Bug 16366 - Preprocessor option -remap causes memory corruption
Summary: Preprocessor option -remap causes memory corruption
Status: RESOLVED FIXED
Alias: None
Product: gcc
Classification: Unclassified
Component: preprocessor (show other bugs)
Version: 3.4.1
: P2 normal
Target Milestone: 3.4.2
Assignee: Not yet assigned to anyone
URL:
Keywords: ice-on-valid-code
Depends on:
Blocks:
 
Reported: 2004-07-05 05:45 UTC by Andris Pavenis
Modified: 2005-07-23 22:49 UTC (History)
1 user (show)

See Also:
Host:
Target:
Build:
Known to work:
Known to fail:
Last reconfirmed:

Attachments
Patch to fix the bug (352 bytes, patch)
2004-07-05 05:54 UTC, Andris Pavenis 		Details | Diff
View All Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description Andris Pavenis 2004-07-05 05:45:31 UTC 
Preprocessor option -remap (gcc -Wp,-remap ...) ocasionally causes write 
to freed memory. It's enough to specify this option, there is no need for 
header.gcc files to be present.  
 
Initially noticed for target i586-pc-msdosdjgpp, when cc1plus crashed for some 
files while reading header files. Removing -remap from specs fixed the 
problem.  
 
After that reproduced bug for i686-linux-gnu by specifying command line option 
-Wp,-remap and trying to build some C++ packages for example glibmm-2.4.2 or 
cln-1.1.6 
 
Here is information which I got from valgrind-2.1.1: 
 
rm -f .libs/cl_debug.lo 
valgrind --tool=memcheck --trace-children=yes --num-callers=15 g++ -v -g -O2 
-I../include -I../include -I./base -c ./base/cl_debug.cc  -fPIC -DPIC 
-o .libs/cl_debug.lo 
==26799== Memcheck, a memory error detector for x86-linux. 
==26799== Copyright (C) 2002-2004, and GNU GPL'd, by Julian Seward. 
==26799== Using valgrind-2.1.1, a program supervision framework for x86-linux. 
==26799== Copyright (C) 2000-2004, and GNU GPL'd, by Julian Seward. 
==26799== For more details, rerun with: -v 
==26799==  
Reading specs from /disk2/gcc34test/lib/gcc/i686-pc-linux-gnu/3.4.1/specs 
Configured with: ./configure --prefix=/disk2/gcc34test 
--enable-languages=c,c++ 
Thread model: posix 
gcc version 3.4.1 
 /disk2/gcc34test/libexec/gcc/i686-pc-linux-gnu/3.4.1/cc1plus -quiet -v 
-I../include -I../include -I./base -D_GNU_SOURCE -remap 
-DPIC ./base/cl_debug.cc -quiet -dumpbase cl_debug.cc -mtune=pentiumpro 
-auxbase-strip .libs/cl_debug.lo -g -O2 -version -fPIC -o /tmp/cc8STD4d.s 
==26801== Memcheck, a memory error detector for x86-linux. 
==26801== Copyright (C) 2002-2004, and GNU GPL'd, by Julian Seward. 
==26801== Using valgrind-2.1.1, a program supervision framework for x86-linux. 
==26801== Copyright (C) 2000-2004, and GNU GPL'd, by Julian Seward. 
==26801== For more details, rerun with: -v 
==26801==  
ignoring duplicate directory "/usr/lib/qt/include" 
ignoring nonexistent directory 
"/disk2/gcc34test/lib/gcc/i686-pc-linux-gnu/3.4.1/../../../../i686-pc-linux-gnu/include" 
ignoring duplicate directory "../include" 
#include "..." search starts here: 
#include <...> search starts here: 
 ../include 
 ./base 
 /usr/lib/qt/include 
 /disk2/gcc34test/lib/gcc/i686-pc-linux-gnu/3.4.1/../../../../include/c++/3.4.1 
 /disk2/gcc34test/lib/gcc/i686-pc-linux-gnu/3.4.1/../../../../include/c++/3.4.1/i686-pc-linux-gnu 
 /disk2/gcc34test/lib/gcc/i686-pc-linux-gnu/3.4.1/../../../../include/c++/3.4.1/backward 
 /usr/local/include 
 /disk2/gcc34test/include 
 /disk2/gcc34test/lib/gcc/i686-pc-linux-gnu/3.4.1/include 
 /usr/include 
End of search list. 
GNU C++ version 3.4.1 (i686-pc-linux-gnu) 
	compiled by GNU C version 3.4.1. 
GGC heuristics: --param ggc-min-expand=90 --param ggc-min-heapsize=113227 
==26801== Invalid read of size 4 
==26801==    at 0x836349E: _cpp_find_file (cppfiles.c:433) 
==26801==    by 0x8363986: _cpp_stack_include (cppfiles.c:733) 
==26801==    by 0x8359651: do_include_common (cpplib.c:695) 
==26801==    by 0x8358E87: _cpp_handle_directive (cpplib.c:424) 
==26801==    by 0x835D1EA: _cpp_lex_token (cpplex.c:716) 
==26801==    by 0x835DD1B: cpp_get_token (cppmacro.c:1061) 
==26801==    by 0x80E703C: c_lex_with_flags (c-lex.c:308) 
==26801==    by 0x808F1CB: cp_lexer_get_preprocessor_token (parser.c:602) 
==26801==    by 0x808F2A5: cp_lexer_read_token (parser.c:492) 
==26801==    by 0x808F598: cp_lexer_peek_token (parser.c:649) 
==26801==    by 0x809A925: cp_parser_declaration_seq_opt (parser.c:6201) 
==26801==    by 0x809A780: cp_parser_declaration (parser.c:9495) 
==26801==    by 0x809A91E: cp_parser_declaration_seq_opt (parser.c:6231) 
==26801==    by 0x809AAEA: c_parse_file (parser.c:2319) 
==26801==    by 0x80EC4B1: c_common_parse_file (c-opts.c:1237) 
==26801==  Address 0x3C1EE2A8 is 884 bytes inside a block of size 1004 free'd 
==26801==    at 0x3C01D8A1: free (vg_replace_malloc.c:127) 
==26801==    by 0x836B9C8: htab_expand (hashtab.c:421) 
==26801==    by 0x836BBFC: htab_find_slot_with_hash (hashtab.c:510) 
==26801==    by 0x8362947: make_cpp_dir (cppfiles.c:797) 
==26801==    by 0x836356A: _cpp_find_file (cppfiles.c:1202) 
==26801==    by 0x8363986: _cpp_stack_include (cppfiles.c:733) 
==26801==    by 0x8359651: do_include_common (cpplib.c:695) 
==26801==    by 0x8358E87: _cpp_handle_directive (cpplib.c:424) 
==26801==    by 0x835D1EA: _cpp_lex_token (cpplex.c:716) 
==26801==    by 0x835DD1B: cpp_get_token (cppmacro.c:1061) 
==26801==    by 0x80E703C: c_lex_with_flags (c-lex.c:308) 
==26801==    by 0x808F1CB: cp_lexer_get_preprocessor_token (parser.c:602) 
==26801==    by 0x808F2A5: cp_lexer_read_token (parser.c:492) 
==26801==    by 0x808F598: cp_lexer_peek_token (parser.c:649) 
==26801==    by 0x809A925: cp_parser_declaration_seq_opt (parser.c:6201) 
==26801==  
==26801== Invalid write of size 4 
==26801==    at 0x83634B7: _cpp_find_file (cppfiles.c:436) 
==26801==    by 0x8363986: _cpp_stack_include (cppfiles.c:733) 
==26801==    by 0x8359651: do_include_common (cpplib.c:695) 
==26801==    by 0x8358E87: _cpp_handle_directive (cpplib.c:424) 
==26801==    by 0x835D1EA: _cpp_lex_token (cpplex.c:716) 
==26801==    by 0x835DD1B: cpp_get_token (cppmacro.c:1061) 
==26801==    by 0x80E703C: c_lex_with_flags (c-lex.c:308) 
==26801==    by 0x808F1CB: cp_lexer_get_preprocessor_token (parser.c:602) 
==26801==    by 0x808F2A5: cp_lexer_read_token (parser.c:492) 
==26801==    by 0x808F598: cp_lexer_peek_token (parser.c:649) 
==26801==    by 0x809A925: cp_parser_declaration_seq_opt (parser.c:6201) 
==26801==    by 0x809A780: cp_parser_declaration (parser.c:9495) 
==26801==    by 0x809A91E: cp_parser_declaration_seq_opt (parser.c:6231) 
==26801==    by 0x809AAEA: c_parse_file (parser.c:2319) 
==26801==    by 0x80EC4B1: c_common_parse_file (c-opts.c:1237) 
==26801==  Address 0x3C1EE2A8 is 884 bytes inside a block of size 1004 free'd 
==26801==    at 0x3C01D8A1: free (vg_replace_malloc.c:127) 
==26801==    by 0x836B9C8: htab_expand (hashtab.c:421) 
==26801==    by 0x836BBFC: htab_find_slot_with_hash (hashtab.c:510) 
==26801==    by 0x8362947: make_cpp_dir (cppfiles.c:797) 
==26801==    by 0x836356A: _cpp_find_file (cppfiles.c:1202) 
==26801==    by 0x8363986: _cpp_stack_include (cppfiles.c:733) 
==26801==    by 0x8359651: do_include_common (cpplib.c:695) 
==26801==    by 0x8358E87: _cpp_handle_directive (cpplib.c:424) 
==26801==    by 0x835D1EA: _cpp_lex_token (cpplex.c:716) 
==26801==    by 0x835DD1B: cpp_get_token (cppmacro.c:1061) 
==26801==    by 0x80E703C: c_lex_with_flags (c-lex.c:308) 
==26801==    by 0x808F1CB: cp_lexer_get_preprocessor_token (parser.c:602) 
==26801==    by 0x808F2A5: cp_lexer_read_token (parser.c:492) 
==26801==    by 0x808F598: cp_lexer_peek_token (parser.c:649) 
==26801==    by 0x809A925: cp_parser_declaration_seq_opt (parser.c:6201) 
==26801==  
==26801== ERROR SUMMARY: 2 errors from 2 contexts (suppressed: 11 from 1) 
==26801== malloc/free: in use at exit: 947389 bytes in 6810 blocks. 
==26801== malloc/free: 27194 allocs, 20384 frees, 9137121 bytes allocated. 
==26801== For a detailed leak analysis,  rerun with: --leak-check=yes 
==26801== For counts of detected errors, rerun with: -v 
 as -V -Qy -o .libs/cl_debug.lo /tmp/cc8STD4d.s 
==26804== Memcheck, a memory error detector for x86-linux. 
==26804== Copyright (C) 2002-2004, and GNU GPL'd, by Julian Seward. 
==26804== Using valgrind-2.1.1, a program supervision framework for x86-linux. 
==26804== Copyright (C) 2000-2004, and GNU GPL'd, by Julian Seward. 
==26804== For more details, rerun with: -v 
==26804==  
GNU assembler version 2.15.90.0.3 (i486-slackware-linux) using BFD version 
2.15.90.0.3 20040415 
==26804==  
==26804== ERROR SUMMARY: 0 errors from 0 contexts (suppressed: 13 from 1) 
==26804== malloc/free: in use at exit: 524637 bytes in 4101 blocks. 
==26804== malloc/free: 4242 allocs, 141 frees, 701301 bytes allocated. 
==26804== For a detailed leak analysis,  rerun with: --leak-check=yes 
==26804== For counts of detected errors, rerun with: -v 
==26799==  
==26799== ERROR SUMMARY: 0 errors from 0 contexts (suppressed: 13 from 2) 
==26799== malloc/free: in use at exit: 27177 bytes in 193 blocks. 
==26799== malloc/free: 249 allocs, 56 frees, 33094 bytes allocated. 
==26799== For a detailed leak analysis,  rerun with: --leak-check=yes 
==26799== For counts of detected errors, rerun with: -v 
valgrind --tool=memcheck --trace-children=yes --num-callers=15 g++ -v -g -O2 
-I../include -I../include -I./base -c ./base/cl_debug.cc -o cl_debug.o 
>/dev/null 2>&1 
mv -f .libs/cl_debug.lo cl_debug.lo
Comment 1 Andris Pavenis 2004-07-05 05:54:38 UTC 
Created attachment 6688 [details]
Patch to fix the bug

The reason was that in case if option -remap was specified pfile->file_hash 
was updated before attempt to use pointer hash_slot. If the array additionally 
gets reallocated then the result is accessing already freed memory. Calling 
htab_find_slot_with_hash once more later fixes the problem (verified for 
i586-pc-msdosdjgpp)
Comment 2 Andrew Pinski 2004-07-05 15:53:32 UTC 
As always patch should be done off the CVS and be sent to gcc-patches@,

In this case files have moved and the function has changes a little.
Comment 3 Andris Pavenis 2004-07-06 07:48:19 UTC 
Reproduced under Linux (i686-pc-linux-gnu) also with  
	gcc version 3.5.0 20040705 (experimental) 
 
Verified that similar patch fixes problem
Comment 4 GCC Commits 2004-07-16 17:07:06 UTC 
Subject: Bug 16366

CVSROOT:	/cvs/gcc
Module name:	gcc
Changes by:	zack@gcc.gnu.org	2004-07-16 17:07:01

Modified files:
	libcpp         : ChangeLog files.c internal.h 

Log message:
	2004-07-16  Andris Pavenis  <pavenis@latnet.lv>
	
	PR preprocessor/16366
	* internal.h (struct cpp_reader): New field dir_hash.
	* files.c (make_cpp_dir): Use dir_hash, not file_hash.
	(_cpp_init_files, _cpp_cleanup_files): Update for new field.

Patches:
http://gcc.gnu.org/cgi-bin/cvsweb.cgi/gcc/libcpp/ChangeLog.diff?cvsroot=gcc&r1=1.17&r2=1.18
http://gcc.gnu.org/cgi-bin/cvsweb.cgi/gcc/libcpp/files.c.diff?cvsroot=gcc&r1=1.4&r2=1.5
http://gcc.gnu.org/cgi-bin/cvsweb.cgi/gcc/libcpp/internal.h.diff?cvsroot=gcc&r1=1.4&r2=1.5
Comment 5 GCC Commits 2004-07-16 17:16:57 UTC 
Subject: Bug 16366

CVSROOT:	/cvs/gcc
Module name:	gcc
Branch: 	gcc-3_4-branch
Changes by:	zack@gcc.gnu.org	2004-07-16 17:16:46

Modified files:
	gcc            : ChangeLog cppfiles.c cpphash.h 

Log message:
	2004-07-16  Andris Pavenis  <pavenis@latnet.lv>
	
	PR preprocessor/16366
	* internal.h (struct cpp_reader): New field dir_hash.
	* files.c (make_cpp_dir): Use dir_hash, not file_hash.
	(_cpp_init_files, _cpp_cleanup_files): Update for new field.

Patches:
http://gcc.gnu.org/cgi-bin/cvsweb.cgi/gcc/gcc/ChangeLog.diff?cvsroot=gcc&only_with_tag=gcc-3_4-branch&r1=2.2326.2.561&r2=2.2326.2.562
http://gcc.gnu.org/cgi-bin/cvsweb.cgi/gcc/gcc/cppfiles.c.diff?cvsroot=gcc&only_with_tag=gcc-3_4-branch&r1=1.198.4.2&r2=1.198.4.3
http://gcc.gnu.org/cgi-bin/cvsweb.cgi/gcc/gcc/cpphash.h.diff?cvsroot=gcc&only_with_tag=gcc-3_4-branch&r1=1.203.4.3&r2=1.203.4.4
Comment 6 Zack Weinberg 2004-07-16 17:20:30 UTC 
fixed