Bug 16366 - Preprocessor option -remap causes memory corruption
Summary: Preprocessor option -remap causes memory corruption
Status: RESOLVED FIXED
Alias: None
Product: gcc
Classification: Unclassified
Component: preprocessor (show other bugs)
Version: 3.4.1
: P2 normal
Target Milestone: 3.4.2
Assignee: Not yet assigned to anyone
URL:
Keywords: ice-on-valid-code
Depends on:
Blocks:
 
Reported: 2004-07-05 05:45 UTC by Andris Pavenis
Modified: 2005-07-23 22:49 UTC (History)
1 user (show)

See Also:
Host:
Target:
Build:
Known to work:
Known to fail:
Last reconfirmed:


Attachments
Patch to fix the bug (352 bytes, patch)
2004-07-05 05:54 UTC, Andris Pavenis
Details | Diff

Note You need to log in before you can comment on or make changes to this bug.
Description Andris Pavenis 2004-07-05 05:45:31 UTC
Preprocessor option -remap (gcc -Wp,-remap ...) ocasionally causes write 
to freed memory. It's enough to specify this option, there is no need for 
header.gcc files to be present.  
 
Initially noticed for target i586-pc-msdosdjgpp, when cc1plus crashed for some 
files while reading header files. Removing -remap from specs fixed the 
problem.  
 
After that reproduced bug for i686-linux-gnu by specifying command line option 
-Wp,-remap and trying to build some C++ packages for example glibmm-2.4.2 or 
cln-1.1.6 
 
Here is information which I got from valgrind-2.1.1: 
 
rm -f .libs/cl_debug.lo 
valgrind --tool=memcheck --trace-children=yes --num-callers=15 g++ -v -g -O2 
-I../include -I../include -I./base -c ./base/cl_debug.cc  -fPIC -DPIC 
-o .libs/cl_debug.lo 
==26799== Memcheck, a memory error detector for x86-linux. 
==26799== Copyright (C) 2002-2004, and GNU GPL'd, by Julian Seward. 
==26799== Using valgrind-2.1.1, a program supervision framework for x86-linux. 
==26799== Copyright (C) 2000-2004, and GNU GPL'd, by Julian Seward. 
==26799== For more details, rerun with: -v 
==26799==  
Reading specs from /disk2/gcc34test/lib/gcc/i686-pc-linux-gnu/3.4.1/specs 
Configured with: ./configure --prefix=/disk2/gcc34test 
--enable-languages=c,c++ 
Thread model: posix 
gcc version 3.4.1 
 /disk2/gcc34test/libexec/gcc/i686-pc-linux-gnu/3.4.1/cc1plus -quiet -v 
-I../include -I../include -I./base -D_GNU_SOURCE -remap 
-DPIC ./base/cl_debug.cc -quiet -dumpbase cl_debug.cc -mtune=pentiumpro 
-auxbase-strip .libs/cl_debug.lo -g -O2 -version -fPIC -o /tmp/cc8STD4d.s 
==26801== Memcheck, a memory error detector for x86-linux. 
==26801== Copyright (C) 2002-2004, and GNU GPL'd, by Julian Seward. 
==26801== Using valgrind-2.1.1, a program supervision framework for x86-linux. 
==26801== Copyright (C) 2000-2004, and GNU GPL'd, by Julian Seward. 
==26801== For more details, rerun with: -v 
==26801==  
ignoring duplicate directory "/usr/lib/qt/include" 
ignoring nonexistent directory 
"/disk2/gcc34test/lib/gcc/i686-pc-linux-gnu/3.4.1/../../../../i686-pc-linux-gnu/include" 
ignoring duplicate directory "../include" 
#include "..." search starts here: 
#include <...> search starts here: 
 ../include 
 ./base 
 /usr/lib/qt/include 
 /disk2/gcc34test/lib/gcc/i686-pc-linux-gnu/3.4.1/../../../../include/c++/3.4.1 
 /disk2/gcc34test/lib/gcc/i686-pc-linux-gnu/3.4.1/../../../../include/c++/3.4.1/i686-pc-linux-gnu 
 /disk2/gcc34test/lib/gcc/i686-pc-linux-gnu/3.4.1/../../../../include/c++/3.4.1/backward 
 /usr/local/include 
 /disk2/gcc34test/include 
 /disk2/gcc34test/lib/gcc/i686-pc-linux-gnu/3.4.1/include 
 /usr/include 
End of search list. 
GNU C++ version 3.4.1 (i686-pc-linux-gnu) 
	compiled by GNU C version 3.4.1. 
GGC heuristics: --param ggc-min-expand=90 --param ggc-min-heapsize=113227 
==26801== Invalid read of size 4 
==26801==    at 0x836349E: _cpp_find_file (cppfiles.c:433) 
==26801==    by 0x8363986: _cpp_stack_include (cppfiles.c:733) 
==26801==    by 0x8359651: do_include_common (cpplib.c:695) 
==26801==    by 0x8358E87: _cpp_handle_directive (cpplib.c:424) 
==26801==    by 0x835D1EA: _cpp_lex_token (cpplex.c:716) 
==26801==    by 0x835DD1B: cpp_get_token (cppmacro.c:1061) 
==26801==    by 0x80E703C: c_lex_with_flags (c-lex.c:308) 
==26801==    by 0x808F1CB: cp_lexer_get_preprocessor_token (parser.c:602) 
==26801==    by 0x808F2A5: cp_lexer_read_token (parser.c:492) 
==26801==    by 0x808F598: cp_lexer_peek_token (parser.c:649) 
==26801==    by 0x809A925: cp_parser_declaration_seq_opt (parser.c:6201) 
==26801==    by 0x809A780: cp_parser_declaration (parser.c:9495) 
==26801==    by 0x809A91E: cp_parser_declaration_seq_opt (parser.c:6231) 
==26801==    by 0x809AAEA: c_parse_file (parser.c:2319) 
==26801==    by 0x80EC4B1: c_common_parse_file (c-opts.c:1237) 
==26801==  Address 0x3C1EE2A8 is 884 bytes inside a block of size 1004 free'd 
==26801==    at 0x3C01D8A1: free (vg_replace_malloc.c:127) 
==26801==    by 0x836B9C8: htab_expand (hashtab.c:421) 
==26801==    by 0x836BBFC: htab_find_slot_with_hash (hashtab.c:510) 
==26801==    by 0x8362947: make_cpp_dir (cppfiles.c:797) 
==26801==    by 0x836356A: _cpp_find_file (cppfiles.c:1202) 
==26801==    by 0x8363986: _cpp_stack_include (cppfiles.c:733) 
==26801==    by 0x8359651: do_include_common (cpplib.c:695) 
==26801==    by 0x8358E87: _cpp_handle_directive (cpplib.c:424) 
==26801==    by 0x835D1EA: _cpp_lex_token (cpplex.c:716) 
==26801==    by 0x835DD1B: cpp_get_token (cppmacro.c:1061) 
==26801==    by 0x80E703C: c_lex_with_flags (c-lex.c:308) 
==26801==    by 0x808F1CB: cp_lexer_get_preprocessor_token (parser.c:602) 
==26801==    by 0x808F2A5: cp_lexer_read_token (parser.c:492) 
==26801==    by 0x808F598: cp_lexer_peek_token (parser.c:649) 
==26801==    by 0x809A925: cp_parser_declaration_seq_opt (parser.c:6201) 
==26801==  
==26801== Invalid write of size 4 
==26801==    at 0x83634B7: _cpp_find_file (cppfiles.c:436) 
==26801==    by 0x8363986: _cpp_stack_include (cppfiles.c:733) 
==26801==    by 0x8359651: do_include_common (cpplib.c:695) 
==26801==    by 0x8358E87: _cpp_handle_directive (cpplib.c:424) 
==26801==    by 0x835D1EA: _cpp_lex_token (cpplex.c:716) 
==26801==    by 0x835DD1B: cpp_get_token (cppmacro.c:1061) 
==26801==    by 0x80E703C: c_lex_with_flags (c-lex.c:308) 
==26801==    by 0x808F1CB: cp_lexer_get_preprocessor_token (parser.c:602) 
==26801==    by 0x808F2A5: cp_lexer_read_token (parser.c:492) 
==26801==    by 0x808F598: cp_lexer_peek_token (parser.c:649) 
==26801==    by 0x809A925: cp_parser_declaration_seq_opt (parser.c:6201) 
==26801==    by 0x809A780: cp_parser_declaration (parser.c:9495) 
==26801==    by 0x809A91E: cp_parser_declaration_seq_opt (parser.c:6231) 
==26801==    by 0x809AAEA: c_parse_file (parser.c:2319) 
==26801==    by 0x80EC4B1: c_common_parse_file (c-opts.c:1237) 
==26801==  Address 0x3C1EE2A8 is 884 bytes inside a block of size 1004 free'd 
==26801==    at 0x3C01D8A1: free (vg_replace_malloc.c:127) 
==26801==    by 0x836B9C8: htab_expand (hashtab.c:421) 
==26801==    by 0x836BBFC: htab_find_slot_with_hash (hashtab.c:510) 
==26801==    by 0x8362947: make_cpp_dir (cppfiles.c:797) 
==26801==    by 0x836356A: _cpp_find_file (cppfiles.c:1202) 
==26801==    by 0x8363986: _cpp_stack_include (cppfiles.c:733) 
==26801==    by 0x8359651: do_include_common (cpplib.c:695) 
==26801==    by 0x8358E87: _cpp_handle_directive (cpplib.c:424) 
==26801==    by 0x835D1EA: _cpp_lex_token (cpplex.c:716) 
==26801==    by 0x835DD1B: cpp_get_token (cppmacro.c:1061) 
==26801==    by 0x80E703C: c_lex_with_flags (c-lex.c:308) 
==26801==    by 0x808F1CB: cp_lexer_get_preprocessor_token (parser.c:602) 
==26801==    by 0x808F2A5: cp_lexer_read_token (parser.c:492) 
==26801==    by 0x808F598: cp_lexer_peek_token (parser.c:649) 
==26801==    by 0x809A925: cp_parser_declaration_seq_opt (parser.c:6201) 
==26801==  
==26801== ERROR SUMMARY: 2 errors from 2 contexts (suppressed: 11 from 1) 
==26801== malloc/free: in use at exit: 947389 bytes in 6810 blocks. 
==26801== malloc/free: 27194 allocs, 20384 frees, 9137121 bytes allocated. 
==26801== For a detailed leak analysis,  rerun with: --leak-check=yes 
==26801== For counts of detected errors, rerun with: -v 
 as -V -Qy -o .libs/cl_debug.lo /tmp/cc8STD4d.s 
==26804== Memcheck, a memory error detector for x86-linux. 
==26804== Copyright (C) 2002-2004, and GNU GPL'd, by Julian Seward. 
==26804== Using valgrind-2.1.1, a program supervision framework for x86-linux. 
==26804== Copyright (C) 2000-2004, and GNU GPL'd, by Julian Seward. 
==26804== For more details, rerun with: -v 
==26804==  
GNU assembler version 2.15.90.0.3 (i486-slackware-linux) using BFD version 
2.15.90.0.3 20040415 
==26804==  
==26804== ERROR SUMMARY: 0 errors from 0 contexts (suppressed: 13 from 1) 
==26804== malloc/free: in use at exit: 524637 bytes in 4101 blocks. 
==26804== malloc/free: 4242 allocs, 141 frees, 701301 bytes allocated. 
==26804== For a detailed leak analysis,  rerun with: --leak-check=yes 
==26804== For counts of detected errors, rerun with: -v 
==26799==  
==26799== ERROR SUMMARY: 0 errors from 0 contexts (suppressed: 13 from 2) 
==26799== malloc/free: in use at exit: 27177 bytes in 193 blocks. 
==26799== malloc/free: 249 allocs, 56 frees, 33094 bytes allocated. 
==26799== For a detailed leak analysis,  rerun with: --leak-check=yes 
==26799== For counts of detected errors, rerun with: -v 
valgrind --tool=memcheck --trace-children=yes --num-callers=15 g++ -v -g -O2 
-I../include -I../include -I./base -c ./base/cl_debug.cc -o cl_debug.o 
>/dev/null 2>&1 
mv -f .libs/cl_debug.lo cl_debug.lo
Comment 1 Andris Pavenis 2004-07-05 05:54:38 UTC
Created attachment 6688 [details]
Patch to fix the bug

The reason was that in case if option -remap was specified pfile->file_hash 
was updated before attempt to use pointer hash_slot. If the array additionally 
gets reallocated then the result is accessing already freed memory. Calling 
htab_find_slot_with_hash once more later fixes the problem (verified for 
i586-pc-msdosdjgpp)
Comment 2 Andrew Pinski 2004-07-05 15:53:32 UTC
As always patch should be done off the CVS and be sent to gcc-patches@,

In this case files have moved and the function has changes a little.
Comment 3 Andris Pavenis 2004-07-06 07:48:19 UTC
Reproduced under Linux (i686-pc-linux-gnu) also with  
	gcc version 3.5.0 20040705 (experimental) 
 
Verified that similar patch fixes problem 
 
Comment 4 CVS Commits 2004-07-16 17:07:06 UTC
Subject: Bug 16366

CVSROOT:	/cvs/gcc
Module name:	gcc
Changes by:	zack@gcc.gnu.org	2004-07-16 17:07:01

Modified files:
	libcpp         : ChangeLog files.c internal.h 

Log message:
	2004-07-16  Andris Pavenis  <pavenis@latnet.lv>
	
	PR preprocessor/16366
	* internal.h (struct cpp_reader): New field dir_hash.
	* files.c (make_cpp_dir): Use dir_hash, not file_hash.
	(_cpp_init_files, _cpp_cleanup_files): Update for new field.

Patches:
http://gcc.gnu.org/cgi-bin/cvsweb.cgi/gcc/libcpp/ChangeLog.diff?cvsroot=gcc&r1=1.17&r2=1.18
http://gcc.gnu.org/cgi-bin/cvsweb.cgi/gcc/libcpp/files.c.diff?cvsroot=gcc&r1=1.4&r2=1.5
http://gcc.gnu.org/cgi-bin/cvsweb.cgi/gcc/libcpp/internal.h.diff?cvsroot=gcc&r1=1.4&r2=1.5

Comment 5 CVS Commits 2004-07-16 17:16:57 UTC
Subject: Bug 16366

CVSROOT:	/cvs/gcc
Module name:	gcc
Branch: 	gcc-3_4-branch
Changes by:	zack@gcc.gnu.org	2004-07-16 17:16:46

Modified files:
	gcc            : ChangeLog cppfiles.c cpphash.h 

Log message:
	2004-07-16  Andris Pavenis  <pavenis@latnet.lv>
	
	PR preprocessor/16366
	* internal.h (struct cpp_reader): New field dir_hash.
	* files.c (make_cpp_dir): Use dir_hash, not file_hash.
	(_cpp_init_files, _cpp_cleanup_files): Update for new field.

Patches:
http://gcc.gnu.org/cgi-bin/cvsweb.cgi/gcc/gcc/ChangeLog.diff?cvsroot=gcc&only_with_tag=gcc-3_4-branch&r1=2.2326.2.561&r2=2.2326.2.562
http://gcc.gnu.org/cgi-bin/cvsweb.cgi/gcc/gcc/cppfiles.c.diff?cvsroot=gcc&only_with_tag=gcc-3_4-branch&r1=1.198.4.2&r2=1.198.4.3
http://gcc.gnu.org/cgi-bin/cvsweb.cgi/gcc/gcc/cpphash.h.diff?cvsroot=gcc&only_with_tag=gcc-3_4-branch&r1=1.203.4.3&r2=1.203.4.4

Comment 6 Zack Weinberg 2004-07-16 17:20:30 UTC
fixed