This is the mail archive of the
gcc-bugs@gcc.gnu.org
mailing list for the GCC project.
[Bug c/65096] New: Illegal memory access beyond packed struct ARCH: ppc64
- From: "cyrilbur at gmail dot com" <gcc-bugzilla at gcc dot gnu dot org>
- To: gcc-bugs at gcc dot gnu dot org
- Date: Tue, 17 Feb 2015 23:42:49 +0000
- Subject: [Bug c/65096] New: Illegal memory access beyond packed struct ARCH: ppc64
- Auto-submitted: auto-generated
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=65096
Bug ID: 65096
Summary: Illegal memory access beyond packed struct ARCH: ppc64
Product: gcc
Version: 5.0
Status: UNCONFIRMED
Severity: normal
Priority: P3
Component: c
Assignee: unassigned at gcc dot gnu.org
Reporter: cyrilbur at gmail dot com
Created attachment 34795
--> https://gcc.gnu.org/bugzilla/attachment.cgi?id=34795&action=edit
Simple test case
When a heap allocated packed struct is passed by value and the struct contains
an array, the copy gets performed with a sequence of ld instructions which can
cause a read beyond the end of the struct.
In the case of the attached example: gcc uses ld instructions to copy the char
array if it is of size other than 1, 2 or 4. Therefore the assembly is only
correct if the size of the array is a multiple of 8 chars.
System information:
I am reliably informed that it reproduces on 5.0 but I have discovered it on a
system with the following versions.
builder:~ $ gcc -v
Using built-in specs.
COLLECT_GCC=gcc
COLLECT_LTO_WRAPPER=/usr/libexec/gcc/ppc64-redhat-linux/4.8.3/lto-wrapper
Target: ppc64-redhat-linux
Configured with: ../configure --prefix=/usr --mandir=/usr/share/man
--infodir=/usr/share/info --with-bugurl=http://bugzilla.redhat.com/bugzilla
--enable-bootstrap --enable-shared --enable-threads=posix
--enable-checking=release --with-system-zlib --enable-__cxa_atexit
--disable-libunwind-exceptions --enable-gnu-unique-object
--enable-linker-build-id --with-linker-hash-style=gnu
--enable-languages=c,c++,objc,obj-c++,java,fortran,ada,go,lto --enable-plugin
--enable-initfini-array --enable-java-awt=gtk --disable-dssi
--with-java-home=/usr/lib/jvm/java-1.5.0-gcj-1.5.0.0/jre
--enable-libgcj-multifile --enable-java-maintainer-mode
--with-ecj-jar=/usr/share/java/eclipse-ecj.jar --disable-libjava-multilib
--with-isl=/builddir/build/BUILD/gcc-4.8.3-20140624/obj-ppc64-redhat-linux/isl-install
--with-cloog=/builddir/build/BUILD/gcc-4.8.3-20140624/obj-ppc64-redhat-linux/cloog-install
--enable-secureplt --with-long-double-128 --build=ppc64-redhat-linux
Thread model: posix
gcc version 4.8.3 20140624 (Red Hat 4.8.3-1) (GCC)
builder:~ $ valgrind --version
valgrind-3.8.1
To confirm:
Compile with `gcc gcc_test.c` and run the binary through valgrind `valgrind
./a.out`. Valgrind will report invalid read of size 8.
I have attached a .i and also a simple example .c
Workarounds:
Pass the struct from the stack.
I have documented some of my debugging in the .c.
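A stand-alone reproducer of the scenario the report describes, added here as an illustration; it is not the attached gcc_test.c (which is not on this page). The struct layout, the array length 13, the `tag` member and all function names are constructed for the example.

```c
#include <stdlib.h>
#include <string.h>
#include <stdint.h>

/* Constructed layout: packed, with a char array whose size is not a
   multiple of 8. Packing removes the tail padding, so the object is
   exactly 4 + 13 = 17 bytes and a heap allocation of sizeof(*p) has
   no slack after it. */
#define ARR_LEN 13

struct __attribute__((packed)) packed_blob {
    uint32_t tag;
    char     data[ARR_LEN];
};

/* noinline so the by-value copy actually happens at the call site.
   On the affected ppc64 GCC the report says this copy is emitted as
   8-byte ld instructions, which over-read when the struct size is
   not a multiple of 8. */
__attribute__((noinline))
static size_t sum_by_value(struct packed_blob b) {
    size_t s = 0;
    for (size_t i = 0; i < ARR_LEN; i++) s += (unsigned char)b.data[i];
    return s;
}

/* Heap path: allocate exactly sizeof(struct) and pass by value.
   This is the case valgrind flags as "Invalid read of size 8". */
size_t reproduce_heap_copy(void) {
    struct packed_blob *p = malloc(sizeof *p);
    if (!p) return 0;
    p->tag = 0;
    memset(p->data, 1, ARR_LEN);
    size_t s = sum_by_value(*p);
    free(p);
    return s;
}

/* Workaround from the report: pass the struct from the stack, where
   the surrounding frame absorbs the extra bytes the copy touches. */
size_t reproduce_stack_copy(void) {
    struct packed_blob b;
    b.tag = 0;
    memset(b.data, 1, ARR_LEN);
    return sum_by_value(b);
}

/* Bytes an 8-byte-granular copy reads past an object of the given size. */
size_t overread_bytes(size_t struct_size) {
    return (8 - struct_size % 8) % 8;
}
```

Built with the affected compiler and run under valgrind as the report describes, only the heap path should produce the invalid read; on other targets both paths run cleanly because the copy is done with correctly sized loads.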