http://gcc.gnu.org/bugzilla/show_bug.cgi?id=53136
Bug #: 53136
Summary: Use after free in ipa_make_edge_direct_to_target, cxx_printable_name_internal problem
Classification: Unclassified
Product: gcc
Version: 4.8.0
Status: UNCONFIRMED
Severity: normal
Priority: P3
Component: c++
AssignedTo: unassig...@gcc.gnu.org
ReportedBy: ubiz...@gmail.com
Target: x86_64-pc-linux-gnu

Running compilation of iinline-2.C from the gcc/testsuite/g++.dg/ipa test directory under valgrind on x86_64-pc-linux-gnu, I got:

$ valgrind ~/gcc-build/gcc/cc1plus -O3 -fdump-ipa-inline -fno-early-inlining -quiet iinline-2.C

[uros@localhost ipa]$ valgrind ~/gcc-build/gcc/cc1plus -O3 -fdump-ipa-inline -fno-early-inlining -quiet iinline-2.C
==15980== Memcheck, a memory error detector
==15980== Copyright (C) 2002-2010, and GNU GPL'd, by Julian Seward et al.
==15980== Using Valgrind-3.6.1 and LibVEX; rerun with -h for copyright info
==15980== Command: /home/uros/gcc-build/gcc/cc1plus -O3 -fdump-ipa-inline -fno-early-inlining -quiet iinline-2.C
==15980==
==15980== Invalid read of size 8
==15980==    at 0xFB8954: search_line_sse42(unsigned char const*, unsigned char const*) (lex.c:461)
==15980==    by 0xFB8E61: _cpp_clean_line (lex.c:739)
==15980==    by 0xFB9887: _cpp_get_fresh_line (lex.c:2000)
==15980==    by 0xFBAFC0: _cpp_lex_direct (lex.c:2065)
==15980==    by 0xFBBD4B: _cpp_lex_token (lex.c:1939)
==15980==    by 0xFBFE8F: cpp_get_token_1(cpp_reader*, unsigned int*) (macro.c:2245)
==15980==    by 0x717582: c_lex_with_flags(tree_node**, unsigned int*, unsigned char*, int) (c-lex.c:302)
==15980==    by 0x5EFADF: cp_lexer_get_preprocessor_token(cp_lexer*, cp_token*) (parser.c:721)
==15980==    by 0x61D998: c_parse_file() (parser.c:600)
==15980==    by 0x71D684: c_common_parse_file() (c-opts.c:1124)
==15980==    by 0xA6005F: toplev_main(int, char**) (toplev.c:555)
==15980==    by 0x322F62169C: (below main) (libc-start.c:226)
==15980==  Address 0x4cf8ba8 is 0 bytes after a block of size 1,128 alloc'd
==15980==    at 0x4A075B2: realloc (vg_replace_malloc.c:525)
==15980==    by 0xFE4E7C: xrealloc (xmalloc.c:179)
==15980==    by 0xFAD973: _cpp_convert_input (charset.c:1734)
==15980==    by 0xFB61EA: read_file(cpp_reader*, _cpp_file*) (files.c:652)
==15980==    by 0xFB6D9D: _cpp_stack_file (files.c:723)
==15980==    by 0xFB86F7: cpp_read_main_file(cpp_reader*, char const*) (init.c:593)
==15980==    by 0x71CCEB: c_common_post_options(char const**) (c-opts.c:1056)
==15980==    by 0xA5F9FA: toplev_main(int, char**) (toplev.c:1228)
==15980==    by 0x322F62169C: (below main) (libc-start.c:226)
==15980==
==15980== Invalid read of size 1
==15980==    at 0x322F64B3C6: vfprintf (vfprintf.c:1571)
==15980==    by 0x322F651F46: fprintf (fprintf.c:33)
==15980==    by 0x93FB69: ipa_make_edge_direct_to_target(cgraph_edge*, tree_node*) (ipa-prop.c:1784)
==15980==    by 0x9400FC: propagate_info_to_inlined_callees(cgraph_edge*, cgraph_node*, VEC_cgraph_edge_p_heap**) (ipa-prop.c:1813)
==15980==    by 0x940318: ipa_propagate_indirect_call_infos(cgraph_edge*, VEC_cgraph_edge_p_heap**) (ipa-prop.c:1969)
==15980==    by 0xF2886E: ipa_inline() (ipa-inline.c:1519)
==15980==    by 0x9BBBD4: execute_one_pass(opt_pass*) (passes.c:2176)
==15980==    by 0x9BC3E9: execute_ipa_pass_list(opt_pass*) (passes.c:2543)
==15980==    by 0x7B006D: cgraph_optimize() (cgraphunit.c:1856)
==15980==    by 0x7B03AE: cgraph_finalize_compilation_unit() (cgraphunit.c:2435)
==15980==    by 0x5DD8FA: cp_write_global_declarations() (decl2.c:4030)
==15980==    by 0xA600AB: toplev_main(int, char**) (toplev.c:571)
==15980==  Address 0xb7bac50 is 0 bytes inside a block of size 31 free'd
==15980==    at 0x4A0662E: free (vg_replace_malloc.c:366)
==15980==    by 0x68C540: cxx_printable_name_internal(tree_node*, int, bool) (tree.c:1615)
==15980==    by 0x93FB33: ipa_make_edge_direct_to_target(cgraph_edge*, tree_node*) (cgraph.h:755)
==15980==    by 0x9400FC: propagate_info_to_inlined_callees(cgraph_edge*, cgraph_node*, VEC_cgraph_edge_p_heap**) (ipa-prop.c:1813)
==15980==    by 0x940318: ipa_propagate_indirect_call_infos(cgraph_edge*, VEC_cgraph_edge_p_heap**) (ipa-prop.c:1969)
==15980==    by 0xF2886E: ipa_inline() (ipa-inline.c:1519)
==15980==    by 0x9BBBD4: execute_one_pass(opt_pass*) (passes.c:2176)
==15980==    by 0x9BC3E9: execute_ipa_pass_list(opt_pass*) (passes.c:2543)
==15980==    by 0x7B006D: cgraph_optimize() (cgraphunit.c:1856)
==15980==    by 0x7B03AE: cgraph_finalize_compilation_unit() (cgraphunit.c:2435)
==15980==    by 0x5DD8FA: cp_write_global_declarations() (decl2.c:4030)
==15980==    by 0xA600AB: toplev_main(int, char**) (toplev.c:571)
==15980==
==15980== Invalid read of size 2
==15980==    at 0x322F68BF7B: __GI_mempcpy (memcpy.S:84)
==15980==    by 0x322F679375: _IO_file_xsputn@@GLIBC_2.2.5 (fileops.c:1350)
==15980==    by 0x322F64B3A7: vfprintf (vfprintf.c:1571)
==15980==    by 0x322F651F46: fprintf (fprintf.c:33)
==15980==    by 0x93FB69: ipa_make_edge_direct_to_target(cgraph_edge*, tree_node*) (ipa-prop.c:1784)
==15980==    by 0x9400FC: propagate_info_to_inlined_callees(cgraph_edge*, cgraph_node*, VEC_cgraph_edge_p_heap**) (ipa-prop.c:1813)
==15980==    by 0x940318: ipa_propagate_indirect_call_infos(cgraph_edge*, VEC_cgraph_edge_p_heap**) (ipa-prop.c:1969)
==15980==    by 0xF2886E: ipa_inline() (ipa-inline.c:1519)
==15980==    by 0x9BBBD4: execute_one_pass(opt_pass*) (passes.c:2176)
==15980==    by 0x9BC3E9: execute_ipa_pass_list(opt_pass*) (passes.c:2543)
==15980==    by 0x7B006D: cgraph_optimize() (cgraphunit.c:1856)
==15980==    by 0x7B03AE: cgraph_finalize_compilation_unit() (cgraphunit.c:2435)
==15980==  Address 0xb7bac50 is 0 bytes inside a block of size 31 free'd
==15980==    at 0x4A0662E: free (vg_replace_malloc.c:366)
==15980==    by 0x68C540: cxx_printable_name_internal(tree_node*, int, bool) (tree.c:1615)
==15980==    by 0x93FB33: ipa_make_edge_direct_to_target(cgraph_edge*, tree_node*) (cgraph.h:755)
==15980==    by 0x9400FC: propagate_info_to_inlined_callees(cgraph_edge*, cgraph_node*, VEC_cgraph_edge_p_heap**) (ipa-prop.c:1813)
==15980==    by 0x940318: ipa_propagate_indirect_call_infos(cgraph_edge*, VEC_cgraph_edge_p_heap**) (ipa-prop.c:1969)
==15980==    by 0xF2886E: ipa_inline() (ipa-inline.c:1519)
==15980==    by 0x9BBBD4: execute_one_pass(opt_pass*) (passes.c:2176)
==15980==    by 0x9BC3E9: execute_ipa_pass_list(opt_pass*) (passes.c:2543)
==15980==    by 0x7B006D: cgraph_optimize() (cgraphunit.c:1856)
==15980==    by 0x7B03AE: cgraph_finalize_compilation_unit() (cgraphunit.c:2435)
==15980==    by 0x5DD8FA: cp_write_global_declarations() (decl2.c:4030)
==15980==    by 0xA600AB: toplev_main(int, char**) (toplev.c:571)
==15980==
==15980== Invalid read of size 4
==15980==    at 0x322F68BF8E: __GI_mempcpy (memcpy.S:96)
==15980==    by 0x322F679375: _IO_file_xsputn@@GLIBC_2.2.5 (fileops.c:1350)
==15980==    by 0x322F64B3A7: vfprintf (vfprintf.c:1571)
==15980==    by 0x322F651F46: fprintf (fprintf.c:33)
==15980==    by 0x93FB69: ipa_make_edge_direct_to_target(cgraph_edge*, tree_node*) (ipa-prop.c:1784)
==15980==    by 0x9400FC: propagate_info_to_inlined_callees(cgraph_edge*, cgraph_node*, VEC_cgraph_edge_p_heap**) (ipa-prop.c:1813)
==15980==    by 0x940318: ipa_propagate_indirect_call_infos(cgraph_edge*, VEC_cgraph_edge_p_heap**) (ipa-prop.c:1969)
==15980==    by 0xF2886E: ipa_inline() (ipa-inline.c:1519)
==15980==    by 0x9BBBD4: execute_one_pass(opt_pass*) (passes.c:2176)
==15980==    by 0x9BC3E9: execute_ipa_pass_list(opt_pass*) (passes.c:2543)
==15980==    by 0x7B006D: cgraph_optimize() (cgraphunit.c:1856)
==15980==    by 0x7B03AE: cgraph_finalize_compilation_unit() (cgraphunit.c:2435)
==15980==  Address 0xb7bac52 is 2 bytes inside a block of size 31 free'd
==15980==    at 0x4A0662E: free (vg_replace_malloc.c:366)
==15980==    by 0x68C540: cxx_printable_name_internal(tree_node*, int, bool) (tree.c:1615)
==15980==    by 0x93FB33: ipa_make_edge_direct_to_target(cgraph_edge*, tree_node*) (cgraph.h:755)
==15980==    by 0x9400FC: propagate_info_to_inlined_callees(cgraph_edge*, cgraph_node*, VEC_cgraph_edge_p_heap**) (ipa-prop.c:1813)
==15980==    by 0x940318: ipa_propagate_indirect_call_infos(cgraph_edge*, VEC_cgraph_edge_p_heap**) (ipa-prop.c:1969)
==15980==    by 0xF2886E: ipa_inline() (ipa-inline.c:1519)
==15980==    by 0x9BBBD4: execute_one_pass(opt_pass*) (passes.c:2176)
==15980==    by 0x9BC3E9: execute_ipa_pass_list(opt_pass*) (passes.c:2543)
==15980==    by 0x7B006D: cgraph_optimize() (cgraphunit.c:1856)
==15980==    by 0x7B03AE: cgraph_finalize_compilation_unit() (cgraphunit.c:2435)
==15980==    by 0x5DD8FA: cp_write_global_declarations() (decl2.c:4030)
==15980==    by 0xA600AB: toplev_main(int, char**) (toplev.c:571)
==15980==
==15980== Invalid read of size 8
==15980==    at 0x322F68BF9F: __GI_mempcpy (memcpy.S:108)
==15980==    by 0x322F679375: _IO_file_xsputn@@GLIBC_2.2.5 (fileops.c:1350)
==15980==    by 0x322F64B3A7: vfprintf (vfprintf.c:1571)
==15980==    by 0x322F651F46: fprintf (fprintf.c:33)
==15980==    by 0x93FB69: ipa_make_edge_direct_to_target(cgraph_edge*, tree_node*) (ipa-prop.c:1784)
==15980==    by 0x9400FC: propagate_info_to_inlined_callees(cgraph_edge*, cgraph_node*, VEC_cgraph_edge_p_heap**) (ipa-prop.c:1813)
==15980==    by 0x940318: ipa_propagate_indirect_call_infos(cgraph_edge*, VEC_cgraph_edge_p_heap**) (ipa-prop.c:1969)
==15980==    by 0xF2886E: ipa_inline() (ipa-inline.c:1519)
==15980==    by 0x9BBBD4: execute_one_pass(opt_pass*) (passes.c:2176)
==15980==    by 0x9BC3E9: execute_ipa_pass_list(opt_pass*) (passes.c:2543)
==15980==    by 0x7B006D: cgraph_optimize() (cgraphunit.c:1856)
==15980==    by 0x7B03AE: cgraph_finalize_compilation_unit() (cgraphunit.c:2435)
==15980==  Address 0xb7bac56 is 6 bytes inside a block of size 31 free'd
==15980==    at 0x4A0662E: free (vg_replace_malloc.c:366)
==15980==    by 0x68C540: cxx_printable_name_internal(tree_node*, int, bool) (tree.c:1615)
==15980==    by 0x93FB33: ipa_make_edge_direct_to_target(cgraph_edge*, tree_node*) (cgraph.h:755)
==15980==    by 0x9400FC: propagate_info_to_inlined_callees(cgraph_edge*, cgraph_node*, VEC_cgraph_edge_p_heap**) (ipa-prop.c:1813)
==15980==    by 0x940318: ipa_propagate_indirect_call_infos(cgraph_edge*, VEC_cgraph_edge_p_heap**) (ipa-prop.c:1969)
==15980==    by 0xF2886E: ipa_inline() (ipa-inline.c:1519)
==15980==    by 0x9BBBD4: execute_one_pass(opt_pass*) (passes.c:2176)
==15980==    by 0x9BC3E9: execute_ipa_pass_list(opt_pass*) (passes.c:2543)
==15980==    by 0x7B006D: cgraph_optimize() (cgraphunit.c:1856)
==15980==    by 0x7B03AE: cgraph_finalize_compilation_unit() (cgraphunit.c:2435)
==15980==    by 0x5DD8FA: cp_write_global_declarations() (decl2.c:4030)
==15980==    by 0xA600AB: toplev_main(int, char**) (toplev.c:571)
==15980==
==15980== Invalid read of size 8
==15980==    at 0x322F68BFC0: __GI_mempcpy (memcpy.S:123)
==15980==    by 0x322F679375: _IO_file_xsputn@@GLIBC_2.2.5 (fileops.c:1350)
==15980==    by 0x322F64B3A7: vfprintf (vfprintf.c:1571)
==15980==    by 0x322F651F46: fprintf (fprintf.c:33)
==15980==    by 0x93FB69: ipa_make_edge_direct_to_target(cgraph_edge*, tree_node*) (ipa-prop.c:1784)
==15980==    by 0x9400FC: propagate_info_to_inlined_callees(cgraph_edge*, cgraph_node*, VEC_cgraph_edge_p_heap**) (ipa-prop.c:1813)
==15980==    by 0x940318: ipa_propagate_indirect_call_infos(cgraph_edge*, VEC_cgraph_edge_p_heap**) (ipa-prop.c:1969)
==15980==    by 0xF2886E: ipa_inline() (ipa-inline.c:1519)
==15980==    by 0x9BBBD4: execute_one_pass(opt_pass*) (passes.c:2176)
==15980==    by 0x9BC3E9: execute_ipa_pass_list(opt_pass*) (passes.c:2543)
==15980==    by 0x7B006D: cgraph_optimize() (cgraphunit.c:1856)
==15980==    by 0x7B03AE: cgraph_finalize_compilation_unit() (cgraphunit.c:2435)
==15980==  Address 0xb7bac5e is 14 bytes inside a block of size 31 free'd
==15980==    at 0x4A0662E: free (vg_replace_malloc.c:366)
==15980==    by 0x68C540: cxx_printable_name_internal(tree_node*, int, bool) (tree.c:1615)
==15980==    by 0x93FB33: ipa_make_edge_direct_to_target(cgraph_edge*, tree_node*) (cgraph.h:755)
==15980==    by 0x9400FC: propagate_info_to_inlined_callees(cgraph_edge*, cgraph_node*, VEC_cgraph_edge_p_heap**) (ipa-prop.c:1813)
==15980==    by 0x940318: ipa_propagate_indirect_call_infos(cgraph_edge*, VEC_cgraph_edge_p_heap**) (ipa-prop.c:1969)
==15980==    by 0xF2886E: ipa_inline() (ipa-inline.c:1519)
==15980==    by 0x9BBBD4: execute_one_pass(opt_pass*) (passes.c:2176)
==15980==    by 0x9BC3E9: execute_ipa_pass_list(opt_pass*) (passes.c:2543)
==15980==    by 0x7B006D: cgraph_optimize() (cgraphunit.c:1856)
==15980==    by 0x7B03AE: cgraph_finalize_compilation_unit() (cgraphunit.c:2435)
==15980==    by 0x5DD8FA: cp_write_global_declarations() (decl2.c:4030)
==15980==    by 0xA600AB: toplev_main(int, char**) (toplev.c:571)
==15980==
==15980== Invalid read of size 8
==15980==    at 0x322F68BFC3: __GI_mempcpy (memcpy.S:124)
==15980==    by 0x322F679375: _IO_file_xsputn@@GLIBC_2.2.5 (fileops.c:1350)
==15980==    by 0x322F64B3A7: vfprintf (vfprintf.c:1571)
==15980==    by 0x322F651F46: fprintf (fprintf.c:33)
==15980==    by 0x93FB69: ipa_make_edge_direct_to_target(cgraph_edge*, tree_node*) (ipa-prop.c:1784)
==15980==    by 0x9400FC: propagate_info_to_inlined_callees(cgraph_edge*, cgraph_node*, VEC_cgraph_edge_p_heap**) (ipa-prop.c:1813)
==15980==    by 0x940318: ipa_propagate_indirect_call_infos(cgraph_edge*, VEC_cgraph_edge_p_heap**) (ipa-prop.c:1969)
==15980==    by 0xF2886E: ipa_inline() (ipa-inline.c:1519)
==15980==    by 0x9BBBD4: execute_one_pass(opt_pass*) (passes.c:2176)
==15980==    by 0x9BC3E9: execute_ipa_pass_list(opt_pass*) (passes.c:2543)
==15980==    by 0x7B006D: cgraph_optimize() (cgraphunit.c:1856)
==15980==    by 0x7B03AE: cgraph_finalize_compilation_unit() (cgraphunit.c:2435)
==15980==  Address 0xb7bac66 is 22 bytes inside a block of size 31 free'd
==15980==    at 0x4A0662E: free (vg_replace_malloc.c:366)
==15980==    by 0x68C540: cxx_printable_name_internal(tree_node*, int, bool) (tree.c:1615)
==15980==    by 0x93FB33: ipa_make_edge_direct_to_target(cgraph_edge*, tree_node*) (cgraph.h:755)
==15980==    by 0x9400FC: propagate_info_to_inlined_callees(cgraph_edge*, cgraph_node*, VEC_cgraph_edge_p_heap**) (ipa-prop.c:1813)
==15980==    by 0x940318: ipa_propagate_indirect_call_infos(cgraph_edge*, VEC_cgraph_edge_p_heap**) (ipa-prop.c:1969)
==15980==    by 0xF2886E: ipa_inline() (ipa-inline.c:1519)
==15980==    by 0x9BBBD4: execute_one_pass(opt_pass*) (passes.c:2176)
==15980==    by 0x9BC3E9: execute_ipa_pass_list(opt_pass*) (passes.c:2543)
==15980==    by 0x7B006D: cgraph_optimize() (cgraphunit.c:1856)
==15980==    by 0x7B03AE: cgraph_finalize_compilation_unit() (cgraphunit.c:2435)
==15980==    by 0x5DD8FA: cp_write_global_declarations() (decl2.c:4030)
==15980==    by 0xA600AB: toplev_main(int, char**) (toplev.c:571)
==15980==
==15980==
==15980== HEAP SUMMARY:
==15980==     in use at exit: 634,303 bytes in 2,360 blocks
==15980==   total heap usage: 34,102 allocs, 31,742 frees, 18,152,263 bytes allocated

The search_line_sse42 failure is not problematic, but the others look like there is something wrong with the caching in cxx_printable_name_internal (this is the reason for the c++ component in the report). Indeed, returning early from this function via:

return lang_decl_name (decl, v, translate);

"fixes" all these use-after-free problems.

This problem looks related to a testsuite assembly scan failure in iinline-2.C on alpha [1], where garbage is output in a related dump:

_ZNK6String7funcOneEi/13 (int String::funcOne(int) const) @0x20006c28c30
  Type: function
  Visibility: public
  References:
  Referring:
  Function pn� /13 is inline copy in int main(int, char**)/6    <<< *here*
  Clone of _ZNK6String7funcOneEi/3
  Availability: local

[1] http://gcc.gnu.org/ml/gcc-testresults/2012-04/msg02722.html
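The defect class the report points at (a printable-name routine that hands out pointers into a small ring cache and frees the oldest entry, so a caller that keeps such a pointer across further lookups ends up passing freed memory to fprintf) can be reproduced in miniature. The C below is an added illustration written for this page; it is not GCC's cxx_printable_name_internal or ipa_make_edge_direct_to_target, and the ring size, the "name/id" formatting, the constructed ids and the helper names (printable_name, name_is_cached, describe_inline_copy) are assumptions. name_is_cached makes the eviction observable without dereferencing a freed string, and describe_inline_copy shows the caller-side fix of copying each cached name out before asking the cache for the next one.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Added illustration, not GCC code.  A tiny ring cache of decorated decl
   names, modelled on the caching behaviour the report suspects.  RING_SIZE
   is deliberately small so eviction (the free() valgrind reported as the
   block's origin) happens after only two further distinct lookups. */
#define RING_SIZE 2

static char *ring_str[RING_SIZE];   /* heap strings owned by the cache */
static int   ring_id[RING_SIZE];    /* decl id stored in each slot */
static int   ring_counter;          /* slot overwritten by the next miss */
static long  evictions;             /* number of cached strings freed */

static char *dup_string(const char *s)
{
    size_t n = strlen(s) + 1;
    char *p = malloc(n);
    if (!p) { perror("malloc"); exit(1); }
    memcpy(p, s, n);
    return p;
}

/* Return "raw_name/decl_id" from the cache.  The pointer is owned by the
   cache and is valid only until its slot is reused; holding it across
   later lookups is the hazard behind the traces above. */
const char *printable_name(int decl_id, const char *raw_name)
{
    char buf[256];
    for (int i = 0; i < RING_SIZE; i++)
        if (ring_str[i] && ring_id[i] == decl_id)
            return ring_str[i];                 /* cache hit */
    if (++ring_counter == RING_SIZE)
        ring_counter = 0;
    if (ring_str[ring_counter]) {               /* evict the oldest entry */
        free(ring_str[ring_counter]);           /* outstanding pointers to it now dangle */
        evictions++;
    }
    snprintf(buf, sizeof buf, "%s/%d", raw_name, decl_id);
    ring_str[ring_counter] = dup_string(buf);
    ring_id[ring_counter] = decl_id;
    return ring_str[ring_counter];
}

/* 1 while the cache still holds decl_id, 0 once it has been evicted.  A
   pointer obtained earlier for an evicted id must not be dereferenced. */
int name_is_cached(int decl_id)
{
    for (int i = 0; i < RING_SIZE; i++)
        if (ring_str[i] && ring_id[i] == decl_id)
            return 1;
    return 0;
}

long eviction_count(void) { return evictions; }

/* Safe caller.  One dump line needs three names, more than the cache holds,
   so each is copied out before the next lookup can evict it.  The unsafe
   variant keeps the const char* from the first lookup and hands it to
   fprintf after the third, which is the pattern in the valgrind traces.
   Returns a malloc'd string the caller frees. */
char *describe_inline_copy(int copy_id, const char *copy_raw,
                           int into_id, const char *into_raw,
                           int orig_id, const char *orig_raw)
{
    char *copy = dup_string(printable_name(copy_id, copy_raw));
    char *into = dup_string(printable_name(into_id, into_raw));
    char *orig = dup_string(printable_name(orig_id, orig_raw));
    size_t n = strlen(copy) + strlen(into) + strlen(orig) + 48;
    char *out = malloc(n);
    if (!out) { perror("malloc"); exit(1); }
    snprintf(out, n, "%s is inline copy in %s, clone of %s", copy, into, orig);
    free(copy); free(into); free(orig);
    return out;
}

int main(void)
{
    /* constructed ids and names mirroring the dump quoted in the report */
    char *line = describe_inline_copy(13, "_ZNK6String7funcOneEi",
                                      6, "main", 3, "_ZNK6String7funcOneEi");
    puts(line);
    free(line);
    return 0;
}
```

Running the block under valgrind shows no invalid reads because every cached name is duplicated before the next lookup; replacing the three dup_string calls with the raw const char* results and printing them after the third lookup reproduces the "inside a block of size N free'd ... printable name" origin seen above. The general rule is that a cache returning borrowed pointers must document their lifetime, and callers that need more than one result at a time must copy.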