[Bug java/74750] New: Address sanitizer detects stack-buffer-underflow in GC_push_all_eager in mark.c

zeccav at gmail dot com gcc-bugzilla@gcc.gnu.org
Fri Aug 12 06:40:00 GMT 2016


https://gcc.gnu.org/bugzilla/show_bug.cgi?id=74750

            Bug ID: 74750
           Summary: Address sanitizer detects stack-buffer-underflow in
                    GC_push_all_eager in mark.c
           Product: gcc
           Version: 7.0
            Status: UNCONFIRMED
          Severity: normal
          Priority: P3
         Component: java
          Assignee: unassigned at gcc dot gnu.org
          Reporter: zeccav at gmail dot com
  Target Milestone: ---

While generating 7.0 trunk with sanitized java, I get the following in
mark.c:1468:

"q = *p;"

libtool: link: /home/vitti/1tb/vitti/gcc-7-address/./gcc/gcj
-B/home/vitti/1tb/vitti/gcc-7-address/x86_64-pc-linux-gnu/libjava/
-B/home/vitti/1tb/vitti/gcc-7-address/./gcc/
-B/home/vitti/1tb/vitti/local/gcc-7-address/x86_64-pc-linux-gnu/bin/
-B/home/vitti/1tb/vitti/local/gcc-7-address/x86_64-pc-linux-gnu/lib/ -isystem
/home/vitti/1tb/vitti/local/gcc-7-address/x86_64-pc-linux-gnu/include -isystem
/home/vitti/1tb/vitti/local/gcc-7-address/x86_64-pc-linux-gnu/sys-include
-fomit-frame-pointer -Usun -g -O2 -o .libs/gcj-dbtool
--main=gnu.gcj.tools.gcj_dbtool.Main -shared-libgcc
gnu/gcj/tools/gcj_dbtool/natMain.o gnu/gcj/tools/.libs/gcj_dbtool.o 
-L/home/vitti/1tb/vitti/gcc-7-address/x86_64-pc-linux-gnu/libjava/.libs
-L/home/vitti/1tb/vitti/gcc-7-address/x86_64-pc-linux-gnu/libjava
./.libs/libgcj.so /home/vitti/1tb/vitti/local/gcc-7/lib/../lib64/libasan.so
-ldl -lrt -lpthread /home/vitti/1tb/vitti/local/gcc-7/lib/../lib64/libstdc++.so
-lm -Wl,-rpath -Wl,/home/vitti/1tb/vitti/local/gcc-7-address/lib/../lib64
-Wl,-rpath -Wl,/home/vitti/1tb/vitti/local/gcc-7/lib/../lib64
./gcj-dbtool -n classmap.db || touch classmap.db
=================================================================
==16985==ERROR: AddressSanitizer: stack-buffer-underflow on address
0x7ffd646e1ff0 at pc 0x2b760583a7c1 bp 0x7ffd646e1f90 sp 0x7ffd646e1f88
READ of size 8 at 0x7ffd646e1ff0 thread T0
    #0 0x2b760583a7c0 in GC_push_all_eager
/home/vitti/1tb/vitti/test/gcc-trunk-239276/boehm-gc/mark.c:1468
    #1 0x2b760583c607 in GC_push_current_stack
/home/vitti/1tb/vitti/test/gcc-trunk-239276/boehm-gc/mark_rts.c:497
    #2 0x2b7605849561 in GC_with_callee_saves_pushed
/home/vitti/1tb/vitti/test/gcc-trunk-239276/boehm-gc/mach_dep.c:476
    #3 0x2b76058495f0 in GC_generic_push_regs
/home/vitti/1tb/vitti/test/gcc-trunk-239276/boehm-gc/mach_dep.c:487
    #4 0x2b760583c7c8 in GC_push_roots
/home/vitti/1tb/vitti/test/gcc-trunk-239276/boehm-gc/mark_rts.c:637
    #5 0x2b760583b3cc in GC_mark_some
/home/vitti/1tb/vitti/test/gcc-trunk-239276/boehm-gc/mark.c:326
    #6 0x2b760582c330 in GC_stopped_mark
/home/vitti/1tb/vitti/test/gcc-trunk-239276/boehm-gc/alloc.c:531
    #7 0x2b760582d1cf in GC_try_to_collect_inner
/home/vitti/1tb/vitti/test/gcc-trunk-239276/boehm-gc/alloc.c:378
    #8 0x2b760583ddf2 in GC_init_inner
/home/vitti/1tb/vitti/test/gcc-trunk-239276/boehm-gc/misc.c:789
    #9 0x2b760583df2e in GC_init
/home/vitti/1tb/vitti/test/gcc-trunk-239276/boehm-gc/misc.c:493
    #10 0x2b7605833e60 in GC_init_gcj_malloc
/home/vitti/1tb/vitti/test/gcc-trunk-239276/boehm-gc/gcj_mlc.c:60
    #11 0x2b7605048a6f in _Jv_InitGC()
/home/vitti/1tb/vitti/test/gcc-trunk-239276/libjava/boehm.cc:537
    #12 0x2b7604f7f242 in _Jv_CreateJavaVM
/home/vitti/1tb/vitti/test/gcc-trunk-239276/libjava/prims.cc:1631
    #13 0x2b7604f7f692 in _Jv_RunMain(_Jv_VMInitArgs*, java::lang::Class*, char
const*, int, char const**, bool)
/home/vitti/1tb/vitti/test/gcc-trunk-239276/libjava/prims.cc:1720
    #14 0x2b7604f7fc55 in _Jv_RunMain(java::lang::Class*, char const*, int,
char const**, bool)
/home/vitti/1tb/vitti/test/gcc-trunk-239276/libjava/prims.cc:1815
    #15 0x2b7604f7fc70 in JvRunMain
/home/vitti/1tb/vitti/test/gcc-trunk-239276/libjava/prims.cc:1821
    #16 0x40302f in main /tmp/cccH4paM.i:12
    #17 0x390da1ffdf in __libc_start_main (/lib64/libc.so.6+0x390da1ffdf)
    #18 0x403077 
(/home/vitti/1tb/vitti/gcc-7-address/x86_64-pc-linux-gnu/libjava/.libs/lt-gcj-dbtool+0x403077)

Address 0x7ffd646e1ff0 is located in stack of thread T0 at offset 0 in frame
    #0 0x2b76058494ed in GC_with_callee_saves_pushed
/home/vitti/1tb/vitti/test/gcc-trunk-239276/boehm-gc/mach_dep.c:410

  This frame has 1 object(s):
    [32, 40) 'dummy'
HINT: this may be a false positive if your program uses some custom stack
unwind mechanism or swapcontext
      (longjmp and C++ exceptions *are* supported)
SUMMARY: AddressSanitizer: stack-buffer-underflow
/home/vitti/1tb/vitti/test/gcc-trunk-239276/boehm-gc/mark.c:1468 in
GC_push_all_eager
Shadow bytes around the buggy address:
  0x10002c8d43a0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10002c8d43b0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10002c8d43c0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10002c8d43d0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10002c8d43e0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x10002c8d43f0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00[f1]f1
  0x10002c8d4400: f1 f1 00 f4 f4 f4 f3 f3 f3 f3 00 00 00 00 00 00
  0x10002c8d4410: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10002c8d4420: f1 f1 f1 f1 04 f4 f4 f4 f3 f3 f3 f3 00 00 00 00
  0x10002c8d4430: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10002c8d4440: 00 00 00 00 00 00 00 00 00 00 f1 f1 f1 f1 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==16985==ABORTING
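
The trace above shows the shape of the problem: GC_push_all_eager walks the stack word by word between the hot end (the 'dummy' local in GC_with_callee_saves_pushed, whose frame owns the reported address) and the cold end, and under ASan those reads cross the redzones that instrumentation places around stack locals. As an added illustration, not code from this report or from boehm-gc, the following C program implements that scanning pattern against a constructed `fake_heap` array and shows the usual remedy: exclude the collector's stack-walking routines from ASan instrumentation with `no_sanitize_address` rather than silence the report globally. It assumes a GCC or Clang compiler (for `__builtin_frame_address` and the attributes) and a downward-growing stack (x86-64, AArch64); `fake_heap`, `NO_ASAN` and every function name are hypothetical.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed stand-in for the collector's heap: a scanned word counts as
   a candidate root when it points into this array (half-open range). */
#define FAKE_HEAP_WORDS 16
static uintptr_t fake_heap[FAKE_HEAP_WORDS];

/* Keep ASan out of the stack-walking routines. A conservative scan reads
   every word between the two ends of the stack, including the redzones
   ASan places around locals of instrumented frames; instrumenting the
   scanner turns those deliberate reads into reports like the one above.
   Expands to nothing on compilers without the attribute. */
#if defined(__has_attribute)
# if __has_attribute(no_sanitize_address)
#  define NO_ASAN __attribute__((no_sanitize_address))
# endif
#endif
#ifndef NO_ASAN
# define NO_ASAN
#endif
#define NOINLINE __attribute__((noinline))

static int points_into_fake_heap(uintptr_t w)
{
    return w >= (uintptr_t)fake_heap
        && w <  (uintptr_t)(fake_heap + FAKE_HEAP_WORDS);
}

/* The pattern behind GC_push_all_eager: every aligned word in [lo, hi) is
   read and tested as if it might be a pointer. */
static NO_ASAN NOINLINE size_t scan_words(const uintptr_t *lo, const uintptr_t *hi)
{
    size_t hits = 0;
    for (const uintptr_t *p = lo; p < hi; p++) {
        uintptr_t q = *p;               /* the read ASan reported at mark.c:1468 */
        if (points_into_fake_heap(q))
            hits++;
    }
    return hits;
}

/* Hot end of the scan: this callee's own frame address, which sits below
   every local of its callers on a downward-growing stack. It plays the
   part of 'dummy' in GC_with_callee_saves_pushed. */
static NO_ASAN NOINLINE size_t scan_stack_from_here(const uintptr_t *cold_end)
{
    const uintptr_t *hot_end = __builtin_frame_address(0);
    return scan_words(hot_end, cold_end);
}

/* A frame between the two ends that holds a pointer into fake_heap in a
   stack slot (volatile keeps it in memory rather than in a register). */
static NO_ASAN NOINLINE size_t frame_holding_root(const uintptr_t *cold_end)
{
    volatile uintptr_t root = (uintptr_t)&fake_heap[3];
    size_t hits = scan_stack_from_here(cold_end);
    return hits + (root == 0);          /* reads root after the scan: keeps it live */
}

/* Cold end of the scan is this frame's address. Returns the number of words
   below it that look like pointers into fake_heap: at least one ('root'),
   possibly more if the compiler spilled the same value elsewhere. */
NO_ASAN NOINLINE size_t conservative_root_count(void)
{
    const uintptr_t *cold_end = __builtin_frame_address(0);
    return frame_holding_root(cold_end);
}

/* Deterministic control on a constructed buffer: two interior pointers,
   a one-past-the-end address (excluded by the half-open check) and noise. */
size_t scan_constructed_buffer(void)
{
    uintptr_t buf[6] = {
        0, (uintptr_t)&fake_heap[0], 42,
        (uintptr_t)&fake_heap[FAKE_HEAP_WORDS - 1],
        (uintptr_t)(fake_heap + FAKE_HEAP_WORDS), 7
    };
    return scan_words(buf, buf + 6);
}

int main(void)
{
    printf("constructed buffer: %zu candidate root(s)\n", scan_constructed_buffer());
    printf("live stack:         %zu candidate root(s)\n", conservative_root_count());
    return 0;
}
```

Built with -fsanitize=address, the NO_ASAN attributes are what keep this quiet. They belong on the frames that define and span the scanned range as well as on the scanner, because ASan's fake stack (detect_stack_use_after_return) relocates locals of instrumented functions off the real stack, which would put a range end, or the root, somewhere the scan does not look. That is also how to read the HINT in the report: the program is not using swapcontext, but the scanner does read memory that ASan, by design, considers out of bounds, and the fix is to exempt that code rather than to treat the collector's read as a memory-safety bug.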

