public inbox for gcc-bugs@sourceware.org
* [Bug preprocessor/29966]  New: crash in cc1 with backtrace from free()
@ 2006-11-23 23:57 acahalan at gmail dot com
  2006-11-23 23:59 ` [Bug preprocessor/29966] " acahalan at gmail dot com
                   ` (11 more replies)
  0 siblings, 12 replies; 13+ messages in thread
From: acahalan at gmail dot com @ 2006-11-23 23:57 UTC (permalink / raw)
  To: gcc-bugs


Both gcc and g++ crash on this. (I'll attach the code later, as it's still
kind of large.) Seemingly innocent changes will affect the crash behavior.
Normally I compile with "-std=gnu99 -O2"; this is intended to be C code.
These very similar programs give different errors at times, especially when
using "-O0" instead of "-O2".

I suppose I'll blame the preprocessor, but changing from "-O2" to "-O0"
will usually (not always) cause the crash to be a regular SIGSEGV instead
of a glibc backtrace. I suppose the preprocessor is all unified now though,
so a bit of memory corruption could make things go weird later.

$ gcc -std=gnu99 -O0 gcc-bug4.c
gcc-bug4.c: In function ‘boomwrap’:
gcc-bug4.c:134: error: invalid application of ‘sizeof’ to incomplete type ‘struct dief’
gcc-bug4.c:138: error: expected ‘:’ before ‘)’ token
gcc-bug4.c:138: error: expected statement before ‘)’ token
gcc-bug4.c:138: error: expected expression before ‘:’ token
gcc-bug4.c:141: error: expected ‘:’ before ‘)’ token
gcc-bug4.c:141: error: expected statement before ‘)’ token
gcc-bug4.c:141: error: expected expression before ‘:’ token
gcc-bug4.c:141: error: expected ‘:’ before ‘)’ token
gcc-bug4.c:141: error: expected statement before ‘)’ token
gcc-bug4.c:141: error: expected expression before ‘:’ token
gcc-bug4.c:142: error: expected ‘:’ before ‘)’ token
gcc-bug4.c:142: error: expected statement before ‘)’ token
gcc-bug4.c:142: error: expected expression before ‘:’ token
gcc-bug4.c:447:1: error: unterminated argument list invoking macro "swap32"
gcc-bug4.c:142: error: ‘swap32’ undeclared (first use in this function)
gcc-bug4.c:142: error: (Each undeclared identifier is reported only once
gcc-bug4.c:142: error: for each function it appears in.)
gcc-bug4.c:142: error: expected ‘;’ at end of input
gcc-bug4.c:142: error: expected declaration or statement at end of input
*** glibc detected *** /usr/libexec/gcc/x86_64-redhat-linux/4.1.1/cc1: free(): invalid next size (normal): 0x0000000000c939e0 ***
======= Backtrace: =========
/lib64/libc.so.6[0x347e06eb00]
/lib64/libc.so.6(cfree+0x8c)[0x347e07227c]
/usr/libexec/gcc/x86_64-redhat-linux/4.1.1/cc1[0x696bfd]
/usr/libexec/gcc/x86_64-redhat-linux/4.1.1/cc1[0x746e53]
/usr/libexec/gcc/x86_64-redhat-linux/4.1.1/cc1[0x747224]
/usr/libexec/gcc/x86_64-redhat-linux/4.1.1/cc1[0x40af09]
/usr/libexec/gcc/x86_64-redhat-linux/4.1.1/cc1[0x4476ee]
/usr/libexec/gcc/x86_64-redhat-linux/4.1.1/cc1[0x44e164]
/usr/libexec/gcc/x86_64-redhat-linux/4.1.1/cc1[0x439aea]
/usr/libexec/gcc/x86_64-redhat-linux/4.1.1/cc1[0x6e9ac5]
/lib64/libc.so.6(__libc_start_main+0xf4)[0x347e01da44]
/usr/libexec/gcc/x86_64-redhat-linux/4.1.1/cc1(calloc+0x191)[0x402399]
======= Memory map: ========
00400000-00972000 r-xp 00000000 08:07 2734449 /usr/libexec/gcc/x86_64-redhat-linux/4.1.1/cc1
00b72000-00b79000 rw-p 00572000 08:07 2734449 /usr/libexec/gcc/x86_64-redhat-linux/4.1.1/cc1
00b79000-00c9a000 rw-p 00b79000 00:00 0 [heap]
347d000000-347d01a000 r-xp 00000000 08:07 1974387 /lib64/ld-2.4.90.so
347d219000-347d21a000 r--p 00019000 08:07 1974387 /lib64/ld-2.4.90.so
347d21a000-347d21b000 rw-p 0001a000 08:07 1974387 /lib64/ld-2.4.90.so
347e000000-347e144000 r-xp 00000000 08:07 1974396 /lib64/libc-2.4.90.so
347e144000-347e344000 ---p 00144000 08:07 1974396 /lib64/libc-2.4.90.so
347e344000-347e348000 r--p 00144000 08:07 1974396 /lib64/libc-2.4.90.so
347e348000-347e349000 rw-p 00148000 08:07 1974396 /lib64/libc-2.4.90.so
347e349000-347e34e000 rw-p 347e349000 00:00 0
3489a00000-3489a0d000 r-xp 00000000 08:07 1974339 /lib64/libgcc_s-4.1.1-20060828.so.1
3489a0d000-3489c0c000 ---p 0000d000 08:07 1974339 /lib64/libgcc_s-4.1.1-20060828.so.1
3489c0c000-3489c0d000 rw-p 0000c000 08:07 1974339 /lib64/libgcc_s-4.1.1-20060828.so.1
2aaaaaaab000-2aaaaaaac000 rw-p 2aaaaaaab000 00:00 0
2aaaaaac3000-2aaaaaac5000 rw-p 2aaaaaac3000 00:00 0
2aaaaaac5000-2aaaadfb7000 r--p 00000000 08:07 833564 /usr/lib/locale/locale-archive
2aaaadfb7000-2aaaae484000 rw-p 2aaaadfb7000 00:00 0
2aaab0000000-2aaab0021000 rw-p 2aaab0000000 00:00 0
2aaab0021000-2aaab4000000 ---p 2aaab0021000 00:00 0
7fffc45dc000-7fffc45f2000 rw-p 7fffc45dc000 00:00 0 [stack]
ffffffffff600000-ffffffffffe00000 ---p 00000000 00:00 0 [vdso]
gcc-bug4.c:142: confused by earlier errors, bailing out


-- 
           Summary: crash in cc1 with backtrace from free()
           Product: gcc
           Version: 4.1.1
            Status: UNCONFIRMED
          Severity: normal
          Priority: P3
         Component: preprocessor
        AssignedTo: unassigned at gcc dot gnu dot org
        ReportedBy: acahalan at gmail dot com


http://gcc.gnu.org/bugzilla/show_bug.cgi?id=29966


^ permalink raw reply	[flat|nested] 13+ messages in thread

* [Bug preprocessor/29966] crash in cc1 with backtrace from free()
  2006-11-23 23:57 [Bug preprocessor/29966] New: crash in cc1 with backtrace from free() acahalan at gmail dot com
@ 2006-11-23 23:59 ` acahalan at gmail dot com
  2006-11-24  0:00 ` acahalan at gmail dot com
                   ` (10 subsequent siblings)
  11 siblings, 0 replies; 13+ messages in thread
From: acahalan at gmail dot com @ 2006-11-23 23:59 UTC (permalink / raw)
  To: gcc-bugs



------- Comment #1 from acahalan at gmail dot com  2006-11-23 23:59 -------
Created an attachment (id=12676)
 --> (http://gcc.gnu.org/bugzilla/attachment.cgi?id=12676&action=view)
crash1.c


-- 


http://gcc.gnu.org/bugzilla/show_bug.cgi?id=29966



* [Bug preprocessor/29966] crash in cc1 with backtrace from free()
  2006-11-23 23:57 [Bug preprocessor/29966] New: crash in cc1 with backtrace from free() acahalan at gmail dot com
  2006-11-23 23:59 ` [Bug preprocessor/29966] " acahalan at gmail dot com
@ 2006-11-24  0:00 ` acahalan at gmail dot com
  2006-11-24  0:01 ` acahalan at gmail dot com
                   ` (9 subsequent siblings)
  11 siblings, 0 replies; 13+ messages in thread
From: acahalan at gmail dot com @ 2006-11-24  0:00 UTC (permalink / raw)
  To: gcc-bugs



------- Comment #2 from acahalan at gmail dot com  2006-11-24 00:00 -------
Created an attachment (id=12677)
 --> (http://gcc.gnu.org/bugzilla/attachment.cgi?id=12677&action=view)
crash2.c


-- 


http://gcc.gnu.org/bugzilla/show_bug.cgi?id=29966



* [Bug preprocessor/29966] crash in cc1 with backtrace from free()
  2006-11-23 23:57 [Bug preprocessor/29966] New: crash in cc1 with backtrace from free() acahalan at gmail dot com
                   ` (2 preceding siblings ...)
  2006-11-24  0:01 ` acahalan at gmail dot com
@ 2006-11-24  0:01 ` acahalan at gmail dot com
  2006-11-24  0:02 ` acahalan at gmail dot com
                   ` (7 subsequent siblings)
  11 siblings, 0 replies; 13+ messages in thread
From: acahalan at gmail dot com @ 2006-11-24  0:01 UTC (permalink / raw)
  To: gcc-bugs



------- Comment #4 from acahalan at gmail dot com  2006-11-24 00:01 -------
Created an attachment (id=12679)
 --> (http://gcc.gnu.org/bugzilla/attachment.cgi?id=12679&action=view)
crash4.c


-- 


http://gcc.gnu.org/bugzilla/show_bug.cgi?id=29966



* [Bug preprocessor/29966] crash in cc1 with backtrace from free()
  2006-11-23 23:57 [Bug preprocessor/29966] New: crash in cc1 with backtrace from free() acahalan at gmail dot com
  2006-11-23 23:59 ` [Bug preprocessor/29966] " acahalan at gmail dot com
  2006-11-24  0:00 ` acahalan at gmail dot com
@ 2006-11-24  0:01 ` acahalan at gmail dot com
  2006-11-24  0:01 ` acahalan at gmail dot com
                   ` (8 subsequent siblings)
  11 siblings, 0 replies; 13+ messages in thread
From: acahalan at gmail dot com @ 2006-11-24  0:01 UTC (permalink / raw)
  To: gcc-bugs



------- Comment #3 from acahalan at gmail dot com  2006-11-24 00:01 -------
Created an attachment (id=12678)
 --> (http://gcc.gnu.org/bugzilla/attachment.cgi?id=12678&action=view)
crash3.c


-- 


http://gcc.gnu.org/bugzilla/show_bug.cgi?id=29966



* [Bug preprocessor/29966] crash in cc1 with backtrace from free()
  2006-11-23 23:57 [Bug preprocessor/29966] New: crash in cc1 with backtrace from free() acahalan at gmail dot com
                   ` (3 preceding siblings ...)
  2006-11-24  0:01 ` acahalan at gmail dot com
@ 2006-11-24  0:02 ` acahalan at gmail dot com
  2006-11-24  0:17 ` pinskia at gcc dot gnu dot org
                   ` (6 subsequent siblings)
  11 siblings, 0 replies; 13+ messages in thread
From: acahalan at gmail dot com @ 2006-11-24  0:02 UTC (permalink / raw)
  To: gcc-bugs



------- Comment #5 from acahalan at gmail dot com  2006-11-24 00:02 -------
Created an attachment (id=12680)
 --> (http://gcc.gnu.org/bugzilla/attachment.cgi?id=12680&action=view)
crash5.c


-- 


http://gcc.gnu.org/bugzilla/show_bug.cgi?id=29966



* [Bug preprocessor/29966] crash in cc1 with backtrace from free()
  2006-11-23 23:57 [Bug preprocessor/29966] New: crash in cc1 with backtrace from free() acahalan at gmail dot com
                   ` (4 preceding siblings ...)
  2006-11-24  0:02 ` acahalan at gmail dot com
@ 2006-11-24  0:17 ` pinskia at gcc dot gnu dot org
  2006-11-24 10:46 ` rguenth at gcc dot gnu dot org
                   ` (5 subsequent siblings)
  11 siblings, 0 replies; 13+ messages in thread
From: pinskia at gcc dot gnu dot org @ 2006-11-24  0:17 UTC (permalink / raw)
  To: gcc-bugs



------- Comment #6 from pinskia at gcc dot gnu dot org  2006-11-24 00:17 -------
valgrind on the mainline shows beginning with:
==11886== Invalid write of size 1
==11886==    at 0x8592FE0: _cpp_lex_direct (lex.c:881)
==11886==  Address 0x48DD485 is 5 bytes after a block of size 4,000 alloc'd
==11886==    at 0x40051F9: malloc (vg_replace_malloc.c:149)
==11886==    by 0x85AD1F5: xmalloc (xmalloc.c:147)

4.0.4 and 4.1.2 all have the same issue.  I have not looked at 3.4.6 yet to see
if this is a regression.


-- 

pinskia at gcc dot gnu dot org changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
           Keywords|                            |ice-on-invalid-code
      Known to fail|                            |4.0.4 4.1.2 4.2.0 4.3.0


http://gcc.gnu.org/bugzilla/show_bug.cgi?id=29966



* [Bug preprocessor/29966] crash in cc1 with backtrace from free()
  2006-11-23 23:57 [Bug preprocessor/29966] New: crash in cc1 with backtrace from free() acahalan at gmail dot com
                   ` (5 preceding siblings ...)
  2006-11-24  0:17 ` pinskia at gcc dot gnu dot org
@ 2006-11-24 10:46 ` rguenth at gcc dot gnu dot org
  2006-12-27 21:44 ` tromey at gcc dot gnu dot org
                   ` (4 subsequent siblings)
  11 siblings, 0 replies; 13+ messages in thread
From: rguenth at gcc dot gnu dot org @ 2006-11-24 10:46 UTC (permalink / raw)
  To: gcc-bugs



------- Comment #7 from rguenth at gcc dot gnu dot org  2006-11-24 10:46 -------
3.4.6 and 3.3.6 have the same issue


-- 

rguenth at gcc dot gnu dot org changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
      Known to fail|4.0.4 4.1.2 4.2.0 4.3.0     |3.3.6 3.4.6 4.0.4 4.1.2
                   |                            |4.2.0 4.3.0


http://gcc.gnu.org/bugzilla/show_bug.cgi?id=29966



* [Bug preprocessor/29966] crash in cc1 with backtrace from free()
  2006-11-23 23:57 [Bug preprocessor/29966] New: crash in cc1 with backtrace from free() acahalan at gmail dot com
                   ` (6 preceding siblings ...)
  2006-11-24 10:46 ` rguenth at gcc dot gnu dot org
@ 2006-12-27 21:44 ` tromey at gcc dot gnu dot org
  2007-01-01 21:53 ` patchapp at dberlin dot org
                   ` (3 subsequent siblings)
  11 siblings, 0 replies; 13+ messages in thread
From: tromey at gcc dot gnu dot org @ 2006-12-27 21:44 UTC (permalink / raw)
  To: gcc-bugs



------- Comment #8 from tromey at gcc dot gnu dot org  2006-12-27 21:43 -------
I looked at this a bit.

The basic problem resembles bug #14438 in a way.
The source code here has an unterminated "call" to a function-like
macro.  cpp thinks all the subsequent #define directives are
in the expansion (try -pedantic to see the errors).

I believe what happens is that during a call to create_iso_definition,
we call _cpp_lex_token at a point where it must allocate a new token
run.  But then upon returning we restore the old cur_token pointer
(see _cpp_create_definition), leading to the bug.

I'm testing a fix which works by saving and restoring cur_token in
lex_expansion_token.  I'm not positive this is correct, though.
Another possible fix might be to change create_iso_definition to call
_cpp_lex_direct rather than _cpp_lex_token.

BTW, my reading of _cpp_lex_token is that it assumes that cur_token
is in the current token run.  One easy way to make gdb stop when
the first bug is hit is to make a breakpoint conditional on this not
being true.  For debugging I added an assert() for this, but cpp
doesn't seem to use assertions anywhere, so I won't be submitting this.


-- 

tromey at gcc dot gnu dot org changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|UNCONFIRMED                 |NEW
     Ever Confirmed|0                           |1
   Last reconfirmed|0000-00-00 00:00:00         |2006-12-27 21:43:58
               date|                            |


http://gcc.gnu.org/bugzilla/show_bug.cgi?id=29966



* [Bug preprocessor/29966] crash in cc1 with backtrace from free()
  2006-11-23 23:57 [Bug preprocessor/29966] New: crash in cc1 with backtrace from free() acahalan at gmail dot com
                   ` (7 preceding siblings ...)
  2006-12-27 21:44 ` tromey at gcc dot gnu dot org
@ 2007-01-01 21:53 ` patchapp at dberlin dot org
  2007-01-08  1:31 ` tromey at gcc dot gnu dot org
                   ` (2 subsequent siblings)
  11 siblings, 0 replies; 13+ messages in thread
From: patchapp at dberlin dot org @ 2007-01-01 21:53 UTC (permalink / raw)
  To: gcc-bugs



------- Comment #9 from patchapp at dberlin dot org  2007-01-01 21:53 -------
Subject: Bug number PR preprocessor/29966

A patch for this bug has been added to the patch tracker.
The mailing list url for the patch is
http://gcc.gnu.org/ml/gcc-patches/2006-12/msg01848.html


-- 


http://gcc.gnu.org/bugzilla/show_bug.cgi?id=29966



* [Bug preprocessor/29966] crash in cc1 with backtrace from free()
  2006-11-23 23:57 [Bug preprocessor/29966] New: crash in cc1 with backtrace from free() acahalan at gmail dot com
                   ` (8 preceding siblings ...)
  2007-01-01 21:53 ` patchapp at dberlin dot org
@ 2007-01-08  1:31 ` tromey at gcc dot gnu dot org
  2007-01-30 15:46 ` tromey at gcc dot gnu dot org
  2007-01-30 16:29 ` tromey at gcc dot gnu dot org
  11 siblings, 0 replies; 13+ messages in thread
From: tromey at gcc dot gnu dot org @ 2007-01-08  1:31 UTC (permalink / raw)
  To: gcc-bugs



-- 

tromey at gcc dot gnu dot org changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
         AssignedTo|unassigned at gcc dot gnu   |tromey at gcc dot gnu dot
                   |dot org                     |org
             Status|NEW                         |ASSIGNED
   Last reconfirmed|2006-12-27 21:43:58         |2007-01-08 01:30:57
               date|                            |


http://gcc.gnu.org/bugzilla/show_bug.cgi?id=29966



* [Bug preprocessor/29966] crash in cc1 with backtrace from free()
  2006-11-23 23:57 [Bug preprocessor/29966] New: crash in cc1 with backtrace from free() acahalan at gmail dot com
                   ` (9 preceding siblings ...)
  2007-01-08  1:31 ` tromey at gcc dot gnu dot org
@ 2007-01-30 15:46 ` tromey at gcc dot gnu dot org
  2007-01-30 16:29 ` tromey at gcc dot gnu dot org
  11 siblings, 0 replies; 13+ messages in thread
From: tromey at gcc dot gnu dot org @ 2007-01-30 15:46 UTC (permalink / raw)
  To: gcc-bugs



------- Comment #10 from tromey at gcc dot gnu dot org  2007-01-30 15:46 -------
Subject: Bug 29966

Author: tromey
Date: Tue Jan 30 15:46:01 2007
New Revision: 121340

URL: http://gcc.gnu.org/viewcvs?root=gcc&view=rev&rev=121340
Log:
        PR preprocessor/29966:
        * macro.c (lex_expansion_token): Save and restore cpp_reader's
        cur_token.
        (_cpp_create_definition): Don't restore cur_token here.
        * lex.c (_cpp_lex_token): Added assertion.

Modified:
    trunk/libcpp/ChangeLog
    trunk/libcpp/lex.c
    trunk/libcpp/macro.c


-- 


http://gcc.gnu.org/bugzilla/show_bug.cgi?id=29966


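The mechanism Tom Tromey describes in comment #8 (a saved cur_token restored after _cpp_lex_token has moved on to a freshly allocated token run) and the shape of the fix in r121340 (comment #10, save and restore cur_token inside lex_expansion_token instead of in _cpp_create_definition), as an added example that is not part of this thread and not libcpp code. It is a toy model in C with invented names (tok_run, lexer, lex_token, lex_direct, define_buggy, define_fixed, scenario) and a tiny run size so that a run boundary is crossed after four tokens. Where the real pre-fix preprocessor wrote through the stale pointer and corrupted the heap, the model checks the invariant Tromey mentions (cur_token must lie inside the current run) and refuses the write, so the bad state is reported instead of triggering undefined behaviour.

```c
/* Added example, not libcpp code: a toy model of libcpp's token runs showing
 * the PR 29966 pattern.  The lexer hands out slots from the current run and
 * starts a new run when it fills.  A caller that saves cur_token, lexes across
 * a run boundary, then restores the saved pointer leaves cur_token in the old
 * run while cur_run is the new one; the next write through it is out of bounds.
 * All names (tok_run, lexer, lex_token, lex_direct, define_*) are invented. */
#include <stdio.h>
#include <stdlib.h>

#define RUN_CAP 4   /* slots per run; tiny so a boundary is crossed quickly */
#define MAX_EXP 8   /* expansion tokens a model macro can hold */

typedef struct { int kind; } token;
typedef struct tok_run { token *base, *limit; struct tok_run *next; } tok_run;
typedef struct { tok_run *first, *cur_run; token *cur_token; } lexer;
typedef struct { token exp[MAX_EXP]; int count; } macro;

static tok_run *new_run(void) {
    tok_run *r = calloc(1, sizeof *r);
    r->base = calloc(RUN_CAP, sizeof(token));
    r->limit = r->base + RUN_CAP;          /* one past the last slot */
    return r;
}

static void lexer_init(lexer *l) {
    l->first = l->cur_run = new_run();
    l->cur_token = l->cur_run->base;
}

static void lexer_free(lexer *l) {
    for (tok_run *r = l->first; r;) { tok_run *n = r->next; free(r->base); free(r); r = n; }
}

/* The invariant the fix asserts in _cpp_lex_token: cur_token lies in cur_run.
 * Pointer equality only, so this is well defined even for a stale cur_token. */
static int cursor_in_run(const lexer *l) {
    for (token *p = l->cur_run->base; p <= l->cur_run->limit; p++)
        if (p == l->cur_token) return 1;
    return 0;
}

/* _cpp_lex_direct analogue: write at *cur_token and advance; never allocates. */
static token *lex_direct(lexer *l, int kind) {
    l->cur_token->kind = kind;
    return l->cur_token++;
}

/* _cpp_lex_token analogue: on a full run, allocate a new one and move there.
 * Pre-fix libcpp wrote blindly through a stale cur_token; this model refuses. */
static token *lex_token(lexer *l, int kind) {
    if (!cursor_in_run(l)) return NULL;
    if (l->cur_token == l->cur_run->limit) {
        tok_run *r = new_run();
        l->cur_run->next = r;
        l->cur_run = r;
        l->cur_token = r->base;
    }
    return lex_direct(l, kind);
}

/* Pre-fix shape of _cpp_create_definition: save cur_token, lex the body via
 * the run-allocating path, restore the old pointer even if a run was added. */
static void define_buggy(lexer *l, macro *m, int ntoks) {
    token *saved = l->cur_token;
    for (int i = 0; i < ntoks && m->count < MAX_EXP; i++) {
        token *t = lex_token(l, 100 + i);
        if (t) m->exp[m->count++] = *t;
    }
    l->cur_token = saved;   /* stale if lex_token moved to a new run */
}

/* Post-fix shape (lex_expansion_token, r121340): aim cur_token at the macro's
 * own storage, lex directly into it, restore.  The run cursor never moves. */
static void define_fixed(lexer *l, macro *m, int ntoks) {
    for (int i = 0; i < ntoks && m->count < MAX_EXP; i++) {
        token *saved = l->cur_token;
        l->cur_token = &m->exp[m->count++];
        lex_direct(l, 100 + i);
        l->cur_token = saved;
    }
}

/* Lex `prelude` ordinary tokens, define a macro of `ntoks` tokens with one
 * strategy, then lex one more token.  1 = all stored and cursor valid, 0 = stale. */
static int scenario(int prelude, int ntoks, int use_fix) {
    lexer l; macro m = {{{0}}, 0};
    lexer_init(&l);
    for (int i = 0; i < prelude; i++) lex_token(&l, i);
    if (use_fix) define_fixed(&l, &m, ntoks); else define_buggy(&l, &m, ntoks);
    int ok = m.count == ntoks && cursor_in_run(&l) && lex_token(&l, 999) != NULL;
    lexer_free(&l);
    return ok;
}

int main(void) {
    printf("buggy, run boundary hit: %s\n", scenario(2, 3, 0) ? "ok" : "STALE CURSOR");
    printf("fixed, run boundary hit: %s\n", scenario(2, 3, 1) ? "ok" : "STALE CURSOR");
    return 0;
}
```

With two tokens already lexed, a three-token body crosses the four-slot run, so the buggy path ends with cur_token in the old run while cur_run is the new one; the same body through the fixed path never touches the run cursor. A prelude of exactly four tokens reproduces the valgrind shape from comment #6 most closely: the saved pointer is the old run's limit, so the first write after the restore would land just past the end of that allocation.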

* [Bug preprocessor/29966] crash in cc1 with backtrace from free()
  2006-11-23 23:57 [Bug preprocessor/29966] New: crash in cc1 with backtrace from free() acahalan at gmail dot com
                   ` (10 preceding siblings ...)
  2007-01-30 15:46 ` tromey at gcc dot gnu dot org
@ 2007-01-30 16:29 ` tromey at gcc dot gnu dot org
  11 siblings, 0 replies; 13+ messages in thread
From: tromey at gcc dot gnu dot org @ 2007-01-30 16:29 UTC (permalink / raw)
  To: gcc-bugs



------- Comment #11 from tromey at gcc dot gnu dot org  2007-01-30 16:29 -------
Fix checked in.


-- 

tromey at gcc dot gnu dot org changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|ASSIGNED                    |RESOLVED
         Resolution|                            |FIXED
   Target Milestone|---                         |4.3.0


http://gcc.gnu.org/bugzilla/show_bug.cgi?id=29966


