[Bug c++/90587] [10 Regression] asan: stack-use-after-scope with -O3 and -Wall

marxin at gcc dot gnu.org gcc-bugzilla@gcc.gnu.org
Thu May 23 10:05:00 GMT 2019


https://gcc.gnu.org/bugzilla/show_bug.cgi?id=90587

--- Comment #7 from Martin Liška <marxin at gcc dot gnu.org> ---
Full report:

==26783==ERROR: AddressSanitizer: stack-use-after-scope on address
0x7fff19d9ac10 at pc 0x000002d5bd6e bp 0x7fff19d9a9f0 sp 0x7fff19d9a9e8
READ of size 8 at 0x7fff19d9ac10 thread T0
    #0 0x2d5bd6d in bool wi::eq_p<generic_wide_int<wide_int_ref_storage<false,
false> >, generic_wide_int<wide_int_ref_storage<false, false> >
>(generic_wide_int<wide_int_ref_storage<false, false> > const&,
generic_wide_int<wide_int_ref_storage<false, false> > const&)
/home/marxin/Programming/gcc/gcc/wide-int.h:1856
    #1 0x2d5ac1e in
wi::binary_traits<generic_wide_int<wide_int_ref_storage<false, false> >,
generic_wide_int<wide_int_ref_storage<false, false> >,
wi::int_traits<generic_wide_int<wide_int_ref_storage<false, false> >
>::precision_type, wi::int_traits<generic_wide_int<wide_int_ref_storage<false,
false> > >::precision_type>::predicate_result
operator==<generic_wide_int<wide_int_ref_storage<false, false> >,
generic_wide_int<wide_int_ref_storage<false, false> >
>(generic_wide_int<wide_int_ref_storage<false, false> > const&,
generic_wide_int<wide_int_ref_storage<false, false> > const&)
/home/marxin/Programming/gcc/gcc/wide-int.h:3268
    #2 0x2d4bf89 in value_sat_pred_p
/home/marxin/Programming/gcc/gcc/tree-ssa-uninit.c:1063
    #3 0x2d4e35c in is_pred_expr_subset_of
/home/marxin/Programming/gcc/gcc/tree-ssa-uninit.c:1501
    #4 0x2d4e7e9 in is_pred_chain_subset_of
/home/marxin/Programming/gcc/gcc/tree-ssa-uninit.c:1525
    #5 0x2d4ea48 in is_included_in
/home/marxin/Programming/gcc/gcc/tree-ssa-uninit.c:1554
    #6 0x2d4ec85 in is_superset_of
/home/marxin/Programming/gcc/gcc/tree-ssa-uninit.c:1585
    #7 0x2d54e75 in is_use_properly_guarded
/home/marxin/Programming/gcc/gcc/tree-ssa-uninit.c:2488
    #8 0x2d55215 in find_uninit_use
/home/marxin/Programming/gcc/gcc/tree-ssa-uninit.c:2532
    #9 0x2d5586f in warn_uninitialized_phi
/home/marxin/Programming/gcc/gcc/tree-ssa-uninit.c:2601
    #10 0x2d5643d in execute
/home/marxin/Programming/gcc/gcc/tree-ssa-uninit.c:2710
    #11 0x21778df in execute_one_pass(opt_pass*)
/home/marxin/Programming/gcc/gcc/passes.c:2473
    #12 0x2178152 in execute_pass_list_1
/home/marxin/Programming/gcc/gcc/passes.c:2559
    #13 0x21781cd in execute_pass_list_1
/home/marxin/Programming/gcc/gcc/passes.c:2560
    #14 0x2178271 in execute_pass_list(function*, opt_pass*)
/home/marxin/Programming/gcc/gcc/passes.c:2570
    #15 0x143943f in cgraph_node::expand()
/home/marxin/Programming/gcc/gcc/cgraphunit.c:2194
    #16 0x143a429 in expand_all_functions
/home/marxin/Programming/gcc/gcc/cgraphunit.c:2332
    #17 0x143c4be in symbol_table::compile()
/home/marxin/Programming/gcc/gcc/cgraphunit.c:2683
    #18 0x143cdc3 in symbol_table::finalize_compilation_unit()
/home/marxin/Programming/gcc/gcc/cgraphunit.c:2861
    #19 0x257b442 in compile_file /home/marxin/Programming/gcc/gcc/toplev.c:481
    #20 0x2583430 in do_compile /home/marxin/Programming/gcc/gcc/toplev.c:2205
    #21 0x2583cb8 in toplev::main(int, char**)
/home/marxin/Programming/gcc/gcc/toplev.c:2340
    #22 0x4b87f4a in main /home/marxin/Programming/gcc/gcc/main.c:39
    #23 0x7f2456b01b7a in __libc_start_main ../csu/libc-start.c:308
    #24 0x8a0799 in _start (/dev/shm/objdir2/gcc/cc1plus+0x8a0799)

Address 0x7fff19d9ac10 is located in stack of thread T0 at offset 224 in frame
    #0 0x2d4bc1e in value_sat_pred_p
/home/marxin/Programming/gcc/gcc/tree-ssa-uninit.c:1057

  This frame has 5 object(s):
    [32, 64) 'andw'
    [96, 128) '<unknown>'
    [160, 192) '<unknown>'
    [224, 256) '<unknown>' <== Memory access at offset 224 is inside this
variable
    [288, 320) '<unknown>'
HINT: this may be a false positive if your program uses some custom stack
unwind mechanism, swapcontext or vfork
      (longjmp and C++ exceptions *are* supported)
SUMMARY: AddressSanitizer: stack-use-after-scope
/home/marxin/Programming/gcc/gcc/wide-int.h:1856 in bool
wi::eq_p<generic_wide_int<wide_int_ref_storage<false, false> >,
generic_wide_int<wide_int_ref_storage<false, false> >
>(generic_wide_int<wide_int_ref_storage<false, false> > const&,
generic_wide_int<wide_int_ref_storage<false, false> > const&)
Shadow bytes around the buggy address:
  0x1000633ab530: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x1000633ab540: 00 00 00 00 f1 f1 f1 f1 00 00 00 00 f2 f2 f2 f2
  0x1000633ab550: 00 00 00 00 f3 f3 f3 f3 00 00 00 00 00 00 00 00
  0x1000633ab560: 00 00 00 00 00 00 f1 f1 f1 f1 00 00 00 00 f2 f2
  0x1000633ab570: f2 f2 f8 f8 f8 f8 f2 f2 f2 f2 f8 f8 f8 f8 f2 f2
=>0x1000633ab580: f2 f2[f8]f8 f8 f8 f2 f2 f2 f2 00 00 00 00 f3 f3
  0x1000633ab590: f3 f3 00 00 00 00 00 00 00 00 f1 f1 f1 f1 00 00
  0x1000633ab5a0: 00 f2 f2 f2 f2 f2 00 00 00 f2 f3 f3 f3 f3 00 00
  0x1000633ab5b0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x1000633ab5c0: 00 00 f1 f1 f1 f1 00 f2 f2 f2 f2 f2 f2 f2 00 f2
  0x1000633ab5d0: f2 f2 f2 f2 f2 f2 00 00 00 f2 f2 f2 f2 f2 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
  Shadow gap:              cc
==26783==ABORTING

