This is the mail archive of the gcc-bugs@gcc.gnu.org mailing list for the GCC project.
[Bug target/84272] New: AddressSanitizer: heap-use-after-free ../../gcc/config/aarch64/cortex-a57-fma-steering.c:519 in fma_node::get_parity()
- From: "marxin at gcc dot gnu.org" <gcc-bugzilla at gcc dot gnu dot org>
- To: gcc-bugs at gcc dot gnu dot org
- Date: Wed, 07 Feb 2018 21:11:46 +0000
- Subject: [Bug target/84272] New: AddressSanitizer: heap-use-after-free ../../gcc/config/aarch64/cortex-a57-fma-steering.c:519 in fma_node::get_parity()
- Auto-submitted: auto-generated
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=84272
Bug ID: 84272
Summary: AddressSanitizer: heap-use-after-free ../../gcc/config/aarch64/cortex-a57-fma-steering.c:519 in fma_node::get_parity()
Product: gcc
Version: unknown
Status: UNCONFIRMED
Keywords: ice-on-valid-code
Severity: normal
Priority: P3
Component: target
Assignee: unassigned at gcc dot gnu.org
Reporter: marxin at gcc dot gnu.org
CC: amker at gcc dot gnu.org, kyrylo.tkachov at arm dot com, ramana at gcc dot gnu.org
Target Milestone: ---
Host: aarch64-linux-gnu
Target: aarch64-linux-gnu
Seen both on a native machine and a cross compiler (on x86_64):
$ cat model.ii
class a
{
public:
  float b, c;
  a ();
  a (float, float, float);
  float operator* (a)
  {
    float d = b * b + c * c;
    return d;
  }
} typedef e;
void
f ()
{
  e g[1];
  e h (0, 0, h * g[2]);
}
$ ./xg++ -B. model.ii -c -march=armv8-a -mtune=cortex-a57 -O2
=================================================================
==20120==ERROR: AddressSanitizer: heap-use-after-free on address 0x604000023ca8 at pc 0x000002e669b2 bp 0x7fffffffd1b0 sp 0x7fffffffd1a8
READ of size 8 at 0x604000023ca8 thread T0
    #0 0x2e669b1 in fma_node::get_parity() ../../gcc/config/aarch64/cortex-a57-fma-steering.c:519
    #1 0x2e669b1 in fma_node::rename(fma_forest*) ../../gcc/config/aarch64/cortex-a57-fma-steering.c:600
    #2 0x2e67b0a in func_fma_steering::dfs(void (*)(fma_forest*), void (*)(fma_forest*, fma_root_node*), void (*)(fma_forest*, fma_node*), bool) ../../gcc/config/aarch64/cortex-a57-fma-steering.c:882
    #3 0x2e686b9 in func_fma_steering::rename_fma_trees() ../../gcc/config/aarch64/cortex-a57-fma-steering.c:1006
    #4 0x2e6aac2 in func_fma_steering::execute_fma_steering() ../../gcc/config/aarch64/cortex-a57-fma-steering.c:1036
    #5 0x2e6c7ad in pass_fma_steering::execute(function*) ../../gcc/config/aarch64/cortex-a57-fma-steering.c:1071
    #6 0x1dadc09 in execute_one_pass(opt_pass*) ../../gcc/passes.c:2497
    #7 0x1daf5e2 in execute_pass_list_1 ../../gcc/passes.c:2586
    #8 0x1daf60c in execute_pass_list_1 ../../gcc/passes.c:2587
    #9 0x1daf60c in execute_pass_list_1 ../../gcc/passes.c:2587
    #10 0x1daf68f in execute_pass_list(function*, opt_pass*) ../../gcc/passes.c:2597
    #11 0x11619a9 in cgraph_node::expand() ../../gcc/cgraphunit.c:2139
    #12 0x116454c in expand_all_functions ../../gcc/cgraphunit.c:2275
    #13 0x116454c in symbol_table::compile() ../../gcc/cgraphunit.c:2624
    #14 0x116dc76 in symbol_table::finalize_compilation_unit() ../../gcc/cgraphunit.c:2717
    #15 0x2132fe4 in compile_file ../../gcc/toplev.c:480
    #16 0x690921 in do_compile ../../gcc/toplev.c:2081
    #17 0x690921 in toplev::main(int, char**) ../../gcc/toplev.c:2216
    #18 0x69b444 in main ../../gcc/main.c:39
    #19 0x7ffff5a65f49 in __libc_start_main (/lib64/libc.so.6+0x20f49)
    #20 0x69dba9 in _start (/home/marxin/Programming/gcc2/objdir2/gcc/cc1plus+0x69dba9)
0x604000023ca8 is located 24 bytes inside of 48-byte region [0x604000023c90,0x604000023cc0)
freed by thread T0 here:
    #0 0x7ffff6f02ff8 in operator delete(void*, unsigned long) (/usr/lib64/libasan.so.4+0xdeff8)
    #1 0x2e682e5 in func_fma_steering::dfs(void (*)(fma_forest*), void (*)(fma_forest*, fma_root_node*), void (*)(fma_forest*, fma_node*), bool) ../../gcc/config/aarch64/cortex-a57-fma-steering.c:896
    #2 0x604000023bcf (<unknown module>)
previously allocated by thread T0 here:
    #0 0x7ffff6f01c70 in operator new(unsigned long) (/usr/lib64/libasan.so.4+0xddc70)
    #1 0x2e69e52 in func_fma_steering::analyze_fma_fmul_insn(fma_forest*, du_chain*, du_head*) ../../gcc/config/aarch64/cortex-a57-fma-steering.c:774
SUMMARY: AddressSanitizer: heap-use-after-free ../../gcc/config/aarch64/cortex-a57-fma-steering.c:519 in fma_node::get_parity()
Shadow bytes around the buggy address:
0x0c087fffc740: fa fa fd fd fd fd fd fd fa fa 00 00 00 00 00 00
0x0c087fffc750: fa fa 00 00 00 00 00 00 fa fa fd fd fd fd fd fa
0x0c087fffc760: fa fa 00 00 00 00 00 00 fa fa 00 00 00 00 00 00
0x0c087fffc770: fa fa 00 00 00 00 00 00 fa fa 00 00 00 00 00 fa
0x0c087fffc780: fa fa 00 00 00 00 00 00 fa fa fd fd fd fd fd fa
=>0x0c087fffc790: fa fa fd fd fd[fd]fd fd fa fa 00 00 00 00 00 fa
0x0c087fffc7a0: fa fa 00 00 00 00 00 fa fa fa fa fa fa fa fa fa
0x0c087fffc7b0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c087fffc7c0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c087fffc7d0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c087fffc7e0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
==20120==ABORTING