[Bug other/61016] New: use of uninitialized memory in gcc/config/i386/i386.c

kcc at gcc dot gnu.org gcc-bugzilla@gcc.gnu.org
Wed Apr 30 14:26:00 GMT 2014 

http://gcc.gnu.org/bugzilla/show_bug.cgi?id=61016

            Bug ID: 61016
           Summary: use of uninitialized memory in gcc/config/i386/i386.c
           Product: gcc
           Version: unknown
            Status: UNCONFIRMED
          Severity: normal
          Priority: P3
         Component: other
          Assignee: unassigned at gcc dot gnu.org
          Reporter: kcc at gcc dot gnu.org
                CC: eugeni.stepanov at gmail dot com

Created attachment 32715
  --> http://gcc.gnu.org/bugzilla/attachment.cgi?id=32715&action=edit
z.cc

This is revision 209930 on x86_64 Linux. 

% valgrind --track-origins=yes gcc/cc1plus -quiet   z.cc    -O2 -o /dev/null

==12029== Conditional jump or move depends on uninitialised value(s)
==12029==    at 0xDBEF66: classify_argument(machine_mode, tree_node const*,
x86_64_reg_class*, int) (gcc/config/i386/i386.c:6361)
==12029==    by 0xDBF2D4: classify_argument(machine_mode, tree_node const*,
x86_64_reg_class*, int) (gcc/config/i386/i386.c:6501)
==12029==    by 0xDBA097: ix86_function_arg_advance(cumulative_args_t,
machine_mode, tree_node const*, bool) (gcc/config/i386/i386.c:6818)
==12029==    by 0x92B40A: gimplify_parameters() (gcc/function.c:3624)
==12029==    by 0x978AEA: gimplify_body(tree_node*, bool) (gcc/gimplify.c:8620)
==12029==    by 0x9794AC: gimplify_function_tree(tree_node*)
(gcc/gimplify.c:8777)
==12029==    by 0x7EBC14: analyze_function(cgraph_node*) (gcc/cgraphunit.c:649)
==12029==    by 0x7EECD2: analyze_functions() (gcc/cgraphunit.c:1017)
==12029==    by 0x7EEACB: finalize_compilation_unit() (gcc/cgraphunit.c:2320)
==12029==    by 0x5E67D3: cp_write_global_declarations() (gcc/cp/decl2.c:4619)
==12029==    by 0xB19A20: compile_file() (gcc/toplev.c:562)
==12029==    by 0xB197D7: toplev_main(int, char**) (gcc/toplev.c:1914)
==12029==  Uninitialised value was created by a stack allocation
==12029==    at 0xDBE920: classify_argument(machine_mode, tree_node const*,
x86_64_reg_class*, int) (gcc/config/i386/i386.c:6412)


The bug was initially detected by MemorySanitizer (which is a bit trickier to
use with gcc at the moment)

==5348== WARNING: MemorySanitizer: use-of-uninitialized-value
    #0 0x7f265400f64d in merge_classes(x86_64_reg_class, x86_64_reg_class)
gcc/config/i386/i386.c:6361
    #1 0x7f265400f64d in classify_argument(machine_mode, tree_node const*,
x86_64_reg_class*, int) gcc/config/i386/i386.c:6557
    #2 0x7f265400dbfa in classify_argument(machine_mode, tree_node const*,
x86_64_reg_class*, int) gcc/config/i386/i386.c:6501
    #3 0x7f2653fef8fc in examine_argument(machine_mode, tree_node const*, int,
int*, int*) gcc/config/i386/i386.c:6817
    #4 0x7f2653fef8fc in function_arg_advance_64(ix86_args*, machine_mode,
tree_node const*, long, bool) gcc/config/i386/i386.c:7199
    #5 0x7f2653fef8fc in ix86_function_arg_advance(cumulative_args_t,
machine_mode, tree_node const*, bool) gcc/config/i386/i386.c:7253
    #6 0x7f26523a1ae1 in gimplify_parameters() gcc/function.c:3624
    #7 0x7f2652594737 in gimplify_body(tree_node*, bool) gcc/gimplify.c:8620
    #8 0x7f2652598479 in gimplify_function_tree(tree_node*) gcc/gimplify.c:8777
    #9 0x7f2651bee7db in analyze_function(cgraph_node*) gcc/cgraphunit.c:649
    #10 0x7f2651c01aa1 in analyze_functions() gcc/cgraphunit.c:1017
    #11 0x7f2651c01088 in finalize_compilation_unit() gcc/cgraphunit.c:2320
    #12 0x7f2650f8da6e in cp_write_global_declarations() gcc/cp/decl2.c:4619
    #13 0x7f2652fa249d in compile_file() gcc/toplev.c:562
    #14 0x7f2652fa06ff in do_compile() gcc/toplev.c:1914
    #15 0x7f2652fa06ff in toplev_main(int, char**) gcc/toplev.c:1990
    #16 0x7f26552563b3 in main gcc/main.c:36
    #17 0x7f264f30276c in __libc_start_main
/build/buildd/eglibc-2.15/csu/libc-start.c:226
    #18 0x7f26509f8960 in _start
(/usr/local/google/ssd/msan-gcc/inst/libexec/gcc/x86_64-unknown-linux-gnu/4.10.0/cc1plus+0x2f4960)

  Uninitialized value was created by an allocation of 'subclasses' in the stack
frame of function 'classify_argument(machine_mode, tree_node const*,
x86_64_reg_class*, int)'
    #0 0x7f265400a310 in classify_argument(machine_mode, tree_node const*,
x86_64_reg_class*, int) gcc/config/i386/i386.c:6412


Confirmed by printf:

Index: gcc/config/i386/i386.c
===================================================================
--- gcc/config/i386/i386.c      (revision 209930)
+++ gcc/config/i386/i386.c      (working copy)
@@ -6428,6 +6428,7 @@
       int i;
       tree field;
       enum x86_64_reg_class subclasses[MAX_CLASSES];
+      subclasses[1] = (enum x86_64_reg_class)0xab;

       /* On x86-64 we pass structures larger than 64 bytes on the stack.  */
       if (bytes > 64)
@@ -6553,8 +6554,10 @@
                                           bit_offset);
                  if (!num)
                    return 0;
-                 for (i = 0; i < num; i++)
+                 for (i = 0; i < num; i++) {
+                    fprintf(stderr, "ZZZ[%d] %x\n", i, classes[i]);
                    classes[i] = merge_classes (subclasses[i], classes[i]);
+                  }
                }
            }
          break;



ZZZ[0] 0
ZZZ[1] ab       <<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<

More information about the Gcc-bugs mailing list