https://gcc.gnu.org/bugzilla/show_bug.cgi?id=62119
Jonathan Wakely <redi at gcc dot gnu.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|UNCONFIRMED                 |NEW
   Last reconfirmed|                            |2018-05-14
     Ever confirmed|0                           |1

--- Comment #2 from Jonathan Wakely <redi at gcc dot gnu.org> ---
I can't reproduce a segfault but ASan shows the problem:

=================================================================
==12423==ERROR: AddressSanitizer: heap-use-after-free on address 0x6060000000b0 at pc 0x00000040276f bp 0x7fff6678eb50 sp 0x7fff6678eb48
READ of size 8 at 0x6060000000b0 thread T0
    #0 0x40276e in std::valarray<unsigned long>::size() const /home/jwakely/gcc/9/include/c++/9.0.0/valarray:938
    #1 0x40232f in std::gslice_array<int>::operator=(int const&) const /home/jwakely/gcc/9/include/c++/9.0.0/bits/gslice_array.h:165
    #2 0x401616 in main /tmp/gs.cc:17
    #3 0x7f01d4f65f29 in __libc_start_main ../csu/libc-start.c:308
    #4 0x401159 in _start (/tmp/a.out+0x401159)

0x6060000000b0 is located 48 bytes inside of 64-byte region [0x606000000080,0x6060000000c0)
freed by thread T0 here:
    #0 0x7f01d5ccbe78 in operator delete(void*, unsigned long) /home/jwakely/src/gcc/gcc/libsanitizer/asan/asan_new_delete.cc:151
    #1 0x401b65 in std::gslice::~gslice() /home/jwakely/gcc/9/include/c++/9.0.0/bits/gslice.h:166
    #2 0x40159c in main /tmp/gs.cc:15
    #3 0x7f01d4f65f29 in __libc_start_main ../csu/libc-start.c:308

previously allocated by thread T0 here:
    #0 0x7f01d5ccaa80 in operator new(unsigned long) /home/jwakely/src/gcc/gcc/libsanitizer/asan/asan_new_delete.cc:90
    #1 0x401a18 in std::gslice::gslice(unsigned long, std::valarray<unsigned long> const&, std::valarray<unsigned long> const&) /home/jwakely/gcc/9/include/c++/9.0.0/bits/gslice.h:155
    #2 0x40154e in main /tmp/gs.cc:15
    #3 0x7f01d4f65f29 in __libc_start_main ../csu/libc-start.c:308

SUMMARY: AddressSanitizer: heap-use-after-free /home/jwakely/gcc/9/include/c++/9.0.0/valarray:938 in std::valarray<unsigned long>::size() const
==12423==ABORTING
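An added example, not the reporter's /tmp/gs.cc (which is not shown in the comment): the freed 64-byte region in the trace is the index table a std::gslice precomputes and owns, and the gslice_array returned by valarray::operator[](const gslice&) only refers to it. The code below expands a gslice into that index list by hand and then assigns through a gslice_array while the named gslice is still in scope, which is the lifetime discipline that keeps the reference valid; the sizes and values are constructed for illustration.

```cpp
#include <cstddef>
#include <valarray>
#include <vector>

// Expand (start, lengths, strides) into the flat index list that
// std::gslice builds internally. gslice_array references this table
// rather than copying it, which is why destroying the gslice first
// turns the later assignment into the use-after-free shown above.
std::vector<std::size_t> gslice_indices(std::size_t start,
                                        const std::vector<std::size_t>& lengths,
                                        const std::vector<std::size_t>& strides)
{
    std::vector<std::size_t> out;
    if (lengths.empty()) return out;
    std::vector<std::size_t> counter(lengths.size(), 0);
    for (;;) {
        std::size_t idx = start;
        for (std::size_t d = 0; d < lengths.size(); ++d)
            idx += counter[d] * strides[d];
        out.push_back(idx);
        // Odometer increment: the last dimension varies fastest.
        std::size_t d = lengths.size();
        for (;;) {
            if (d == 0) return out;
            --d;
            if (++counter[d] < lengths[d]) break;
            counter[d] = 0;
        }
    }
}

// Assign `value` to every element selected by the gslice and return the
// whole array. The gslice is a named object that outlives the gslice_array,
// so the reference held by `ga` never dangles. Writing
// va[std::gslice(...)] = value inside one full-expression is equally safe;
// keeping `ga` around after a *temporary* gslice is gone is the bug pattern.
std::vector<int> assign_through_gslice(std::size_t n, std::size_t start,
                                       const std::vector<std::size_t>& lengths,
                                       const std::vector<std::size_t>& strides,
                                       int value)
{
    std::valarray<int> va(0, n);
    std::valarray<std::size_t> len(lengths.data(), lengths.size());
    std::valarray<std::size_t> str(strides.data(), strides.size());
    std::gslice gs(start, len, str);          // owns the index table
    std::gslice_array<int> ga = va[gs];       // refers to gs's table
    ga = value;                               // valid: gs is still alive
    return std::vector<int>(std::begin(va), std::end(va));
}
```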