[Bug other/53615] New: Buffer overflow in the compiler?

[Bug other/53615] New: Buffer overflow in the compiler?

[gjl at gcc dot gnu.org]

http://gcc.gnu.org/bugzilla/show_bug.cgi?id=53615

             Bug #: 53615
           Summary: Buffer overflow in the compiler?
    Classification: Unclassified
           Product: gcc
           Version: 4.7.0
            Status: UNCONFIRMED
          Severity: normal
          Priority: P3
         Component: other
        AssignedTo: unassigned@gcc.gnu.org
        ReportedBy: gjl@gcc.gnu.org
              Host: x86-linux-gnu, mingw32
            Target: avr
             Build: x86-linux-gnu


This is a bug I observe with the GCC 4.7.1 release snapshot SVN 188257.

== Command line ==

$ avr-gcc -c wek.c -mmcu=atmega2561 -O3 -mstrict-X

== configure ==

Target: avr
Configured with: ../../gcc.gnu.org/gcc-4_7-branch/configure --target=avr
--prefix=/local/gnu/install/gcc-4.7 --disable-nls --with-dwarf2
--enable-languages=c,c++ --enable-target-optspace=yes
Thread model: single
gcc version 4.7.1 20120606 (prerelease) (GCC)

GNU C (GCC) version 4.7.1 20120606 (prerelease) (avr)
        compiled by GNU C version 4.3.2 [gcc-4_3-branch revision 141291], GMP
version 4.3.2, MPFR version 2.4.2, MPC version 0.8.2

The problem can also be seen with canadian cross configured as:

../../gcc.gnu.org/gcc-4_7-branch/configure --target=avr
--prefix=/local/gnu/install/gcc-4.7-mingw32 --host=i386-mingw32
--build=i686-linux-gnu --enable-languages=c,c++ --disable-nls --disable-shared
--with-dwarf2

[Bug other/53615] Buffer overflow in the compiler?

[gjl at gcc dot gnu.org]

http://gcc.gnu.org/bugzilla/show_bug.cgi?id=53615

--- Comment #1 from Georg-Johann Lay <gjl at gcc dot gnu.org> 2012-06-08 16:48:22 UTC ---
Created attachment 27588
  --> http://gcc.gnu.org/bugzilla/attachment.cgi?id=27588
wek.c

And here is the source file wek.c

Compiled with the above options yields:

$ avr-gcc -c wek.c -mmcu=atmega2561 -O3 -mstrict-X
wek.c: In function 'foo':
wek.c:86:20: error: can't find a register in class 'BASE_POINTER_REGS' while
reloading 'asm'
wek.c:86:20: error: 'asm' operand has impossible constraints

At the beginning of the source you see a macro called CODE32 that is defined to
a string literal which is used as inline assembler code template.

If CODE32 is defined to a shorter string like

#define CODE32 \
  ";%2, %C1%1%A0, Z+\n\telpm %B0, Z\n\t"

the compiler passes.

By all of by understanding such an error should not depend on the length of the
inline assembler template. Thus, does this indicates a buffer overflow or
missing GTY or similar?

Notice that the %-operands / %-operand sequence is unchanged in the shorter
version of CODE32.

[Bug other/53615] Buffer overflow in the compiler?

[gjl at gcc dot gnu.org]

http://gcc.gnu.org/bugzilla/show_bug.cgi?id=53615

--- Comment #2 from Georg-Johann Lay <gjl at gcc dot gnu.org> 2012-06-08 16:52:54 UTC ---
Note: In attachment 27588 the long version is commented out. You have to remove
the comment and the second CODE32 like so:


#define CODE32  \
  "out %2, %C1\n\tmovw r30, %1\n\telpm %A0, Z+\n\telpm %B0, Z\n\t"


instead of


//#define CODE32  \
//  "out %2, %C1\n\tmovw r30, %1\n\telpm %A0, Z+\n\telpm %B0, Z\n\t"

#define CODE32  \
  ";%2, %C1%1%A0, Z+\n\telpm %B0, Z\n\t"

[Bug other/53615] Buffer overflow in the compiler?

[wek at host dot sk]

http://gcc.gnu.org/bugzilla/show_bug.cgi?id=53615

--- Comment #3 from Jan Waclawek <wek at host dot sk> 2012-06-10 15:07:10 UTC ---
Created attachment 27597
  --> http://gcc.gnu.org/bugzilla/attachment.cgi?id=27597
wek1.c

[Bug other/53615] Buffer overflow in the compiler?

[wek at host dot sk]

http://gcc.gnu.org/bugzilla/show_bug.cgi?id=53615

Jan Waclawek <wek at host dot sk> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |wek at host dot sk

--- Comment #4 from Jan Waclawek <wek at host dot sk> 2012-06-10 15:17:12 UTC ---
http://gcc.gnu.org/bugzilla/attachment.cgi?id=27597 is a somewhat reduced test
case, which still fails with the "first bundle" (build provided by
Georg-Johann, which did not contain the patch for
http://gcc.gnu.org/bugzilla/show_bug.cgi?id=53595 yet).

It fails at my place even if 
#define CODE32 ""
.

As I said in
http://www.avrfreaks.net/index.php?name=PNphpBB2&file=viewtopic&p=963618#963618
, the register variables are instrumental - in this particular case, after
removing variable "blocking" r4 and r5 the example compiles.

The "second bundle" (contain the patch for
http://gcc.gnu.org/bugzilla/show_bug.cgi?id=53595) again compiles the example
code OK.

I also tried to clobber the r31:r30 (i.e. Z) register pair in the inline asm by
adding an output parameter with constraint "z" and removing the explicit
clobbers; in that case the example code does compile OK.

[Bug other/53615] Buffer overflow in the compiler?

[gjl at gcc dot gnu.org]

http://gcc.gnu.org/bugzilla/show_bug.cgi?id=53615

Georg-Johann Lay <gjl at gcc dot gnu.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|UNCONFIRMED                 |NEW
   Last reconfirmed|                            |2012-07-31
     Ever Confirmed|0                           |1

--- Comment #5 from Georg-Johann Lay <gjl at gcc dot gnu.org> 2012-07-31 17:56:56 UTC ---
Bug is still present with SVN from today.

[Bug other/53615] Buffer overflow in the compiler?

[ebotcazou at gcc dot gnu.org]

http://gcc.gnu.org/bugzilla/show_bug.cgi?id=53615

Eric Botcazou <ebotcazou at gcc dot gnu.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |WAITING
                 CC|                            |ebotcazou at gcc dot
                   |                            |gnu.org

--- Comment #6 from Eric Botcazou <ebotcazou at gcc dot gnu.org> 2012-08-02 07:09:02 UTC ---
You should run the compiler under Valgrind and see whether it complains.

[Bug other/53615] Buffer overflow in the compiler?

[gjl at gcc dot gnu.org]

http://gcc.gnu.org/bugzilla/show_bug.cgi?id=53615

--- Comment #7 from Georg-Johann Lay <gjl at gcc dot gnu.org> 2012-08-02 16:45:24 UTC ---
(In reply to comment #6)
> You should run the compiler under Valgrind and see whether it complains.

I never built the compiler with valgrind support.  Is the a comprehensible
documentation?

The wiki has http://gcc.gnu.org/wiki/DebuggingGCC to use valgring as wrapper,
but I also see many valgrind strings in GCC sources and some in gcc/doc.
You mean --enable-checking=valgrind?

This bug does no more appear since PR53595 is fixed.  This is strange; maybe
it's just incidental and now some other test case is needed to trigger this
bug.
Or one bug is actually a duplicate if the other?

[Bug other/53615] Buffer overflow in the compiler?

[gjl at gcc dot gnu.org]

http://gcc.gnu.org/bugzilla/show_bug.cgi?id=53615

--- Comment #8 from Georg-Johann Lay <gjl at gcc dot gnu.org> 2012-08-03 16:03:09 UTC ---
(In reply to comment #6)
> You should run the compiler under Valgrind and see whether it complains.

I now configured with --enable-checking=valgrind

Valgrind is 3.3.1
GCC is 4.7.1
URL: svn+ssh://gcc.gnu.org/svn/gcc/branches/gcc-4_7-branch
Repository Root: svn+ssh://gcc.gnu.org/svn/gcc
Revision: 189410

Configure:

../../gcc.gnu.org/gcc-4_7-branch/configure --target=avr
--prefix=/local/gnu/install/gcc-4.7 --disable-nls --with-dwarf2
--enable-languages=c,c++ --enable-target-optspace=yes
--enable-checking=valgrind

While building the compiler there is messages like

echo | /home/georg/gnu/build/gcc-4.7-avr/./gcc/xgcc
-B/home/georg/gnu/build/gcc-4.7-avr/./gcc/ -E -dM - | \
          sed -n -e 's/^#define \([^_][a-zA-Z0-9_]*\).*/\1/p' \
                 -e 's/^#define \(_[^_A-Z][a-zA-Z0-9_]*\).*/\1/p' | \
          sort -u > tmp-macro_list
==3916== Invalid read of size 4
==3916==    at 0x85D0F4F: _cpp_clean_line (lex.c:243)
==3916==    by 0x85D2377: _cpp_get_fresh_line (lex.c:1938)
==3916==    by 0x85D2D82: _cpp_lex_direct (lex.c:2003)
==3916==    by 0x85D3C6C: _cpp_lex_token (lex.c:1877)
==3916==    by 0x85D932F: cpp_get_token_1 (macro.c:2245)
==3916==    by 0x85D96AF: cpp_scan_nooutput (macro.c:2460)
==3916==    by 0x811CA9D: preprocess_file (c-ppoutput.c:94)
==3916==    by 0x8119021: c_common_init (c-opts.c:1097)
==3916==    by 0x80D1E8F: c_objc_common_init (c-objc-common.c:64)
==3916==    by 0x8369F06: toplev_main (toplev.c:1765)
==3916==    by 0x8129C71: main (main.c:36)
==3916==  Address 0x4213000 is 0 bytes inside a block of size 2 alloc'd
==3916==    at 0x4027EFC: realloc (in
/usr/lib/valgrind/x86-linux/vgpreload_memcheck.so)
==3916==    by 0x85F9F82: xrealloc (xmalloc.c:179)
==3916==    by 0x85C3491: _cpp_convert_input (charset.c:1734)
==3916==    by 0x85CE1D0: read_file (files.c:648)
==3916==    by 0x85CE3FA: _cpp_stack_file (files.c:723)
==3916==    by 0x85CFC49: cpp_read_main_file (init.c:593)
==3916==    by 0x8119426: c_common_post_options (c-opts.c:1048)
==3916==    by 0x8369886: toplev_main (toplev.c:1282)
==3916==    by 0x8129C71: main (main.c:36)

And then, when configuring libgcc:

Checking multilib configuration for libgcc...
Configuring in avr/libgcc
configure: loading cache ./config.cache
checking build system type... i686-pc-linux-gnu
checking host system type... avr-unknown-none
checking for --enable-version-specific-runtime-libs... no
checking for a BSD-compatible install... /usr/bin/install -c
checking for gawk... gawk
checking for avr-ar... /local/gnu/install/gcc-4.7/avr/bin/ar
checking for avr-lipo... avr-lipo
checking for avr-nm... /home/georg/gnu/build/gcc-4.7-avr/./gcc/nm
checking for avr-ranlib... /local/gnu/install/gcc-4.7/avr/bin/ranlib
checking for avr-strip... /local/gnu/install/gcc-4.7/avr/bin/strip
checking whether ln -s works... yes
checking for avr-gcc... /home/georg/gnu/build/gcc-4.7-avr/./gcc/xgcc
-B/home/georg/gnu/build/gcc-4.7-avr/./gcc/
-B/local/gnu/install/gcc-4.7/avr/bin/ -B/local/gnu/install/gcc-4.7/avr/lib/
-isystem /local/gnu/install/gcc-4.7/avr/include -isystem
/local/gnu/install/gcc-4.7/avr/sys-include
checking for suffix of object files... configure: error: in
`/home/georg/gnu/build/gcc-4.7-avr/avr/libgcc':
configure: error: cannot compute suffix of object files: cannot compile
See `config.log' for more details.
make[1]: *** [configure-target-libgcc] Error 1
make[1]: Leaving directory `/local/gnu/build/gcc-4.7-avr'
make: *** [all] Error 2


And in ./avr/libgcc/config.log:



configure:3355: $? = 1
configure:3371: /home/georg/gnu/build/gcc-4.7-avr/./gcc/xgcc
-B/home/georg/gnu/build/gcc-4.7-avr/./gcc/
-B/local/gnu/install/gcc-4.7/avr/bin/ -B/local/gnu/install/gcc-4.7/avr/lib/
-isystem /local/gnu/install/gcc-4.7/avr/include -isystem
/local/gnu/install/gcc-4.7/avr/sys-include    -o conftest -g -Os   conftest.c 
>&5
valgrind: mmap(0x0, 688128) failed in UME with error 13 (Permission denied).
configure:3374: $? = 1
configure:3562: checking for suffix of object files
configure:3584: /home/georg/gnu/build/gcc-4.7-avr/./gcc/xgcc
-B/home/georg/gnu/build/gcc-4.7-avr/./gcc/
-B/local/gnu/install/gcc-4.7/avr/bin/ -B/local/gnu/install/gcc-4.7/avr/lib/
-isystem /local/gnu/install/gcc-4.7/avr/include -isystem
/local/gnu/install/gcc-4.7/avr/sys-include    -c -g -Os  conftest.c >&5
valgrind: mmap(0x0, 688128) failed in UME with error 13 (Permission denied).
configure:3588: $? = 1
configure: failed program was:
| /* confdefs.h */
| #define PACKAGE_NAME "GNU C Runtime Library"
| #define PACKAGE_TARNAME "libgcc"
| #define PACKAGE_VERSION "1.0"
| #define PACKAGE_STRING "GNU C Runtime Library 1.0"
| #define PACKAGE_BUGREPORT ""
| #define PACKAGE_URL "http://www.gnu.org/software/libgcc/"
| /* end confdefs.h.  */
| 
| int
| main ()
| {
| 
|   ;
|   return 0;
| }
configure:3602: error: in `/home/georg/gnu/build/gcc-4.7-avr/avr/libgcc':
configure:3605: error: cannot compute suffix of object files: cannot compile
See `config.log' for more details.

## ---------------- ##
## Cache variables. ##
## ---------------- ##

ac_cv_build=i686-pc-linux-gnu
ac_cv_env_CC_set=set
ac_cv_env_CC_value='//home/georg/gnu/build/gcc-4.7-avr/./gcc/xgcc
-B/home/georg/gnu/build/gcc-4.7-avr/./gcc/
-B/local/gnu/install/gcc-4.7/avr/bin/ -B/local/gnu/install/gcc-4.7/avr/lib/
-isystem /local/gnu/install/gcc-4.7/avr/include -isystem
/local/gnu/install/gcc-4.7/avr/sys-include   '
ac_cv_env_CFLAGS_set=set
ac_cv_env_CFLAGS_value='-g -Os'
ac_cv_env_CPPFLAGS_set=set
ac_cv_env_CPPFLAGS_value=
ac_cv_env_CPP_set=
ac_cv_env_CPP_value=
ac_cv_env_LDFLAGS_set=set
ac_cv_env_LDFLAGS_value=
ac_cv_env_LIBS_set=
ac_cv_env_LIBS_value=
ac_cv_env_build_alias_set=set
ac_cv_env_build_alias_value=i686-pc-linux-gnu
ac_cv_env_host_alias_set=set
ac_cv_env_host_alias_value=avr
ac_cv_env_target_alias_set=set
ac_cv_env_target_alias_value=avr
ac_cv_host=avr-unknown-none
ac_cv_prog_AR=/local/gnu/install/gcc-4.7/avr/bin/ar
ac_cv_prog_AWK=gawk
ac_cv_prog_CC='/home/georg/gnu/build/gcc-4.7-avr/./gcc/xgcc
-B/home/georg/gnu/build/gcc-4.7-avr/./gcc/
-B/local/gnu/install/gcc-4.7/avr/bin/ -B/local/gnu/install/gcc-4.7/avr/lib/
-isystem /local/gnu/install/gcc-4.7/avr/include -isystem
/local/gnu/install/gcc-4.7/avr/sys-include   '
ac_cv_prog_LIPO=avr-lipo
ac_cv_prog_NM=/home/georg/gnu/build/gcc-4.7-avr/./gcc/nm
ac_cv_prog_RANLIB=/local/gnu/install/gcc-4.7/avr/bin/ranlib
ac_cv_prog_STRIP=/local/gnu/install/gcc-4.7/avr/bin/strip

## ----------------- ##
## Output variables. ##
## ----------------- ##

AR='/local/gnu/install/gcc-4.7/avr/bin/ar'
AWK='gawk'
CC='/home/georg/gnu/build/gcc-4.7-avr/./gcc/xgcc
-B/home/georg/gnu/build/gcc-4.7-avr/./gcc/
-B/local/gnu/install/gcc-4.7/avr/bin/ -B/local/gnu/install/gcc-4.7/avr/lib/
-isystem /local/gnu/install/gcc-4.7/avr/include -isystem
/local/gnu/install/gcc-4.7/avr/sys-include   '
CFLAGS='-g -Os'
CPP=''
CPPFLAGS=''
DEFS=''
ECHO_C=''
ECHO_N='-n'
ECHO_T=''
EXEEXT=''
INSTALL_DATA='/usr/bin/install -c -m 644'
INSTALL_PROGRAM='/usr/bin/install -c'
INSTALL_SCRIPT='/usr/bin/install -c'
LDFLAGS=''
LIBOBJS=''
LIBS=''
LIPO='avr-lipo'
LN_S='ln -s'
LTLIBOBJS=''
MAINT='#'
NM='/home/georg/gnu/build/gcc-4.7-avr/./gcc/nm'
OBJEXT=''
PACKAGE_BUGREPORT=''
PACKAGE_NAME='GNU C Runtime Library'
PACKAGE_STRING='GNU C Runtime Library 1.0'
PACKAGE_TARNAME='libgcc'
PACKAGE_URL='http://www.gnu.org/software/libgcc/'
PACKAGE_VERSION='1.0'
PATH_SEPARATOR=':'
PICFLAG='-fPIC'
RANLIB='/local/gnu/install/gcc-4.7/avr/bin/ranlib'
SHELL='/bin/sh'
STRIP='/local/gnu/install/gcc-4.7/avr/bin/strip'
ac_ct_CC=''
asm_hidden_op=''
bindir='${exec_prefix}/bin'
build='i686-pc-linux-gnu'
build_alias='i686-pc-linux-gnu'
build_cpu='i686'
build_libsubdir='build-i686-pc-linux-gnu'
build_os='linux-gnu'
build_subdir='build-i686-pc-linux-gnu'
build_vendor='pc'
cpu_type=''
datadir='${datarootdir}'
datarootdir='${prefix}/share'
decimal_float=''
docdir='${datarootdir}/doc/${PACKAGE_TARNAME}'
double_type_size=''
dvidir='${docdir}'
enable_decimal_float=''
enable_shared='yes'
exec_prefix='NONE'
extra_parts=''
fixed_point=''
host='avr-unknown-none'
host_alias='avr'
host_cpu='avr'
host_noncanonical='avr'
host_os='none'
host_subdir='.'
host_vendor='unknown'
htmldir='${docdir}'
includedir='${prefix}/include'
infodir='${datarootdir}/info'
libdir='${exec_prefix}/lib'
libexecdir='${exec_prefix}/libexec'
libgcc_topdir='../../../../gcc.gnu.org/gcc-4_7-branch/libgcc/..'
localedir='${datarootdir}/locale'
localstatedir='${prefix}/var'
long_double_type_size=''
mandir='${datarootdir}/man'
oldincludedir='/usr/include'
pdfdir='${docdir}'
prefix='/local/gnu/install/gcc-4.7'
program_transform_name='s&^&avr-&'
psdir='${docdir}'
sbindir='${exec_prefix}/sbin'
set_have_cc_tls=''
set_use_emutls=''
sfp_machine_header=''
sharedstatedir='${prefix}/com'
slibdir='$(exec_prefix)/$(host_noncanonical)/lib'
sysconfdir='${prefix}/etc'
target_alias='avr'
target_noncanonical='avr'
target_subdir='avr'
tm_defines=''
tm_file=''
tmake_file=''
toolexecdir='$(exec_prefix)/$(target_noncanonical)'
toolexeclibdir='$(toolexecdir)/lib'
vis_hide=''

## ----------- ##
## confdefs.h. ##
## ----------- ##

/* confdefs.h */
#define PACKAGE_NAME "GNU C Runtime Library"
#define PACKAGE_TARNAME "libgcc"
#define PACKAGE_VERSION "1.0"
#define PACKAGE_STRING "GNU C Runtime Library 1.0"
#define PACKAGE_BUGREPORT ""
#define PACKAGE_URL "http://www.gnu.org/software/libgcc/"

configure: exit 1

[Bug other/53615] Buffer overflow in the compiler?

[gjl at gcc dot gnu.org]

http://gcc.gnu.org/bugzilla/show_bug.cgi?id=53615

Georg-Johann Lay <gjl at gcc dot gnu.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
           Keywords|                            |ice-checking
             Status|WAITING                     |NEW
   Last reconfirmed|2012-07-31 00:00:00         |2012-08-03 0:00
      Known to fail|                            |4.7.1