constexpr.c

trippels at gcc dot gnu.org Tue, 18 Nov 2014 01:16:21 -0800

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=63928


            Bug ID: 63928
           Summary: [5 Regression] use after free in cp/constexpr.c
           Product: gcc
           Version: 5.0
            Status: UNCONFIRMED
          Severity: normal
          Priority: P3
         Component: c++
          Assignee: unassigned at gcc dot gnu.org
          Reporter: trippels at gcc dot gnu.org
                CC: jason at gcc dot gnu.org

bootstrap-asan shows:

==69040==ERROR: AddressSanitizer: heap-use-after-free on address 0x0a8800353c88
at pc 0x000010972e94 bp 0x3fffd9fbb510 sp 0x3fffd9fbb580
READ of size 8 at 0x0a8800353c88 thread T0
    #0 0x10972e90 in cxx_eval_store_expression
../../gcc/gcc/cp/constexpr.c:2541
    #1 0x10972e90 in cxx_eval_constant_expression
../../gcc/gcc/cp/constexpr.c:2913
    #2 0x1096e540 in cxx_eval_constant_expression
../../gcc/gcc/cp/constexpr.c:2924
    #3 0x1096d808 in cxx_eval_constant_expression
../../gcc/gcc/cp/constexpr.c:2918
    #4 0x1096e998 in cxx_eval_constant_expression
../../gcc/gcc/cp/constexpr.c:3188
    #5 0x1096a684 in cxx_eval_call_expression ../../gcc/gcc/cp/constexpr.c:1329
    #6 0x1096ebd8 in cxx_eval_constant_expression
../../gcc/gcc/cp/constexpr.c:2834
    #7 0x1097d4a8 in cxx_eval_outermost_constant_expr
../../gcc/gcc/cp/constexpr.c:3314
    #8 0x1098723c in maybe_constant_value(tree_node*, tree_node*)
../../gcc/gcc/cp/constexpr.c:3427
    #9 0x107e30f8 in finish_static_assert(tree_node*, tree_node*, unsigned int,
bool) ../../gcc/gcc/cp/semantics.c:7046
    #10 0x10658d94 in cp_parser_static_assert ../../gcc/gcc/cp/parser.c:12139
    #11 0x106aa5a8 in cp_parser_member_declaration
../../gcc/gcc/cp/parser.c:20673
    #12 0x1062f158 in cp_parser_member_specification_opt
../../gcc/gcc/cp/parser.c:20542
    #13 0x1062f158 in cp_parser_class_specifier_1
../../gcc/gcc/cp/parser.c:19734
    #14 0x1062f158 in cp_parser_class_specifier ../../gcc/gcc/cp/parser.c:19970
    #15 0x1062f158 in cp_parser_type_specifier ../../gcc/gcc/cp/parser.c:14630
    #16 0x10636e84 in cp_parser_decl_specifier_seq
../../gcc/gcc/cp/parser.c:11864
    #17 0x106a4038 in cp_parser_simple_declaration
../../gcc/gcc/cp/parser.c:11454
    #18 0x106a53e0 in cp_parser_block_declaration
../../gcc/gcc/cp/parser.c:11403
    #19 0x106b2084 in cp_parser_declaration ../../gcc/gcc/cp/parser.c:11300
    #20 0x106b290c in cp_parser_declaration_seq_opt
../../gcc/gcc/cp/parser.c:11186
    #21 0x106b45ec in cp_parser_namespace_body ../../gcc/gcc/cp/parser.c:16166
    #22 0x106b45ec in cp_parser_namespace_definition
../../gcc/gcc/cp/parser.c:16147
    #23 0x106b2254 in cp_parser_declaration ../../gcc/gcc/cp/parser.c:11288
    #24 0x106b290c in cp_parser_declaration_seq_opt
../../gcc/gcc/cp/parser.c:11186
    #25 0x106b45ec in cp_parser_namespace_body ../../gcc/gcc/cp/parser.c:16166
    #26 0x106b45ec in cp_parser_namespace_definition
../../gcc/gcc/cp/parser.c:16147
    #27 0x106b2254 in cp_parser_declaration ../../gcc/gcc/cp/parser.c:11288
    #28 0x106b290c in cp_parser_declaration_seq_opt
../../gcc/gcc/cp/parser.c:11186
    #29 0x106b45ec in cp_parser_namespace_body ../../gcc/gcc/cp/parser.c:16166
    #30 0x106b45ec in cp_parser_namespace_definition
../../gcc/gcc/cp/parser.c:16147
    #31 0x106b2254 in cp_parser_declaration ../../gcc/gcc/cp/parser.c:11288
    #32 0x106b290c in cp_parser_declaration_seq_opt
../../gcc/gcc/cp/parser.c:11186
    #33 0x106b3980 in cp_parser_translation_unit ../../gcc/gcc/cp/parser.c:4101
    #34 0x106b3980 in c_parse_file() ../../gcc/gcc/cp/parser.c:32197
    #35 0x10a7a9fc in c_common_parse_file()
../../gcc/gcc/c-family/c-opts.c:1039
    #36 0x119d855c in compile_file ../../gcc/gcc/toplev.c:570
    #37 0x101edb5c in do_compile ../../gcc/gcc/toplev.c:2040
    #38 0x101edb5c in toplev::main(int, char**) ../../gcc/gcc/toplev.c:2137
    #39 0x101f3098 in main ../../gcc/gcc/main.c:38
    #40 0x3fff817e47a8  (/lib64/libc.so.6+0x447a8)

0x0a8800353c88 is located 200 bytes inside of 208-byte region
[0x0a8800353bc0,0x0a8800353c90)
freed by thread T0 here:
    #0 0x10291710 in __interceptor_free
../../../../gcc/libsanitizer/asan/asan_malloc_linux.cc:28
    #1 0x10501d1c in xcallocator<hash_map<tree_node*, tree_node*,
default_hashmap_traits>::hash_entry>::data_free(hash_map<tree_node*,
tree_node*, default_hashmap_traits>::hash_entry*)
../../gcc/gcc/hash-table.h:233
    #2 0x10501d1c in hash_table<hash_map<tree_node*, tree_node*,
default_hashmap_traits>::hash_entry, xcallocator, true>::expand()
../../gcc/gcc/hash-table.h:1346
    #3 0x10502220 in hash_table<hash_map<tree_node*, tree_node*,
default_hashmap_traits>::hash_entry, xcallocator,
true>::find_slot_with_hash(tree_node* const&, unsigned int, insert_option)
../../gcc/gcc/hash-table.h:1455
    #4 0x10502220 in hash_map<tree_node*, tree_node*,
default_hashmap_traits>::put(tree_node* const&, tree_node* const&)
../../gcc/gcc/hash-map.h:207
    #5 0x109706e0 in cxx_eval_constant_expression
../../gcc/gcc/cp/constexpr.c:2888
    #6 0x1096e5d0 in cxx_eval_constant_expression
../../gcc/gcc/cp/constexpr.c:2958
    #7 0x10969548 in cxx_bind_parameters_in_call
../../gcc/gcc/cp/constexpr.c:1072
    #8 0x10969548 in cxx_eval_call_expression ../../gcc/gcc/cp/constexpr.c:1235
    #9 0x1096ebd8 in cxx_eval_constant_expression
../../gcc/gcc/cp/constexpr.c:2834
    #10 0x10974554 in cxx_eval_binary_expression
../../gcc/gcc/cp/constexpr.c:1485
    #11 0x1096e064 in cxx_eval_constant_expression
../../gcc/gcc/cp/constexpr.c:3064
    #12 0x109716b0 in cxx_eval_store_expression
../../gcc/gcc/cp/constexpr.c:2527
    #13 0x109716b0 in cxx_eval_constant_expression
../../gcc/gcc/cp/constexpr.c:2913
    #14 0x1096e540 in cxx_eval_constant_expression
../../gcc/gcc/cp/constexpr.c:2924
    #15 0x1096d808 in cxx_eval_constant_expression
../../gcc/gcc/cp/constexpr.c:2918
    #16 0x1096e998 in cxx_eval_constant_expression
../../gcc/gcc/cp/constexpr.c:3188
    #17 0x1096a684 in cxx_eval_call_expression
../../gcc/gcc/cp/constexpr.c:1329
    #18 0x1096ebd8 in cxx_eval_constant_expression
../../gcc/gcc/cp/constexpr.c:2834
    #19 0x1097d4a8 in cxx_eval_outermost_constant_expr
../../gcc/gcc/cp/constexpr.c:3314
    #20 0x1098723c in maybe_constant_value(tree_node*, tree_node*)
../../gcc/gcc/cp/constexpr.c:3427
    #21 0x107e30f8 in finish_static_assert(tree_node*, tree_node*, unsigned
int, bool) ../../gcc/gcc/cp/semantics.c:7046
    #22 0x10658d94 in cp_parser_static_assert ../../gcc/gcc/cp/parser.c:12139
    #23 0x106aa5a8 in cp_parser_member_declaration
../../gcc/gcc/cp/parser.c:20673
    #24 0x1062f158 in cp_parser_member_specification_opt
../../gcc/gcc/cp/parser.c:20542
    #25 0x1062f158 in cp_parser_class_specifier_1
../../gcc/gcc/cp/parser.c:19734
    #26 0x1062f158 in cp_parser_class_specifier ../../gcc/gcc/cp/parser.c:19970
    #27 0x1062f158 in cp_parser_type_specifier ../../gcc/gcc/cp/parser.c:14630
    #28 0x10636e84 in cp_parser_decl_specifier_seq
../../gcc/gcc/cp/parser.c:11864
    #29 0x106a4038 in cp_parser_simple_declaration
../../gcc/gcc/cp/parser.c:11454
    #30 0x106a53e0 in cp_parser_block_declaration
../../gcc/gcc/cp/parser.c:11403
    #31 0x106b2084 in cp_parser_declaration ../../gcc/gcc/cp/parser.c:11300
    #32 0x106b290c in cp_parser_declaration_seq_opt
../../gcc/gcc/cp/parser.c:11186
    #33 0x106b45ec in cp_parser_namespace_body ../../gcc/gcc/cp/parser.c:16166
    #34 0x106b45ec in cp_parser_namespace_definition
../../gcc/gcc/cp/parser.c:16147
    #35 0x106b2254 in cp_parser_declaration ../../gcc/gcc/cp/parser.c:11288
    #36 0x106b290c in cp_parser_declaration_seq_opt
../../gcc/gcc/cp/parser.c:11186

previously allocated by thread T0 here:
    #0 0x10291c80 in __interceptor_calloc
../../../../gcc/libsanitizer/asan/asan_malloc_linux.cc:54
    #1 0x12bfff50 in xcalloc ../../gcc/libiberty/xmalloc.c:162

SUMMARY: AddressSanitizer: heap-use-after-free
../../gcc/gcc/cp/constexpr.c:2541 cxx_eval_store_expression
Shadow bytes around the buggy address:
  0x03510006a740: fd fd fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x03510006a750: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x03510006a760: fd fd fd fd fd fd fd fd fd fd fa fa fa fa fa fa
  0x03510006a770: fa fa fa fa fa fa fa fa fd fd fd fd fd fd fd fd
  0x03510006a780: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
=>0x03510006a790: fd[fd]fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x03510006a7a0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x03510006a7b0: fd fd fd fd fd fd fd fd fd fd fa fa fa fa fa fa
  0x03510006a7c0: fa fa fa fa fa fa fa fa fd fd fd fd fd fd fd fd
  0x03510006a7d0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x03510006a7e0: fd fd fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe

[Bug c++/63928] New: [5 Regression] use after free in cp/constexpr.c

Reply via email to