https://gcc.gnu.org/bugzilla/show_bug.cgi?id=82977

            Bug ID: 82977
           Summary: [8 Regression] AddressSanitizer: heap-use-after-free
                    in strlen_optimize_stmt
                    .././../gcc/tree-ssa-strlen.c:2971
           Product: gcc
           Version: 7.0
            Status: UNCONFIRMED
          Keywords: ice-on-valid-code
          Severity: normal
          Priority: P3
         Component: tree-optimization
          Assignee: unassigned at gcc dot gnu.org
          Reporter: marxin at gcc dot gnu.org
  Target Milestone: ---

Probably starting from Martin's r254630, the sanitizer compiler produces:

$ gcc -g -O2 cp-demangle.i

==22482==ERROR: AddressSanitizer: heap-use-after-free on address 0x611000000448
at pc 0x000000779828 bp 0x7fffec942150 sp 0x7fffec942148
READ of size 4 at 0x611000000448 thread T0
    #0 0x779827 in std::pair<int, unsigned int>::operator=(std::pair<int,
unsigned int> const&)
/home/marxin/BIG/buildbot/slave/gcc-master-bootstrap-asan/build/builddir/prev-x86_64-pc-linux-gnu/libstdc++-v3/include/bits/stl_pair.h:372
    #1 0x779827 in hash_map<tree_node*, std::pair<int, unsigned int>,
simple_hashmap_traits<default_hash_traits<tree_node*>, std::pair<int, unsigned
int> > >::put(tree_node* const&, std::pair<int, unsigned int> const&)
.././../gcc/hash-map.h:142
    #2 0x779827 in strlen_optimize_stmt .././../gcc/tree-ssa-strlen.c:2971
    #3 0x779827 in strlen_dom_walker::before_dom_children(basic_block_def*)
.././../gcc/tree-ssa-strlen.c:3137
    #4 0x2fc26b7 in dom_walker::walk(basic_block_def*)
.././../gcc/domwalk.c:308
    #5 0x1efb4c9 in execute .././../gcc/tree-ssa-strlen.c:3209
    #6 0x174c5eb in execute_one_pass(opt_pass*) .././../gcc/passes.c:2497
    #7 0x174ddc2 in execute_pass_list_1 .././../gcc/passes.c:2586
    #8 0x174ddec in execute_pass_list_1 .././../gcc/passes.c:2587
    #9 0x174de6b in execute_pass_list(function*, opt_pass*)
.././../gcc/passes.c:2597
    #10 0xea9e27 in cgraph_node::expand() .././../gcc/cgraphunit.c:2139
    #11 0xeacb2a in expand_all_functions .././../gcc/cgraphunit.c:2275
    #12 0xeacb2a in symbol_table::compile() .././../gcc/cgraphunit.c:2623
    #13 0xeb3470 in symbol_table::compile() .././../gcc/cgraphunit.c:2719
    #14 0xeb3470 in symbol_table::finalize_compilation_unit()
.././../gcc/cgraphunit.c:2716
    #15 0x1a04bcd in compile_file .././../gcc/toplev.c:480
    #16 0x97ecd7 in do_compile .././../gcc/toplev.c:2060
    #17 0x97ecd7 in toplev::main(int, char**) .././../gcc/toplev.c:2195
    #18 0x9893c4 in main .././../gcc/main.c:39
    #19 0x7fe5161e0f49 in __libc_start_main (/lib64/libc.so.6+0x20f49)
    #20 0x98a5c9 in _start
(/home/marxin/BIG/buildbot/slave/gcc-master-bootstrap-asan/build/builddir/gcc/cc1+0x98a5c9)

0x611000000448 is located 72 bytes inside of 208-byte region
[0x611000000400,0x6110000004d0)
freed by thread T0 here:
    #0 0xa51240 in __interceptor_free
../../.././../libsanitizer/asan/asan_malloc_linux.cc:66
    #1 0x1f10fcb in xcallocator<hash_map<tree_node*, std::pair<int, unsigned
int>, simple_hashmap_traits<default_hash_traits<tree_node*>, std::pair<int,
unsigned int> > >::hash_entry>::data_free(hash_map<tree_node*, std::pair<int,
unsigned int>, simple_hashmap_traits<default_hash_traits<tree_node*>,
std::pair<int, unsigned int> > >::hash_entry*) .././../gcc/hash-table.h:273
    #2 0x1f10fcb in hash_table<hash_map<tree_node*, std::pair<int, unsigned
int>, simple_hashmap_traits<default_hash_traits<tree_node*>, std::pair<int,
unsigned int> > >::hash_entry, xcallocator>::expand()
.././../gcc/hash-table.h:765

previously allocated by thread T0 here:
    #0 0xa5175c in __interceptor_calloc
../../.././../libsanitizer/asan/asan_malloc_linux.cc:95
    #1 0x33f8e50 in xcalloc .././../libiberty/xmalloc.c:162

SUMMARY: AddressSanitizer: heap-use-after-free
/home/marxin/BIG/buildbot/slave/gcc-master-bootstrap-asan/build/builddir/prev-x86_64-pc-linux-gnu/libstdc++-v3/include/bits/stl_pair.h:372
in std::pair<int, unsigned int>::operator=(std::pair<int, unsigned int> const&)
Shadow bytes around the buggy address:
  0x0c227fff8030: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c227fff8040: 00 00 00 00 00 00 00 00 00 00 fa fa fa fa fa fa
  0x0c227fff8050: fa fa fa fa fa fa fa fa 00 00 00 00 00 00 00 00
  0x0c227fff8060: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c227fff8070: 00 00 fa fa fa fa fa fa fa fa fa fa fa fa fa fa
=>0x0c227fff8080: fd fd fd fd fd fd fd fd fd[fd]fd fd fd fd fd fd
  0x0c227fff8090: fd fd fd fd fd fd fd fd fd fd fa fa fa fa fa fa
  0x0c227fff80a0: fa fa fa fa fa fa fa fa 00 00 00 00 00 00 00 00
  0x0c227fff80b0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c227fff80c0: 00 00 fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c227fff80d0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==22482==ABORTING
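The trace shows the freeing frame to be hash_table::expand() and the faulting READ to be the copy in std::pair::operator= inside hash_map::put(): the shape of a put() whose value argument refers into the very table that is being reallocated. Reading the root cause that way is an inference from the stack, not something the report states. The following toy open-addressing table is an added illustration, not GCC's hash_table/hash_map and not code from the report; it reproduces that call pattern with the unsafe put shape kept for comparison and a put() that copies its argument before any reallocation can happen.

```cpp
#include <cstddef>
#include <cstdio>
#include <utility>
#include <vector>

// Toy open-addressing table mapping int -> std::pair<int, unsigned>. Its put()/expand()
// shape loosely mirrors the frames in the report; it is NOT GCC's hash_map/hash_table.
struct ToyMap {
    using Value = std::pair<int, unsigned>;
    struct Entry { int key; Value value; bool used; };

    std::vector<Entry> slots;   // backing storage; reallocated (old block freed) by expand()
    std::size_t count = 0;

    explicit ToyMap(std::size_t n = 8) : slots(n, Entry{0, Value{0, 0}, false}) {}

    // Linear probing; the load limit guarantees the table is never completely full.
    Entry *find_slot(int key) {
        std::size_t i = static_cast<std::size_t>(key) % slots.size();
        while (slots[i].used && slots[i].key != key)
            i = (i + 1) % slots.size();
        return &slots[i];
    }

    bool needs_expand() const { return (count + 1) * 4 > slots.size() * 3; }

    // Doubles the storage. Every Entry* or Value& into the old block dangles afterwards,
    // which is exactly the window in which the reported READ happened.
    void expand() {
        std::vector<Entry> old = std::move(slots);
        slots.assign(old.size() * 2, Entry{0, Value{0, 0}, false});
        for (const Entry &e : old)
            if (e.used) *find_slot(e.key) = e;
        // `old` is destroyed here: the previous block is freed.
    }

    // Unsafe shape: reallocate first, then read the caller's reference. If `v` refers
    // into this table's own storage, the final assignment reads freed memory (what ASan
    // flagged above). Kept for comparison only; nothing below calls it.
    void put_unsafe(int key, const Value &v) {
        if (needs_expand()) expand();
        Entry *e = find_slot(key);
        if (!e->used) { e->used = true; e->key = key; ++count; }
        e->value = v;
    }

    // Safe shape: take a by-value copy before anything can reallocate, then insert.
    void put(int key, const Value &v) {
        Value copy = v;
        if (needs_expand()) expand();
        Entry *e = find_slot(key);
        if (!e->used) { e->used = true; e->key = key; ++count; }
        e->value = copy;
    }

    const Value *get(int key) {
        Entry *e = find_slot(key);
        return e->used ? &e->value : nullptr;
    }
};

// The aliasing call pattern: the value handed to put() lives inside the same table.
bool propagate(ToyMap &m, int from, int to) {
    const ToyMap::Value *src = m.get(from);
    if (!src) return false;
    m.put(to, *src);
    return true;
}

struct DemoResult { ToyMap::Value value; bool expanded; };

// Fills the table to its load limit so that the aliasing put() must expand mid-call.
DemoResult run_demo() {
    ToyMap m(8);
    for (int k = 0; k < 6; ++k)
        m.put(k, ToyMap::Value{k * 10, static_cast<unsigned>(k)});
    std::size_t before = m.slots.size();
    propagate(m, 5, 100);                      // 7th entry: expand() runs inside put()
    const ToyMap::Value *v = m.get(100);
    return DemoResult{v ? *v : ToyMap::Value{-1, 0}, m.slots.size() > before};
}

int main() {
    DemoResult r = run_demo();
    std::printf("expanded=%d value=(%d,%u)\n", r.expanded ? 1 : 0,
                r.value.first, r.value.second);
    return 0;
}
```

Swapping the body of put() for put_unsafe() and running the same driver under `-fsanitize=address` gives a heap-use-after-free of the same class as the report: the READ is the copy from the dangling reference, the free is the old block released by expand(). The general fix is the one put() applies: copy by value (or finish the lookup) before calling anything that can rehash.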