This is the mail archive of the gcc-bugs@gcc.gnu.org mailing list for the GCC project.
[Bug target/67484] options-save.c sanitizer asan detects freed storage referenced heap-use-after-free
- From: "zeccav at gmail dot com" <gcc-bugzilla at gcc dot gnu dot org>
- To: gcc-bugs at gcc dot gnu dot org
- Date: Tue, 15 Sep 2015 05:07:25 +0000
- Subject: [Bug target/67484] options-save.c sanitizer asan detects freed storage referenced heap-use-after-free
- Auto-submitted: auto-generated
- References: <bug-67484-4 at http dot gcc dot gnu dot org/bugzilla/>
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=67484
Vittorio Zecca <zeccav at gmail dot com> changed:
What     | Removed | Added
---------|---------|------
Version  | 5.2.0   | 6.0
--- Comment #1 from Vittorio Zecca <zeccav at gmail dot com> ---
Same bug on the trunk.
The following is the sanitizer output:
~/1tb/vitti/local/gcc-trunk-sanitized/bin/g++ -S gccerr26.C
=================================================================
==25114==ERROR: AddressSanitizer: heap-use-after-free on address 0x602000005850 at pc 0x2b7d193c94a5 bp 0x7ffe44d41860 sp 0x7ffe44d41010
READ of size 1 at 0x602000005850 thread T0
    #0 0x2b7d193c94a4 in __interceptor_strcmp ../../../../gcc-5.2.0/libsanitizer/sanitizer_common/sanitizer_common_interceptors.inc:178
    #1 0x170f87f in cl_target_option_eq(cl_target_option const*, cl_target_option const*) /home/vitti/test/gcc-sanitized/gcc/options-save.c:3491
    #2 0x202ee44 in cl_option_hasher::equal(tree_node*, tree_node*) ../../gcc/gcc/tree.c:11866
    #3 0x204559b in hash_table<cl_option_hasher, xcallocator>::find_slot_with_hash(tree_node* const&, unsigned int, insert_option) ../../gcc/gcc/hash-table.h:838
    #4 0x2042095 in hash_table<cl_option_hasher, xcallocator>::find_slot(tree_node* const&, insert_option) ../../gcc/gcc/hash-table.h:408
    #5 0x202efc4 in build_target_option_node(gcc_options*) ../../gcc/gcc/tree.c:11914
    #6 0x21218b0 in ix86_valid_target_attribute_tree(tree_node*, gcc_options*, gcc_options*) ../../gcc/gcc/config/i386/i386.c:5110
    #7 0x21af79c in get_builtin_code_for_version ../../gcc/gcc/config/i386/i386.c:34678
    #8 0x21b00b2 in ix86_compare_version_priority ../../gcc/gcc/config/i386/i386.c:34846
    #9 0x780078 in joust ../../gcc/gcc/cp/call.c:9234
    #10 0x781a8e in tourney ../../gcc/gcc/cp/call.c:9361
    #11 0x7544bf in perform_overload_resolution ../../gcc/gcc/cp/call.c:4016
    #12 0x754942 in build_new_function_call(tree_node*, vec<tree_node*, va_gc, vl_embed>**, bool, int) ../../gcc/gcc/cp/call.c:4089
    #13 0xb66c40 in finish_call_expr(tree_node*, vec<tree_node*, va_gc, vl_embed>**, bool, bool, int) ../../gcc/gcc/cp/semantics.c:2391
    #14 0xa0b32a in cp_parser_postfix_expression ../../gcc/gcc/cp/parser.c:6422
    #15 0xa0fec8 in cp_parser_unary_expression ../../gcc/gcc/cp/parser.c:7486
    #16 0xa11a49 in cp_parser_cast_expression ../../gcc/gcc/cp/parser.c:8122
    #17 0xa11bb4 in cp_parser_binary_expression ../../gcc/gcc/cp/parser.c:8223
    #18 0xa13696 in cp_parser_assignment_expression ../../gcc/gcc/cp/parser.c:8481
    #19 0xa14197 in cp_parser_constant_expression ../../gcc/gcc/cp/parser.c:8727
    #20 0xa42158 in cp_parser_initializer_clause ../../gcc/gcc/cp/parser.c:19925
    #21 0xa41e9b in cp_parser_initializer ../../gcc/gcc/cp/parser.c:19866
    #22 0xa3813e in cp_parser_init_declarator ../../gcc/gcc/cp/parser.c:17793
    #23 0xa215bc in cp_parser_simple_declaration ../../gcc/gcc/cp/parser.c:11681
    #24 0xa210aa in cp_parser_block_declaration ../../gcc/gcc/cp/parser.c:11555
    #25 0xa208bb in cp_parser_declaration ../../gcc/gcc/cp/parser.c:11452
    #26 0xa1fe63 in cp_parser_declaration_seq_opt ../../gcc/gcc/cp/parser.c:11334
    #27 0xa0181d in cp_parser_translation_unit ../../gcc/gcc/cp/parser.c:4154
    #28 0xa843f8 in c_parse_file() ../../gcc/gcc/cp/parser.c:34273
    #29 0xdb2e46 in c_common_parse_file() ../../gcc/gcc/c-family/c-opts.c:1058
    #30 0x19b8f12 in compile_file ../../gcc/gcc/toplev.c:544
    #31 0x19bf8f0 in do_compile ../../gcc/gcc/toplev.c:2034
    #32 0x19bff60 in toplev::main(int, char**) ../../gcc/gcc/toplev.c:2141
    #33 0x2d332c0 in main ../../gcc/gcc/main.c:39
    #34 0x390da1ffdf in __libc_start_main (/lib64/libc.so.6+0x390da1ffdf)
    #35 0x737768 (/home/vitti/1tb/vitti/local/gcc-trunk-sanitized/libexec/gcc/x86_64-pc-linux-gnu/6.0.0/cc1plus+0x737768)
0x602000005850 is located 0 bytes inside of 6-byte region [0x602000005850,0x602000005856)
freed by thread T0 here:
    #0 0x2b7d194171dd in __interceptor_free ../../../../gcc-5.2.0/libsanitizer/asan/asan_malloc_linux.cc:28
    #1 0x21219df in ix86_valid_target_attribute_tree(tree_node*, gcc_options*, gcc_options*) ../../gcc/gcc/config/i386/i386.c:5118
    #2 0x2121e77 in ix86_valid_target_attribute_p ../../gcc/gcc/config/i386/i386.c:5166
    #3 0xd5e237 in handle_target_attribute ../../gcc/gcc/c-family/c-common.c:9777
    #4 0xce2e48 in decl_attributes(tree_node**, tree_node*, int) ../../gcc/gcc/attribs.c:557
    #5 0x9a5e3a in cplus_decl_attributes(tree_node**, tree_node*, int) ../../gcc/gcc/cp/decl2.c:1493
    #6 0x7d65a7 in grokfndecl ../../gcc/gcc/cp/decl.c:8100
    #7 0x7ea399 in grokdeclarator(cp_declarator const*, cp_decl_specifier_seq*, decl_context, int, tree_node**) ../../gcc/gcc/cp/decl.c:11265
    #8 0x7bcb26 in start_decl(cp_declarator const*, cp_decl_specifier_seq*, int, tree_node*, tree_node*, tree_node**) ../../gcc/gcc/cp/decl.c:4740
    #9 0xa37c1f in cp_parser_init_declarator ../../gcc/gcc/cp/parser.c:17717
    #10 0xa215bc in cp_parser_simple_declaration ../../gcc/gcc/cp/parser.c:11681
    #11 0xa210aa in cp_parser_block_declaration ../../gcc/gcc/cp/parser.c:11555
    #12 0xa208bb in cp_parser_declaration ../../gcc/gcc/cp/parser.c:11452
    #13 0xa1fe63 in cp_parser_declaration_seq_opt ../../gcc/gcc/cp/parser.c:11334
    #14 0xa0181d in cp_parser_translation_unit ../../gcc/gcc/cp/parser.c:4154
    #15 0xa843f8 in c_parse_file() ../../gcc/gcc/cp/parser.c:34273
    #16 0xdb2e46 in c_common_parse_file() ../../gcc/gcc/c-family/c-opts.c:1058
    #17 0x19b8f12 in compile_file ../../gcc/gcc/toplev.c:544
    #18 0x19bf8f0 in do_compile ../../gcc/gcc/toplev.c:2034
    #19 0x19bff60 in toplev::main(int, char**) ../../gcc/gcc/toplev.c:2141
    #20 0x2d332c0 in main ../../gcc/gcc/main.c:39
    #21 0x390da1ffdf in __libc_start_main (/lib64/libc.so.6+0x390da1ffdf)
previously allocated by thread T0 here:
    #0 0x2b7d19417509 in __interceptor_malloc ../../../../gcc-5.2.0/libsanitizer/asan/asan_malloc_linux.cc:38
    #1 0x2e6d27c in xmalloc ../../gcc/libiberty/xmalloc.c:147
    #2 0x2e6d41f in xstrdup ../../gcc/libiberty/xstrdup.c:34
    #3 0x2121028 in ix86_valid_target_attribute_inner_p ../../gcc/gcc/config/i386/i386.c:5017
    #4 0x21206da in ix86_valid_target_attribute_inner_p ../../gcc/gcc/config/i386/i386.c:4909
    #5 0x2121474 in ix86_valid_target_attribute_tree(tree_node*, gcc_options*, gcc_options*) ../../gcc/gcc/config/i386/i386.c:5066
    #6 0x2121e77 in ix86_valid_target_attribute_p ../../gcc/gcc/config/i386/i386.c:5166
    #7 0xd5e237 in handle_target_attribute ../../gcc/gcc/c-family/c-common.c:9777
    #8 0xce2e48 in decl_attributes(tree_node**, tree_node*, int) ../../gcc/gcc/attribs.c:557
    #9 0x9a5e3a in cplus_decl_attributes(tree_node**, tree_node*, int) ../../gcc/gcc/cp/decl2.c:1493
    #10 0x7d65a7 in grokfndecl ../../gcc/gcc/cp/decl.c:8100
    #11 0x7ea399 in grokdeclarator(cp_declarator const*, cp_decl_specifier_seq*, decl_context, int, tree_node**) ../../gcc/gcc/cp/decl.c:11265
    #12 0x7bcb26 in start_decl(cp_declarator const*, cp_decl_specifier_seq*, int, tree_node*, tree_node*, tree_node**) ../../gcc/gcc/cp/decl.c:4740
    #13 0xa37c1f in cp_parser_init_declarator ../../gcc/gcc/cp/parser.c:17717
    #14 0xa215bc in cp_parser_simple_declaration ../../gcc/gcc/cp/parser.c:11681
    #15 0xa210aa in cp_parser_block_declaration ../../gcc/gcc/cp/parser.c:11555
    #16 0xa208bb in cp_parser_declaration ../../gcc/gcc/cp/parser.c:11452
    #17 0xa1fe63 in cp_parser_declaration_seq_opt ../../gcc/gcc/cp/parser.c:11334
    #18 0xa0181d in cp_parser_translation_unit ../../gcc/gcc/cp/parser.c:4154
    #19 0xa843f8 in c_parse_file() ../../gcc/gcc/cp/parser.c:34273
    #20 0xdb2e46 in c_common_parse_file() ../../gcc/gcc/c-family/c-opts.c:1058
    #21 0x19b8f12 in compile_file ../../gcc/gcc/toplev.c:544
    #22 0x19bf8f0 in do_compile ../../gcc/gcc/toplev.c:2034
    #23 0x19bff60 in toplev::main(int, char**) ../../gcc/gcc/toplev.c:2141
    #24 0x2d332c0 in main ../../gcc/gcc/main.c:39
    #25 0x390da1ffdf in __libc_start_main (/lib64/libc.so.6+0x390da1ffdf)
SUMMARY: AddressSanitizer: heap-use-after-free ../../../../gcc-5.2.0/libsanitizer/sanitizer_common/sanitizer_common_interceptors.inc:178 __interceptor_strcmp
Shadow bytes around the buggy address:
0x0c047fff8ab0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c047fff8ac0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c047fff8ad0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c047fff8ae0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c047fff8af0: fa fa fa fa fa fa 06 fa fa fa fd fa fa fa fd fd
=>0x0c047fff8b00: fa fa fd fa fa fa fd fd fa fa[fd]fa fa fa fd fd
0x0c047fff8b10: fa fa fd fa fa fa fd fd fa fa fd fd fa fa 00 06
0x0c047fff8b20: fa fa 00 00 fa fa 00 01 fa fa 00 01 fa fa 00 01
0x0c047fff8b30: fa fa 00 01 fa fa 00 01 fa fa 00 01 fa fa 00 01
0x0c047fff8b40: fa fa 00 01 fa fa 00 fa fa fa 00 07 fa fa fd fd
0x0c047fff8b50: fa fa 00 07 fa fa 00 07 fa fa 00 04 fa fa fd fd
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Heap right redzone: fb
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack partial redzone: f4
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
==25114==ABORTING