This is the mail archive of the gcc-bugs@gcc.gnu.org mailing list for the GCC project.
[Bug sanitizer/59258] New: usan: ICE(segfault): stack-buffer-overflow with -fsanitize=undefined
- From: "burnus at gcc dot gnu.org" <gcc-bugzilla at gcc dot gnu dot org>
- To: gcc-bugs at gcc dot gnu dot org
- Date: Sat, 23 Nov 2013 00:44:38 +0000
- Subject: [Bug sanitizer/59258] New: usan: ICE(segfault): stack-buffer-overflow with -fsanitize=undefined
- Auto-submitted: auto-generated
http://gcc.gnu.org/bugzilla/show_bug.cgi?id=59258
Bug ID: 59258
Summary: usan: ICE(segfault): stack-buffer-overflow with -fsanitize=undefined
Product: gcc
Version: 4.9.0
Status: UNCONFIRMED
Keywords: ice-on-valid-code
Severity: normal
Priority: P3
Component: sanitizer
Assignee: unassigned at gcc dot gnu.org
Reporter: burnus at gcc dot gnu.org
CC: dodji at gcc dot gnu.org, dvyukov at gcc dot gnu.org, jakub at gcc dot gnu.org, kcc at gcc dot gnu.org, mpolacek at gcc dot gnu.org
I run into this with a bigger code and GCC 4.9 r205287 on x86-64-gnu-linux.
Using an about one-week-old GCC, it compiled successfully - but now it
segfaults.
I have now created a -fsanitize=address GCC build, which allowed me to reduce
the code (before, I couldn't go smaller than about 64k).
In any case, GCC now fails for:
cc1plus -fsanitize=undefined
for this 5-line program:
class Parent { };
class RefNameDict : public Parent {
explicit RefNameDict (bool uniqueNames);
};
RefNameDict::RefNameDict (bool uniqueNames) { }
Address sanitizer prints:
==8820==ERROR: AddressSanitizer: stack-buffer-overflow on address
0x7fffcc257f58 at pc 0x1768edf bp 0x7fffcc257e60 sp 0x7fffcc257e58
WRITE of size 8 at 0x7fffcc257f58 thread T0
#0 ubsan_create_data(char const*, unsigned int, ubsan_mismatch_data const*,
...) + 2493 in section .text
#1 ubsan_expand_null_ifn(gimple_stmt_iterator_d) + 2283 in section .text
#2 execute_sanopt() + 838 in section .text
#3 (anonymous namespace)::pass_sanopt::execute() + 8 in section .text
...
Address 0x7fffcc257f58 is located in stack of thread T0 at offset 184 in frame
#0 ubsan_create_data(char const*, unsigned int, ubsan_mismatch_data const*,
...) + 15 in section .text
This frame has 5 object(s):
[32, 40) 'saved_args'
[96, 104) 'v'
[160, 184) 'fields' <== Memory access at offset 184 overflows this variable
[224, 248) 'args'
[288, 320) 'tmp_name'
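The frame dump at the end of the report is the part worth reading closely: the object 'fields' spans [160, 184), i.e. 24 bytes or three 8-byte slots on x86-64, and the faulting access is an 8-byte write at offset 184, the first byte past the object. That is the signature of a fixed-size stack array being filled one element too far. The C program below is an added illustration, not GCC source and not a claim about what ubsan_create_data actually does with its 'fields' array: it shows that shape of bug next to a bounds-checked version of the same routine, and does the arithmetic for turning the frame dump into a slot index. The argument counts, the variadic packing and the struct name asan_access are all invented for the example.

```c
#include <stdarg.h>
#include <stddef.h>
#include <stdio.h>

/* Added example, not GCC source. It reproduces the *shape* of the frame in the
   report above: a fixed array of three 8-byte slots on the stack (24 bytes, the
   size of the [160, 184) 'fields' object) filled from a variable number of
   arguments. */
#define NFIELDS 3

/* Unchecked shape. The loop bound comes from the caller, not from the array, so
   a 4th argument is stored at fields[3]: an 8-byte WRITE at the byte just past
   the object's end, which is what ASan prints as "offset 184 overflows this
   variable" for a [160, 184) object. Shown for comparison only and never called
   below, because running it is undefined behaviour without ASan to catch it. */
size_t pack_fields_unchecked(void *fields[NFIELDS], size_t n, ...)
{
    va_list ap;
    va_start(ap, n);
    for (size_t i = 0; i < n; i++)
        fields[i] = va_arg(ap, void *);   /* no check that i < NFIELDS */
    va_end(ap);
    return n;
}

/* Checked shape: the capacity is part of the contract and is tested before the
   first store. Returns the number of slots filled, or -1 if the request does not
   fit, so the caller can neither spill onto the stack nor lose data silently. */
int pack_fields_checked(void *fields[], size_t cap, size_t n, ...)
{
    if (n > cap)
        return -1;
    va_list ap;
    va_start(ap, n);
    for (size_t i = 0; i < n; i++)
        fields[i] = va_arg(ap, void *);
    va_end(ap);
    return (int)n;
}

/* Reading the frame dump. ASan prints each stack object as [lo, hi) and the
   faulting access as an offset and a size. These helpers do the arithmetic a
   reader does by hand: which slot of the object was touched, and whether the
   whole access lies inside it. (asan_access is an invented name for the
   example, not an ASan type.) */
struct asan_access {
    size_t lo, hi;   /* object range from "[lo, hi) 'name'" */
    size_t off, sz;  /* "WRITE of size sz" ... "access at offset off" */
};

long asan_slot_index(struct asan_access a)
{
    return (long)((a.off - a.lo) / a.sz);
}

int asan_in_bounds(struct asan_access a)
{
    return a.off >= a.lo && a.off + a.sz <= a.hi;
}

int main(void)
{
    void *fields[NFIELDS] = {0};
    int a, b, c, d;
    printf("3 into 3: %d\n",
           pack_fields_checked(fields, NFIELDS, 3, (void *)&a, (void *)&b, (void *)&c));
    printf("4 into 3: %d\n",
           pack_fields_checked(fields, NFIELDS, 4, (void *)&a, (void *)&b, (void *)&c, (void *)&d));

    /* Numbers taken from the report above: 'fields' at [160, 184), WRITE of size 8 at offset 184. */
    struct asan_access rep = { 160, 184, 184, 8 };
    printf("report hits slot %ld, in bounds: %d\n", asan_slot_index(rep), asan_in_bounds(rep));
    return 0;
}
```

With the report's numbers the access maps to slot 3 of a 3-slot object, which is why the reporter's -fsanitize=address build of the compiler was the right tool here: an off-by-one write into a stack array rarely crashes at the point of the write, so the plain build only segfaulted later, once the clobbered neighbour was used.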