


[Bug middle-end/55407] New: stack-buffer-overflow in compute_working_sets


http://gcc.gnu.org/bugzilla/show_bug.cgi?id=55407

             Bug #: 55407
           Summary: stack-buffer-overflow in compute_working_sets
    Classification: Unclassified
           Product: gcc
           Version: 4.8.0
            Status: UNCONFIRMED
          Severity: normal
          Priority: P3
         Component: middle-end
        AssignedTo: unassigned@gcc.gnu.org
        ReportedBy: hjl.tools@gmail.com


[hjl@gnu-mic-2 gcc]$ cat /tmp/y.i
extern void abort (void);
extern void exit (int);

/* Expected results of doit(0) and doit(1) as checked by do1()/do2().
 * Kept as ordinary (non-static, non-const) globals, presumably so the
 * comparisons are not folded away at compile time. */
int expect_do1 = 1;
int expect_do2 = 2;

/* Return 1 for x == 0 and 2 for x == 1 by dispatching through a static
 * table of label addresses (GNU computed goto, "&&label" / "goto *").
 * The table is filled on the first call and reused on later calls.
 *
 * x is used unchecked as an index into the 2-entry table: any value other
 * than 0 or 1 reads past jtab and jumps to whatever that memory holds.
 * The only callers in this file, do1() and do2(), pass 0 and 1. */
static int doit(int x){
  __label__ lbl1;
  __label__ lbl2;
  static int jtab_init = 0;   /* non-zero once jtab has been filled */
  static void *jtab[2];       /* addresses of lbl1 / lbl2, persistent across calls */

  if(!jtab_init) {
    jtab[0] = &&lbl1;
    jtab[1] = &&lbl2;
    jtab_init = 1;
  }
  goto *jtab[x];              /* no bounds check on x (see note above) */
lbl1:
  return 1;
lbl2:
  return 2;
}

/* Abort the process unless doit(0) returns the value in expect_do1. */
static void do1(void) {
  int got = doit(0);
  if (got == expect_do1)
    return;
  abort ();
}

/* Abort the process unless doit(1) returns the value in expect_do2. */
static void do2(void){
  int got = doit(1);
  if (got == expect_do2)
    return;
  abort ();
}

/* Entry point of the reproducer: run both checks (each aborts on a
 * mismatch) and terminate with status 0 if neither did. */
int main(void){
  do1();
  do2();
  exit(0);
}
[hjl@gnu-mic-2 gcc]$ ./xgcc -B./ -O3  -fprofile-arcs /tmp/y.i  
[hjl@gnu-mic-2 gcc]$ ./a.out
[hjl@gnu-mic-2 gcc]$ ./xgcc -B./ -O3 -S -fbranch-probabilities /tmp/y.i
=================================================================
==18365== ERROR: AddressSanitizer stack-buffer-overflow on address
0x7ffff9a5ee70 at pc 0xeeef8a bp 0x7ffff9a5e950 sp 0x7ffff9a5e948
READ of size 8 at 0x7ffff9a5ee70 thread T0
    #0 0xeeef89
(/export/build/gnu/gcc-asan/build-x86_64-linux/gcc/cc1+0xeeef89)
Address 0x7ffff9a5ee70 is located at offset 1184 in frame
<compute_branch_probabilities> of T0's stack:
  This frame has 2 object(s):
    [32, 112) 'hist_br_prob'
    [160, 1184) 'working_set_cum_values'
HINT: this may be a false positive if your program uses some custom stack
unwind mechanism
      (longjmp and C++ exceptions *are* supported)
Shadow byte and word:
  0x1fffff34bdce: f3
  0x1fffff34bdc8: 00 00 00 00 00 00 f3 f3
More shadow bytes:
  0x1fffff34bda8: 00 00 00 00 00 00 00 00
  0x1fffff34bdb0: 00 00 00 00 00 00 00 00
  0x1fffff34bdb8: 00 00 00 00 00 00 00 00
  0x1fffff34bdc0: 00 00 00 00 00 00 00 00
=>0x1fffff34bdc8: 00 00 00 00 00 00 f3 f3
  0x1fffff34bdd0: f3 f3 00 00 00 00 00 00
  0x1fffff34bdd8: 00 00 00 00 00 00 00 00
  0x1fffff34bde0: 00 00 00 00 00 00 00 00
  0x1fffff34bde8: 00 00 00 00 00 00 00 00
Stats: 2M malloced (2M for red zones) by 5642 calls
Stats: 0M realloced by 344 calls
Stats: 2M freed by 3566 calls
Stats: 0M really freed by 0 calls
Stats: 8M (2059 full pages) mmaped in 16 calls
  mmaps   by size class: 7:4095; 8:2047; 9:1023; 10:511; 11:255; 12:384;
13:128; 14:32; 15:48; 16:8; 18:2; 
  mallocs by size class: 7:3557; 8:1180; 9:156; 10:80; 11:213; 12:305; 13:89;
14:17; 15:43; 16:1; 18:1; 
  frees   by size class: 7:2011; 8:794; 9:122; 10:73; 11:142; 12:301; 13:64;
14:17; 15:42; 
  rfrees  by size class: 
Stats: malloc large: 45 small slow: 115
==18365== ABORTING
[hjl@gnu-mic-2 gcc]$ 
(gdb) bt
#0  __asan_report_error (pc=15658890, bp=140737488343840, sp=140737488343832, 
    addr=140737488345152, is_write=<optimized out>, access_size=8)
    at /export/gnu/import/git/gcc/libsanitizer/asan/asan_report.cc:464
#1  0x0000000001f2b2a4 in __asan::__asan_report_load8 (addr=<optimized out>)
    at /export/gnu/import/git/gcc/libsanitizer/asan/asan_rtl.cc:195
#2  0x0000000000eeef8a in compute_working_sets ()
    at /export/gnu/import/git/gcc/gcc/profile.c:294
#3  get_exec_counts (lineno_checksum=0, cfg_checksum=0)
    at /export/gnu/import/git/gcc/gcc/profile.c:377
#4  compute_branch_probabilities (cfg_checksum=cfg_checksum@entry=4088700122, 
    lineno_checksum=lineno_checksum@entry=728892799)
    at /export/gnu/import/git/gcc/gcc/profile.c:611
#5  0x0000000000ef1e76 in branch_prob ()
    at /export/gnu/import/git/gcc/gcc/profile.c:1371
#6  0x0000000001207d7b in tree_profiling ()
    at /export/gnu/import/git/gcc/gcc/tree-profile.c:483
#7  0x0000000000eb4f84 in execute_one_pass (
    pass=pass@entry=0x264a680 <pass_ipa_tree_profile>)
    at /export/gnu/import/git/gcc/gcc/passes.c:2339
#8  0x0000000000eb6653 in execute_ipa_pass_list (
    pass=0x264a680 <pass_ipa_tree_profile>)
    at /export/gnu/import/git/gcc/gcc/passes.c:2705
#9  0x000000000087cf79 in ipa_passes ()
---Type <return> to continue, or q <return> to quit---
    at /export/gnu/import/git/gcc/gcc/cgraphunit.c:1871
#10 compile () at /export/gnu/import/git/gcc/gcc/cgraphunit.c:1994
#11 0x000000000087e58a in finalize_compilation_unit ()
    at /export/gnu/import/git/gcc/gcc/cgraphunit.c:2122
#12 0x000000000059aec1 in c_write_global_declarations ()
    at /export/gnu/import/git/gcc/gcc/c/c-decl.c:10128
#13 0x000000000107b11a in compile_file ()
    at /export/gnu/import/git/gcc/gcc/toplev.c:559
#14 0x000000000107f407 in do_compile ()
    at /export/gnu/import/git/gcc/gcc/toplev.c:1881
#15 toplev_main (argc=15, argv=0x7fffffffe0d8)
    at /export/gnu/import/git/gcc/gcc/toplev.c:1957
#16 0x00000038f3a21675 in __libc_start_main () from /lib64/libc.so.6
#17 0x000000000055c761 in _start ()
(gdb)

