[Bug preprocessor/106252] New: [13 Regression] AddressSanitizer: global-buffer-overflow on address since r13-1544-ge46f4d7430c521

marxin at gcc dot gnu.org gcc-bugzilla@gcc.gnu.org
Mon Jul 11 09:47:23 GMT 2022


https://gcc.gnu.org/bugzilla/show_bug.cgi?id=106252

            Bug ID: 106252
           Summary: [13 Regression] AddressSanitizer:
                    global-buffer-overflow on address since
                    r13-1544-ge46f4d7430c521
           Product: gcc
           Version: 13.0
            Status: UNCONFIRMED
          Keywords: ice-on-valid-code
          Severity: normal
          Priority: P3
         Component: preprocessor
          Assignee: unassigned at gcc dot gnu.org
          Reporter: marxin at gcc dot gnu.org
                CC: lhyatt at gcc dot gnu.org
  Target Milestone: ---

Since the revision, the following ASAN error is reported:

/home/marxin/BIG/buildbot/buildworker/marxinbox-gcc-asan/objdir/gcc/xgcc
-B/home/marxin/BIG/buildbot/buildworker/marxinbox-gcc-asan/objdir/gcc/
/home/marxin/BIG/buildbot/buildworker/marxinbox-gcc-asan/build/gcc/testsuite/c-c++-common/pragma-diag-13.c
/home/marxin/BIG/buildbot/buildworker/marxinbox-gcc-asan/build/gcc/testsuite/c-c++-common/pragma-diag-13.c:2:54:
warning: missing ‘error’, ‘warning’, ‘ignored’, ‘push’, ‘pop’, or
‘ignored_attributes’ after ‘#pragma GCC diagnostic’ [-Wpragmas]
    2 | #pragma GCC diagnostic /* { dg-warning "missing" } */
      |                                                      ^
/home/marxin/BIG/buildbot/buildworker/marxinbox-gcc-asan/build/gcc/testsuite/c-c++-common/pragma-diag-13.c:3:24:
warning: expected ‘error’, ‘warning’, ‘ignored’, ‘push’, ‘pop’,
‘ignored_attributes’ after ‘#pragma GCC diagnostic’ [-Wpragmas]
    3 | #pragma GCC diagnostic warn /* { dg-warning "24:expected" } */
      |                        ^~~~
=================================================================
==4798==ERROR: AddressSanitizer: global-buffer-overflow on address
0x000005e9d1fc at pc 0x000000a5903c bp 0x7fffffffc310 sp 0x7fffffffc308
READ of size 4 at 0x000005e9d1fc thread T0
    #0 0xa5903b in handle_pragma_diagnostic_impl<false, false>
/home/marxin/BIG/buildbot/buildworker/marxinbox-gcc-asan/build/gcc/c-family/c-pragma.cc:1013
    #1 0xa5903b in handle_pragma_diagnostic
/home/marxin/BIG/buildbot/buildworker/marxinbox-gcc-asan/build/gcc/c-family/c-pragma.cc:1070
    #2 0x8d77d1 in c_parser_pragma
/home/marxin/BIG/buildbot/buildworker/marxinbox-gcc-asan/build/gcc/c/c-parser.cc:12640
    #3 0x960b55 in c_parser_external_declaration
/home/marxin/BIG/buildbot/buildworker/marxinbox-gcc-asan/build/gcc/c/c-parser.cc:1768
    #4 0x962040 in c_parser_translation_unit
/home/marxin/BIG/buildbot/buildworker/marxinbox-gcc-asan/build/gcc/c/c-parser.cc:1660
    #5 0x962040 in c_parse_file()
/home/marxin/BIG/buildbot/buildworker/marxinbox-gcc-asan/build/gcc/c/c-parser.cc:23540
    #6 0xa4dcee in c_common_parse_file()
/home/marxin/BIG/buildbot/buildworker/marxinbox-gcc-asan/build/gcc/c-family/c-opts.cc:1235
    #7 0x1bc699f in compile_file
/home/marxin/BIG/buildbot/buildworker/marxinbox-gcc-asan/build/gcc/toplev.cc:452
    #8 0x70ebb9 in do_compile
/home/marxin/BIG/buildbot/buildworker/marxinbox-gcc-asan/build/gcc/toplev.cc:2146
    #9 0x70ebb9 in toplev::main(int, char**)
/home/marxin/BIG/buildbot/buildworker/marxinbox-gcc-asan/build/gcc/toplev.cc:2298
    #10 0x719203 in main
/home/marxin/BIG/buildbot/buildworker/marxinbox-gcc-asan/build/gcc/main.cc:39
    #11 0x7ffff78405af in __libc_start_call_main
../sysdeps/nptl/libc_start_call_main.h:58
    #12 0x7ffff7840678 in __libc_start_main_impl ../csu/libc-start.c:392
    #13 0x71a624 in _start
(/home/marxin/BIG/buildbot/buildworker/marxinbox-gcc-asan/objdir/gcc/cc1+0x71a624)

0x000005e9d1fc is located 36 bytes to the left of global variable 'cl_enums'
defined in 'options.cc:1282:22' (0x5e9d220) of size 2976
0x000005e9d1fc is located 20 bytes to the right of global variable 'lang_names'
defined in 'options.cc:3187:20' (0x5e9d180) of size 104
SUMMARY: AddressSanitizer: global-buffer-overflow
/home/marxin/BIG/buildbot/buildworker/marxinbox-gcc-asan/build/gcc/c-family/c-pragma.cc:1013
in handle_pragma_diagnostic_impl<false, false>
==4798==ABORTING

It can also be seen with the following simple patch:

diff --git a/gcc/c-family/c-pragma.cc b/gcc/c-family/c-pragma.cc
index 62bce2ed0f5..93887759439 100644
--- a/gcc/c-family/c-pragma.cc
+++ b/gcc/c-family/c-pragma.cc
@@ -1010,6 +1010,7 @@ handle_pragma_diagnostic_impl ()
     return;

   const char *arg = NULL;
+  gcc_assert (option_index < N_OPTS);
   if (cl_options[option_index].flags & CL_JOINED)
     arg = data.option_str + 1 + cl_options[option_index].opt_len;

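Review bot: the `gcc_assert (option_index < N_OPTS)` added before `if (cl_options[option_index].flags & CL_JOINED)` turns the out-of-bounds read into an internal compiler error rather than removing it; the test input at line 4 of pragma-diag-13.c expects `dg-warning "32:unknown"` for `-Wfoo`, so the handler should detect the failed lookup (option_index == N_OPTS) before touching `cl_options[option_index]` and return through the existing unknown-option warning path instead of asserting. As a debugging aid that makes the ASAN-only failure reproducible in a normal build, which is how the report uses it, the assert is fine.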
$ ./xg++ -B.
/home/marxin/Programming/gcc/gcc/testsuite/c-c++-common/pragma-diag-13.c -c
-std=c++20
/home/marxin/Programming/gcc/gcc/testsuite/c-c++-common/pragma-diag-13.c:2:54:
warning: missing ‘error’, ‘warning’, ‘ignored’, ‘push’, ‘pop’, or
‘ignored_attributes’ after ‘#pragma GCC diagnostic’ [-Wpragmas]
    2 | #pragma GCC diagnostic /* { dg-warning "missing" } */
      |                                                      ^
/home/marxin/Programming/gcc/gcc/testsuite/c-c++-common/pragma-diag-13.c:3:24:
warning: expected ‘error’, ‘warning’, ‘ignored’, ‘push’, ‘pop’,
‘ignored_attributes’ after ‘#pragma GCC diagnostic’ [-Wpragmas]
    3 | #pragma GCC diagnostic warn /* { dg-warning "24:expected" } */
      |                        ^~~~
/home/marxin/Programming/gcc/gcc/testsuite/c-c++-common/pragma-diag-13.c:4:32:
internal compiler error: in handle_pragma_diagnostic_impl, at
c-family/c-pragma.cc:1013
    4 | #pragma GCC diagnostic ignored "-Wfoo" /* { dg-warning "32:unknown" } */
      |                                ^~~~~~~
0x7b250c handle_pragma_diagnostic_impl<false, false>
        /home/marxin/Programming/gcc/gcc/c-family/c-pragma.cc:1013
0x7b250c handle_pragma_diagnostic
        /home/marxin/Programming/gcc/gcc/c-family/c-pragma.cc:1071
0xb7906c cp_parser_pragma
        /home/marxin/Programming/gcc/gcc/cp/parser.cc:48424
0xbb2ceb cp_parser_toplevel_declaration
        /home/marxin/Programming/gcc/gcc/cp/parser.cc:15085
0xbb2ceb cp_parser_toplevel_declaration
        /home/marxin/Programming/gcc/gcc/cp/parser.cc:15076
0xbb2ceb cp_parser_translation_unit
        /home/marxin/Programming/gcc/gcc/cp/parser.cc:5063
0xbb2ceb c_parse_file()
        /home/marxin/Programming/gcc/gcc/cp/parser.cc:48481
0xcf81f5 c_common_parse_file()
        /home/marxin/Programming/gcc/gcc/c-family/c-opts.cc:1235
Please submit a full bug report, with preprocessed source (by using
-freport-bug).
Please include the complete backtrace with any bug report.
See <https://gcc.gnu.org/bugs/> for instructions.
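To illustrate the defect class that the ASAN report and the ICE above point at, here is an added C model; it is not GCC's c-pragma.cc. The names cl_options, N_OPTS, CL_JOINED, opt_len and option_index follow the report, while the table contents, find_opt and handle_pragma_diagnostic_model are constructed for the example.

```c
/* Constructed model of the defect behind PR 106252: a pragma handler looks an
 * option spelling up in a fixed table, the lookup signals "not found" with the
 * sentinel index N_OPTS, and the handler indexes the table with that sentinel
 * anyway.  Example code, not GCC's: table, find_opt and handler are invented. */
#include <stddef.h>
#include <string.h>
#define CL_JOINED 0x1u   /* option carries a joined argument, e.g. -Wfoo=bar */

struct cl_option {
  const char *opt_text;  /* spelling including the leading dash */
  size_t opt_len;        /* length without the dash */
  unsigned flags;
};
static const struct cl_option cl_options[] = {
  { "-Wall", 4, 0 },
  { "-Wpragmas", 8, 0 },
  { "-Wstrict-aliasing=", 17, CL_JOINED },
};
#define N_OPTS (sizeof cl_options / sizeof cl_options[0])

/* Stand-in for find_opt (): the caller passes the spelling without its leading
 * dash; N_OPTS means no match. */
static size_t find_opt (const char *input)
{
  for (size_t i = 0; i < N_OPTS; i++)
    {
      const struct cl_option *o = &cl_options[i];
      if (strncmp (input, o->opt_text + 1, o->opt_len) == 0
          && ((o->flags & CL_JOINED) || input[o->opt_len] == '\0'))
        return i;
    }
  return N_OPTS;
}
enum pragma_status { PRAGMA_OK, PRAGMA_UNKNOWN_OPTION };

/* Hardened handler.  Without the range check, "-Wfoo" yields option_index ==
 * N_OPTS and cl_options[option_index].flags reads 4 bytes past the table end. */
static enum pragma_status
handle_pragma_diagnostic_model (const char *option_str, const char **arg)
{
  *arg = NULL;
  if (option_str[0] != '-' || option_str[1] == '\0')
    return PRAGMA_UNKNOWN_OPTION;
  size_t option_index = find_opt (option_str + 1);
  if (option_index >= N_OPTS)       /* what the diagnostic patch above asserts */
    return PRAGMA_UNKNOWN_OPTION;   /* take the "unknown option" warning path */
  if (cl_options[option_index].flags & CL_JOINED)
    *arg = option_str + 1 + cl_options[option_index].opt_len;
  return PRAGMA_OK;
}
```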

