public inbox for gcc-bugs@sourceware.org
* [Bug middle-end/55407] New: stack-buffer-overflow in compute_working_sets
@ 2012-11-20  1:54 hjl.tools at gmail dot com
From: hjl.tools at gmail dot com @ 2012-11-20  1:54 UTC (permalink / raw)
  To: gcc-bugs


http://gcc.gnu.org/bugzilla/show_bug.cgi?id=55407

             Bug #: 55407
           Summary: stack-buffer-overflow in compute_working_sets
    Classification: Unclassified
           Product: gcc
           Version: 4.8.0
            Status: UNCONFIRMED
          Severity: normal
          Priority: P3
         Component: middle-end
        AssignedTo: unassigned@gcc.gnu.org
        ReportedBy: hjl.tools@gmail.com


[hjl@gnu-mic-2 gcc]$ cat /tmp/y.i
extern void abort (void);
extern void exit (int);

int expect_do1 = 1, expect_do2 = 2;

static int doit(int x){
  __label__ lbl1;
  __label__ lbl2;
  static int jtab_init = 0;
  static void *jtab[2];

  if(!jtab_init) {
    jtab[0] = &&lbl1;
    jtab[1] = &&lbl2;
    jtab_init = 1;
  }
  goto *jtab[x];
lbl1:
  return 1;
lbl2:
  return 2;
}

static void do1(void) {
  if (doit(0) != expect_do1)
    abort ();
}

static void do2(void){
  if (doit(1) != expect_do2)
    abort ();
}

int main(void){
  do1();
  do2();
  exit(0);
}
[hjl@gnu-mic-2 gcc]$ ./xgcc -B./ -O3 -fprofile-arcs /tmp/y.i
[hjl@gnu-mic-2 gcc]$ ./a.out
[hjl@gnu-mic-2 gcc]$ ./xgcc -B./ -O3 -S -fbranch-probabilities /tmp/y.i
=================================================================
==18365== ERROR: AddressSanitizer stack-buffer-overflow on address
0x7ffff9a5ee70 at pc 0xeeef8a bp 0x7ffff9a5e950 sp 0x7ffff9a5e948
READ of size 8 at 0x7ffff9a5ee70 thread T0
    #0 0xeeef89
(/export/build/gnu/gcc-asan/build-x86_64-linux/gcc/cc1+0xeeef89)
Address 0x7ffff9a5ee70 is located at offset 1184 in frame
<compute_branch_probabilities> of T0's stack:
  This frame has 2 object(s):
    [32, 112) 'hist_br_prob'
    [160, 1184) 'working_set_cum_values'
HINT: this may be a false positive if your program uses some custom stack
unwind mechanism
      (longjmp and C++ exceptions *are* supported)
Shadow byte and word:
  0x1fffff34bdce: f3
  0x1fffff34bdc8: 00 00 00 00 00 00 f3 f3
More shadow bytes:
  0x1fffff34bda8: 00 00 00 00 00 00 00 00
  0x1fffff34bdb0: 00 00 00 00 00 00 00 00
  0x1fffff34bdb8: 00 00 00 00 00 00 00 00
  0x1fffff34bdc0: 00 00 00 00 00 00 00 00
=>0x1fffff34bdc8: 00 00 00 00 00 00 f3 f3
  0x1fffff34bdd0: f3 f3 00 00 00 00 00 00
  0x1fffff34bdd8: 00 00 00 00 00 00 00 00
  0x1fffff34bde0: 00 00 00 00 00 00 00 00
  0x1fffff34bde8: 00 00 00 00 00 00 00 00
==18365== ABORTING
[hjl@gnu-mic-2 gcc]$ 
(gdb) bt
#0  __asan_report_error (pc=15658890, bp=140737488343840, sp=140737488343832, 
    addr=140737488345152, is_write=<optimized out>, access_size=8)
    at /export/gnu/import/git/gcc/libsanitizer/asan/asan_report.cc:464
#1  0x0000000001f2b2a4 in __asan::__asan_report_load8 (addr=<optimized out>)
    at /export/gnu/import/git/gcc/libsanitizer/asan/asan_rtl.cc:195
#2  0x0000000000eeef8a in compute_working_sets ()
    at /export/gnu/import/git/gcc/gcc/profile.c:294
#3  get_exec_counts (lineno_checksum=0, cfg_checksum=0)
    at /export/gnu/import/git/gcc/gcc/profile.c:377
#4  compute_branch_probabilities (cfg_checksum=cfg_checksum@entry=4088700122, 
    lineno_checksum=lineno_checksum@entry=728892799)
    at /export/gnu/import/git/gcc/gcc/profile.c:611
#5  0x0000000000ef1e76 in branch_prob ()
    at /export/gnu/import/git/gcc/gcc/profile.c:1371
#6  0x0000000001207d7b in tree_profiling ()
    at /export/gnu/import/git/gcc/gcc/tree-profile.c:483
#7  0x0000000000eb4f84 in execute_one_pass (
    pass=pass@entry=0x264a680 <pass_ipa_tree_profile>)
    at /export/gnu/import/git/gcc/gcc/passes.c:2339
#8  0x0000000000eb6653 in execute_ipa_pass_list (
    pass=0x264a680 <pass_ipa_tree_profile>)
    at /export/gnu/import/git/gcc/gcc/passes.c:2705
#9  0x000000000087cf79 in ipa_passes ()
    at /export/gnu/import/git/gcc/gcc/cgraphunit.c:1871
#10 compile () at /export/gnu/import/git/gcc/gcc/cgraphunit.c:1994
#11 0x000000000087e58a in finalize_compilation_unit ()
    at /export/gnu/import/git/gcc/gcc/cgraphunit.c:2122
#12 0x000000000059aec1 in c_write_global_declarations ()
    at /export/gnu/import/git/gcc/gcc/c/c-decl.c:10128
#13 0x000000000107b11a in compile_file ()
    at /export/gnu/import/git/gcc/gcc/toplev.c:559
#14 0x000000000107f407 in do_compile ()
    at /export/gnu/import/git/gcc/gcc/toplev.c:1881
#15 toplev_main (argc=15, argv=0x7fffffffe0d8)
    at /export/gnu/import/git/gcc/gcc/toplev.c:1957
#16 0x00000038f3a21675 in __libc_start_main () from /lib64/libc.so.6
#17 0x000000000055c761 in _start ()
(gdb)


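As an added triage helper (not part of the bug report or of GCC), the following parses the frame-object list ASan printed above and works out which stack object the faulting offset borders: offset 1184 is exactly the first byte past 'working_set_cum_values' [160, 1184), so an 8-byte read there is element 128 of a 128-element array if the elements are 8 bytes wide (an assumption taken from the access size, not from the report).

```python
import re

# Lines copied from the AddressSanitizer report posted in the bug above.
REPORT = """\
==18365== ERROR: AddressSanitizer stack-buffer-overflow on address
READ of size 8 at 0x7ffff9a5ee70 thread T0
Address 0x7ffff9a5ee70 is located at offset 1184 in frame
<compute_branch_probabilities> of T0's stack:
  This frame has 2 object(s):
    [32, 112) 'hist_br_prob'
    [160, 1184) 'working_set_cum_values'
"""

OBJ_RE = re.compile(r"\[(\d+), (\d+)\) '([^']+)'")
ACCESS_RE = re.compile(r"(READ|WRITE) of size (\d+)")
OFFSET_RE = re.compile(r"located at offset (\d+) in frame\s*<([^>]+)>")


def parse_frame(report):
    """Return (kind, size, frame_offset, frame_name, [(start, end, name)])."""
    kind, size = ACCESS_RE.search(report).groups()
    offset, frame = OFFSET_RE.search(report).groups()
    objects = [(int(a), int(b), n) for a, b, n in OBJ_RE.findall(report)]
    return kind, int(size), int(offset), frame, objects


def classify(report):
    """Name the frame object the bad access borders and how far past it lies."""
    kind, size, offset, frame, objects = parse_frame(report)
    # ASan reports only accesses outside every object, so pick the object
    # ending closest at or below the offset (overflow); if none, the first
    # object above it (underflow).
    below = [o for o in objects if o[1] <= offset]
    if below:
        start, end, name = max(below, key=lambda o: o[1])
        direction, past = "overflow", offset - end   # 0 = first byte past end
    else:
        start, end, name = min(objects, key=lambda o: o[0])
        direction, past = "underflow", start - offset
    # Treating the access size as the element size (assumption) gives index/length.
    return {"frame": frame, "kind": kind, "size": size, "object": name,
            "direction": direction, "bytes_past": past,
            "index": (offset - start) // size, "count": (end - start) // size}


if __name__ == "__main__":
    r = classify(REPORT)
    print(f"{r['kind']}{r['size']} in <{r['frame']}>: {r['direction']} of "
          f"'{r['object']}' by {r['bytes_past']} bytes, element "
          f"{r['index']} of {r['count']}")
```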

* [Bug middle-end/55407] stack-buffer-overflow in compute_working_sets
@ 2012-11-21 14:28 ` hjl.tools at gmail dot com
From: hjl.tools at gmail dot com @ 2012-11-21 14:28 UTC (permalink / raw)
  To: gcc-bugs


http://gcc.gnu.org/bugzilla/show_bug.cgi?id=55407

H.J. Lu <hjl.tools at gmail dot com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|UNCONFIRMED                 |RESOLVED
         Resolution|                            |DUPLICATE

--- Comment #1 from H.J. Lu <hjl.tools at gmail dot com> 2012-11-21 14:28:00 UTC ---
Dup.

*** This bug has been marked as a duplicate of bug 55417 ***

