http://gcc.gnu.org/bugzilla/show_bug.cgi?id=59362
Markus Trippelsdorf <octoploid at yandex dot com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |octoploid at yandex dot com

--- Comment #1 from Markus Trippelsdorf <octoploid at yandex dot com> ---
Valgrind shows:

==3073== Invalid write of size 8
==3073==    at 0x8C60BF: collect_object_sizes_for(object_size_info*, tree_node*) (tree-object-size.c:913)
==3073==    by 0x8C6CA4: merge_object_sizes(object_size_info*, tree_node*, tree_node*, unsigned long) [clone .isra.26] (tree-object-size.c:745)
==3073==    by 0x8C68BA: collect_object_sizes_for(object_size_info*, tree_node*) (tree-object-size.c:956)
==3073==    by 0x8C5188: compute_builtin_object_size(tree_node*, int) (tree-object-size.c:539)
==3073==    by 0x5BACA7: fold_builtin_2(unsigned int, tree_node*, tree_node*, tree_node*, bool) (builtins.c:12721)
==3073==    by 0x5BBBAB: fold_builtin_n(unsigned int, tree_node*, tree_node**, int, bool) (builtins.c:11118)
==3073==    by 0x5C3F54: fold_call_stmt(gimple_statement_base*, bool) (builtins.c:14252)
==3073==    by 0x8C43A6: (anonymous namespace)::pass_object_sizes::execute() (tree-object-size.c:1224)
==3073==    by 0x7CC189: execute_one_pass(opt_pass*) (passes.c:2215)
==3073==    by 0x7CC3F5: execute_pass_list(opt_pass*) (passes.c:2268)
==3073==    by 0x7CC407: execute_pass_list(opt_pass*) (passes.c:2269)
==3073==    by 0x5FCB95: expand_function(cgraph_node*) (cgraphunit.c:1763)
==3073==  Address 0x53a8bc8 is 0 bytes after a block of size 856 alloc'd
==3073==    at 0x40274F0: malloc (vg_replace_malloc.c:291)
==3073==    by 0xD38CC7: xmalloc (xmalloc.c:147)
==3073==    by 0x8C4182: init_object_sizes() [clone .part.28] (tree-object-size.c:1183)
==3073==    by 0x8C4B83: (anonymous namespace)::pass_object_sizes::execute() (ssa-iterators.h:498)
==3073==    by 0x7CC189: execute_one_pass(opt_pass*) (passes.c:2215)
==3073==    by 0x7CC3F5: execute_pass_list(opt_pass*) (passes.c:2268)
==3073==    by 0x7CC407: execute_pass_list(opt_pass*) (passes.c:2269)
==3073==    by 0x5FCB95: expand_function(cgraph_node*) (cgraphunit.c:1763)
==3073==    by 0x5FE477: compile() (cgraphunit.c:1868)
==3073==    by 0x5FE7D4: finalize_compilation_unit() (cgraphunit.c:2280)
==3073==    by 0x51E92B: c_write_global_declarations() (c-decl.c:10388)
==3073==    by 0x866B7C: compile_file() (toplev.c:561)
==3073==
==3073== Invalid read of size 8
==3073==    at 0x8C6535: collect_object_sizes_for(object_size_info*, tree_node*) (tree-object-size.c:799)
==3073==    by 0x8C6CA4: merge_object_sizes(object_size_info*, tree_node*, tree_node*, unsigned long) [clone .isra.26] (tree-object-size.c:745)
==3073==    by 0x8C68BA: collect_object_sizes_for(object_size_info*, tree_node*) (tree-object-size.c:956)
==3073==    by 0x8C5188: compute_builtin_object_size(tree_node*, int) (tree-object-size.c:539)
==3073==    by 0x5BACA7: fold_builtin_2(unsigned int, tree_node*, tree_node*, tree_node*, bool) (builtins.c:12721)
==3073==    by 0x5BBBAB: fold_builtin_n(unsigned int, tree_node*, tree_node**, int, bool) (builtins.c:11118)
==3073==    by 0x5C3F54: fold_call_stmt(gimple_statement_base*, bool) (builtins.c:14252)
==3073==    by 0x8C43A6: (anonymous namespace)::pass_object_sizes::execute() (tree-object-size.c:1224)
==3073==    by 0x7CC189: execute_one_pass(opt_pass*) (passes.c:2215)
==3073==    by 0x7CC3F5: execute_pass_list(opt_pass*) (passes.c:2268)
==3073==    by 0x7CC407: execute_pass_list(opt_pass*) (passes.c:2269)
==3073==    by 0x5FCB95: expand_function(cgraph_node*) (cgraphunit.c:1763)
==3073==  Address 0x53a8bc8 is 0 bytes after a block of size 856 alloc'd
==3073==    at 0x40274F0: malloc (vg_replace_malloc.c:291)
==3073==    by 0xD38CC7: xmalloc (xmalloc.c:147)
==3073==    by 0x8C4182: init_object_sizes() [clone .part.28] (tree-object-size.c:1183)
==3073==    by 0x8C4B83: (anonymous namespace)::pass_object_sizes::execute() (ssa-iterators.h:498)
==3073==    by 0x7CC189: execute_one_pass(opt_pass*) (passes.c:2215)
==3073==    by 0x7CC3F5: execute_pass_list(opt_pass*) (passes.c:2268)
==3073==    by 0x7CC407: execute_pass_list(opt_pass*) (passes.c:2269)
==3073==    by 0x5FCB95: expand_function(cgraph_node*) (cgraphunit.c:1763)
==3073==    by 0x5FE477: compile() (cgraphunit.c:1868)
==3073==    by 0x5FE7D4: finalize_compilation_unit() (cgraphunit.c:2280)
==3073==    by 0x51E92B: c_write_global_declarations() (c-decl.c:10388)
==3073==    by 0x866B7C: compile_file() (toplev.c:561)
==3073==

AddressSanitizer:

markus@x4 tmp % /var/tmp/gcc_sani/usr/local/bin/gcc -c -O2 -std=gnu99 bug124.c
=================================================================
==2994==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x6180001343d8 at pc 0x133f0e8 bp 0x7fffe70fc990 sp 0x7fffe70fc988
WRITE of size 8 at 0x6180001343d8 thread T0
    #0 0x133f0e7 in collect_object_sizes_for(object_size_info*, tree_node*) /var/tmp/gcc_build_dir/gcc/../../gcc/gcc/tree-object-size.c:913
    #1 0x133f7d9 in merge_object_sizes(object_size_info*, tree_node*, tree_node*, unsigned long) /var/tmp/gcc_build_dir/gcc/../../gcc/gcc/tree-object-size.c:745
    #2 0x133d495 in collect_object_sizes_for(object_size_info*, tree_node*) /var/tmp/gcc_build_dir/gcc/../../gcc/gcc/tree-object-size.c:956
    #3 0x13363b3 in compute_builtin_object_size(tree_node*, int) /var/tmp/gcc_build_dir/gcc/../../gcc/gcc/tree-object-size.c:539
    #4 0x7f8a05 in fold_builtin_object_size(tree_node*, tree_node*) /var/tmp/gcc_build_dir/gcc/../../gcc/gcc/builtins.c:12721
    #5 0x827a3e in fold_builtin_2(unsigned int, tree_node*, tree_node*, tree_node*, bool) /var/tmp/gcc_build_dir/gcc/../../gcc/gcc/builtins.c:10905
    #6 0x82aa3e in fold_builtin_n(unsigned int, tree_node*, tree_node**, int, bool) /var/tmp/gcc_build_dir/gcc/../../gcc/gcc/builtins.c:11118
    #7 0x855478 in fold_call_stmt(gimple_statement_base*, bool) /var/tmp/gcc_build_dir/gcc/../../gcc/gcc/builtins.c:14252
    #8 0x13322c8 in compute_object_sizes /var/tmp/gcc_build_dir/gcc/../../gcc/gcc/tree-object-size.c:1224
    #9 0x13322c8 in (anonymous namespace)::pass_object_sizes::execute() /var/tmp/gcc_build_dir/gcc/../../gcc/gcc/tree-object-size.c:1309
    #10 0xfe37f9 in execute_one_pass(opt_pass*) /var/tmp/gcc_build_dir/gcc/../../gcc/gcc/passes.c:2215
    #11 0xfe41b8 in execute_pass_list(opt_pass*) /var/tmp/gcc_build_dir/gcc/../../gcc/gcc/passes.c:2268
    #12 0xfe41de in execute_pass_list(opt_pass*) /var/tmp/gcc_build_dir/gcc/../../gcc/gcc/passes.c:2269
    #13 0x918b09 in expand_function(cgraph_node*) /var/tmp/gcc_build_dir/gcc/../../gcc/gcc/cgraphunit.c:1763
    #14 0x91de51 in expand_all_functions /var/tmp/gcc_build_dir/gcc/../../gcc/gcc/cgraphunit.c:1868
    #15 0x91de51 in compile() /var/tmp/gcc_build_dir/gcc/../../gcc/gcc/cgraphunit.c:2203
    #16 0x91f66a in finalize_compilation_unit() /var/tmp/gcc_build_dir/gcc/../../gcc/gcc/cgraphunit.c:2280
    #17 0x5e0a6c in c_write_global_declarations() /var/tmp/gcc_build_dir/gcc/../../gcc/gcc/c/c-decl.c:10388
    #18 0x11c8c44 in compile_file() /var/tmp/gcc_build_dir/gcc/../../gcc/gcc/toplev.c:561
    #19 0x11cd6d3 in do_compile /var/tmp/gcc_build_dir/gcc/../../gcc/gcc/toplev.c:1893
    #20 0x11cd6d3 in toplev_main(int, char**) /var/tmp/gcc_build_dir/gcc/../../gcc/gcc/toplev.c:1969
    #21 0x7fde5bff3f8f in __libc_start_main (/lib/libc.so.6+0x1ff8f)
    #22 0x5996d0 in _start (/var/tmp/gcc_sani/usr/local/libexec/gcc/x86_64-unknown-linux-gnu/4.9.0/cc1+0x5996d0)

0x6180001343d8 is located 0 bytes to the right of 856-byte region [0x618000134080,0x6180001343d8)
allocated by thread T0 here:
    #0 0x7fde5c815824 in __interceptor_malloc (/usr/lib/gcc/x86_64-pc-linux-gnu/4.9.0/libasan.so.1+0x38824)
    #1 0x222c717 in xmalloc /var/tmp/gcc_build_dir/libiberty/../../gcc/libiberty/xmalloc.c:147

SUMMARY: AddressSanitizer: heap-buffer-overflow /var/tmp/gcc_build_dir/gcc/../../gcc/gcc/tree-object-size.c:913 collect_object_sizes_for(object_size_info*, tree_node*)
Shadow bytes around the buggy address:
  0x0c308001e820: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c308001e830: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c308001e840: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c308001e850: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c308001e860: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0c308001e870: 00 00 00 00 00 00 00 00 00 00 00[fa]fa fa fa fa
  0x0c308001e880: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c308001e890: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c308001e8a0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c308001e8b0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c308001e8c0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:     fa
  Heap right redzone:    fb
  Freed heap region:     fd
  Stack left redzone:    f1
  Stack mid redzone:     f2
  Stack right redzone:   f3
  Stack partial redzone: f4
  Stack after return:    f5
  Stack use after scope: f8
  Global redzone:        f9
  Global init order:     f6
  Poisoned by user:      f7
  ASan internal:         fe
==2994==ABORTING