public inbox for gcc-bugs@sourceware.org
* [Bug tree-optimization/101154] New: [12 Regression] AddressSanitizer: dynamic-stack-buffer-overflow on address: in vect_build_slp_tree_2 ../../gcc/tree-vect-slp.c:2039
@ 2021-06-21 19:27 marxin at gcc dot gnu.org
From: marxin at gcc dot gnu.org @ 2021-06-21 19:27 UTC (permalink / raw)
  To: gcc-bugs

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=101154

            Bug ID: 101154
           Summary: [12 Regression] AddressSanitizer:
                    dynamic-stack-buffer-overflow on address: in
                    vect_build_slp_tree_2 ../../gcc/tree-vect-slp.c:2039
           Product: gcc
           Version: 12.0
            Status: UNCONFIRMED
          Severity: normal
          Priority: P3
         Component: tree-optimization
          Assignee: unassigned at gcc dot gnu.org
          Reporter: marxin at gcc dot gnu.org
                CC: rguenth at gcc dot gnu.org
            Blocks: 86656
  Target Milestone: ---

Please build the host compiler with:
make -j16 all-host -k CFLAGS="-O0 -g -fsanitize=address" CXXFLAGS="-O0 -g -fsanitize=address" LDFLAGS="-fsanitize=address -ldl"

and then:

$ cat ice.i
_Complex matmul_c4_vanilla_abase_0, matmul_c4_vanilla_b_0_0;
_Complex *matmul_c4_vanilla_dest;

int matmul_c4_vanilla_x;
void matmul_c4_vanilla() {
  for (; matmul_c4_vanilla_x; matmul_c4_vanilla_x++)
    matmul_c4_vanilla_dest[matmul_c4_vanilla_x] +=
        matmul_c4_vanilla_abase_0 * matmul_c4_vanilla_b_0_0;
}

causes:

$ /home/mliska/Programming/gcc/objdir/./gcc/xgcc -B/home/mliska/Programming/gcc/objdir/./gcc/ -Ofast ice.i -c
=================================================================
==2428==ERROR: AddressSanitizer: dynamic-stack-buffer-overflow on address 0x7fffffff8bc2 at pc 0x0000022a04ff bp 0x7fffffff5fc0 sp 0x7fffffff5fb8
WRITE of size 1 at 0x7fffffff8bc2 thread T0
    #0 0x22a04fe in vect_build_slp_tree_2 ../../gcc/tree-vect-slp.c:2039
    #1 0x229126e in vect_build_slp_tree ../../gcc/tree-vect-slp.c:1581
    #2 0x22947b6 in vect_build_slp_tree_2 ../../gcc/tree-vect-slp.c:2247
    #3 0x229126e in vect_build_slp_tree ../../gcc/tree-vect-slp.c:1581
    #4 0x22a2f85 in vect_build_slp_instance ../../gcc/tree-vect-slp.c:3018
    #5 0x22a7c06 in vect_analyze_slp_instance ../../gcc/tree-vect-slp.c:3337
    #6 0x22bd06b in vect_analyze_slp(vec_info*, unsigned int) ../../gcc/tree-vect-slp.c:3370
    #7 0x2220e27 in vect_analyze_loop_2 ../../gcc/tree-vect-loop.c:2317
    #8 0x222b95b in vect_analyze_loop(loop*, vec_info_shared*) ../../gcc/tree-vect-loop.c:2986
    #9 0x22f479f in try_vectorize_loop_1 ../../gcc/tree-vectorizer.c:1004
    #10 0x22f6f41 in vectorize_loops() ../../gcc/tree-vectorizer.c:1238
    #11 0x1655b31 in execute_one_pass(opt_pass*) ../../gcc/passes.c:2567
    #12 0x1657429 in execute_pass_list_1 ../../gcc/passes.c:2656
    #13 0x165744f in execute_pass_list_1 ../../gcc/passes.c:2657
    #14 0x165744f in execute_pass_list_1 ../../gcc/passes.c:2657
    #15 0x16574b2 in execute_pass_list(function*, opt_pass*) ../../gcc/passes.c:2667
    #16 0xb1f528 in cgraph_node::expand() ../../gcc/cgraphunit.c:1828
    #17 0xb1f528 in cgraph_node::expand() ../../gcc/cgraphunit.c:1781
    #18 0xb225a6 in expand_all_functions ../../gcc/cgraphunit.c:1992
    #19 0xb225a6 in symbol_table::compile() ../../gcc/cgraphunit.c:2356
    #20 0xb2b1c6 in symbol_table::compile() ../../gcc/cgraphunit.c:2269
    #21 0xb2b1c6 in symbol_table::finalize_compilation_unit() ../../gcc/cgraphunit.c:2537
    #22 0x193dd1c in compile_file ../../gcc/toplev.c:482
    #23 0x63e7f8 in do_compile ../../gcc/toplev.c:2210
    #24 0x63e7f8 in toplev::main(int, char**) ../../gcc/toplev.c:2349
    #25 0x64b11a in main ../../gcc/main.c:39
    #26 0x7ffff6e96b34 in __libc_start_main (/lib64/libc.so.6+0x27b34)
    #27 0x64c3dd in _start (/home/mliska/Programming/gcc/objdir/gcc/cc1+0x64c3dd)

Address 0x7fffffff8bc2 is located in stack of thread T0 at offset 1058 in frame
    #0 0x228fc6f in vect_build_slp_tree ../../gcc/tree-vect-slp.c:1536

  This frame has 18 object(s):
    [32, 40) '<unknown>'
    [64, 72) 'this_max_nunits' (line 1580)
    [96, 104) 'h' (line 1405)
    [128, 136) 'r'
    [160, 168) 'new_vec'
    [192, 200) 'h' (line 1405)
    [224, 232) 'r'
    [256, 264) 'stmts' (line 1532)
    [288, 312) '<unknown>'
    [352, 376) '<unknown>'
    [416, 440) '<unknown>'
    [480, 504) '<unknown>'
    [544, 568) '<unknown>'
    [608, 640) '<unknown>'
    [672, 704) '<unknown>'
    [736, 768) '<unknown>'
    [800, 832) '<unknown>'
    [864, 896) '<unknown>' <== Memory access at offset 1058 overflows this variable
HINT: this may be a false positive if your program uses some custom stack unwind mechanism, swapcontext or vfork
      (longjmp and C++ exceptions *are* supported)
SUMMARY: AddressSanitizer: dynamic-stack-buffer-overflow ../../gcc/tree-vect-slp.c:2039 in vect_build_slp_tree_2
Shadow bytes around the buggy address:
  0x10007fff7120: 00 00 00 f2 f2 f2 f2 f2 00 00 00 f2 f2 f2 f2 f2
  0x10007fff7130: 00 00 00 f2 f2 f2 f2 f2 00 00 00 f2 f2 f2 f2 f2
  0x10007fff7140: 00 00 00 00 f2 f2 f2 f2 00 00 00 00 f2 f2 f2 f2
  0x10007fff7150: 00 00 00 00 f2 f2 f2 f2 00 00 00 00 f2 f2 f2 f2
  0x10007fff7160: 00 00 00 00 f3 f3 f3 f3 00 00 00 00 00 00 00 00
=>0x10007fff7170: 00 00 00 00 ca ca ca ca[02]cb cb cb cb cb cb cb
  0x10007fff7180: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10007fff7190: 00 00 00 00 00 00 00 00 00 00 f1 f1 f1 f1 f1 f1
  0x10007fff71a0: 04 f2 00 f2 f2 f2 00 f2 f2 f2 00 f2 f2 f2 00 f2
  0x10007fff71b0: f2 f2 00 f2 f2 f2 00 f2 f2 f2 00 f2 f2 f2 00 f2
  0x10007fff71c0: f2 f2 00 f2 f2 f2 00 f2 f2 f2 00 f2 f2 f2 00 f2
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
  Shadow gap:              cc
==2428==ABORTING


Referenced Bugs:

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=86656
[Bug 86656] [meta-bug] Issues found with -fsanitize=address

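Reading the report above as a triage task: the following is an added example, not part of the bug report or of GCC, that parses an ASan stack-overflow report into the facts a reviewer acts on (error kind, access, faulting site, owning frame, overrun object) and decodes the bracketed shadow byte. The sample is the report above with the mailer's line wraps re-joined and the stacks shortened.

```python
import re

# Constructed sample: the report above, mailer line wraps re-joined, stacks cut to needed frames.
SAMPLE = """\
==2428==ERROR: AddressSanitizer: dynamic-stack-buffer-overflow on address 0x7fffffff8bc2 at pc 0x0000022a04ff bp 0x7fffffff5fc0 sp 0x7fffffff5fb8
WRITE of size 1 at 0x7fffffff8bc2 thread T0
    #0 0x22a04fe in vect_build_slp_tree_2 ../../gcc/tree-vect-slp.c:2039
Address 0x7fffffff8bc2 is located in stack of thread T0 at offset 1058 in frame
    #0 0x228fc6f in vect_build_slp_tree ../../gcc/tree-vect-slp.c:1536
  This frame has 18 object(s):
    [64, 72) 'this_max_nunits' (line 1580)
    [864, 896) '<unknown>' <== Memory access at offset 1058 overflows this variable
SUMMARY: AddressSanitizer: dynamic-stack-buffer-overflow ../../gcc/tree-vect-slp.c:2039 in vect_build_slp_tree_2
"""

ERROR_RE = re.compile(r"==\d+==ERROR: AddressSanitizer: (\S+) on address (0x[0-9a-f]+)")
ACCESS_RE = re.compile(r"^(READ|WRITE) of size (\d+) at 0x[0-9a-f]+", re.M)
FRAME_RE = re.compile(r"^\s*#\d+ 0x[0-9a-f]+ in (.+?) (\S+):(\d+)$", re.M)
OBJECT_RE = re.compile(r"^\s*\[(\d+), (\d+)\) '([^']*)'(.*)$", re.M)

def frame(m):
    return (m.group(1), m.group(2), int(m.group(3))) if m else None

def parse_asan_stack_report(text):
    """Triage facts from an ASan stack-overflow report, or None if text is not one."""
    m = ERROR_RE.search(text)
    if not m:
        return None
    acc = ACCESS_RE.search(text)
    # Before "is located in stack": the faulting stack (#0 is the bug site);
    # after it: the owning frame, the offset within it, and that frame's objects.
    head, _, tail = text.partition("is located in stack")
    off = re.search(r"at offset (\d+) in frame", tail)
    offset = int(off.group(1)) if off else None
    hit = next((o for o in OBJECT_RE.findall(tail) if "<==" in o[3]), None)
    return {
        "kind": m.group(1), "address": int(m.group(2), 16),
        "access": acc.group(1) if acc else None, "size": int(acc.group(2)) if acc else None,
        "site": frame(FRAME_RE.search(head)), "owner": frame(FRAME_RE.search(tail)),
        "offset": offset, "hit_object": (int(hit[0]), int(hit[1]), hit[2]) if hit else None,
        # gap past the nearest static slot; on a "dynamic-" report the overrun buffer is an
        # alloca/VLA that the static object list cannot name, hence the large gap here
        "past_object_end": offset - int(hit[1]) if hit and offset is not None else None,
    }

def shadow_overrun(addr, shadow_byte):
    """Bytes past the end of the addressable part of the faulting 8-byte granule: a partial
    shadow value k (1..7) means only its first k bytes are addressable; '[02]' at 0x...8bc2 gives 1."""
    if not 1 <= shadow_byte <= 7 or (addr & 7) < shadow_byte:
        return None
    return (addr & 7) - shadow_byte + 1
```

For this report the write lands exactly one byte past the end of the alloca'd region, the signature of an off-by-one index, which matches the commit below describing an out-of-bound access of `matches`.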

* [Bug tree-optimization/101154] [12 Regression] AddressSanitizer: dynamic-stack-buffer-overflow on address: in vect_build_slp_tree_2 ../../gcc/tree-vect-slp.c:2039
From: marxin at gcc dot gnu.org @ 2021-06-21 19:28 UTC (permalink / raw)
  To: gcc-bugs

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=101154

Martin Liška <marxin at gcc dot gnu.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
   Last reconfirmed|                            |2021-06-21
     Ever confirmed|0                           |1
   Target Milestone|---                         |12.0
             Status|UNCONFIRMED                 |NEW


* [Bug tree-optimization/101154] [12 Regression] AddressSanitizer: dynamic-stack-buffer-overflow on address: in vect_build_slp_tree_2 ../../gcc/tree-vect-slp.c:2039
From: rguenth at gcc dot gnu.org @ 2021-06-22  6:51 UTC (permalink / raw)
  To: gcc-bugs

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=101154

Richard Biener <rguenth at gcc dot gnu.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
           Assignee|unassigned at gcc dot gnu.org      |rguenth at gcc dot gnu.org
             Status|NEW                         |ASSIGNED

--- Comment #1 from Richard Biener <rguenth at gcc dot gnu.org> ---
I will have a look.


* [Bug tree-optimization/101154] [12 Regression] AddressSanitizer: dynamic-stack-buffer-overflow on address: in vect_build_slp_tree_2 ../../gcc/tree-vect-slp.c:2039
From: marxin at gcc dot gnu.org @ 2021-06-22  6:54 UTC (permalink / raw)
  To: gcc-bugs

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=101154

--- Comment #2 from Martin Liška <marxin at gcc dot gnu.org> ---
Good. Hope you can reproduce it. Tell me if you need a bisection or not.


* [Bug tree-optimization/101154] [12 Regression] AddressSanitizer: dynamic-stack-buffer-overflow on address: in vect_build_slp_tree_2 ../../gcc/tree-vect-slp.c:2039
From: cvs-commit at gcc dot gnu.org @ 2021-06-22  9:01 UTC (permalink / raw)
  To: gcc-bugs

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=101154

--- Comment #3 from CVS Commits <cvs-commit at gcc dot gnu.org> ---
The master branch has been updated by Richard Biener <rguenth@gcc.gnu.org>:

https://gcc.gnu.org/g:26f05f5a823030ebb52b107a8c303d07f77fe317

commit r12-1713-g26f05f5a823030ebb52b107a8c303d07f77fe317
Author: Richard Biener <rguenther@suse.de>
Date:   Tue Jun 22 09:10:56 2021 +0200

    tree-optimization/101154 - fix out-of-bound access in SLP

    This fixes an out-of-bound access of matches.

    2021-06-22  Richard Biener  <rguenther@suse.de>

            PR tree-optimization/101154
            * tree-vect-slp.c (vect_build_slp_tree_2): Fix out-of-bound access.


* [Bug tree-optimization/101154] [12 Regression] AddressSanitizer: dynamic-stack-buffer-overflow on address: in vect_build_slp_tree_2 ../../gcc/tree-vect-slp.c:2039
From: rguenth at gcc dot gnu.org @ 2021-06-22  9:02 UTC (permalink / raw)
  To: gcc-bugs

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=101154

Richard Biener <rguenth at gcc dot gnu.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|ASSIGNED                    |RESOLVED
         Resolution|---                         |FIXED

--- Comment #4 from Richard Biener <rguenth at gcc dot gnu.org> ---
Fixed.
