* [Bug rtl-optimization/52629] New: global buffer overflow in gcc/reload1.c
From: konstantin.s.serebryany at gmail dot com @ 2012-03-19 23:49 UTC (permalink / raw)
To: gcc-bugs
http://gcc.gnu.org/bugzilla/show_bug.cgi?id=52629
Bug #: 52629
Summary: global buffer overflow in gcc/reload1.c
Classification: Unclassified
Product: gcc
Version: 4.8.0
Status: UNCONFIRMED
Severity: normal
Priority: P3
Component: rtl-optimization
AssignedTo: unassigned@gcc.gnu.org
ReportedBy: konstantin.s.serebryany@gmail.com
Building gcc trunk (r185531, linux, x86_64) with AddressSanitizer (a memory error detector) shows a global buffer overflow in gcc/reload1.c while compiling libgcc/libgcc2.c with ./gcc/xgcc:
==21687== ERROR: AddressSanitizer global-buffer-overflow on address
0x000002ddc551 at pc 0xf98a5f bp 0x7fffdcbe1050 sp 0x7fffdcbe1048
READ of size 1 at 0x000002ddc551 thread T0
#0 0xf98a5f in count_spilled_pseudo gcc/reload1.c:1830
#1 0xf715a6 in bmp_iter_set_init gcc/bitmap.h:385
#2 0xd55dc2 in do_reload gcc/ira.c:3733
#3 0xea9e0d in execute_one_pass gcc/passes.c:2084
#4 0xeaaf4d in execute_pass_list gcc/passes.c:2139
#5 0xeaaf71 in execute_pass_list gcc/passes.c:2141
#6 0x1200802 in invoke_plugin_callbacks gcc/plugin.h:57
#7 0x81917d in cgraph_expand_function gcc/cgraphunit.c:1840
#8 0x820425 in cgraph_expand_all_functions gcc/cgraphunit.c:1904
#9 0x81c655 in timevar_pop gcc/timevar.h:110
#10 0x4ebc2e in c_write_global_declarations gcc/c-decl.c:10053
#11 0x10b82c5 in compile_file gcc/toplev.c:575
#12 0x2b1cbf568c4d in __libc_start_main
/build/buildd/eglibc-2.11.1/csu/libc-start.c:258
0x000002ddc551 is located 17 bytes to the right of global variable
'default_target_hard_regs (../../gcc_trunk/gcc/reginfo.c)' (0x2dd9d80) of size
10176
The buggy lines:

    static void
    count_spilled_pseudo (int spilled, int spilled_nregs, int reg)
    {
      int freq = REG_FREQ (reg);
      int r = reg_renumber[reg];
      int nregs = hard_regno_nregs[r][PSEUDO_REGNO_MODE (reg)];

The value of 'r' can be -1, thus the buffer overflow.
One can confirm this bug by changing the code like this and performing a full gcc build:

    count_spilled_pseudo (int spilled, int spilled_nregs, int reg)
    {
      int freq = REG_FREQ (reg);
      int r = reg_renumber[reg];
      int nregs;
      gcc_assert (r >= 0); /*<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<*/
      nregs = hard_regno_nregs[r][PSEUDO_REGNO_MODE (reg)];
* [Bug rtl-optimization/52629] global buffer overflow in gcc/reload1.c
From: ebotcazou at gcc dot gnu.org @ 2012-03-21 16:23 UTC (permalink / raw)
To: gcc-bugs
http://gcc.gnu.org/bugzilla/show_bug.cgi?id=52629
Eric Botcazou <ebotcazou at gcc dot gnu.org> changed:
What              |Removed                        |Added
------------------+-------------------------------+-------------------------------
Status            |UNCONFIRMED                    |ASSIGNED
Last reconfirmed  |                               |2012-03-21
CC                |                               |ebotcazou at gcc dot gnu.org
AssignedTo        |unassigned at gcc dot gnu.org  |ebotcazou at gcc dot gnu.org
Ever Confirmed    |0                              |1
--- Comment #1 from Eric Botcazou <ebotcazou at gcc dot gnu.org> 2012-03-21 16:21:21 UTC ---
Ugh. count_pseudo has the correct implementation.
* [Bug rtl-optimization/52629] out-of-bounds access in reload1.c
From: ebotcazou at gcc dot gnu.org @ 2012-03-26 8:42 UTC (permalink / raw)
To: gcc-bugs
http://gcc.gnu.org/bugzilla/show_bug.cgi?id=52629
--- Comment #2 from Eric Botcazou <ebotcazou at gcc dot gnu.org> 2012-03-26 08:41:14 UTC ---
Author: ebotcazou
Date: Mon Mar 26 08:41:02 2012
New Revision: 185787
URL: http://gcc.gnu.org/viewcvs?root=gcc&view=rev&rev=185787
Log:
	PR rtl-optimization/52629
	* reload1.c (count_pseudo): Short-circuit common case.
	(count_spilled_pseudo): Return early for pseudos without hard regs.
	Assert that the pseudo has got a hard reg before manipulating it.
Modified:
trunk/gcc/ChangeLog
trunk/gcc/reload1.c
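A constructed C model of the two orderings at issue, added here as an example and not code from GCC, the reporter or the committer: the report's order indexes hard_regno_nregs with reg_renumber[reg] before testing it for -1, while the fixed order from the r185787 log returns early for pseudos without a hard reg. Table sizes, values and the helper names are made up for the example.

```c
/* Constructed model of the reload1.c tables: sizes and values are made up
   for this example and are not GCC's real definitions. */
#define N_HARD_REGS 8
#define N_MODES     3
#define N_PSEUDOS   5

/* reg_renumber[p]: hard reg assigned to pseudo p, or -1 if it has none. */
static const int reg_renumber[N_PSEUDOS] = { 0, -1, 2, 4, 7 };
/* Stand-ins for PSEUDO_REGNO_MODE (reg) and REG_FREQ (reg). */
static const int pseudo_mode[N_PSEUDOS] = { 1, 2, 2, 0, 1 };
static const int reg_freq[N_PSEUDOS]    = { 10, 20, 30, 40, 50 };
/* hard_regno_nregs[r][m]: hard regs a value of mode m occupies from reg r. */
static const unsigned char hard_regno_nregs[N_HARD_REGS][N_MODES] = {
  {1,1,2}, {1,1,2}, {1,1,2}, {1,1,2}, {1,1,2}, {1,1,2}, {1,1,2}, {1,1,1} };

/* Order from the report: the table is indexed before r is tested, so a
   pseudo with no hard reg reads row -1, outside the array (ASan flags it). */
static int overlap_nregs_buggy (int spilled, int spilled_nregs, int reg)
{
  int r = reg_renumber[reg];
  int nregs = hard_regno_nregs[r][pseudo_mode[reg]];
  if (r < 0 || spilled + spilled_nregs <= r || r + nregs <= spilled)
    return 0;
  return nregs;
}

/* Fixed order, as the r185787 log describes: return early for pseudos
   without a hard reg, and only then consult hard_regno_nregs. */
static int overlap_nregs_fixed (int spilled, int spilled_nregs, int reg)
{
  int r = reg_renumber[reg];
  if (r < 0)
    return 0;
  int nregs = hard_regno_nregs[r][pseudo_mode[reg]];
  if (spilled + spilled_nregs <= r || r + nregs <= spilled)
    return 0;
  return nregs;
}

/* Sum of REG_FREQ over pseudos whose hard regs overlap [spilled, spilled+n):
   the cost count_spilled_pseudo subtracts from spill_cost for that range. */
static int spilled_freq_total (int spilled, int spilled_nregs)
{
  int total = 0;
  for (int reg = 0; reg < N_PSEUDOS; reg++)
    if (overlap_nregs_fixed (spilled, spilled_nregs, reg) > 0)
      total += reg_freq[reg];
  return total;
}
```

Calling overlap_nregs_buggy on pseudo 1 (reg_renumber == -1) under -fsanitize=address reproduces the class of report shown above; the fixed variant skips that pseudo without touching the table.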
* [Bug rtl-optimization/52629] out-of-bounds access in reload1.c
From: ebotcazou at gcc dot gnu.org @ 2012-03-28 23:51 UTC (permalink / raw)
To: gcc-bugs
http://gcc.gnu.org/bugzilla/show_bug.cgi?id=52629
Eric Botcazou <ebotcazou at gcc dot gnu.org> changed:
What              |Removed                        |Added
------------------+-------------------------------+-------------------------------
Status            |ASSIGNED                       |RESOLVED
Resolution        |                               |FIXED
Target Milestone  |---                            |4.8.0
--- Comment #3 from Eric Botcazou <ebotcazou at gcc dot gnu.org> 2012-03-28 21:51:51 UTC ---
On the trunk only.