize from the CI matrix. To be reverted once a fixed gcc is in the CI containers:

• Drop the g++ + debug and g++ + sanitize rows from EXCLUDED_PAIRS in .github/workflows/gen-matrix.py.

(Add further items here if other workarounds accumulate.)