public inbox for gcc-bugs@sourceware.org
* [Bug tree-optimization/58396] New: [4.9 Regression] heap-use-after-free at gcc/tree-loop-distribution.c:1959
@ 2013-09-11 18:27 markus at trippelsdorf dot de
2013-09-12 8:34 ` [Bug tree-optimization/58396] " rguenth at gcc dot gnu.org
` (3 more replies)
0 siblings, 4 replies; 5+ messages in thread
From: markus at trippelsdorf dot de @ 2013-09-11 18:27 UTC (permalink / raw)
To: gcc-bugs
http://gcc.gnu.org/bugzilla/show_bug.cgi?id=58396
Bug ID: 58396
Summary: [4.9 Regression] heap-use-after-free at
gcc/tree-loop-distribution.c:1959
Product: gcc
Version: 4.9.0
Status: UNCONFIRMED
Severity: normal
Priority: P3
Component: tree-optimization
Assignee: unassigned at gcc dot gnu.org
Reporter: markus at trippelsdorf dot de
bootstrap-asan with -O3 gives:
/var/tmp/gcc_build_dir/./gcc/xgcc -shared-libgcc -B/var/tmp/gcc_build_dir/./gcc
-nostdinc++ -L/var/tmp/gcc_build_dir/x86_64-unknown-linux-gnu/libstdc++-v3/src
-L/var/tmp/gcc_build_dir/x86_64-unknown-linux-gnu/libstdc++-v3/src/.libs
-L/var/tmp/gcc_build_dir/x86_64-unknown-linux-gnu/libstdc++-v3/libsupc++/.libs
-B/usr/local/x86_64-unknown-linux-gnu/bin/
-B/usr/local/x86_64-unknown-linux-gnu/lib/ -isystem
/usr/local/x86_64-unknown-linux-gnu/include -isystem
/usr/local/x86_64-unknown-linux-gnu/sys-include
-I/var/tmp/gcc/libstdc++-v3/../libgcc
-I/var/tmp/gcc_build_dir/x86_64-unknown-linux-gnu/libstdc++-v3/include/x86_64-unknown-linux-gnu
-I/var/tmp/gcc_build_dir/x86_64-unknown-linux-gnu/libstdc++-v3/include
-I/var/tmp/gcc/libstdc++-v3/libsupc++ -D_GLIBCXX_SHARED -fno-implicit-templates
-Wall -Wextra -Wwrite-strings -Wcast-qual -Wabi
-fdiagnostics-show-location=once -ffunction-sections -fdata-sections
-frandom-seed=bitmap_allocator.lo -march=native -O3 -g -pipe -c
../../../../../gcc/libstdc++-v3/src/c++98/bitmap_allocator.cc -fPIC -DPIC
-D_GLIBCXX_SHARED -o bitmap_allocator.o 2>&1 | asan_symbolize.py | c++filt
=================================================================
==20268== ERROR: AddressSanitizer: heap-use-after-free on address
0x6006001646e4 at pc 0x15abf35 bp 0x7fffc85df980 sp 0x7fffc85df978
READ of size 4 at 0x6006001646e4 thread T0
#0 0x15abf34 in build_rdg
/var/tmp/gcc_build_dir/gcc/../../gcc/gcc/vec.h:1238
#1 0x15ad344 in distribute_loop
/var/tmp/gcc_build_dir/gcc/../../gcc/gcc/tree-loop-distribution.c:1959
#2 0x11f91cf in execute_one_pass(opt_pass*)
/var/tmp/gcc_build_dir/gcc/../../gcc/gcc/passes.c:2201
#3 0x11fa99b in execute_pass_list
/var/tmp/gcc_build_dir/gcc/../../gcc/gcc/passes.c:2253
#4 0xb3336b in expand_function
/var/tmp/gcc_build_dir/gcc/../../gcc/gcc/cgraphunit.c:1723
#5 0xb370a1 in expand_all_functions
/var/tmp/gcc_build_dir/gcc/../../gcc/gcc/cgraphunit.c:1828
#6 0xb37f44 in compile
/var/tmp/gcc_build_dir/gcc/../../gcc/gcc/cgraphunit.c:2065
#7 0x6d7569 in cp_write_global_declarations()
/var/tmp/gcc_build_dir/gcc/../../gcc/gcc/cp/decl2.c:4364
#8 0x14726da in compile_file
/var/tmp/gcc_build_dir/gcc/../../gcc/gcc/toplev.c:560
#9 0x1476537 in do_compile
/var/tmp/gcc_build_dir/gcc/../../gcc/gcc/toplev.c:1891
#10 0x7f76ffe3aa74 in __libc_start_main
/home/markus/glibc/csu/libc-start.c:269
#11 0x5439e0 in _start /home/markus/glibc/csu/../sysdeps/x86_64/start.S:122
0x6006001646e4 is located 4 bytes inside of 32-byte region
[0x6006001646e0,0x600600164700)
freed by thread T0 here:
#0 0x557e4a in __interceptor_free _asan_rtl_
#1 0x15aa68b in release<loop*>
/var/tmp/gcc_build_dir/gcc/../../gcc/gcc/vec.h:319
previously allocated by thread T0 here:
#0 0x557f4a in __interceptor_malloc _asan_rtl_
#1 0x24cfa74 in xrealloc
/var/tmp/gcc_build_dir/libiberty/../../gcc/libiberty/xmalloc.c:177
Shadow bytes around the buggy address:
0x0c0140024880: fa fa fd fd fd fa fa fa fd fd fd fa fa fa fd fd
0x0c0140024890: fd fa fa fa fd fd fd fa fa fa 00 00 00 00 fa fa
0x0c01400248a0: 00 00 00 fa fa fa 00 00 00 fa fa fa 00 00 00 fa
0x0c01400248b0: fa fa 00 00 00 fa fa fa 00 00 00 fa fa fa 00 00
0x0c01400248c0: 00 fa fa fa 00 00 00 fa fa fa 00 00 00 fa fa fa
=>0x0c01400248d0: 00 00 00 fa fa fa 00 00 00 fa fa fa[fd]fd fd fd
0x0c01400248e0: fa fa fd fd fd fa fa fa fd fd fd fa fa fa fd fd
0x0c01400248f0: fd fa fa fa fd fd fd fa fa fa fd fd fd fa fa fa
0x0c0140024900: fd fd fd fa fa fa fd fd fd fa fa fa fd fd fd fa
0x0c0140024910: fa fa fd fd fd fa fa fa fd fd fd fd fa fa fd fd
0x0c0140024920: fd fa fa fa fd fd fd fa fa fa fd fd fd fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Heap righ redzone: fb
Freed Heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack partial redzone: f4
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
ASan internal: fe
==20268== ABORTING
I guess r202431 is to blame.
^ permalink raw reply [flat|nested] 5+ messages in thread
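Added example (not part of the original report, and not GCC or ASan code): a short Python cross-check of the report above, mapping the faulting address to its shadow byte and confirming it is the `[fd]` byte the dump marks. The function names are hypothetical, and the shadow offset 0x7fff8000 is an assumption (the usual x86_64 Linux default) that the report's own numbers bear out.

```python
import re

SHADOW_SCALE = 3            # legend: one shadow byte represents 8 application bytes
SHADOW_OFFSET = 0x7FFF8000  # assumption: default ASan shadow offset on x86_64 Linux
LEGEND = {0x00: "addressable", 0xFA: "heap left redzone", 0xFD: "freed heap region"}

# Lines excerpted from the first report in this thread (shadow dump trimmed to 3 rows).
REPORT = """\
==20268== ERROR: AddressSanitizer: heap-use-after-free on address
0x6006001646e4 at pc 0x15abf35 bp 0x7fffc85df980 sp 0x7fffc85df978
READ of size 4 at 0x6006001646e4 thread T0
0x6006001646e4 is located 4 bytes inside of 32-byte region
[0x6006001646e0,0x600600164700)
  0x0c01400248c0: 00 fa fa fa 00 00 00 fa fa fa 00 00 00 fa fa fa
=>0x0c01400248d0: 00 00 00 fa fa fa 00 00 00 fa fa fa[fd]fd fd fd
  0x0c01400248e0: fa fa fd fd fd fa fa fa fd fd fd fa fa fa fd fd
"""

def shadow_addr(addr):
    """Map an application address to the shadow byte that describes it."""
    return (addr >> SHADOW_SCALE) + SHADOW_OFFSET

def parse_shadow_dump(text):
    """Return ({shadow address: byte}, address of the [xx]-marked byte)."""
    shadow, marked = {}, None
    for row in re.finditer(r"^(?:=>)?[ \t]*0x([0-9a-f]+):((?:[ \[\]][0-9a-f]{2})+)", text, re.M):
        base = int(row.group(1), 16)
        for i, (sep, byte) in enumerate(re.findall(r"([ \[\]])([0-9a-f]{2})", row.group(2))):
            shadow[base + i] = int(byte, 16)
            if sep == "[":
                marked = base + i
    return shadow, marked

def triage(text):
    """Cross-check the faulting address against the shadow dump in the same report."""
    kind = re.search(r"AddressSanitizer: (\S+)", text).group(1)
    access = int(re.search(r"(?:READ|WRITE) of size \d+ at 0x([0-9a-f]+)", text).group(1), 16)
    lo, hi = (int(x, 16) for x in re.search(r"\[0x([0-9a-f]+),0x([0-9a-f]+)\)", text).groups())
    shadow, marked = parse_shadow_dump(text)
    states = [LEGEND.get(shadow.get(s), "unknown") for s in range(shadow_addr(lo), shadow_addr(hi))]
    return {"kind": kind, "shadow": shadow_addr(access),
            "marker_matches": marked == shadow_addr(access), "region": states}

if __name__ == "__main__":
    print(triage(REPORT))
```

The 32-byte region maps to exactly four shadow bytes, all `fd`, which is why the READ of a block already released through `release<loop*>` is reported as heap-use-after-free rather than as an out-of-bounds access.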
* [Bug tree-optimization/58396] [4.9 Regression] heap-use-after-free at gcc/tree-loop-distribution.c:1959
From: rguenth at gcc dot gnu.org @ 2013-09-12 8:34 UTC (permalink / raw)
To: gcc-bugs
http://gcc.gnu.org/bugzilla/show_bug.cgi?id=58396
Richard Biener <rguenth at gcc dot gnu.org> changed:
What |Removed |Added
----------------------------------------------------------------------------
Status|UNCONFIRMED |ASSIGNED
Last reconfirmed| |2013-09-12
Target Milestone|--- |4.9.0
Ever confirmed|0 |1
--- Comment #1 from Richard Biener <rguenth at gcc dot gnu.org> ---
Hmm. Mine.
* [Bug tree-optimization/58396] [4.9 Regression] heap-use-after-free at gcc/tree-loop-distribution.c:1959
From: markus at trippelsdorf dot de @ 2013-09-12 10:11 UTC (permalink / raw)
To: gcc-bugs
http://gcc.gnu.org/bugzilla/show_bug.cgi?id=58396
--- Comment #2 from Markus Trippelsdorf <markus at trippelsdorf dot de> ---
Hopefully a better trace. gcc build with -Og. Testcase needs -O3 to trigger.
==3882== ERROR: AddressSanitizer: heap-use-after-free on address 0x600600321644
at pc 0x17d7480 bp 0x7fff6d493880 sp 0x7fff6d493878
READ of size 4 at 0x600600321644 thread T0
#0 0x17d747f in vec<loop*, va_heap, vl_embed>::length() const
/var/tmp/gcc_build_dir/gcc/../../gcc/gcc/vec.h:566
#1 0x17db2f1 in create_rdg_edges
/var/tmp/gcc_build_dir/gcc/../../gcc/gcc/tree-loop-distribution.c:385
#2 0x17e3020 in build_rdg
/var/tmp/gcc_build_dir/gcc/../../gcc/gcc/tree-loop-distribution.c:564
#3 0x17e7af0 in distribute_loop
/var/tmp/gcc_build_dir/gcc/../../gcc/gcc/tree-loop-distribution.c:1813
#4 0x17e9849 in tree_loop_distribution
/var/tmp/gcc_build_dir/gcc/../../gcc/gcc/tree-loop-distribution.c:1914
#5 0x17e9b82 in execute
/var/tmp/gcc_build_dir/gcc/../../gcc/gcc/tree-loop-distribution.c:1977
#6 0x144e83d in execute_one_pass(opt_pass*)
/var/tmp/gcc_build_dir/gcc/../../gcc/gcc/passes.c:2201
* [Bug tree-optimization/58396] [4.9 Regression] heap-use-after-free at gcc/tree-loop-distribution.c:1959
From: rguenth at gcc dot gnu.org @ 2013-09-12 11:18 UTC (permalink / raw)
To: gcc-bugs
http://gcc.gnu.org/bugzilla/show_bug.cgi?id=58396
--- Comment #3 from Richard Biener <rguenth at gcc dot gnu.org> ---
Author: rguenth
Date: Thu Sep 12 11:18:46 2013
New Revision: 202521
URL: http://gcc.gnu.org/viewcvs?rev=202521&root=gcc&view=rev
Log:
2013-09-12 Richard Biener <rguenther@suse.de>
PR tree-optimization/58396
* tree-loop-distribution.c (create_rdg_edges): Free unused DDRs.
(build_rdg): Take a loop-nest parameter, fix memleaks.
(distribute_loop): Compute loop-nest here and pass it to build_rdg.
Modified:
trunk/gcc/ChangeLog
trunk/gcc/tree-loop-distribution.c
* [Bug tree-optimization/58396] [4.9 Regression] heap-use-after-free at gcc/tree-loop-distribution.c:1959
From: rguenth at gcc dot gnu.org @ 2013-09-12 11:19 UTC (permalink / raw)
To: gcc-bugs
http://gcc.gnu.org/bugzilla/show_bug.cgi?id=58396
Richard Biener <rguenth at gcc dot gnu.org> changed:
What |Removed |Added
----------------------------------------------------------------------------
Status|ASSIGNED |RESOLVED
Resolution|--- |FIXED
--- Comment #4 from Richard Biener <rguenth at gcc dot gnu.org> ---
Fixed.