public inbox for gcc-bugs@sourceware.org
* [Bug preprocessor/29966] New: crash in cc1 with backtrace from free()
@ 2006-11-23 23:57 acahalan at gmail dot com
2006-11-23 23:59 ` [Bug preprocessor/29966] " acahalan at gmail dot com
` (11 more replies)
0 siblings, 12 replies; 13+ messages in thread
From: acahalan at gmail dot com @ 2006-11-23 23:57 UTC (permalink / raw)
To: gcc-bugs
Both gcc and g++ crash on this. (I'll attach the code later, as it's still
kind of large.) Seemingly innocent changes will affect the crash behavior.

Normally I compile with "-std=gnu99 -O2"; this is intended to be C code.
These very similar programs give different errors at times, especially when
using "-O0" instead of "-O2".

I suppose I'll blame the preprocessor, but changing from "-O2" to "-O0"
will usually (not always) cause the crash to be a regular SIGSEGV instead
of a glibc backtrace. I suppose the preprocessor is all unified now though,
so a bit of memory corruption could make things go weird later.
$ gcc -std=gnu99 -O0 gcc-bug4.c
gcc-bug4.c: In function boomwrap:
gcc-bug4.c:134: error: invalid application of sizeof to incomplete type
struct dief
gcc-bug4.c:138: error: expected : before ) token
gcc-bug4.c:138: error: expected statement before ) token
gcc-bug4.c:138: error: expected expression before : token
gcc-bug4.c:141: error: expected : before ) token
gcc-bug4.c:141: error: expected statement before ) token
gcc-bug4.c:141: error: expected expression before : token
gcc-bug4.c:141: error: expected : before ) token
gcc-bug4.c:141: error: expected statement before ) token
gcc-bug4.c:141: error: expected expression before : token
gcc-bug4.c:142: error: expected : before ) token
gcc-bug4.c:142: error: expected statement before ) token
gcc-bug4.c:142: error: expected expression before : token
gcc-bug4.c:447:1: error: unterminated argument list invoking macro "swap32"
gcc-bug4.c:142: error: swap32 undeclared (first use in this function)
gcc-bug4.c:142: error: (Each undeclared identifier is reported only once
gcc-bug4.c:142: error: for each function it appears in.)
gcc-bug4.c:142: error: expected ; at end of input
gcc-bug4.c:142: error: expected declaration or statement at end of input
*** glibc detected *** /usr/libexec/gcc/x86_64-redhat-linux/4.1.1/cc1: free():
invalid next size (normal): 0x0000000000c939e0 ***
======= Backtrace: =========
/lib64/libc.so.6[0x347e06eb00]
/lib64/libc.so.6(cfree+0x8c)[0x347e07227c]
/usr/libexec/gcc/x86_64-redhat-linux/4.1.1/cc1[0x696bfd]
/usr/libexec/gcc/x86_64-redhat-linux/4.1.1/cc1[0x746e53]
/usr/libexec/gcc/x86_64-redhat-linux/4.1.1/cc1[0x747224]
/usr/libexec/gcc/x86_64-redhat-linux/4.1.1/cc1[0x40af09]
/usr/libexec/gcc/x86_64-redhat-linux/4.1.1/cc1[0x4476ee]
/usr/libexec/gcc/x86_64-redhat-linux/4.1.1/cc1[0x44e164]
/usr/libexec/gcc/x86_64-redhat-linux/4.1.1/cc1[0x439aea]
/usr/libexec/gcc/x86_64-redhat-linux/4.1.1/cc1[0x6e9ac5]
/lib64/libc.so.6(__libc_start_main+0xf4)[0x347e01da44]
/usr/libexec/gcc/x86_64-redhat-linux/4.1.1/cc1(calloc+0x191)[0x402399]
gcc-bug4.c:142: confused by earlier errors, bailing out
--
Summary: crash in cc1 with backtrace from free()
Product: gcc
Version: 4.1.1
Status: UNCONFIRMED
Severity: normal
Priority: P3
Component: preprocessor
AssignedTo: unassigned at gcc dot gnu dot org
ReportedBy: acahalan at gmail dot com
http://gcc.gnu.org/bugzilla/show_bug.cgi?id=29966
* [Bug preprocessor/29966] crash in cc1 with backtrace from free()
From: acahalan at gmail dot com @ 2006-11-23 23:59 UTC (permalink / raw)
To: gcc-bugs
------- Comment #1 from acahalan at gmail dot com 2006-11-23 23:59 -------
Created an attachment (id=12676)
--> (http://gcc.gnu.org/bugzilla/attachment.cgi?id=12676&action=view)
crash1.c
--
http://gcc.gnu.org/bugzilla/show_bug.cgi?id=29966
* [Bug preprocessor/29966] crash in cc1 with backtrace from free()
From: acahalan at gmail dot com @ 2006-11-24 0:00 UTC (permalink / raw)
To: gcc-bugs
------- Comment #2 from acahalan at gmail dot com 2006-11-24 00:00 -------
Created an attachment (id=12677)
--> (http://gcc.gnu.org/bugzilla/attachment.cgi?id=12677&action=view)
crash2.c
--
http://gcc.gnu.org/bugzilla/show_bug.cgi?id=29966
* [Bug preprocessor/29966] crash in cc1 with backtrace from free()
From: acahalan at gmail dot com @ 2006-11-24 0:01 UTC (permalink / raw)
To: gcc-bugs
------- Comment #4 from acahalan at gmail dot com 2006-11-24 00:01 -------
Created an attachment (id=12679)
--> (http://gcc.gnu.org/bugzilla/attachment.cgi?id=12679&action=view)
crash4.c
--
http://gcc.gnu.org/bugzilla/show_bug.cgi?id=29966
* [Bug preprocessor/29966] crash in cc1 with backtrace from free()
From: acahalan at gmail dot com @ 2006-11-24 0:01 UTC (permalink / raw)
To: gcc-bugs
------- Comment #3 from acahalan at gmail dot com 2006-11-24 00:01 -------
Created an attachment (id=12678)
--> (http://gcc.gnu.org/bugzilla/attachment.cgi?id=12678&action=view)
crash3.c
--
http://gcc.gnu.org/bugzilla/show_bug.cgi?id=29966
* [Bug preprocessor/29966] crash in cc1 with backtrace from free()
From: acahalan at gmail dot com @ 2006-11-24 0:02 UTC (permalink / raw)
To: gcc-bugs
------- Comment #5 from acahalan at gmail dot com 2006-11-24 00:02 -------
Created an attachment (id=12680)
--> (http://gcc.gnu.org/bugzilla/attachment.cgi?id=12680&action=view)
crash5.c
--
http://gcc.gnu.org/bugzilla/show_bug.cgi?id=29966
* [Bug preprocessor/29966] crash in cc1 with backtrace from free()
From: pinskia at gcc dot gnu dot org @ 2006-11-24 0:17 UTC (permalink / raw)
To: gcc-bugs
------- Comment #6 from pinskia at gcc dot gnu dot org 2006-11-24 00:17 -------
valgrind on the mainline shows beginning with:
==11886== Invalid write of size 1
==11886== at 0x8592FE0: _cpp_lex_direct (lex.c:881)
==11886== Address 0x48DD485 is 5 bytes after a block of size 4,000 alloc'd
==11886== at 0x40051F9: malloc (vg_replace_malloc.c:149)
==11886== by 0x85AD1F5: xmalloc (xmalloc.c:147)
4.0.4 and 4.1.2 all have the same issue. I have not looked at 3.4.6 yet to see
if this is a regression.
--
pinskia at gcc dot gnu dot org changed:
What |Removed |Added
----------------------------------------------------------------------------
Keywords| |ice-on-invalid-code
Known to fail| |4.0.4 4.1.2 4.2.0 4.3.0
http://gcc.gnu.org/bugzilla/show_bug.cgi?id=29966
* [Bug preprocessor/29966] crash in cc1 with backtrace from free()
From: rguenth at gcc dot gnu dot org @ 2006-11-24 10:46 UTC (permalink / raw)
To: gcc-bugs
------- Comment #7 from rguenth at gcc dot gnu dot org 2006-11-24 10:46 -------
3.4.6 and 3.3.6 have the same issue
--
rguenth at gcc dot gnu dot org changed:
What |Removed |Added
----------------------------------------------------------------------------
Known to fail|4.0.4 4.1.2 4.2.0 4.3.0 |3.3.6 3.4.6 4.0.4 4.1.2
| |4.2.0 4.3.0
http://gcc.gnu.org/bugzilla/show_bug.cgi?id=29966
* [Bug preprocessor/29966] crash in cc1 with backtrace from free()
From: tromey at gcc dot gnu dot org @ 2006-12-27 21:44 UTC (permalink / raw)
To: gcc-bugs
------- Comment #8 from tromey at gcc dot gnu dot org 2006-12-27 21:43 -------
I looked at this a bit.
The basic problem resembles bug #14438 in a way.

The source code here has an unterminated "call" to a function-like
macro. cpp thinks all the subsequent #define directives are
in the expansion (try -pedantic to see the errors).

I believe what happens is that during a call to create_iso_definition,
we call _cpp_lex_token at a point where it must allocate a new token
run. But then upon returning we restore the old cur_token pointer
(see _cpp_create_definition), leading to the bug.

I'm testing a fix which works by saving and restoring cur_token in
lex_expansion_token. I'm not positive this is correct, though.

Another possible fix might be to change create_iso_definition to call
_cpp_lex_direct rather than _cpp_lex_token.

BTW, my reading of _cpp_lex_token is that it assumes that cur_token
is in the current token run. One easy way to make gdb stop when
the first bug is hit is to make a breakpoint conditional on this not
being true. For debugging I added an assert() for this, but cpp
doesn't seem to use assertions anywhere, so I won't be submitting this.
--
tromey at gcc dot gnu dot org changed:
What |Removed |Added
----------------------------------------------------------------------------
Status|UNCONFIRMED |NEW
Ever Confirmed|0 |1
Last reconfirmed|0000-00-00 00:00:00 |2006-12-27 21:43:58
date| |
http://gcc.gnu.org/bugzilla/show_bug.cgi?id=29966
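The failure mode described in comment #8, as an added simplified model (not libcpp code and not the submitted patch): a cursor snapshot restored after the lexer has moved to a new token run leaves the cursor outside the current run, and the invariant check catches it before any write. All names here (`reader`, `run`, `RUN_LEN`, `lex_direct`, `lex_token`, `lex_expansion`, `define_macro`, `scenario`) are hypothetical stand-ins.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdlib.h>

#define RUN_LEN 4   /* tiny run so the boundary is easy to reach */
typedef struct run { int tok[RUN_LEN]; struct run *next; } run;
typedef struct { run *cur_run; int *cur_token; } reader;
static run *new_run(void) { run *n = calloc(1, sizeof *n); if (!n) abort(); return n; }

/* Invariant: cur_token points into (or one past the end of) cur_run. */
static bool in_current_run(const reader *r) {
    uintptr_t p = (uintptr_t)r->cur_token, lo = (uintptr_t)r->cur_run->tok;
    return p >= lo && p <= lo + sizeof r->cur_run->tok;
}

/* lex_direct writes one token at cur_token and knows nothing about runs;
   lex_token is run-aware and moves to a fresh run when the current is full. */
static int *lex_direct(reader *r) { *r->cur_token = 1; return r->cur_token++; }
static int *lex_token(reader *r) {
    if (r->cur_token == r->cur_run->tok + RUN_LEN) {
        if (!r->cur_run->next) r->cur_run->next = new_run();
        r->cur_run = r->cur_run->next;
        r->cur_token = r->cur_run->tok;
    }
    return lex_direct(r);
}

/* Lex one macro-body token into its own slot; save/restore stays local. */
static void lex_expansion(reader *r, int *slot) {
    int *saved = r->cur_token;
    r->cur_token = slot;
    lex_direct(r);
    r->cur_token = saved;
}

/* Lex `lookahead` run-aware tokens, then two body tokens. outer_restore models
   the buggy shape: cur_token is reset to a snapshot taken before cur_run moved. */
static bool define_macro(reader *r, int lookahead, bool outer_restore) {
    int slots[2], *saved = r->cur_token;
    for (int i = 0; i < lookahead; i++) lex_token(r);
    for (int i = 0; i < 2; i++) lex_expansion(r, &slots[i]);
    if (outer_restore) r->cur_token = saved;
    return in_current_run(r);   /* false: the next lex would write off-run */
}

/* Fresh reader per scenario; true if the invariant held afterwards. */
static bool scenario(int lookahead, bool outer_restore) {
    run *first = new_run();
    reader r = { first, first->tok };
    bool ok = define_macro(&r, lookahead, outer_restore);
    for (run *p = first, *n; p; p = n) { n = p->next; free(p); }
    return ok;
}

int main(void) { return !(scenario(5, false) && !scenario(5, true)); }
```

With a lookahead of five tokens the run boundary is crossed, so the outer restore breaks the invariant while the local save/restore keeps it; with a short lookahead both shapes pass, which is why the crash depended on seemingly innocent changes to the input.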
* [Bug preprocessor/29966] crash in cc1 with backtrace from free()
From: patchapp at dberlin dot org @ 2007-01-01 21:53 UTC (permalink / raw)
To: gcc-bugs
------- Comment #9 from patchapp at dberlin dot org 2007-01-01 21:53 -------
Subject: Bug number PR preprocessor/29966
A patch for this bug has been added to the patch tracker.
The mailing list url for the patch is
http://gcc.gnu.org/ml/gcc-patches/2006-12/msg01848.html
--
http://gcc.gnu.org/bugzilla/show_bug.cgi?id=29966
* [Bug preprocessor/29966] crash in cc1 with backtrace from free()
From: tromey at gcc dot gnu dot org @ 2007-01-08 1:31 UTC (permalink / raw)
To: gcc-bugs
--
tromey at gcc dot gnu dot org changed:
What |Removed |Added
----------------------------------------------------------------------------
AssignedTo|unassigned at gcc dot gnu |tromey at gcc dot gnu dot
|dot org |org
Status|NEW |ASSIGNED
Last reconfirmed|2006-12-27 21:43:58 |2007-01-08 01:30:57
date| |
http://gcc.gnu.org/bugzilla/show_bug.cgi?id=29966
* [Bug preprocessor/29966] crash in cc1 with backtrace from free()
From: tromey at gcc dot gnu dot org @ 2007-01-30 15:46 UTC (permalink / raw)
To: gcc-bugs
------- Comment #10 from tromey at gcc dot gnu dot org 2007-01-30 15:46 -------
Subject: Bug 29966
Author: tromey
Date: Tue Jan 30 15:46:01 2007
New Revision: 121340
URL: http://gcc.gnu.org/viewcvs?root=gcc&view=rev&rev=121340
Log:
PR preprocessor/29966:
* macro.c (lex_expansion_token): Save and restore cpp_reader's
cur_token.
(_cpp_create_definition): Don't restore cur_token here.
* lex.c (_cpp_lex_token): Added assertion.
Modified:
trunk/libcpp/ChangeLog
trunk/libcpp/lex.c
trunk/libcpp/macro.c
--
http://gcc.gnu.org/bugzilla/show_bug.cgi?id=29966
* [Bug preprocessor/29966] crash in cc1 with backtrace from free()
From: tromey at gcc dot gnu dot org @ 2007-01-30 16:29 UTC (permalink / raw)
To: gcc-bugs
------- Comment #11 from tromey at gcc dot gnu dot org 2007-01-30 16:29 -------
Fix checked in.
--
tromey at gcc dot gnu dot org changed:
What |Removed |Added
----------------------------------------------------------------------------
Status|ASSIGNED |RESOLVED
Resolution| |FIXED
Target Milestone|--- |4.3.0
http://gcc.gnu.org/bugzilla/show_bug.cgi?id=29966