Created attachment 31344 [details]
C source code

I just tried to compile the attached source code with trunk of 20131130 and it said:

lens.c:1063:7: internal compiler error: Aborted
0xa8ed5f crash_signal
        ../../src/trunk/gcc/toplev.c:336
0xb18fe4 fini_object_sizes
        ../../src/trunk/gcc/tree-object-size.c:1200
0xb18fe4 compute_object_sizes
        ../../src/trunk/gcc/tree-object-size.c:1279
0xb18fe4 execute
        ../../src/trunk/gcc/tree-object-size.c:1309
Please submit a full bug report,
with preprocessed source if appropriate.
Please include the complete backtrace with any bug report.
See <http://gcc.gnu.org/bugs.html> for instructions.

Preprocessed source code attached. Flags -O2 -std=gnu99 required.
Valgrind shows:

==3073== Invalid write of size 8
==3073==    at 0x8C60BF: collect_object_sizes_for(object_size_info*, tree_node*) (tree-object-size.c:913)
==3073==    by 0x8C6CA4: merge_object_sizes(object_size_info*, tree_node*, tree_node*, unsigned long) [clone .isra.26] (tree-object-size.c:745)
==3073==    by 0x8C68BA: collect_object_sizes_for(object_size_info*, tree_node*) (tree-object-size.c:956)
==3073==    by 0x8C5188: compute_builtin_object_size(tree_node*, int) (tree-object-size.c:539)
==3073==    by 0x5BACA7: fold_builtin_2(unsigned int, tree_node*, tree_node*, tree_node*, bool) (builtins.c:12721)
==3073==    by 0x5BBBAB: fold_builtin_n(unsigned int, tree_node*, tree_node**, int, bool) (builtins.c:11118)
==3073==    by 0x5C3F54: fold_call_stmt(gimple_statement_base*, bool) (builtins.c:14252)
==3073==    by 0x8C43A6: (anonymous namespace)::pass_object_sizes::execute() (tree-object-size.c:1224)
==3073==    by 0x7CC189: execute_one_pass(opt_pass*) (passes.c:2215)
==3073==    by 0x7CC3F5: execute_pass_list(opt_pass*) (passes.c:2268)
==3073==    by 0x7CC407: execute_pass_list(opt_pass*) (passes.c:2269)
==3073==    by 0x5FCB95: expand_function(cgraph_node*) (cgraphunit.c:1763)
==3073==  Address 0x53a8bc8 is 0 bytes after a block of size 856 alloc'd
==3073==    at 0x40274F0: malloc (vg_replace_malloc.c:291)
==3073==    by 0xD38CC7: xmalloc (xmalloc.c:147)
==3073==    by 0x8C4182: init_object_sizes() [clone .part.28] (tree-object-size.c:1183)
==3073==    by 0x8C4B83: (anonymous namespace)::pass_object_sizes::execute() (ssa-iterators.h:498)
==3073==    by 0x7CC189: execute_one_pass(opt_pass*) (passes.c:2215)
==3073==    by 0x7CC3F5: execute_pass_list(opt_pass*) (passes.c:2268)
==3073==    by 0x7CC407: execute_pass_list(opt_pass*) (passes.c:2269)
==3073==    by 0x5FCB95: expand_function(cgraph_node*) (cgraphunit.c:1763)
==3073==    by 0x5FE477: compile() (cgraphunit.c:1868)
==3073==    by 0x5FE7D4: finalize_compilation_unit() (cgraphunit.c:2280)
==3073==    by 0x51E92B: c_write_global_declarations() (c-decl.c:10388)
==3073==    by 0x866B7C: compile_file() (toplev.c:561)
==3073== 
==3073== Invalid read of size 8
==3073==    at 0x8C6535: collect_object_sizes_for(object_size_info*, tree_node*) (tree-object-size.c:799)
==3073==    by 0x8C6CA4: merge_object_sizes(object_size_info*, tree_node*, tree_node*, unsigned long) [clone .isra.26] (tree-object-size.c:745)
==3073==    by 0x8C68BA: collect_object_sizes_for(object_size_info*, tree_node*) (tree-object-size.c:956)
==3073==    by 0x8C5188: compute_builtin_object_size(tree_node*, int) (tree-object-size.c:539)
==3073==    by 0x5BACA7: fold_builtin_2(unsigned int, tree_node*, tree_node*, tree_node*, bool) (builtins.c:12721)
==3073==    by 0x5BBBAB: fold_builtin_n(unsigned int, tree_node*, tree_node**, int, bool) (builtins.c:11118)
==3073==    by 0x5C3F54: fold_call_stmt(gimple_statement_base*, bool) (builtins.c:14252)
==3073==    by 0x8C43A6: (anonymous namespace)::pass_object_sizes::execute() (tree-object-size.c:1224)
==3073==    by 0x7CC189: execute_one_pass(opt_pass*) (passes.c:2215)
==3073==    by 0x7CC3F5: execute_pass_list(opt_pass*) (passes.c:2268)
==3073==    by 0x7CC407: execute_pass_list(opt_pass*) (passes.c:2269)
==3073==    by 0x5FCB95: expand_function(cgraph_node*) (cgraphunit.c:1763)
==3073==  Address 0x53a8bc8 is 0 bytes after a block of size 856 alloc'd
==3073==    at 0x40274F0: malloc (vg_replace_malloc.c:291)
==3073==    by 0xD38CC7: xmalloc (xmalloc.c:147)
==3073==    by 0x8C4182: init_object_sizes() [clone .part.28] (tree-object-size.c:1183)
==3073==    by 0x8C4B83: (anonymous namespace)::pass_object_sizes::execute() (ssa-iterators.h:498)
==3073==    by 0x7CC189: execute_one_pass(opt_pass*) (passes.c:2215)
==3073==    by 0x7CC3F5: execute_pass_list(opt_pass*) (passes.c:2268)
==3073==    by 0x7CC407: execute_pass_list(opt_pass*) (passes.c:2269)
==3073==    by 0x5FCB95: expand_function(cgraph_node*) (cgraphunit.c:1763)
==3073==    by 0x5FE477: compile() (cgraphunit.c:1868)
==3073==    by 0x5FE7D4: finalize_compilation_unit() (cgraphunit.c:2280)
==3073==    by 0x51E92B: c_write_global_declarations() (c-decl.c:10388)
==3073==    by 0x866B7C: compile_file() (toplev.c:561)
==3073== 

AddressSanitizer:

markus@x4 tmp % /var/tmp/gcc_sani/usr/local/bin/gcc -c -O2 -std=gnu99 bug124.c
=================================================================
==2994==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x6180001343d8 at pc 0x133f0e8 bp 0x7fffe70fc990 sp 0x7fffe70fc988
WRITE of size 8 at 0x6180001343d8 thread T0
    #0 0x133f0e7 in collect_object_sizes_for(object_size_info*, tree_node*) /var/tmp/gcc_build_dir/gcc/../../gcc/gcc/tree-object-size.c:913
    #1 0x133f7d9 in merge_object_sizes(object_size_info*, tree_node*, tree_node*, unsigned long) /var/tmp/gcc_build_dir/gcc/../../gcc/gcc/tree-object-size.c:745
    #2 0x133d495 in collect_object_sizes_for(object_size_info*, tree_node*) /var/tmp/gcc_build_dir/gcc/../../gcc/gcc/tree-object-size.c:956
    #3 0x13363b3 in compute_builtin_object_size(tree_node*, int) /var/tmp/gcc_build_dir/gcc/../../gcc/gcc/tree-object-size.c:539
    #4 0x7f8a05 in fold_builtin_object_size(tree_node*, tree_node*) /var/tmp/gcc_build_dir/gcc/../../gcc/gcc/builtins.c:12721
    #5 0x827a3e in fold_builtin_2(unsigned int, tree_node*, tree_node*, tree_node*, bool) /var/tmp/gcc_build_dir/gcc/../../gcc/gcc/builtins.c:10905
    #6 0x82aa3e in fold_builtin_n(unsigned int, tree_node*, tree_node**, int, bool) /var/tmp/gcc_build_dir/gcc/../../gcc/gcc/builtins.c:11118
    #7 0x855478 in fold_call_stmt(gimple_statement_base*, bool) /var/tmp/gcc_build_dir/gcc/../../gcc/gcc/builtins.c:14252
    #8 0x13322c8 in compute_object_sizes /var/tmp/gcc_build_dir/gcc/../../gcc/gcc/tree-object-size.c:1224
    #9 0x13322c8 in (anonymous namespace)::pass_object_sizes::execute() /var/tmp/gcc_build_dir/gcc/../../gcc/gcc/tree-object-size.c:1309
    #10 0xfe37f9 in execute_one_pass(opt_pass*) /var/tmp/gcc_build_dir/gcc/../../gcc/gcc/passes.c:2215
    #11 0xfe41b8 in execute_pass_list(opt_pass*) /var/tmp/gcc_build_dir/gcc/../../gcc/gcc/passes.c:2268
    #12 0xfe41de in execute_pass_list(opt_pass*) /var/tmp/gcc_build_dir/gcc/../../gcc/gcc/passes.c:2269
    #13 0x918b09 in expand_function(cgraph_node*) /var/tmp/gcc_build_dir/gcc/../../gcc/gcc/cgraphunit.c:1763
    #14 0x91de51 in expand_all_functions /var/tmp/gcc_build_dir/gcc/../../gcc/gcc/cgraphunit.c:1868
    #15 0x91de51 in compile() /var/tmp/gcc_build_dir/gcc/../../gcc/gcc/cgraphunit.c:2203
    #16 0x91f66a in finalize_compilation_unit() /var/tmp/gcc_build_dir/gcc/../../gcc/gcc/cgraphunit.c:2280
    #17 0x5e0a6c in c_write_global_declarations() /var/tmp/gcc_build_dir/gcc/../../gcc/gcc/c/c-decl.c:10388
    #18 0x11c8c44 in compile_file() /var/tmp/gcc_build_dir/gcc/../../gcc/gcc/toplev.c:561
    #19 0x11cd6d3 in do_compile /var/tmp/gcc_build_dir/gcc/../../gcc/gcc/toplev.c:1893
    #20 0x11cd6d3 in toplev_main(int, char**) /var/tmp/gcc_build_dir/gcc/../../gcc/gcc/toplev.c:1969
    #21 0x7fde5bff3f8f in __libc_start_main (/lib/libc.so.6+0x1ff8f)
    #22 0x5996d0 in _start (/var/tmp/gcc_sani/usr/local/libexec/gcc/x86_64-unknown-linux-gnu/4.9.0/cc1+0x5996d0)
0x6180001343d8 is located 0 bytes to the right of 856-byte region [0x618000134080,0x6180001343d8)
allocated by thread T0 here:
    #0 0x7fde5c815824 in __interceptor_malloc (/usr/lib/gcc/x86_64-pc-linux-gnu/4.9.0/libasan.so.1+0x38824)
    #1 0x222c717 in xmalloc /var/tmp/gcc_build_dir/libiberty/../../gcc/libiberty/xmalloc.c:147
SUMMARY: AddressSanitizer: heap-buffer-overflow /var/tmp/gcc_build_dir/gcc/../../gcc/gcc/tree-object-size.c:913 collect_object_sizes_for(object_size_info*, tree_node*)
Shadow bytes around the buggy address:
  0x0c308001e820: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c308001e830: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c308001e840: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c308001e850: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c308001e860: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0c308001e870: 00 00 00 00 00 00 00 00 00 00 00[fa]fa fa fa fa
  0x0c308001e880: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c308001e890: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c308001e8a0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c308001e8b0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c308001e8c0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:     fa
  Heap right redzone:    fb
  Freed heap region:     fd
  Stack left redzone:    f1
  Stack mid redzone:     f2
  Stack right redzone:   f3
  Stack partial redzone: f4
  Stack after return:    f5
  Stack use after scope: f8
  Global redzone:        f9
  Global init order:     f6
  Poisoned by user:      f7
  ASan internal:         fe
==2994==ABORTING
Reduced:

markus@x4 tmp % cat test.i
char *a;
long int b;
void enc_format() {
  b = __builtin_object_size(0, 0);
  a = __builtin___stpcpy_chk(0, "", b);
  b = __builtin_object_size(a, 0);
}
markus@x4 tmp % gcc -c -O2 test.i
*** Error in `/usr/libexec/gcc/x86_64-pc-linux-gnu/4.9.0/cc1': free(): invalid next size (fast): 0x00000000029aaab0 ***
======= Backtrace: =========
...
It is caused by r204966.
Created attachment 31345 [details]
gcc49-pr59362.patch

The problem is that the new stmt folding in the objsz pass can create new SSA_NAMEs and the code wasn't prepared for that.
Author: jakub
Date: Tue Dec 3 07:48:58 2013
New Revision: 205623

URL: http://gcc.gnu.org/viewcvs?rev=205623&root=gcc&view=rev
Log:
	PR tree-optimization/59362
	* tree-object-size.c (object_sizes): Change into array of
	vec<unsigned HOST_WIDE_INT>.
	(compute_builtin_object_size): Check computed bitmap for
	non-NULL instead of object_sizes.  Call safe_grow on object_sizes
	vector if new SSA_NAMEs appeared.
	(init_object_sizes): Check computed bitmap for non-NULL.  Call
	safe_grow on object_sizes elements instead of initializing it with
	XNEWVEC.
	(fini_object_sizes): Call release on object_sizes elements, don't
	set it to NULL.

	* gcc.c-torture/compile/pr59362.c: New test.

Added:
    trunk/gcc/testsuite/gcc.c-torture/compile/pr59362.c
Modified:
    trunk/gcc/ChangeLog
    trunk/gcc/testsuite/ChangeLog
    trunk/gcc/tree-object-size.c
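An added model (our own code, not GCC's) of the cause stated above and of the safe_grow fix in r205623: the size table is allocated once per pass from the SSA names that exist at that point, so a name created later by statement folding has a version that indexes past the end of that block, and the fix is to grow the table before indexing. The names size_table, replay, fresh_table_covers and UNKNOWN_SIZE are ours; the 107-slot figure comes from the 856-byte block in the ASan report.

```c
#include <stdlib.h>

#define UNKNOWN_SIZE ((unsigned long)-1)   /* "size not known" marker (our name) */

/* Model of GCC's object_sizes table: one slot per SSA name version. */
struct size_table { unsigned long *sizes; unsigned length; };

/* init_object_sizes analogue: sized from the SSA names present when the pass
   starts (the 856-byte block in the ASan report is 107 eight-byte slots). */
static void init_sizes(struct size_table *t, unsigned num_ssa_names) {
    t->sizes = malloc(num_ssa_names * sizeof *t->sizes);
    if (!t->sizes) abort();
    for (unsigned i = 0; i < num_ssa_names; i++) t->sizes[i] = UNKNOWN_SIZE;
    t->length = num_ssa_names;
}

/* The check the pre-fix store lacked: a name created by folding after init has
   version >= length, so an unchecked sizes[version] store lands past the block. */
static int version_in_bounds(const struct size_table *t, unsigned version) {
    return version < t->length;
}

/* safe_grow analogue from the fix: extend before indexing, new slots unknown. */
static void safe_grow(struct size_table *t, unsigned version) {
    if (version_in_bounds(t, version)) return;
    unsigned long *p = realloc(t->sizes, (version + 1) * sizeof *p);
    if (!p) abort();
    for (unsigned i = t->length; i <= version; i++) p[i] = UNKNOWN_SIZE;
    t->sizes = p;
    t->length = version + 1;
}

/* Fixed store: grow first, then write. */
static void record_size(struct size_table *t, unsigned version, unsigned long size) {
    safe_grow(t, version);
    t->sizes[version] = size;
}
static unsigned long lookup_size(const struct size_table *t, unsigned version) {
    return version_in_bounds(t, version) ? t->sizes[version] : UNKNOWN_SIZE;
}

/* Does a table built for 'initial' names cover 'version'?  0 marks the overflow. */
static int fresh_table_covers(unsigned initial, unsigned version) {
    struct size_table t; init_sizes(&t, initial);
    int ok = version_in_bounds(&t, version); free(t.sizes); return ok;
}
/* Replay the report: store a size for a version created after init, read it back. */
static unsigned long replay(unsigned initial, unsigned version, unsigned long size) {
    struct size_table t; init_sizes(&t, initial);
    record_size(&t, version, size);
    unsigned long got = lookup_size(&t, version); free(t.sizes); return got;
}
```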
Fixed.
Author: rguenth
Date: Thu Jan 9 15:25:34 2014
New Revision: 206467

URL: http://gcc.gnu.org/viewcvs?rev=206467&root=gcc&view=rev
Log:
2014-01-09  Richard Biener  <rguenther@suse.de>

	Backport from mainline
	2013-11-18  Richard Biener  <rguenther@suse.de>

	PR tree-optimization/59125
	PR tree-optimization/54570
	* tree-ssa-sccvn.c (copy_reference_ops_from_ref): When inlining
	is not complete do not treat component-references with offset zero
	but different fields as equal.
	* tree-object-size.c: Include tree-phinodes.h and ssa-iterators.h.
	(compute_object_sizes): Apply TLC.  Propagate the constant
	results into all uses and fold their stmts.
	* passes.def (pass_all_optimizations): Move pass_object_sizes
	after the first pass_forwprop and before pass_fre.

	* gcc.dg/builtin-object-size-8.c: Un-xfail.
	* gcc.dg/builtin-object-size-14.c: New testcase.
	* gcc.dg/strlenopt-14gf.c: Adjust.
	* gcc.dg/strlenopt-1f.c: Likewise.
	* gcc.dg/strlenopt-4gf.c: Likewise.

	2013-12-03  Jakub Jelinek  <jakub@redhat.com>

	PR tree-optimization/59362
	* tree-object-size.c (object_sizes): Change into array of
	vec<unsigned HOST_WIDE_INT>.
	(compute_builtin_object_size): Check computed bitmap for
	non-NULL instead of object_sizes.  Call safe_grow on object_sizes
	vector if new SSA_NAMEs appeared.
	(init_object_sizes): Check computed bitmap for non-NULL.  Call
	safe_grow on object_sizes elements instead of initializing it with
	XNEWVEC.
	(fini_object_sizes): Call release on object_sizes elements, don't
	set it to NULL.

	* gcc.c-torture/compile/pr59362.c: New test.

Added:
    branches/gcc-4_8-branch/gcc/testsuite/gcc.c-torture/compile/pr59362.c
    branches/gcc-4_8-branch/gcc/testsuite/gcc.dg/builtin-object-size-14.c
Modified:
    branches/gcc-4_8-branch/gcc/ChangeLog
    branches/gcc-4_8-branch/gcc/passes.c
    branches/gcc-4_8-branch/gcc/testsuite/ChangeLog
    branches/gcc-4_8-branch/gcc/testsuite/gcc.dg/builtin-object-size-8.c
    branches/gcc-4_8-branch/gcc/testsuite/gcc.dg/strlenopt-14gf.c
    branches/gcc-4_8-branch/gcc/testsuite/gcc.dg/strlenopt-1f.c
    branches/gcc-4_8-branch/gcc/testsuite/gcc.dg/strlenopt-4gf.c
    branches/gcc-4_8-branch/gcc/tree-object-size.c
    branches/gcc-4_8-branch/gcc/tree-ssa-sccvn.c