Bug 68383 - Demangler stack overflow
Summary: Demangler stack overflow
Status: RESOLVED FIXED
Alias: None
Product: gcc
Classification: Unclassified
Component: demangler
Version: 6.0
Importance: P3 normal
Target Milestone: ---
Assignee: Not yet assigned to anyone
URL:
Keywords:
Depends on: 78252
Blocks:
Reported: 2015-11-17 13:13 UTC by Markus Trippelsdorf
Modified: 2019-06-15 00:38 UTC
5 users

See Also:
Host:
Target:
Build:
Known to work:
Known to fail:
Last reconfirmed: 2015-11-19 00:00:00


Attachments
Preprocessed c++ file (518.79 KB, application/x-xz)
2015-11-17 14:31 UTC, fiesh
Somewhat reduced testcase (5.20 KB, text/plain)
2015-11-18 07:38 UTC, Markus Trippelsdorf
A patch (431 bytes, patch)
2016-08-01 23:54 UTC, H.J. Lu

Description Markus Trippelsdorf 2015-11-17 13:13:54 UTC
markus@x4 libiberty % ./a.out _ZSt7forwardIRKZN5Write14DataMapGrammarISt20back_insert_iteratorISsEEC4EvEUlRT_E_EOS5_RNSt16remove_referenceIS5_E4typeE
ASAN:SIGSEGV
=================================================================
==29666==ERROR: AddressSanitizer: stack-overflow on address 0x7ffee66ebf28 (pc 0x7f255c00f094 bp 0x7ffee66ec790 sp 0x7ffee66ebf30 T0)
    #0 0x7f255c00f093 in __asan_memcpy (/usr/lib/gcc/x86_64-pc-linux-gnu/5.2.1/libasan.so.2+0x90093)
    #1 0x403b0d in d_growable_string_append_buffer cp-demangle.c:3839
    #2 0x403b0d in d_growable_string_callback_adapter cp-demangle.c:3851
    #3 0x40463c in d_print_flush cp-demangle.c:4044
    #4 0x40463c in d_append_char cp-demangle.c:4055
    #5 0x40463c in d_append_buffer cp-demangle.c:4067
    #6 0x40463c in d_print_comp_inner cp-demangle.c:4373
    #7 0x412f88 in d_print_comp cp-demangle.c:5431
    #8 0x40445f in d_print_comp_inner cp-demangle.c:4401
    #9 0x412f88 in d_print_comp cp-demangle.c:5431
    #10 0x408a71 in d_print_comp_inner cp-demangle.c:4559
    #11 0x412f88 in d_print_comp cp-demangle.c:5431
    #12 0x407eaf in d_print_comp_inner cp-demangle.c:5013
    #13 0x412f88 in d_print_comp cp-demangle.c:5431
    #14 0x408b73 in d_print_comp_inner cp-demangle.c:4563
    #15 0x412f88 in d_print_comp cp-demangle.c:5431
    #16 0x404362 in d_print_comp_inner cp-demangle.c:4387
    #17 0x414422 in d_print_comp cp-demangle.c:5431
    #18 0x414422 in d_print_mod cp-demangle.c:5649
    #19 0x4155a6 in d_print_mod_list cp-demangle.c:5575
    #20 0x417137 in d_print_function_type cp-demangle.c:5720
    #21 0x404bb6 in d_print_comp_inner cp-demangle.c:4898
    #22 0x412f88 in d_print_comp cp-demangle.c:5431
    #23 0x40e69b in d_print_comp_inner cp-demangle.c:4504
    #24 0x412f88 in d_print_comp cp-demangle.c:5431
    #25 0x404362 in d_print_comp_inner cp-demangle.c:4387
    #26 0x412f88 in d_print_comp cp-demangle.c:5431
    #27 0x406d78 in d_print_comp_inner cp-demangle.c:4832
    #28 0x412f88 in d_print_comp cp-demangle.c:5431
    #29 0x406d78 in d_print_comp_inner cp-demangle.c:4832
    #30 0x412f88 in d_print_comp cp-demangle.c:5431
    #31 0x407eaf in d_print_comp_inner cp-demangle.c:5013
    #32 0x412f88 in d_print_comp cp-demangle.c:5431
    #33 0x40a8c2 in d_print_comp_inner cp-demangle.c:5396
    #34 0x412f88 in d_print_comp cp-demangle.c:5431
    #35 0x40445f in d_print_comp_inner cp-demangle.c:4401
    #36 0x412f88 in d_print_comp cp-demangle.c:5431
    #37 0x406d78 in d_print_comp_inner cp-demangle.c:4832
    #38 0x412f88 in d_print_comp cp-demangle.c:5431
    #39 0x406d78 in d_print_comp_inner cp-demangle.c:4832
    #40 0x412f88 in d_print_comp cp-demangle.c:5431
    #41 0x407eaf in d_print_comp_inner cp-demangle.c:5013
    #42 0x412f88 in d_print_comp cp-demangle.c:5431
    #43 0x40a8c2 in d_print_comp_inner cp-demangle.c:5396
...
Comment 1 Markus Trippelsdorf 2015-11-17 13:37:38 UTC
@fiesh@zefix.tv 
Ian asks:
»Was the symbol _ZSt7forwardIRKZN5Write14DataMapGrammarISt20back_insert_iteratorISsEEC4EvEUlRT_E_EOS5_RNSt16remove_referenceIS5_E4typeE generated by g++ or clang?  That is, is it supposed to demangle?  If so, do you have the source code?»
Comment 2 fiesh 2015-11-17 13:38:58 UTC
g++ 4.9.3, I do have the source code and will try to provide a minimal test case.
Comment 3 fiesh 2015-11-17 14:31:45 UTC
Created attachment 36739 [details]
Preprocessed c++ file
Comment 4 fiesh 2015-11-17 14:33:46 UTC
I added a preprocessed file that triggers the bug.  It was created using

g++ -I. -std=c++14 -E -o write.ii write.cpp

and can be compiled and linked using

g++ -std=c++14 -o write write.ii

This binary will trigger the bug in GDB.

It's huge, alas I don't have time today / tomorrow any more.  If I need to produce a smaller test case, I can work on it, but given the heavy use of boost::spirit, it won't become too small anyway.
Comment 5 Ian Lance Taylor 2015-11-17 15:16:22 UTC
Thanks for the test case.  Which version of GCC are you using to compile?  When I try to compile the test case I get

/usr/lib/gcc/x86_64-pc-linux-gnu/4.9.3/include/avx512fintrin.h: In function ‘__m512i _mm512_set1_epi64(long long int)’:
/usr/lib/gcc/x86_64-pc-linux-gnu/4.9.3/include/avx512fintrin.h:3631:25: error: ‘__builtin_ia32_pbroadcastq512_mem_mask’ was not declared in this scope
/usr/lib/gcc/x86_64-pc-linux-gnu/4.9.3/include/avx512fintrin.h: In function ‘__m512i _mm512_mask_set1_epi64(__m512i, __mmask8, long long int)’:
/usr/lib/gcc/x86_64-pc-linux-gnu/4.9.3/include/avx512fintrin.h:3644:14: error: ‘__builtin_ia32_pbroadcastq512_mem_mask’ was not declared in this scope
/usr/lib/gcc/x86_64-pc-linux-gnu/4.9.3/include/avx512fintrin.h: In function ‘__m512i _mm512_maskz_set1_epi64(__mmask8, long long int)’:
/usr/lib/gcc/x86_64-pc-linux-gnu/4.9.3/include/avx512fintrin.h:3661:11: error: ‘__builtin_ia32_pbroadcastq512_mem_mask’ was not declared in this scope


The version of avx512fintrin.h on mainline does not seem to call the function __builtin_ia32_pbroadcastq512_mem_mask.
Comment 6 Markus Trippelsdorf 2015-11-17 15:17:34 UTC
It compiles with 4.9.3. I'm currently reducing the testcase...
Comment 7 Markus Trippelsdorf 2015-11-18 07:38:29 UTC
Created attachment 36749 [details]
Somewhat reduced testcase

markus@x4 tmp % g++ -w -c -std=c++14 write.ii
markus@x4 tmp % nm write.o | grep _ZSt7forwardIRKZN
0000000000000000 W _ZSt7forwardIRKZN5Write14DataMapGrammarISt20back_insert_iteratorISsEEC4EvEUlRT_E_EOS5_RNSt16remove_referenceIS5_E4typeE
markus@x4 tmp % clang++ -w -c -std=c++14 write.ii
markus@x4 tmp % nm write.o | grep _ZSt7forwardIRKZN
0000000000000000 W _ZSt7forwardIRKZN5Write14DataMapGrammarISt20back_insert_iteratorISsEEC1EvEUlRT_E_EOS5_RNSt16remove_referenceIS5_E4typeE
Comment 8 fiesh 2015-11-19 08:32:59 UTC
Would it be helpful if I tried to create a test case for 5.2.0?  Or anything else I can provide?
Comment 9 Markus Trippelsdorf 2015-11-19 09:19:22 UTC
(In reply to fiesh from comment #8)
> Would it be helpful if I tried to create a test case for 5.2.0?  Or anything
> else I can provide?

The reduced testcase works with all gcc versions.
Comment 10 Markus Trippelsdorf 2015-11-27 18:09:18 UTC
markus@x4 libiberty % ./a.out _ZSt7forwardIRKZN5Write14DataMapGrammarISt20back_insert_iteratorISsEEC4EvEUlRT_E_EOS5_RNSt16remove_referenceIS5_E4typeE
typed name
  template
    qualified name
      name 'std'
      name 'forward'
    template argument list
      reference
        const
          local name
            typed name
              qualified name
                template
                  qualified name
                    name 'Write'
                    name 'DataMapGrammar'
                  template argument list
                    template
                      qualified name
                        name 'std'
                        name 'back_insert_iterator'
                      template argument list
                        standard substitution std::string
                constructor 4
                  name 'DataMapGrammar'
              function type
                argument list
            lambda 0
              argument list
                reference
                  template parameter 0
  function type
    rvalue reference
      template parameter 0
    argument list
      reference
        qualified name
          template
            qualified name
              standard substitution std
              name 'remove_reference'
            template argument list
              template parameter 0
          name 'type'
ASAN:SIGSEGV
=================================================================
==12223==ERROR: AddressSanitizer: stack-overflow on address 0x7ffe00004e88 (pc 0x0000004046fd bp 0x0fffc0000a20 sp 0x7ffe00004e80 T0)
Comment 11 H.J. Lu 2016-08-01 21:24:47 UTC
Dup

*** This bug has been marked as a duplicate of bug 68159 ***
Comment 12 H.J. Lu 2016-08-01 23:54:54 UTC
Created attachment 39044 [details]
A patch

This gives:

Write::DataMapGrammar<std::back_insert_iterator<std::basic_string<char, std::char_traits<char>, std::allocator<char> > > >::DataMapGrammar()::{lambda()#1} const& std::forward<Write::DataMapGrammar<std::back_insert_iterator<std::basic_string<char, std::char_traits<char>, std::allocator<char> > > >::DataMapGrammar()::{lambda()#1} const&>(std::remove_reference<Write::DataMapGrammar<std::back_insert_iterator<std::basic_string<char, std::char_traits<char>, std::allocator<char> > > >::DataMapGrammar()::{lambda()#1} const&>::type&)

No idea if it is correct.
Comment 13 H.J. Lu 2016-08-01 23:55:36 UTC
Not a dup.
Comment 14 fiesh 2016-08-02 06:32:58 UTC
It appears to be correct, as far as one can safely judge this by eye examination.
Comment 15 Mark Wielaard 2016-12-04 22:56:34 UTC
This seems related to Bug 78252 - C++ demangler crashes with infinite recursion with lambda (auto). With the patch proposed for that bug this demangles to:

Write::DataMapGrammar<std::back_insert_iterator<std::string> >::DataMapGrammar()::{lambda(auto&)#1} const& std::forward<Write::DataMapGrammar<std::back_insert_iterator<std::string> >::DataMapGrammar()::{lambda(auto&)#1} const&>(std::remove_reference<Write::DataMapGrammar<std::back_insert_iterator<std::string> >::DataMapGrammar()::{lambda(auto&)#1} const&>::type&)
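The self-referential shape behind this report, and a recursion guard for it, as an added example that is not part of the bug report, of libiberty, or of the patches discussed here: a toy model in C of the recursive printer in cp-demangle.c. The node kinds, the field names, MAX_DEPTH, the single-argument template simplification and the rendering of a cut cycle as `auto` (chosen to mirror the `{lambda(auto&)#1}` output in comment 15) are all assumptions made for illustration. `toy_demangle_cyclic` builds the shape from this bug, where the lambda's parameter type `T_` resolves to the very template argument that contains the lambda, so an unguarded printer would recurse forever; `toy_demangle_plain` checks that the guard stays silent on an ordinary name.

```c
#include <stdbool.h>
#include <stddef.h>
#include <string.h>

/* Toy model of the recursive printer in libiberty's cp-demangle.c.  Added
 * example: the node kinds, field names, MAX_DEPTH and the "auto" fallback are
 * assumptions for illustration, not libiberty's code or the patch for this bug. */
enum kind { K_NAME, K_TEMPLATE, K_REF, K_LAMBDA, K_TPARAM };

struct comp {
    enum kind kind;
    const char *text;    /* K_NAME only */
    struct comp *a, *b;  /* children: template name/argument, ref target, lambda params */
    bool printing;       /* true while the node is on the print stack (cycle guard) */
};

#define MAX_DEPTH 64     /* assumed bound; real symbols nest far less than this */

struct printer {
    char *out;
    size_t cap, len;
    int depth;
    bool cycle;           /* a self-reference had to be cut */
    struct comp *targ;    /* argument of the innermost template, what T_ refers to */
};

/* Append s, truncating rather than overrunning the caller's buffer. */
static void emit(struct printer *p, const char *s) {
    size_t n = strlen(s);
    if (p->len + n >= p->cap) n = p->cap - 1 - p->len;
    memcpy(p->out + p->len, s, n);
    p->len += n;
    p->out[p->len] = '\0';
}

static void print_comp(struct printer *p, struct comp *c) {
    if (c == NULL) return;
    if (c->printing || p->depth >= MAX_DEPTH) {
        /* Re-entering a node that is still being printed: without this check the
         * recursion is unbounded and the process dies with a stack overflow, which
         * is what the ASAN trace in the report shows. */
        p->cycle = true;
        emit(p, "auto");
        return;
    }
    c->printing = true;
    p->depth++;
    switch (c->kind) {
    case K_NAME:   emit(p, c->text); break;
    case K_REF:    print_comp(p, c->a); emit(p, "&"); break;
    case K_LAMBDA: emit(p, "{lambda("); print_comp(p, c->a); emit(p, ")#1}"); break;
    case K_TEMPLATE: {
        struct comp *saved = p->targ;
        print_comp(p, c->a);
        emit(p, "<");
        p->targ = c->b;           /* T_ now resolves to this argument */
        print_comp(p, c->b);
        p->targ = saved;
        emit(p, ">");
        break;
    }
    case K_TPARAM:
        /* In the bug, the innermost template argument is the lambda type we are
         * already in the middle of printing, so this call hits the guard. */
        print_comp(p, p->targ);
        break;
    }
    p->depth--;
    c->printing = false;
}

/* Returns 0 when printed cleanly, 1 when a cycle had to be cut, -1 on a bad buffer. */
static int run(struct comp *root, char *out, size_t cap) {
    struct printer p = { out, cap, 0, 0, false, NULL };
    if (cap == 0) return -1;
    out[0] = '\0';
    print_comp(&p, root);
    return p.cycle ? 1 : 0;
}

/* std::forward<L&>, L a lambda whose parameter type is T_ (the shape from the bug). */
int toy_demangle_cyclic(char *out, size_t cap) {
    struct comp tparam = { K_TPARAM, NULL, NULL, NULL, false };
    struct comp param  = { K_REF, NULL, &tparam, NULL, false };
    struct comp lam    = { K_LAMBDA, NULL, &param, NULL, false };
    struct comp reflam = { K_REF, NULL, &lam, NULL, false };
    struct comp fname  = { K_NAME, "std::forward", NULL, NULL, false };
    struct comp fwd    = { K_TEMPLATE, NULL, &fname, &reflam, false };
    return run(&fwd, out, cap);
}

/* std::forward<int&>: an ordinary name on which the guard must stay silent. */
int toy_demangle_plain(char *out, size_t cap) {
    struct comp iname  = { K_NAME, "int", NULL, NULL, false };
    struct comp refint = { K_REF, NULL, &iname, NULL, false };
    struct comp fname  = { K_NAME, "std::forward", NULL, NULL, false };
    struct comp fwd    = { K_TEMPLATE, NULL, &fname, &refint, false };
    return run(&fwd, out, cap);
}
```

The cyclic case prints `std::forward<{lambda(auto&)#1}&>` and reports that a cycle was cut; the plain case prints `std::forward<int&>` with no cut. Two guards are used on purpose: the in-progress flag catches exactly the self-reference seen here, while the depth cap also stops non-cyclic but pathologically deep input. Demanglers run inside debuggers, symbolizers and crash reporters on binaries they did not produce, so a printer that can be driven into unbounded recursion by a symbol name is a denial-of-service surface in those tools, and a regression test on a reduced symbol like the one in comment 7 is the cheap way to keep the guard honest.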
Comment 16 Markus Trippelsdorf 2017-03-09 08:46:06 UTC
Fixed by r245978.