From mboxrd@z Thu Jan  1 00:00:00 1970
Return-Path:
Received: (qmail 16611 invoked by alias); 20 Nov 2012 01:54:34 -0000
Received: (qmail 15744 invoked by uid 48); 20 Nov 2012 01:54:09 -0000
From: "hjl.tools at gmail dot com"
To: gcc-bugs@gcc.gnu.org
Subject: [Bug middle-end/55407] New: stack-buffer-overflow in compute_working_sets
Date: Tue, 20 Nov 2012 01:54:00 -0000
X-Bugzilla-Reason: CC
X-Bugzilla-Type: new
X-Bugzilla-Watch-Reason: None
X-Bugzilla-Product: gcc
X-Bugzilla-Component: middle-end
X-Bugzilla-Keywords:
X-Bugzilla-Severity: normal
X-Bugzilla-Who: hjl.tools at gmail dot com
X-Bugzilla-Status: UNCONFIRMED
X-Bugzilla-Priority: P3
X-Bugzilla-Assigned-To: unassigned at gcc dot gnu.org
X-Bugzilla-Target-Milestone: ---
X-Bugzilla-Changed-Fields:
Message-ID:
X-Bugzilla-URL: http://gcc.gnu.org/bugzilla/
Auto-Submitted: auto-generated
Content-Type: text/plain; charset="UTF-8"
MIME-Version: 1.0
Mailing-List: contact gcc-bugs-help@gcc.gnu.org; run by ezmlm
Precedence: bulk
List-Id:
List-Archive:
List-Post:
List-Help:
Sender: gcc-bugs-owner@gcc.gnu.org
X-SW-Source: 2012-11/txt/msg01869.txt.bz2

http://gcc.gnu.org/bugzilla/show_bug.cgi?id=55407

             Bug #: 55407
           Summary: stack-buffer-overflow in compute_working_sets
    Classification: Unclassified
           Product: gcc
           Version: 4.8.0
            Status: UNCONFIRMED
          Severity: normal
          Priority: P3
         Component: middle-end
        AssignedTo: unassigned@gcc.gnu.org
        ReportedBy: hjl.tools@gmail.com


[hjl@gnu-mic-2 gcc]$ cat /tmp/y.i
extern void abort (void);
extern void exit (int);

int expect_do1 = 1, expect_do2 = 2;

/* Computed goto through a jump table of label addresses (GNU labels-as-values),
   filled in on the first call.  */
static int doit(int x)
{
  __label__ lbl1;
  __label__ lbl2;
  static int jtab_init = 0;
  static void *jtab[2];

  if (!jtab_init)
    {
      jtab[0] = &&lbl1;
      jtab[1] = &&lbl2;
      jtab_init = 1;
    }
  goto *jtab[x];
lbl1:
  return 1;
lbl2:
  return 2;
}

static void do1(void)
{
  if (doit(0) != expect_do1)
    abort ();
}

static void do2(void)
{
  if (doit(1) != expect_do2)
    abort ();
}

int main(void)
{
  do1();
  do2();
  exit(0);
}
[hjl@gnu-mic-2 gcc]$ ./xgcc -B./ -O3 -fprofile-arcs /tmp/y.i
[hjl@gnu-mic-2 gcc]$ ./a.out
[hjl@gnu-mic-2 gcc]$ ./xgcc -B./ -O3 -S -fbranch-probabilities /tmp/y.i
=================================================================
==18365== ERROR: AddressSanitizer stack-buffer-overflow on address 0x7ffff9a5ee70 at pc 0xeeef8a bp 0x7ffff9a5e950 sp 0x7ffff9a5e948
READ of size 8 at 0x7ffff9a5ee70 thread T0
    #0 0xeeef89 (/export/build/gnu/gcc-asan/build-x86_64-linux/gcc/cc1+0xeeef89)
Address 0x7ffff9a5ee70 is located at offset 1184 in frame of T0's stack:
  This frame has 2 object(s):
    [32, 112) 'hist_br_prob'
    [160, 1184) 'working_set_cum_values'
HINT: this may be a false positive if your program uses some custom stack unwind mechanism
      (longjmp and C++ exceptions *are* supported)
Shadow byte and word:
  0x1fffff34bdce: f3
  0x1fffff34bdc8: 00 00 00 00 00 00 f3 f3
More shadow bytes:
  0x1fffff34bda8: 00 00 00 00 00 00 00 00
  0x1fffff34bdb0: 00 00 00 00 00 00 00 00
  0x1fffff34bdb8: 00 00 00 00 00 00 00 00
  0x1fffff34bdc0: 00 00 00 00 00 00 00 00
=>0x1fffff34bdc8: 00 00 00 00 00 00 f3 f3
  0x1fffff34bdd0: f3 f3 00 00 00 00 00 00
  0x1fffff34bdd8: 00 00 00 00 00 00 00 00
  0x1fffff34bde0: 00 00 00 00 00 00 00 00
  0x1fffff34bde8: 00 00 00 00 00 00 00 00
Stats: 2M malloced (2M for red zones) by 5642 calls
Stats: 0M realloced by 344 calls
Stats: 2M freed by 3566 calls
Stats: 0M really freed by 0 calls
Stats: 8M (2059 full pages) mmaped in 16 calls
  mmaps   by size class: 7:4095; 8:2047; 9:1023; 10:511; 11:255; 12:384; 13:128; 14:32; 15:48; 16:8; 18:2;
  mallocs by size class: 7:3557; 8:1180; 9:156; 10:80; 11:213; 12:305; 13:89; 14:17; 15:43; 16:1; 18:1;
  frees   by size class: 7:2011; 8:794; 9:122; 10:73; 11:142; 12:301; 13:64; 14:17; 15:42;
  rfrees  by size class:
Stats: malloc large: 45 small slow: 115
==18365== ABORTING
[hjl@gnu-mic-2 gcc]$

(gdb) bt
#0  __asan_report_error (pc=15658890, bp=140737488343840, sp=140737488343832,
    addr=140737488345152, is_write=, access_size=8)
    at /export/gnu/import/git/gcc/libsanitizer/asan/asan_report.cc:464
#1  0x0000000001f2b2a4 in __asan::__asan_report_load8 (addr=)
    at /export/gnu/import/git/gcc/libsanitizer/asan/asan_rtl.cc:195
#2  0x0000000000eeef8a in compute_working_sets ()
    at /export/gnu/import/git/gcc/gcc/profile.c:294
#3  get_exec_counts (lineno_checksum=0, cfg_checksum=0)
    at /export/gnu/import/git/gcc/gcc/profile.c:377
#4  compute_branch_probabilities (cfg_checksum=cfg_checksum@entry=4088700122,
    lineno_checksum=lineno_checksum@entry=728892799)
    at /export/gnu/import/git/gcc/gcc/profile.c:611
#5  0x0000000000ef1e76 in branch_prob ()
    at /export/gnu/import/git/gcc/gcc/profile.c:1371
#6  0x0000000001207d7b in tree_profiling ()
    at /export/gnu/import/git/gcc/gcc/tree-profile.c:483
#7  0x0000000000eb4f84 in execute_one_pass (pass=pass@entry=0x264a680 )
    at /export/gnu/import/git/gcc/gcc/passes.c:2339
#8  0x0000000000eb6653 in execute_ipa_pass_list (pass=0x264a680 )
    at /export/gnu/import/git/gcc/gcc/passes.c:2705
#9  0x000000000087cf79 in ipa_passes ()
    at /export/gnu/import/git/gcc/gcc/cgraphunit.c:1871
#10 compile () at /export/gnu/import/git/gcc/gcc/cgraphunit.c:1994
#11 0x000000000087e58a in finalize_compilation_unit ()
    at /export/gnu/import/git/gcc/gcc/cgraphunit.c:2122
#12 0x000000000059aec1 in c_write_global_declarations ()
    at /export/gnu/import/git/gcc/gcc/c/c-decl.c:10128
#13 0x000000000107b11a in compile_file ()
    at /export/gnu/import/git/gcc/gcc/toplev.c:559
#14 0x000000000107f407 in do_compile ()
    at /export/gnu/import/git/gcc/gcc/toplev.c:1881
#15 toplev_main (argc=15, argv=0x7fffffffe0d8)
    at /export/gnu/import/git/gcc/gcc/toplev.c:1957
#16 0x00000038f3a21675 in __libc_start_main () from /lib64/libc.so.6
#17 0x000000000055c761 in _start ()
(gdb)
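Added note and example (not part of H.J. Lu's report and not GCC's code): the ASan frame listing above already characterises the bad access before anyone opens profile.c. working_set_cum_values occupies frame offsets [160, 1184), the faulting READ of size 8 lands at offset 1184, and (1184 - 160) / 8 = 128, so if the object is an array of 128 eight-byte elements the read is element 128: exactly one element past the end, the signature of a scan loop that tests an array element before, or instead of, checking its index against the bound. The C below decodes the frame report that way and models a cumulative-threshold walk with that loop shape, using the layout from the report. The element type, the element count (NUM_WS), the threshold filling and the loop itself are assumptions made for illustration; whether this is the actual defect at profile.c:294 is not something the report alone establishes.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Assumption: 8-byte elements, matching "READ of size 8" in the report. */
typedef int64_t gcov_type;

/* One object from an ASan "This frame has N object(s):" listing. */
struct frame_object {
    const char *name;
    size_t begin;   /* inclusive frame offset */
    size_t end;     /* exclusive frame offset */
};

/* Offsets copied from the report in this bug. */
static const struct frame_object working_set_cum_values =
    { "working_set_cum_values", 160, 1184 };

/* Element index that an access at frame offset `off` corresponds to, treating
   `obj` as an array of `size`-byte elements; (size_t)-1 if `off` lies before
   the object or is not element-aligned relative to it. */
static size_t element_index(const struct frame_object *obj, size_t off, size_t size)
{
    if (off < obj->begin || (off - obj->begin) % size != 0)
        return (size_t)-1;
    return (off - obj->begin) / size;
}

/* How many elements past the last valid one the access lies:
   0 = in bounds, 1 = the classic one-past-the-end read. */
static size_t elements_past_end(const struct frame_object *obj, size_t off, size_t size)
{
    size_t index = element_index(obj, off, size);
    size_t count = (obj->end - obj->begin) / size;
    if (index == (size_t)-1 || index < count)
        return 0;
    return index - count + 1;
}

/* Assumed model: the array holds NUM_WS cumulative thresholds, NUM_WS derived
   from the frame layout above (1024 bytes / 8 bytes = 128 elements). */
#define NUM_WS ((1184 - 160) / 8)

/* Non-decreasing thresholds at (i+1)/NUM_WS of total; the last equals total. */
static void fill_thresholds(gcov_type cum_values[NUM_WS], gcov_type total)
{
    for (size_t i = 0; i < NUM_WS; i++)
        cum_values[i] = total * (gcov_type)(i + 1) / NUM_WS;
}

/* Guarded threshold walk.  The unguarded form
       while (cum >= cum_values[ws_ix]) ws_ix++;
   reads cum_values[NUM_WS] as soon as cum reaches the last threshold, i.e. the
   first byte after the object (offset 1184 in the report's layout).  Testing
   ws_ix first returns NUM_WS ("beyond every threshold") without that read. */
static size_t walk_thresholds(const gcov_type cum_values[NUM_WS], gcov_type cum)
{
    size_t ws_ix = 0;
    while (ws_ix < NUM_WS && cum >= cum_values[ws_ix])
        ws_ix++;
    return ws_ix;
}

/* Frame offset of the last element the unguarded loop would compare against
   for a given cum: the guarded walk's final index mapped back into the frame. */
static size_t offset_unguarded_would_read(gcov_type total, gcov_type cum)
{
    gcov_type cum_values[NUM_WS];
    fill_thresholds(cum_values, total);
    return working_set_cum_values.begin
           + walk_thresholds(cum_values, cum) * sizeof(gcov_type);
}

int main(void)
{
    printf("offset 1184 = %s[%zu], %zu element(s) past the end\n",
           working_set_cum_values.name,
           element_index(&working_set_cum_values, 1184, 8),
           elements_past_end(&working_set_cum_values, 1184, 8));
    printf("cum == total: unguarded loop would read frame offset %zu\n",
           offset_unguarded_would_read(1000, 1000));
    printf("cum just below total: last read at frame offset %zu (in bounds)\n",
           offset_unguarded_would_read(1000, 999));
    return 0;
}
```

The decode step is reusable on any ASan stack-buffer-overflow report: an access whose offset equals an object's end with elements_past_end of 1 points at a loop bound or termination test, while an offset deep inside the redzone between two objects or inside a neighbouring object points at a wrong size or stride instead.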