public inbox for gcc-bugs@sourceware.org
* [Bug sanitizer/112730] New: Wrong code generated with Address Sanitizer for a call to a callback in contained subroutine, mapping not executable
@ 2023-11-27 15:55 trnka at scm dot com
From: trnka at scm dot com @ 2023-11-27 15:55 UTC (permalink / raw)
To: gcc-bugs
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=112730
Bug ID: 112730
Summary: Wrong code generated with Address Sanitizer for a call to a callback in contained subroutine, mapping not executable
Product: gcc
Version: 13.2.1
Status: UNCONFIRMED
Severity: normal
Priority: P3
Component: sanitizer
Assignee: unassigned at gcc dot gnu.org
Reporter: trnka at scm dot com
CC: dodji at gcc dot gnu.org, dvyukov at gcc dot gnu.org, jakub at gcc dot gnu.org, kcc at gcc dot gnu.org, marxin at gcc dot gnu.org
Target Milestone: ---
Created attachment 56696
--> https://gcc.gnu.org/bugzilla/attachment.cgi?id=56696&action=edit
Testcase reproducing the issue
The attached testcase works fine when compiled without sanitizers, prints a
single dot and OK. When compiled with -fsanitize=address, it segfaults
attempting the call to traverse_callback() inside traverse(). The problem seems
to occur on GCC 9 through 14, at least.
#0 0x0000155552500030 in ?? ()
#1 0x00000000004016b2 in json_traverse::traverse (p=0x602000000070) at
test-json_traverse-minimal.f90:65
#2 0x00000000004017e1 in json_value_module::json_traverse (
json=<error reading variable: Cannot access memory at address 0x0>,
p=0x602000000070, traverse_callback=0x0)
at test-json_traverse-minimal.f90:55
#3 0x0000000000401609 in json_value_module::json_check_all_for_duplicate_keys
(json=..., p=0x602000000070)
at test-json_traverse-minimal.f90:80
#4 0x00000000004019a2 in test_json_traverse () at
test-json_traverse-minimal.f90:111
The location in RIP seems to contain some sort of a trampoline:
(gdb) disass $rip,+40
Dump of assembler code from 0x155552500030 to 0x155552500058:
=> 0x0000155552500030: mov $0x401244,%r11d
0x0000155552500036: movabs $0x155552500030,%r10
0x0000155552500040: rex.WB jmp *%r11
0x0000155552500043: nop
…
Here, $0x401244 is indeed the address of the callback which should get
executed:
(gdb) disass 0x00401244
Dump of assembler code for function
json_check_all_for_duplicate_keys::duplicate_key_func:
0x0000000000401244 <+0>: push %rbp
0x0000000000401245 <+1>: mov %rsp,%rbp
0x0000000000401248 <+4>: push %r14
…
The segfault is probably because the mapping containing the trampoline is not
executable:
(gdb) info proc mappings
process 41564
Mapped address spaces:
Start Addr End Addr Size Offset Perms objfile
…
0x1555523f7000 0x155552f00000 0xb09000 0x0 rw-p
…
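The diagnosis reached above, that the indirect call lands on a trampoline inside an rw-p mapping, can be checked mechanically instead of by eyeballing `info proc mappings`. The following is an added example, not code from the bug report, from GCC or from libsanitizer. It parses the `/proc/<pid>/maps` text format (the sample lines are constructed; only the trampoline range 0x1555523f7000-0x155552f00000 and the two addresses 0x155552500030 and 0x401244 come from the report, the binary path /tmp/a.out is a placeholder), locates the mapping that contains a call target, and reports whether executing from it would fault. The `classify_in_current_process` helper runs the same check against the live process and only works on Linux.

```python
"""Classify an indirect-call target by the permissions of the mapping that
contains it: executable, mapped-but-not-executable (the SIGSEGV in the report)
or unmapped.  Added example; parses the /proc/<pid>/maps line format."""
import re
from dataclasses import dataclass
from typing import List, Optional

# One /proc/<pid>/maps line: "start-end perms offset dev inode [path]".
MAPS_LINE = re.compile(
    r"^(?P<start>[0-9a-f]+)-(?P<end>[0-9a-f]+)\s+"
    r"(?P<perms>[rwxps-]{4})\s+(?P<offset>[0-9a-f]+)\s+"
    r"(?P<dev>[0-9a-f]+:[0-9a-f]+)\s+(?P<inode>\d+)\s*(?P<path>.*)$"
)


@dataclass(frozen=True)
class Mapping:
    start: int   # inclusive
    end: int     # exclusive
    perms: str   # e.g. "r-xp"
    path: str    # backing file, "[stack]", or "" for anonymous memory

    def contains(self, addr: int) -> bool:
        return self.start <= addr < self.end

    @property
    def executable(self) -> bool:
        return "x" in self.perms


def parse_maps(text: str) -> List[Mapping]:
    """Parse maps text into Mapping records; blank lines are skipped."""
    mappings = []
    for line in text.splitlines():
        if not line.strip():
            continue
        m = MAPS_LINE.match(line)
        if m is None:
            raise ValueError(f"unrecognised maps line: {line!r}")
        mappings.append(Mapping(int(m["start"], 16), int(m["end"], 16),
                                m["perms"], m["path"].strip()))
    return mappings


def find_mapping(mappings: List[Mapping], addr: int) -> Optional[Mapping]:
    """Return the mapping containing addr, or None if the address is unmapped."""
    for mp in mappings:
        if mp.contains(addr):
            return mp
    return None


def classify_call_target(mappings: List[Mapping], addr: int) -> str:
    """'ok' for an executable mapping, 'not-executable' for a mapped page
    without the x bit (what the report's trampoline hits), 'unmapped' otherwise."""
    mp = find_mapping(mappings, addr)
    if mp is None:
        return "unmapped"
    return "ok" if mp.executable else "not-executable"


def classify_in_current_process(addr: int) -> str:
    """Same check against the running process (Linux only: reads /proc/self/maps)."""
    with open("/proc/self/maps") as f:
        return classify_call_target(parse_maps(f.read()), addr)


# Constructed sample, not real output.  Line 3 is the anonymous rw-p region
# from the report that holds the trampoline; /tmp/a.out is a placeholder path.
SAMPLE_MAPS = """\
00400000-00402000 r-xp 00000000 08:01 1234       /tmp/a.out
00602000-00603000 rw-p 00002000 08:01 1234       /tmp/a.out
1555523f7000-155552f00000 rw-p 00000000 00:00 0
7ffff7dd0000-7ffff7ff2000 r-xp 00000000 08:01 5678       /lib64/ld-linux-x86-64.so.2
7ffffffde000-7ffffffff000 rw-p 00000000 00:00 0          [stack]
"""

TRAMPOLINE = 0x155552500030  # RIP at the crash, from the report's backtrace
CALLBACK = 0x401244          # duplicate_key_func, the intended call target

if __name__ == "__main__":
    maps = parse_maps(SAMPLE_MAPS)
    for name, addr in (("trampoline", TRAMPOLINE), ("callback", CALLBACK)):
        mp = find_mapping(maps, addr)
        where = f"{mp.perms} {mp.path or '<anon>'}" if mp else "<unmapped>"
        print(f"{name:10s} {addr:#x}: {classify_call_target(maps, addr):14s} ({where})")
```

Run against the sample, the trampoline address classifies as not-executable while the real callback is ok, which is exactly the asymmetry the backtrace shows: frame #0 at an address with no symbol and no x bit, frame #1 inside the normally mapped text segment.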
* [Bug sanitizer/112730] Wrong code generated with Address Sanitizer for a call to a callback in contained subroutine, mapping not executable
From: pinskia at gcc dot gnu.org @ 2023-11-27 16:02 UTC (permalink / raw)
To: gcc-bugs
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=112730
Andrew Pinski <pinskia at gcc dot gnu.org> changed:
What |Removed |Added
----------------------------------------------------------------------------
Status|UNCONFIRMED |RESOLVED
Resolution|--- |DUPLICATE
--- Comment #1 from Andrew Pinski <pinskia at gcc dot gnu.org> ---
Dup.
*** This bug has been marked as a duplicate of bug 87875 ***