https://gcc.gnu.org/bugzilla/show_bug.cgi?id=94482
--- Comment #6 from Martin Liška <marxin at gcc dot gnu.org> ---
But I bet it's invalid code:

$ gcc -fsanitize=undefined pr94482.c -O2 && ./a.out
pr94482.c:14:11: runtime error: index 2 out of bounds for type 'long int [2]'
pr94482.c:14:15: runtime error: store to address 0x7fffffffe2f0 with insufficient space for an object of type 'long int'
0x7fffffffe2f0: note: pointer points here
 00 00 00 00 00 00 00 00 00 00 00 00 eb 4c 48 f7 ff 7f 00 00 e0 d9 61 f7 ff 7f 00 00 e8 e3 ff ff
 ^
pr94482.c:14:11: runtime error: index 3 out of bounds for type 'long int [2]'
pr94482.c:14:15: runtime error: store to address 0x7fffffffe2f8 with insufficient space for an object of type 'long int'
0x7fffffffe2f8: note: pointer points here
 00 00 00 00 eb 4c 48 f7 ff 7f 00 00 e0 d9 61 f7 ff 7f 00 00 e8 e3 ff ff ff 7f 00 00 00 1c 01 00
 ^
pr94482.c:14:11: runtime error: index 4 out of bounds for type 'long int [2]'
pr94482.c:14:15: runtime error: store to address 0x7fffffffe300 with insufficient space for an object of type 'long int'
0x7fffffffe300: note: pointer points here
 00 00 00 00 e0 d9 61 f7 ff 7f 00 00 e8 e3 ff ff ff 7f 00 00 00 1c 01 00 01 00 00 00 70 10 40 00
 ^
pr94482.c:14:11: runtime error: index 5 out of bounds for type 'long int [2]'
pr94482.c:14:15: runtime error: store to address 0x7fffffffe308 with insufficient space for an object of type 'long int'
0x7fffffffe308: note: pointer points here
 00 00 00 00 e8 e3 ff ff ff 7f 00 00 00 1c 01 00 01 00 00 00 70 10 40 00 00 00 00 00 60 15 40 00
 ^
pr94482.c:14:11: runtime error: index 6 out of bounds for type 'long int [2]'
pr94482.c:14:15: runtime error: store to address 0x7fffffffe310 with insufficient space for an object of type 'long int'
0x7fffffffe310: note: pointer points here
 00 00 00 00 00 1c 01 00 01 00 00 00 70 10 40 00 00 00 00 00 60 15 40 00 00 00 00 00 1d 45 5c 9d
 ^
pr94482.c:14:11: runtime error: index 7 out of bounds for type 'long int [2]'
pr94482.c:14:15: runtime error: store to address 0x7fffffffe318 with insufficient space for an object of type 'long int'
0x7fffffffe318: note: pointer points here
 00 00 00 00 70 10 40 00 00 00 00 00 60 15 40 00 00 00 00 00 1d 45 5c 9d 3a 72 cd ab 60 12 40 00
 ^
Segmentation fault (core dumped)

$ gcc -fsanitize=address pr94482.c -O2 && ./a.out
=================================================================
==18733==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7fffffffe290 at pc 0x0000004015d1 bp 0x7fffffffe150 sp 0x7fffffffe148
WRITE of size 8 at 0x7fffffffe290 thread T0
    #0 0x4015d0 in main (/home/marxin/Programming/testcases/a.out+0x4015d0)
    #1 0x7ffff73c3cea in __libc_start_main ../csu/libc-start.c:308
    #2 0x401659 in _start (/home/marxin/Programming/testcases/a.out+0x401659)

Address 0x7fffffffe290 is located in stack of thread T0 at offset 304 in frame
    #0 0x40111f in main (/home/marxin/Programming/testcases/a.out+0x40111f)

  This frame has 11 object(s):
    [32, 48) 'n' (line 42)
    [64, 80) 'o' (line 43)
    [96, 112) 'r_' (line 47)
    [128, 144) 'n' (line 23)
    [160, 176) 'o' (line 24)
    [192, 208) 'r_' (line 26)
    [224, 240) 'n' (line 29)
    [256, 272) 'o' (line 30)
    [288, 304) 'r_' (line 12) <== Memory access at offset 304 overflows this variable
    [320, 336) 'n' (line 15)
    [352, 368) 'o' (line 16)
HINT: this may be a false positive if your program uses some custom stack unwind mechanism, swapcontext or vfork
      (longjmp and C++ exceptions *are* supported)
SUMMARY: AddressSanitizer: stack-buffer-overflow (/home/marxin/Programming/testcases/a.out+0x4015d0) in main
Shadow bytes around the buggy address:
  0x10007fff7c00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10007fff7c10: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10007fff7c20: 00 00 00 00 00 00 00 00 00 00 00 00 f1 f1 f1 f1
  0x10007fff7c30: 00 00 f2 f2 00 00 f2 f2 00 00 f2 f2 00 00 f2 f2
  0x10007fff7c40: 00 00 f2 f2 00 00 f2 f2 00 00 f2 f2 00 00 f2 f2
=>0x10007fff7c50: 00 00[f2]f2 00 00 f2 f2 00 00 f3 f3 00 00 00 00
  0x10007fff7c60: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10007fff7c70: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10007fff7c80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10007fff7c90: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10007fff7ca0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
  Shadow gap:              cc
==18733==ABORTING
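
Added example, not part of the original comment or of GCC/ASan: it cross-checks the AddressSanitizer report above by mapping the faulting address and the frame's object ranges onto the printed shadow bytes. It assumes the usual x86-64 Linux mapping, shadow = (addr >> 3) + 0x7fff8000, and the function names are hypothetical.

```c
#include <stdint.h>
#include <stdio.h>

/* Assumed ASan mapping on x86-64 Linux: one shadow byte per 8 app bytes. */
#define SHADOW_SCALE  3
#define SHADOW_OFFSET 0x7fff8000ULL

struct obj { unsigned lo, hi; };            /* [lo, hi) frame offsets */

/* The 11 ranges listed under "This frame has 11 object(s)". */
static const struct obj frame_objs[] = {
    {32, 48}, {64, 80}, {96, 112}, {128, 144}, {160, 176}, {192, 208},
    {224, 240}, {256, 272}, {288, 304}, {320, 336}, {352, 368}
};
#define NOBJ (sizeof frame_objs / sizeof frame_objs[0])

/* First 12 bytes of shadow row 0x10007fff7c50, copied from the report. */
static const uint8_t reported_row[12] =
    {0x00, 0x00, 0xf2, 0xf2, 0x00, 0x00, 0xf2, 0xf2, 0x00, 0x00, 0xf3, 0xf3};

uint64_t shadow_addr(uint64_t app) { return (app >> SHADOW_SCALE) + SHADOW_OFFSET; }

/* Shadow value a frame offset should carry: 00 inside an object,
   f1 left redzone, f2 between objects, f3 right redzone. */
uint8_t expected_shadow(unsigned off) {
    for (size_t i = 0; i < NOBJ; i++)
        if (off >= frame_objs[i].lo && off < frame_objs[i].hi) return 0x00;
    if (off < frame_objs[0].lo) return 0xf1;
    if (off >= frame_objs[NOBJ - 1].hi) return 0xf3;
    return 0xf2;
}

/* Index of the object the access ran past, or -1 if the offset is valid. */
int overflowed_object(unsigned off) {
    int best = -1;
    for (size_t i = 0; i < NOBJ; i++)
        if (frame_objs[i].hi <= off) best = (int)i;
    return expected_shadow(off) ? best : -1;
}

/* Rebuild one shadow row from the object list and compare with the report. */
int row_matches(uint64_t fault_addr, unsigned fault_off, uint64_t row_shadow) {
    uint64_t base_shadow = shadow_addr(fault_addr - fault_off);
    for (unsigned i = 0; i < sizeof reported_row; i++) {
        unsigned off = (unsigned)((row_shadow + i - base_shadow) << SHADOW_SCALE);
        if (expected_shadow(off) != reported_row[i]) return 0;
    }
    return 1;
}

int main(void) {
    printf("shadow of fault: 0x%llx, object #%d, row ok: %d\n",
           (unsigned long long)shadow_addr(0x7fffffffe290ULL),
           overflowed_object(304),
           row_matches(0x7fffffffe290ULL, 304, 0x10007fff7c50ULL));
    return 0;
}
```

The bracketed `[f2]` in the report is the third byte of row 0x10007fff7c50, which is the shadow address this computes for the faulting store just past `r_`.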