https://gcc.gnu.org/bugzilla/show_bug.cgi?id=63961
Bug ID: 63961
Summary: Use-after-free in constexpr.c
Product: gcc
Version: 5.0
Status: UNCONFIRMED
Severity: normal
Priority: P3
Component: c++
Assignee: unassigned at gcc dot gnu.org
Reporter: y.gribov at samsung dot com
CC: jason at redhat dot com
Host: x86_64-unknown-linux-gnu
/home/ygribov/build/gcc-master/./gcc/xgcc -shared-libgcc
-B/home/ygribov/build/gcc-master/./gcc -nostdinc++
-L/home/ygribov/build/gcc-master/x86_64-unknown-linux-gnu/libstdc++-v3/src
-L/home/ygribov/build/gcc-master/x86_64-unknown-linux-gnu/libstdc++-v3/src/.libs
-L/home/ygribov/build/gcc-master/x86_64-unknown-linux-gnu/libstdc++-v3/libsupc++/.libs
-B/home/ygribov/install/gcc-master/x86_64-unknown-linux-gnu/bin/
-B/home/ygribov/install/gcc-master/x86_64-unknown-linux-gnu/lib/ -isystem
/home/ygribov/install/gcc-master/x86_64-unknown-linux-gnu/include -isystem
/home/ygribov/install/gcc-master/x86_64-unknown-linux-gnu/sys-include -x
c++-header -nostdinc++ -g -O2 -D_GNU_SOURCE
-I/home/ygribov/build/gcc-master/x86_64-unknown-linux-gnu/libstdc++-v3/include/x86_64-unknown-linux-gnu
-I/home/ygribov/build/gcc-master/x86_64-unknown-linux-gnu/libstdc++-v3/include
-I/home/ygribov/src/gcc-master/libstdc++-v3/libsupc++ -O2 -g -std=gnu++0x
/home/ygribov/src/gcc-master/libstdc++-v3/include/precompiled/stdc++.h \
-o x86_64-unknown-linux-gnu/bits/stdc++.h.gch/O2ggnu++0x.gch
=================================================================
==26744==ERROR: AddressSanitizer: heap-use-after-free on address 0x611000d21788
at pc 0x000000cde441 bp 0x7fffc3426c90 sp 0x7fffc3426c88
READ of size 8 at 0x611000d21788 thread T0
#0 0xcde440 in cxx_eval_store_expression
/home/ygribov/src/gcc-master/gcc/cp/constexpr.c:2552
#1 0xcd6bcf in cxx_eval_constant_expression
/home/ygribov/src/gcc-master/gcc/cp/constexpr.c:2942
#2 0xcd6749 in cxx_eval_constant_expression
/home/ygribov/src/gcc-master/gcc/cp/constexpr.c:2953
#3 0xcd46ce in cxx_eval_call_expression
/home/ygribov/src/gcc-master/gcc/cp/constexpr.c:1328
#4 0xcd6d9a in cxx_eval_constant_expression
/home/ygribov/src/gcc-master/gcc/cp/constexpr.c:2864
#5 0xcd962a in cxx_eval_constant_expression
/home/ygribov/src/gcc-master/gcc/cp/constexpr.c:2922
#6 0xcd6988 in cxx_eval_constant_expression
/home/ygribov/src/gcc-master/gcc/cp/constexpr.c:2985
#7 0xcd7d9f in cxx_eval_constant_expression
/home/ygribov/src/gcc-master/gcc/cp/constexpr.c:3173
#8 0xcd2b6b in cxx_bind_parameters_in_call
/home/ygribov/src/gcc-master/gcc/cp/constexpr.c:1071
#9 0xcd2b6b in cxx_eval_call_expression
/home/ygribov/src/gcc-master/gcc/cp/constexpr.c:1234
#10 0xcd6d9a in cxx_eval_constant_expression
/home/ygribov/src/gcc-master/gcc/cp/constexpr.c:2864
#11 0xcd962a in cxx_eval_constant_expression
/home/ygribov/src/gcc-master/gcc/cp/constexpr.c:2922
#12 0xcd95e8 in cxx_eval_constant_expression
/home/ygribov/src/gcc-master/gcc/cp/constexpr.c:3035
#13 0xcde225 in cxx_eval_store_expression
/home/ygribov/src/gcc-master/gcc/cp/constexpr.c:2538
#14 0xcd6bcf in cxx_eval_constant_expression
/home/ygribov/src/gcc-master/gcc/cp/constexpr.c:2942
#15 0xcd6749 in cxx_eval_constant_expression
/home/ygribov/src/gcc-master/gcc/cp/constexpr.c:2953
#16 0xcd665d in cxx_eval_constant_expression
/home/ygribov/src/gcc-master/gcc/cp/constexpr.c:2966
#17 0xcd46ce in cxx_eval_call_expression
/home/ygribov/src/gcc-master/gcc/cp/constexpr.c:1328
#18 0xcd6d9a in cxx_eval_constant_expression
/home/ygribov/src/gcc-master/gcc/cp/constexpr.c:2864
#19 0xcd962a in cxx_eval_constant_expression
/home/ygribov/src/gcc-master/gcc/cp/constexpr.c:2922
#20 0xcd6988 in cxx_eval_constant_expression
/home/ygribov/src/gcc-master/gcc/cp/constexpr.c:2985
#21 0xcd7d9f in cxx_eval_constant_expression
/home/ygribov/src/gcc-master/gcc/cp/constexpr.c:3173
#22 0xcd7d9f in cxx_eval_constant_expression
/home/ygribov/src/gcc-master/gcc/cp/constexpr.c:3173
#23 0xcd2b6b in cxx_bind_parameters_in_call
/home/ygribov/src/gcc-master/gcc/cp/constexpr.c:1071
#24 0xcd2b6b in cxx_eval_call_expression
/home/ygribov/src/gcc-master/gcc/cp/constexpr.c:1234
#25 0xcd6d9a in cxx_eval_constant_expression
/home/ygribov/src/gcc-master/gcc/cp/constexpr.c:2864
#26 0xce5189 in cxx_eval_outermost_constant_expr
/home/ygribov/src/gcc-master/gcc/cp/constexpr.c:3340
#27 0xcec547 in maybe_constant_value(tree_node*, tree_node*)
/home/ygribov/src/gcc-master/gcc/cp/constexpr.c:3453
#28 0xb93653 in finish_static_assert(tree_node*, tree_node*, unsigned int,
bool) /home/ygribov/src/gcc-master/gcc/cp/semantics.c:7046
#29 0xa477fb in cp_parser_static_assert
/home/ygribov/src/gcc-master/gcc/cp/parser.c:12139
#30 0xa7f2ec in cp_parser_member_declaration
/home/ygribov/src/gcc-master/gcc/cp/parser.c:20673
#31 0xa1ad11 in cp_parser_member_specification_opt
/home/ygribov/src/gcc-master/gcc/cp/parser.c:20542
#32 0xa1ad11 in cp_parser_class_specifier_1
/home/ygribov/src/gcc-master/gcc/cp/parser.c:19734
#33 0xa1ad11 in cp_parser_class_specifier
/home/ygribov/src/gcc-master/gcc/cp/parser.c:19970
#34 0xa1ad11 in cp_parser_type_specifier
/home/ygribov/src/gcc-master/gcc/cp/parser.c:14630
#35 0xa21cc2 in cp_parser_decl_specifier_seq
/home/ygribov/src/gcc-master/gcc/cp/parser.c:11864
#36 0xa798d3 in cp_parser_simple_declaration
/home/ygribov/src/gcc-master/gcc/cp/parser.c:11454
#37 0xa7aa6b in cp_parser_block_declaration
/home/ygribov/src/gcc-master/gcc/cp/parser.c:11403
#38 0xa25e51 in cp_parser_declaration
/home/ygribov/src/gcc-master/gcc/cp/parser.c:11300
#39 0xa9826e in cp_parser_declaration_seq_opt
/home/ygribov/src/gcc-master/gcc/cp/parser.c:11186
#40 0xa999a4 in cp_parser_namespace_body
/home/ygribov/src/gcc-master/gcc/cp/parser.c:16166
#41 0xa999a4 in cp_parser_namespace_definition
/home/ygribov/src/gcc-master/gcc/cp/parser.c:16147
#42 0xa26127 in cp_parser_declaration
/home/ygribov/src/gcc-master/gcc/cp/parser.c:11288
#43 0xa9826e in cp_parser_declaration_seq_opt
/home/ygribov/src/gcc-master/gcc/cp/parser.c:11186
#44 0xa999a4 in cp_parser_namespace_body
/home/ygribov/src/gcc-master/gcc/cp/parser.c:16166
#45 0xa999a4 in cp_parser_namespace_definition
/home/ygribov/src/gcc-master/gcc/cp/parser.c:16147
#46 0xa26127 in cp_parser_declaration
/home/ygribov/src/gcc-master/gcc/cp/parser.c:11288
#47 0xa9826e in cp_parser_declaration_seq_opt
/home/ygribov/src/gcc-master/gcc/cp/parser.c:11186
#48 0xa999a4 in cp_parser_namespace_body
/home/ygribov/src/gcc-master/gcc/cp/parser.c:16166
#49 0xa999a4 in cp_parser_namespace_definition
/home/ygribov/src/gcc-master/gcc/cp/parser.c:16147
#50 0xa26127 in cp_parser_declaration
/home/ygribov/src/gcc-master/gcc/cp/parser.c:11288
#51 0xa9826e in cp_parser_declaration_seq_opt
/home/ygribov/src/gcc-master/gcc/cp/parser.c:11186
#52 0xa98f88 in cp_parser_translation_unit
/home/ygribov/src/gcc-master/gcc/cp/parser.c:4101
#53 0xa98f88 in c_parse_file()
/home/ygribov/src/gcc-master/gcc/cp/parser.c:32197
#54 0xdaffde in c_common_parse_file()
/home/ygribov/src/gcc-master/gcc/c-family/c-opts.c:1039
#55 0x195c1ae in compile_file /home/ygribov/src/gcc-master/gcc/toplev.c:570
#56 0x6ab813 in do_compile /home/ygribov/src/gcc-master/gcc/toplev.c:2040
#57 0x6ab813 in toplev::main(int, char**)
/home/ygribov/src/gcc-master/gcc/toplev.c:2137
#58 0x6af382 in main /home/ygribov/src/gcc-master/gcc/main.c:38
#59 0x2b18a6d7376c in __libc_start_main
(/lib/x86_64-linux-gnu/libc.so.6+0x2176c)
#60 0x6aff30 (/home/ygribov/build/gcc-master/gcc/cc1plus+0x6aff30)
0x611000d21788 is located 200 bytes inside of 208-byte region
[0x611000d216c0,0x611000d21790)
freed by thread T0 here:
#0 0x725a1a in __interceptor_free
/home/ygribov/src/gcc-master/libsanitizer/asan/asan_malloc_linux.cc:28
#1 0xcee8b9 in hash_table<hash_map<tree_node*, tree_node*,
default_hashmap_traits>::hash_entry, xcallocator,
true>::find_slot_with_hash(tree_node* const&, unsigned int, insert_option)
/home/ygribov/src/gcc-master/gcc/hash-table.h:1455
previously allocated by thread T0 here:
#0 0x725e21 in __interceptor_calloc
/home/ygribov/src/gcc-master/libsanitizer/asan/asan_malloc_linux.cc:54
#1 0x2c299a0 in xcalloc
/home/ygribov/src/gcc-master/libiberty/xmalloc.c:162
SUMMARY: AddressSanitizer: heap-use-after-free
/home/ygribov/src/gcc-master/gcc/cp/constexpr.c:2552 cxx_eval_store_expression
Shadow bytes around the buggy address:
0x0c228019c2a0: fd fd fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c228019c2b0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x0c228019c2c0: fd fd fd fd fd fd fd fd fd fd fa fa fa fa fa fa
0x0c228019c2d0: fa fa fa fa fa fa fa fa fd fd fd fd fd fd fd fd
0x0c228019c2e0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
=>0x0c228019c2f0: fd[fd]fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c228019c300: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x0c228019c310: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x0c228019c320: fa fa fa fa fa fa fa fa fd fd fd fd fd fd fd fd
0x0c228019c330: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x0c228019c340: fd fd fd fd fd fd fd fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Heap right redzone: fb
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack partial redzone: f4
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
==26744==ABORTING
