[Bug sanitizer/56245] New: -fsanitize=address miscompiles GCC

[Bug sanitizer/56245] New: -fsanitize=address miscompiles GCC

[hjl.tools at gmail dot com]

http://gcc.gnu.org/bugzilla/show_bug.cgi?id=56245

             Bug #: 56245
           Summary: -fsanitize=address miscompiles GCC
    Classification: Unclassified
           Product: gcc
           Version: 4.8.0
            Status: UNCONFIRMED
          Severity: normal
          Priority: P3
         Component: sanitizer
        AssignedTo: unassigned@gcc.gnu.org
        ReportedBy: hjl.tools@gmail.com
                CC: dodji@gcc.gnu.org, dvyukov@gcc.gnu.org,
                    jakub@gcc.gnu.org, kcc@gcc.gnu.org


On hjl/asan-bad branch, bootstrapping GCC with

--enable-languages=c,c++,fortran,java,lto,objc,obj-c++,go --disable-werror
--with-build-config="bootstrap-asan"

gave

/export/build/gnu/gcc-asan/build-x86_64-linux/./prev-gcc/xg++
-B/export/build/gnu/gcc-asan/build-x86_64-linux/./prev-gcc/
-B/usr/local/x86_64-unknown-linux-gnu/bin/ -nostdinc++
-B/export/build/gnu/gcc-asan/build-x86_64-linux/prev-x86_64-unknown-linux-gnu/libstdc++-v3/src/.libs
-B/export/build/gnu/gcc-asan/build-x86_64-linux/prev-x86_64-unknown-linux-gnu/libstdc++-v3/libsupc++/.libs
-I/export/build/gnu/gcc-asan/build-x86_64-linux/prev-x86_64-unknown-linux-gnu/libstdc++-v3/include/x86_64-unknown-linux-gnu
-I/export/build/gnu/gcc-asan/build-x86_64-linux/prev-x86_64-unknown-linux-gnu/libstdc++-v3/include
-I/export/gnu/import/git/gcc/libstdc++-v3/libsupc++
-L/export/build/gnu/gcc-asan/build-x86_64-linux/prev-x86_64-unknown-linux-gnu/libstdc++-v3/src/.libs
-L/export/build/gnu/gcc-asan/build-x86_64-linux/prev-x86_64-unknown-linux-gnu/libstdc++-v3/libsupc++/.libs
  -O2 -g  -fsanitize=address -DIN_GCC   -fno-exceptions -fno-rtti
-fasynchronous-unwind-tables -W -Wall -Wno-narrowing -Wwrite-strings
-Wcast-qual -Wmissing-format-attribute -pedantic -Wno-long-long
-Wno-variadic-macros -Wno-overlength-strings -fno-common  -DHAVE_CONFIG_H
-DGENERATOR_FILE -static-libstdc++ -static-libgcc -fsanitize=address
-static-libasan
-B/export/build/gnu/gcc-asan/build-x86_64-linux/prev-x86_64-unknown-linux-gnu/libsanitizer/asan/.libs
 -o build/gengtype \
    build/gengtype.o build/errors.o build/gengtype-lex.o build/gengtype-parse.o
build/gengtype-state.o build/version.o .././libiberty/libiberty.a
build/gengtype  \
                    -S /export/gnu/import/git/gcc/gcc -I gtyp-input.list -w
tmp-gtype.state
/bin/sh /export/gnu/import/git/gcc/gcc/../move-if-change tmp-gtype.state
gtype.state
build/gengtype  \
                    -r gtype.state
gengtype: Internal error: abort in get_output_file_with_visibility, at
gengtype.c:2183
make[5]: *** [s-gtype] Error 1
make[5]: *** Waiting for unfinished jobs....
rm gcj-dbtool.pod gcov.pod jcf-dump.pod cpp.pod jv-convert.pod gcj.pod
gc-analyze.pod gfdl.pod grmic.pod gij.pod gfortran.pod gcc.pod fsf-funding.pod
gccgo.pod
make[5]: Leaving directory `/export/build/gnu/gcc-asan/build-x86_64-linux/gcc'
make[4]: *** [all-stage2-gcc] Error 2
make[4]: Leaving directory `/export/build/gnu/gcc-asan/build-x86_64-linux'
make[3]: *** [stage2-bubble] Error 2
make[3]: Leaving directory `/export/build/gnu/gcc-asan/build-x86_64-linux'
make[2]: *** [bootstrap] Error 2
make[2]: Leaving directory `/export/build/gnu/gcc-asan/build-x86_64-linux'
1348.17user 91.95system 7:04.60elapsed 339%CPU (0avgtext+0avgdata
581820maxresident)k
338704inputs+4772512outputs (11984major+55486772minor)pagefaults 0swaps
make[1]: *** [bootstrap] Error 2
make[1]: Leaving directory `/export/build/gnu/gcc-asan'

[Bug sanitizer/56245] -fsanitize=address miscompiles GCC

[hjl.tools at gmail dot com]

http://gcc.gnu.org/bugzilla/show_bug.cgi?id=56245

--- Comment #1 from H.J. Lu <hjl.tools at gmail dot com> 2013-02-07 23:00:53 UTC ---
It is caused by revision 195404:

http://gcc.gnu.org/ml/gcc-cvs/2013-01/msg00659.html

[Bug sanitizer/56245] -fsanitize=address miscompiles GCC

[jakub at gcc dot gnu.org]

http://gcc.gnu.org/bugzilla/show_bug.cgi?id=56245

--- Comment #2 from Jakub Jelinek <jakub at gcc dot gnu.org> 2013-02-08 14:32:13 UTC ---
I don't see how a libasan change could cause a "miscompilation" of gengtype.
Anyway, I've rebuild build/gengtype* with
rm -f build/gengtype*
make CXX='./xg++ -B ./ -fsanitize=address
`../x86_64-unknown-linux-gnu/libstdc++-v3/scripts/testsuite_flags
--build-includes`' build/gengtype
LD_LIBRARY_PATH=../x86_64-unknown-linux-gnu/libsanitizer/asan/.libs/
build/gengtype -S ../../gcc -I gtyp-input.list -w tmp-gtype.state
and it works just fine.

[Bug sanitizer/56245] -fsanitize=address miscompiles GCC

[hjl.tools at gmail dot com]

http://gcc.gnu.org/bugzilla/show_bug.cgi?id=56245

H.J. Lu <hjl.tools at gmail dot com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|UNCONFIRMED                 |NEW
   Last reconfirmed|                            |2013-02-08
     Ever Confirmed|0                           |1

--- Comment #3 from H.J. Lu <hjl.tools at gmail dot com> 2013-02-08 16:39:35 UTC ---
(In reply to comment #2)
> I don't see how a libasan change could cause a "miscompilation" of gengtype.
> Anyway, I've rebuild build/gengtype* with
> rm -f build/gengtype*
> make CXX='./xg++ -B ./ -fsanitize=address
> `../x86_64-unknown-linux-gnu/libstdc++-v3/scripts/testsuite_flags
> --build-includes`' build/gengtype
> LD_LIBRARY_PATH=../x86_64-unknown-linux-gnu/libsanitizer/asan/.libs/
> build/gengtype -S ../../gcc -I gtyp-input.list -w tmp-gtype.state
> and it works just fine.

Please try:

build/gengtype -r gtype.state

I got:

gengtype: Internal error: abort in get_output_file_with_visibility, at
gengtype.c:2183

[Bug other/56245] -fsanitize=address miscompiles GCC

[jakub at gcc dot gnu.org]

http://gcc.gnu.org/bugzilla/show_bug.cgi?id=56245

Jakub Jelinek <jakub at gcc dot gnu.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
          Component|sanitizer                   |other

--- Comment #4 from Jakub Jelinek <jakub at gcc dot gnu.org> 2013-02-08 17:37:05 UTC ---
Libiberty bug.

[Bug other/56245] -fsanitize=address miscompiles GCC

[jakub at gcc dot gnu.org]

http://gcc.gnu.org/bugzilla/show_bug.cgi?id=56245

Jakub Jelinek <jakub at gcc dot gnu.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |ASSIGNED
         AssignedTo|unassigned at gcc dot       |jakub at gcc dot gnu.org
                   |gnu.org                     |

--- Comment #5 from Jakub Jelinek <jakub at gcc dot gnu.org> 2013-02-08 17:39:05 UTC ---
Created attachment 29399
  --> http://gcc.gnu.org/bugzilla/attachment.cgi?id=29399
gcc48-pr56245.patch

Untested fix.

[Bug sanitizer/56245] -fsanitize=address miscompiles GCC

[hjl.tools at gmail dot com]

http://gcc.gnu.org/bugzilla/show_bug.cgi?id=56245

H.J. Lu <hjl.tools at gmail dot com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|ASSIGNED                    |NEW
          Component|other                       |sanitizer

--- Comment #6 from H.J. Lu <hjl.tools at gmail dot com> 2013-02-08 17:49:03 UTC ---
(In reply to comment #5)
> Created attachment 29399 [details]
> gcc48-pr56245.patch
> 
> Untested fix.

Shouldn't it be fixed upstream in glibc first?

[Bug other/56245] -fsanitize=address miscompiles GCC

[jakub at gcc dot gnu.org]

http://gcc.gnu.org/bugzilla/show_bug.cgi?id=56245

Jakub Jelinek <jakub at gcc dot gnu.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |ASSIGNED
          Component|sanitizer                   |other

--- Comment #7 from Jakub Jelinek <jakub at gcc dot gnu.org> 2013-02-08 17:51:08 UTC ---
glibc doesn't use this regex code for many years.

[Bug other/56245] -fsanitize=address miscompiles GCC

[kcc at gcc dot gnu.org]

http://gcc.gnu.org/bugzilla/show_bug.cgi?id=56245

--- Comment #8 from Kostya Serebryany <kcc at gcc dot gnu.org> 2013-02-08 18:28:43 UTC ---
Ah, so this *is* caused by the asan merge, although it's not an asan bug. 
The new asan allocator often returns pointers that are >4Gb apart from 
each other so that int is not working for pointer differences any more.
BTW, I think that subtracting one pointer from another if they belong 
to different heap allocations is just plain wrong standard-wise.

[Bug other/56245] -fsanitize=address miscompiles GCC

[jakub at gcc dot gnu.org]

http://gcc.gnu.org/bugzilla/show_bug.cgi?id=56245

--- Comment #9 from Jakub Jelinek <jakub at gcc dot gnu.org> 2013-02-08 20:05:19 UTC ---
(In reply to comment #8)
> Ah, so this *is* caused by the asan merge, although it's not an asan bug. 
> The new asan allocator often returns pointers that are >4Gb apart from 
> each other so that int is not working for pointer differences any more.
> BTW, I think that subtracting one pointer from another if they belong 
> to different heap allocations is just plain wrong standard-wise.

I guess for standard-wise correctness it would need to cast all the involved
pointers to (uintptr_t) or similar and do arithmetic in integers.  It is a
general issue of having pointers pointing into the same heap object, when you
need to realloc that heap object, you need to adjust it.  In any case, for
whatever reason libiberty contains the prehistoric GNU regex code rather than
the far newer code that is included in glibc.

[Bug other/56245] -fsanitize=address miscompiles GCC

[jakub at gcc dot gnu.org]

http://gcc.gnu.org/bugzilla/show_bug.cgi?id=56245

--- Comment #10 from Jakub Jelinek <jakub at gcc dot gnu.org> 2013-02-09 18:41:05 UTC ---
Author: jakub
Date: Sat Feb  9 18:41:00 2013
New Revision: 195918

URL: http://gcc.gnu.org/viewcvs?root=gcc&view=rev&rev=195918
Log:
    PR other/56245
    * regex.c (PTR_INT_TYPE): Define.
    (EXTEND_BUFFER): Change incr type from int to PTR_INT_TYPE.

Modified:
    trunk/libiberty/ChangeLog
    trunk/libiberty/regex.c

[Bug other/56245] -fsanitize=address miscompiles GCC

[jakub at gcc dot gnu.org]

http://gcc.gnu.org/bugzilla/show_bug.cgi?id=56245

Jakub Jelinek <jakub at gcc dot gnu.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|ASSIGNED                    |RESOLVED
         Resolution|                            |FIXED
   Target Milestone|---                         |4.8.0

--- Comment #11 from Jakub Jelinek <jakub at gcc dot gnu.org> 2013-02-09 18:45:14 UTC ---
Fixed.

[Bug other/56245] -fsanitize=address miscompiles GCC

[jakub at gcc dot gnu.org]

http://gcc.gnu.org/bugzilla/show_bug.cgi?id=56245

--- Comment #12 from Jakub Jelinek <jakub at gcc dot gnu.org> 2013-02-19 17:27:06 UTC ---
Author: jakub
Date: Tue Feb 19 17:26:56 2013
New Revision: 196148

URL: http://gcc.gnu.org/viewcvs?root=gcc&view=rev&rev=196148
Log:
    Backported from mainline
    2013-02-09  Jakub Jelinek  <jakub@redhat.com>

    PR other/56245
    * regex.c (PTR_INT_TYPE): Define.
    (EXTEND_BUFFER): Change incr type from int to PTR_INT_TYPE.

Modified:
    branches/gcc-4_7-branch/libiberty/ChangeLog
    branches/gcc-4_7-branch/libiberty/regex.c