[Bug c++/90587] [10 Regression] asan: stack-use-after-scope with -O3 and -Wall
marxin at gcc dot gnu.org
gcc-bugzilla@gcc.gnu.org
Thu May 23 10:05:00 GMT 2019
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=90587
--- Comment #7 from Martin Liška <marxin at gcc dot gnu.org> ---
Full report:
==26783==ERROR: AddressSanitizer: stack-use-after-scope on address
0x7fff19d9ac10 at pc 0x000002d5bd6e bp 0x7fff19d9a9f0 sp 0x7fff19d9a9e8
READ of size 8 at 0x7fff19d9ac10 thread T0
#0 0x2d5bd6d in bool wi::eq_p<generic_wide_int<wide_int_ref_storage<false,
false> >, generic_wide_int<wide_int_ref_storage<false, false> >
>(generic_wide_int<wide_int_ref_storage<false, false> > const&,
generic_wide_int<wide_int_ref_storage<false, false> > const&)
/home/marxin/Programming/gcc/gcc/wide-int.h:1856
#1 0x2d5ac1e in
wi::binary_traits<generic_wide_int<wide_int_ref_storage<false, false> >,
generic_wide_int<wide_int_ref_storage<false, false> >,
wi::int_traits<generic_wide_int<wide_int_ref_storage<false, false> >
>::precision_type, wi::int_traits<generic_wide_int<wide_int_ref_storage<false,
false> > >::precision_type>::predicate_result
operator==<generic_wide_int<wide_int_ref_storage<false, false> >,
generic_wide_int<wide_int_ref_storage<false, false> >
>(generic_wide_int<wide_int_ref_storage<false, false> > const&,
generic_wide_int<wide_int_ref_storage<false, false> > const&)
/home/marxin/Programming/gcc/gcc/wide-int.h:3268
#2 0x2d4bf89 in value_sat_pred_p
/home/marxin/Programming/gcc/gcc/tree-ssa-uninit.c:1063
#3 0x2d4e35c in is_pred_expr_subset_of
/home/marxin/Programming/gcc/gcc/tree-ssa-uninit.c:1501
#4 0x2d4e7e9 in is_pred_chain_subset_of
/home/marxin/Programming/gcc/gcc/tree-ssa-uninit.c:1525
#5 0x2d4ea48 in is_included_in
/home/marxin/Programming/gcc/gcc/tree-ssa-uninit.c:1554
#6 0x2d4ec85 in is_superset_of
/home/marxin/Programming/gcc/gcc/tree-ssa-uninit.c:1585
#7 0x2d54e75 in is_use_properly_guarded
/home/marxin/Programming/gcc/gcc/tree-ssa-uninit.c:2488
#8 0x2d55215 in find_uninit_use
/home/marxin/Programming/gcc/gcc/tree-ssa-uninit.c:2532
#9 0x2d5586f in warn_uninitialized_phi
/home/marxin/Programming/gcc/gcc/tree-ssa-uninit.c:2601
#10 0x2d5643d in execute
/home/marxin/Programming/gcc/gcc/tree-ssa-uninit.c:2710
#11 0x21778df in execute_one_pass(opt_pass*)
/home/marxin/Programming/gcc/gcc/passes.c:2473
#12 0x2178152 in execute_pass_list_1
/home/marxin/Programming/gcc/gcc/passes.c:2559
#13 0x21781cd in execute_pass_list_1
/home/marxin/Programming/gcc/gcc/passes.c:2560
#14 0x2178271 in execute_pass_list(function*, opt_pass*)
/home/marxin/Programming/gcc/gcc/passes.c:2570
#15 0x143943f in cgraph_node::expand()
/home/marxin/Programming/gcc/gcc/cgraphunit.c:2194
#16 0x143a429 in expand_all_functions
/home/marxin/Programming/gcc/gcc/cgraphunit.c:2332
#17 0x143c4be in symbol_table::compile()
/home/marxin/Programming/gcc/gcc/cgraphunit.c:2683
#18 0x143cdc3 in symbol_table::finalize_compilation_unit()
/home/marxin/Programming/gcc/gcc/cgraphunit.c:2861
#19 0x257b442 in compile_file /home/marxin/Programming/gcc/gcc/toplev.c:481
#20 0x2583430 in do_compile /home/marxin/Programming/gcc/gcc/toplev.c:2205
#21 0x2583cb8 in toplev::main(int, char**)
/home/marxin/Programming/gcc/gcc/toplev.c:2340
#22 0x4b87f4a in main /home/marxin/Programming/gcc/gcc/main.c:39
#23 0x7f2456b01b7a in __libc_start_main ../csu/libc-start.c:308
#24 0x8a0799 in _start (/dev/shm/objdir2/gcc/cc1plus+0x8a0799)
Address 0x7fff19d9ac10 is located in stack of thread T0 at offset 224 in frame
#0 0x2d4bc1e in value_sat_pred_p
/home/marxin/Programming/gcc/gcc/tree-ssa-uninit.c:1057
This frame has 5 object(s):
[32, 64) 'andw'
[96, 128) '<unknown>'
[160, 192) '<unknown>'
[224, 256) '<unknown>' <== Memory access at offset 224 is inside this
variable
[288, 320) '<unknown>'
HINT: this may be a false positive if your program uses some custom stack
unwind mechanism, swapcontext or vfork
(longjmp and C++ exceptions *are* supported)
SUMMARY: AddressSanitizer: stack-use-after-scope
/home/marxin/Programming/gcc/gcc/wide-int.h:1856 in bool
wi::eq_p<generic_wide_int<wide_int_ref_storage<false, false> >,
generic_wide_int<wide_int_ref_storage<false, false> >
>(generic_wide_int<wide_int_ref_storage<false, false> > const&,
generic_wide_int<wide_int_ref_storage<false, false> > const&)
Shadow bytes around the buggy address:
0x1000633ab530: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x1000633ab540: 00 00 00 00 f1 f1 f1 f1 00 00 00 00 f2 f2 f2 f2
0x1000633ab550: 00 00 00 00 f3 f3 f3 f3 00 00 00 00 00 00 00 00
0x1000633ab560: 00 00 00 00 00 00 f1 f1 f1 f1 00 00 00 00 f2 f2
0x1000633ab570: f2 f2 f8 f8 f8 f8 f2 f2 f2 f2 f8 f8 f8 f8 f2 f2
=>0x1000633ab580: f2 f2[f8]f8 f8 f8 f2 f2 f2 f2 00 00 00 00 f3 f3
0x1000633ab590: f3 f3 00 00 00 00 00 00 00 00 f1 f1 f1 f1 00 00
0x1000633ab5a0: 00 f2 f2 f2 f2 f2 00 00 00 f2 f3 f3 f3 f3 00 00
0x1000633ab5b0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x1000633ab5c0: 00 00 f1 f1 f1 f1 00 f2 f2 f2 f2 f2 f2 f2 00 f2
0x1000633ab5d0: f2 f2 f2 f2 f2 f2 00 00 00 f2 f2 f2 f2 f2 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
Shadow gap: cc
==26783==ABORTING