* [Bug tree-optimization/101154] New: [12 Regression] AddressSanitizer: dynamic-stack-buffer-overflow on address: in vect_build_slp_tree_2 ../../gcc/tree-vect-slp.c:2039
From: marxin at gcc dot gnu.org @ 2021-06-21 19:27 UTC (permalink / raw)
To: gcc-bugs
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=101154
Bug ID: 101154
Summary: [12 Regression] AddressSanitizer:
dynamic-stack-buffer-overflow on address: in
vect_build_slp_tree_2 ../../gcc/tree-vect-slp.c:2039
Product: gcc
Version: 12.0
Status: UNCONFIRMED
Severity: normal
Priority: P3
Component: tree-optimization
Assignee: unassigned at gcc dot gnu.org
Reporter: marxin at gcc dot gnu.org
CC: rguenth at gcc dot gnu.org
Blocks: 86656
Target Milestone: ---
Please build host compiler with:
make -j16 all-host -k CFLAGS="-O0 -g -fsanitize=address" CXXFLAGS="-O0 -g -fsanitize=address" LDFLAGS="-fsanitize=address -ldl"
and then:
$ cat ice.i
_Complex matmul_c4_vanilla_abase_0, matmul_c4_vanilla_b_0_0;
_Complex *matmul_c4_vanilla_dest;
int matmul_c4_vanilla_x;
void matmul_c4_vanilla() {
  for (; matmul_c4_vanilla_x; matmul_c4_vanilla_x++)
    matmul_c4_vanilla_dest[matmul_c4_vanilla_x] +=
      matmul_c4_vanilla_abase_0 * matmul_c4_vanilla_b_0_0;
}
causes:
$ /home/mliska/Programming/gcc/objdir/./gcc/xgcc -B/home/mliska/Programming/gcc/objdir/./gcc/ -Ofast ice.i -c
=================================================================
==2428==ERROR: AddressSanitizer: dynamic-stack-buffer-overflow on address
0x7fffffff8bc2 at pc 0x0000022a04ff bp 0x7fffffff5fc0 sp 0x7fffffff5fb8
WRITE of size 1 at 0x7fffffff8bc2 thread T0
#0 0x22a04fe in vect_build_slp_tree_2 ../../gcc/tree-vect-slp.c:2039
#1 0x229126e in vect_build_slp_tree ../../gcc/tree-vect-slp.c:1581
#2 0x22947b6 in vect_build_slp_tree_2 ../../gcc/tree-vect-slp.c:2247
#3 0x229126e in vect_build_slp_tree ../../gcc/tree-vect-slp.c:1581
#4 0x22a2f85 in vect_build_slp_instance ../../gcc/tree-vect-slp.c:3018
#5 0x22a7c06 in vect_analyze_slp_instance ../../gcc/tree-vect-slp.c:3337
#6 0x22bd06b in vect_analyze_slp(vec_info*, unsigned int)
../../gcc/tree-vect-slp.c:3370
#7 0x2220e27 in vect_analyze_loop_2 ../../gcc/tree-vect-loop.c:2317
#8 0x222b95b in vect_analyze_loop(loop*, vec_info_shared*)
../../gcc/tree-vect-loop.c:2986
#9 0x22f479f in try_vectorize_loop_1 ../../gcc/tree-vectorizer.c:1004
#10 0x22f6f41 in vectorize_loops() ../../gcc/tree-vectorizer.c:1238
#11 0x1655b31 in execute_one_pass(opt_pass*) ../../gcc/passes.c:2567
#12 0x1657429 in execute_pass_list_1 ../../gcc/passes.c:2656
#13 0x165744f in execute_pass_list_1 ../../gcc/passes.c:2657
#14 0x165744f in execute_pass_list_1 ../../gcc/passes.c:2657
#15 0x16574b2 in execute_pass_list(function*, opt_pass*)
../../gcc/passes.c:2667
#16 0xb1f528 in cgraph_node::expand() ../../gcc/cgraphunit.c:1828
#17 0xb1f528 in cgraph_node::expand() ../../gcc/cgraphunit.c:1781
#18 0xb225a6 in expand_all_functions ../../gcc/cgraphunit.c:1992
#19 0xb225a6 in symbol_table::compile() ../../gcc/cgraphunit.c:2356
#20 0xb2b1c6 in symbol_table::compile() ../../gcc/cgraphunit.c:2269
#21 0xb2b1c6 in symbol_table::finalize_compilation_unit()
../../gcc/cgraphunit.c:2537
#22 0x193dd1c in compile_file ../../gcc/toplev.c:482
#23 0x63e7f8 in do_compile ../../gcc/toplev.c:2210
#24 0x63e7f8 in toplev::main(int, char**) ../../gcc/toplev.c:2349
#25 0x64b11a in main ../../gcc/main.c:39
#26 0x7ffff6e96b34 in __libc_start_main (/lib64/libc.so.6+0x27b34)
#27 0x64c3dd in _start
(/home/mliska/Programming/gcc/objdir/gcc/cc1+0x64c3dd)
Address 0x7fffffff8bc2 is located in stack of thread T0 at offset 1058 in frame
#0 0x228fc6f in vect_build_slp_tree ../../gcc/tree-vect-slp.c:1536
This frame has 18 object(s):
[32, 40) '<unknown>'
[64, 72) 'this_max_nunits' (line 1580)
[96, 104) 'h' (line 1405)
[128, 136) 'r'
[160, 168) 'new_vec'
[192, 200) 'h' (line 1405)
[224, 232) 'r'
[256, 264) 'stmts' (line 1532)
[288, 312) '<unknown>'
[352, 376) '<unknown>'
[416, 440) '<unknown>'
[480, 504) '<unknown>'
[544, 568) '<unknown>'
[608, 640) '<unknown>'
[672, 704) '<unknown>'
[736, 768) '<unknown>'
[800, 832) '<unknown>'
[864, 896) '<unknown>' <== Memory access at offset 1058 overflows this
variable
HINT: this may be a false positive if your program uses some custom stack
unwind mechanism, swapcontext or vfork
(longjmp and C++ exceptions *are* supported)
SUMMARY: AddressSanitizer: dynamic-stack-buffer-overflow
../../gcc/tree-vect-slp.c:2039 in vect_build_slp_tree_2
Shadow bytes around the buggy address:
0x10007fff7120: 00 00 00 f2 f2 f2 f2 f2 00 00 00 f2 f2 f2 f2 f2
0x10007fff7130: 00 00 00 f2 f2 f2 f2 f2 00 00 00 f2 f2 f2 f2 f2
0x10007fff7140: 00 00 00 00 f2 f2 f2 f2 00 00 00 00 f2 f2 f2 f2
0x10007fff7150: 00 00 00 00 f2 f2 f2 f2 00 00 00 00 f2 f2 f2 f2
0x10007fff7160: 00 00 00 00 f3 f3 f3 f3 00 00 00 00 00 00 00 00
=>0x10007fff7170: 00 00 00 00 ca ca ca ca[02]cb cb cb cb cb cb cb
0x10007fff7180: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x10007fff7190: 00 00 00 00 00 00 00 00 00 00 f1 f1 f1 f1 f1 f1
0x10007fff71a0: 04 f2 00 f2 f2 f2 00 f2 f2 f2 00 f2 f2 f2 00 f2
0x10007fff71b0: f2 f2 00 f2 f2 f2 00 f2 f2 f2 00 f2 f2 f2 00 f2
0x10007fff71c0: f2 f2 00 f2 f2 f2 00 f2 f2 f2 00 f2 f2 f2 00 f2
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
Shadow gap: cc
==2428==ABORTING
Referenced Bugs:
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=86656
[Bug 86656] [meta-bug] Issues found with -fsanitize=address
^ permalink raw reply [flat|nested] 6+ messages in thread
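Reading the `=>` shadow row of the report above, as an added example (not code from GCC or from this thread): it applies ASan's x86-64 Linux mapping, shadow = (addr >> 3) + 0x7fff8000, to the reported address and measures the object sitting between the alloca redzones. The mapping constant and the helper names are assumptions of this example; the address and the row bytes are copied from the report.

```c
#include <stdint.h>
#include <stdio.h>

#define SHADOW_OFFSET 0x7fff8000ULL /* assumption: ASan default, x86-64 Linux */
#define LEFT_ALLOCA_RZ 0xca         /* "Left alloca redzone" in the legend */

/* Copied from the report: faulting address and the "=>" shadow row. */
static const uint64_t FAULT_ADDR = 0x7fffffff8bc2ULL;
static const uint64_t ROW_BASE = 0x10007fff7170ULL;
static const uint8_t ROW[16] = {0x00, 0x00, 0x00, 0x00, 0xca, 0xca, 0xca, 0xca,
                                0x02, 0xcb, 0xcb, 0xcb, 0xcb, 0xcb, 0xcb, 0xcb};

/* One shadow byte describes 8 application bytes. */
uint64_t shadow_addr(uint64_t addr) { return (addr >> 3) + SHADOW_OFFSET; }

/* The check ASan makes before an access of size <= 8: 0 = granule fully
   addressable, 1..7 = first k bytes addressable, anything else = poisoned. */
int access_is_bad(uint8_t k, uint64_t addr, unsigned size) {
    if (k == 0) return 0;
    if (k > 7) return 1;
    return (addr & 7) + size > k;
}

/* Index of addr's shadow byte inside ROW, or -1 if it is not in this row. */
int row_index(uint64_t addr) {
    uint64_t s = shadow_addr(addr);
    return (s >= ROW_BASE && s < ROW_BASE + 16) ? (int)(s - ROW_BASE) : -1;
}

/* Size in bytes of the alloca'd object holding addr's granule; *off receives
   addr's offset from the object start. -1 if the row does not show it all. */
long object_size(uint64_t addr, long *off) {
    int idx = row_index(addr), first, i;
    long size = 0;
    if (idx < 0 || ROW[idx] > 7) return -1;
    for (first = idx; first > 0 && ROW[first - 1] <= 7; first--) ;
    if (first == 0 || ROW[first - 1] != LEFT_ALLOCA_RZ) return -1;
    for (i = first; i < 16 && ROW[i] == 0; i++) size += 8;
    if (i == 16) return -1;            /* object runs past this row */
    if (ROW[i] <= 7) size += ROW[i];   /* trailing partial granule */
    *off = (long)(idx - first) * 8 + (long)(addr & 7);
    return size;
}

int main(void) {
    long off, size = object_size(FAULT_ADDR, &off);
    int bad = access_is_bad(ROW[row_index(FAULT_ADDR)], FAULT_ADDR, 1);
    printf("shadow 0x%llx, object size %ld, write at offset %ld: %s\n",
           (unsigned long long)shadow_addr(FAULT_ADDR), size, off, bad ? "bad" : "ok");
    return 0;
}
```

The row decodes to a 2-byte alloca'd object with the 1-byte WRITE landing at offset 2, that is, one element past its end.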
* [Bug tree-optimization/101154] [12 Regression] AddressSanitizer: dynamic-stack-buffer-overflow on address: in vect_build_slp_tree_2 ../../gcc/tree-vect-slp.c:2039
From: marxin at gcc dot gnu.org @ 2021-06-21 19:28 UTC (permalink / raw)
To: gcc-bugs
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=101154
Martin Liška <marxin at gcc dot gnu.org> changed:
What |Removed |Added
----------------------------------------------------------------------------
Last reconfirmed| |2021-06-21
Ever confirmed|0 |1
Target Milestone|--- |12.0
Status|UNCONFIRMED |NEW
^ permalink raw reply [flat|nested] 6+ messages in thread
* [Bug tree-optimization/101154] [12 Regression] AddressSanitizer: dynamic-stack-buffer-overflow on address: in vect_build_slp_tree_2 ../../gcc/tree-vect-slp.c:2039
From: rguenth at gcc dot gnu.org @ 2021-06-22 6:51 UTC (permalink / raw)
To: gcc-bugs
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=101154
Richard Biener <rguenth at gcc dot gnu.org> changed:
What |Removed |Added
----------------------------------------------------------------------------
Assignee|unassigned at gcc dot gnu.org |rguenth at gcc dot gnu.org
Status|NEW |ASSIGNED
--- Comment #1 from Richard Biener <rguenth at gcc dot gnu.org> ---
I will have a look.
^ permalink raw reply [flat|nested] 6+ messages in thread
* [Bug tree-optimization/101154] [12 Regression] AddressSanitizer: dynamic-stack-buffer-overflow on address: in vect_build_slp_tree_2 ../../gcc/tree-vect-slp.c:2039
From: marxin at gcc dot gnu.org @ 2021-06-22 6:54 UTC (permalink / raw)
To: gcc-bugs
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=101154
--- Comment #2 from Martin Liška <marxin at gcc dot gnu.org> ---
Good. Hope you can reproduce it. Tell me if you need bisection or not?
^ permalink raw reply [flat|nested] 6+ messages in thread
* [Bug tree-optimization/101154] [12 Regression] AddressSanitizer: dynamic-stack-buffer-overflow on address: in vect_build_slp_tree_2 ../../gcc/tree-vect-slp.c:2039
From: cvs-commit at gcc dot gnu.org @ 2021-06-22 9:01 UTC (permalink / raw)
To: gcc-bugs
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=101154
--- Comment #3 from CVS Commits <cvs-commit at gcc dot gnu.org> ---
The master branch has been updated by Richard Biener <rguenth@gcc.gnu.org>:
https://gcc.gnu.org/g:26f05f5a823030ebb52b107a8c303d07f77fe317
commit r12-1713-g26f05f5a823030ebb52b107a8c303d07f77fe317
Author: Richard Biener <rguenther@suse.de>
Date: Tue Jun 22 09:10:56 2021 +0200
tree-optimization/101154 - fix out-of bound access in SLP
This fixes an out-of-bound access of matches.
2021-06-22 Richard Biener <rguenther@suse.de>
PR tree-optimization/101154
* tree-vect-slp.c (vect_build_slp_tree_2): Fix out-of-bound access.
^ permalink raw reply [flat|nested] 6+ messages in thread
* [Bug tree-optimization/101154] [12 Regression] AddressSanitizer: dynamic-stack-buffer-overflow on address: in vect_build_slp_tree_2 ../../gcc/tree-vect-slp.c:2039
From: rguenth at gcc dot gnu.org @ 2021-06-22 9:02 UTC (permalink / raw)
To: gcc-bugs
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=101154
Richard Biener <rguenth at gcc dot gnu.org> changed:
What |Removed |Added
----------------------------------------------------------------------------
Status|ASSIGNED |RESOLVED
Resolution|--- |FIXED
--- Comment #4 from Richard Biener <rguenth at gcc dot gnu.org> ---
Fixed.
^ permalink raw reply [flat|nested] 6+ messages in thread