This is the mail archive of the gcc-bugs@gcc.gnu.org mailing list for the GCC project.



[Bug c++/80236] ARM NEON: Crash in std::map


https://gcc.gnu.org/bugzilla/show_bug.cgi?id=80236

--- Comment #4 from Dominik Schmidt <dev@dominik-schmidt.de> ---
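AddressSanitizer output (the 16-byte read at frame offset 112 extends past the end of 'j3', which occupies offsets [96, 120) of main's stack frame):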

=================================================================
==597==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7e842bd0 at
pc 0x00013d20 bp 0x7e8428dc sp 0x7e8428d4
READ of size 16 at 0x7e842bd0 thread T0
    #0 0x13d1f in void
__gnu_cxx::new_allocator<std::_Rb_tree_node<std::pair<int const, double> >
>::construct<std::pair<int const, double>, std::pair<int const, double>
const&>(std::pair<int const, double>*, std::pair<int const, double> const&)
(/tmp/crashTest+0x13d1f)
    #1 0x13b0f in void
std::allocator_traits<std::allocator<std::_Rb_tree_node<std::pair<int const,
double> > > >::construct<std::pair<int const, double>, std::pair<int const,
double> const&>(std::allocator<std::_Rb_tree_node<std::pair<int const, double>
> >&, std::pair<int const, double>*, std::pair<int const, double> const&)
(/tmp/crashTest+0x13b0f)
    #2 0x13a27 in void std::_Rb_tree<int, std::pair<int const, double>,
std::_Select1st<std::pair<int const, double> >, std::less<int>,
std::allocator<std::pair<int const, double> >
>::_M_construct_node<std::pair<int const, double>
const&>(std::_Rb_tree_node<std::pair<int const, double> >*, std::pair<int
const, double> const&) (/tmp/crashTest+0x13a27)
    #3 0x1381b in std::_Rb_tree_node<std::pair<int const, double> >*
std::_Rb_tree<int, std::pair<int const, double>, std::_Select1st<std::pair<int
const, double> >, std::less<int>, std::allocator<std::pair<int const, double> >
>::_M_create_node<std::pair<int const, double> const&>(std::pair<int const,
double> const&) (/tmp/crashTest+0x1381b)
    #4 0x1352f in std::_Rb_tree_node<std::pair<int const, double> >*
std::_Rb_tree<int, std::pair<int const, double>, std::_Select1st<std::pair<int
const, double> >, std::less<int>, std::allocator<std::pair<int const, double> >
>::_Alloc_node::operator()<std::pair<int const, double> const&>(std::pair<int
const, double> const&) const (/tmp/crashTest+0x1352f)
    #5 0x12b23 in std::_Rb_tree_iterator<std::pair<int const, double> >
std::_Rb_tree<int, std::pair<int const, double>, std::_Select1st<std::pair<int
const, double> >, std::less<int>, std::allocator<std::pair<int const, double> >
>::_M_insert_<std::pair<int const, double> const&, std::_Rb_tree<int,
std::pair<int const, double>, std::_Select1st<std::pair<int const, double> >,
std::less<int>, std::allocator<std::pair<int const, double> >
>::_Alloc_node>(std::_Rb_tree_node_base*, std::_Rb_tree_node_base*,
std::pair<int const, double> const&, std::_Rb_tree<int, std::pair<int const,
double>, std::_Select1st<std::pair<int const, double> >, std::less<int>,
std::allocator<std::pair<int const, double> > >::_Alloc_node&)
(/tmp/crashTest+0x12b23)
    #6 0x11953 in std::_Rb_tree_iterator<std::pair<int const, double> >
std::_Rb_tree<int, std::pair<int const, double>, std::_Select1st<std::pair<int
const, double> >, std::less<int>, std::allocator<std::pair<int const, double> >
>::_M_insert_unique_<std::pair<int const, double> const&, std::_Rb_tree<int,
std::pair<int const, double>, std::_Select1st<std::pair<int const, double> >,
std::less<int>, std::allocator<std::pair<int const, double> >
>::_Alloc_node>(std::_Rb_tree_const_iterator<std::pair<int const, double> >,
std::pair<int const, double> const&, std::_Rb_tree<int, std::pair<int const,
double>, std::_Select1st<std::pair<int const, double> >, std::less<int>,
std::allocator<std::pair<int const, double> > >::_Alloc_node&)
(/tmp/crashTest+0x11953)
    #7 0x11337 in void std::_Rb_tree<int, std::pair<int const, double>,
std::_Select1st<std::pair<int const, double> >, std::less<int>,
std::allocator<std::pair<int const, double> > >::_M_insert_unique<std::pair<int
const, double> const*>(std::pair<int const, double> const*, std::pair<int
const, double> const*) (/tmp/crashTest+0x11337)
    #8 0x110a7 in std::map<int, double, std::less<int>,
std::allocator<std::pair<int const, double> >
>::map(std::initializer_list<std::pair<int const, double> >, std::less<int>
const&, std::allocator<std::pair<int const, double> > const&)
(/tmp/crashTest+0x110a7)
    #9 0x13e87 in main (/tmp/crashTest+0x13e87)
    #10 0x766cb83f in __libc_start_main
(/test/crosscan-test/lib/libc.so.6+0x1683f)

Address 0x7e842bd0 is located in stack of thread T0 at offset 112 in frame
    #0 0x13d8f in main (/tmp/crashTest+0x13d8f)

  This frame has 2 object(s):
    [32, 56) 'j1'
    [96, 120) 'j3' <== Memory access at offset 112 partially overflows this
variable
HINT: this may be a false positive if your program uses some custom stack
unwind mechanism or swapcontext
      (longjmp and C++ exceptions *are* supported)
SUMMARY: AddressSanitizer: stack-buffer-overflow (/tmp/crashTest+0x13d1f) in
void __gnu_cxx::new_allocator<std::_Rb_tree_node<std::pair<int const, double> >
>::construct<std::pair<int const, double>, std::pair<int const, double>
const&>(std::pair<int const, double>*, std::pair<int const, double> const&)
Shadow bytes around the buggy address:
  0x2fd08520: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x2fd08530: 00 00 00 00 00 00 00 00 00 00 00 00 f1 f1 f1 f1
  0x2fd08540: 00 f4 f4 f4 f3 f3 f3 f3 00 00 00 00 00 00 00 00
  0x2fd08550: 00 00 00 00 f1 f1 f1 f1 04 f4 f4 f4 f3 f3 f3 f3
  0x2fd08560: 00 00 00 00 00 00 00 00 00 00 00 00 f1 f1 f1 f1
=>0x2fd08570: 00 00 00 f4 f2 f2 f2 f2 00 00[00]f4 f3 f3 f3 f3
  0x2fd08580: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x2fd08590: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x2fd085a0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x2fd085b0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x2fd085c0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==597==ABORTING
