public inbox for gcc-bugs@sourceware.org
help / color / mirror / Atom feed
* [Bug tree-optimization/58396] New: [4.9 Regression] heap-use-after-free at gcc/tree-loop-distribution.c:1959
@ 2013-09-11 18:27 markus at trippelsdorf dot de
  2013-09-12  8:34 ` [Bug tree-optimization/58396] " rguenth at gcc dot gnu.org
                   ` (3 more replies)
  0 siblings, 4 replies; 5+ messages in thread
From: markus at trippelsdorf dot de @ 2013-09-11 18:27 UTC (permalink / raw)
  To: gcc-bugs

http://gcc.gnu.org/bugzilla/show_bug.cgi?id=58396

            Bug ID: 58396
           Summary: [4.9 Regression] heap-use-after-free at
                    gcc/tree-loop-distribution.c:1959
           Product: gcc
           Version: 4.9.0
            Status: UNCONFIRMED
          Severity: normal
          Priority: P3
         Component: tree-optimization
          Assignee: unassigned at gcc dot gnu.org
          Reporter: markus at trippelsdorf dot de

bootstrap-asan with -O3 gives:

/var/tmp/gcc_build_dir/./gcc/xgcc -shared-libgcc -B/var/tmp/gcc_build_dir/./gcc
-nostdinc++ -L/var/tmp/gcc_build_dir/x86_64-unknown-linux-gnu/libstdc++-v3/src
-L/var/tmp/gcc_build_dir/x86_64-unknown-linux-gnu/libstdc++-v3/src/.libs
-L/var/tmp/gcc_build_dir/x86_64-unknown-linux-gnu/libstdc++-v3/libsupc++/.libs
-B/usr/local/x86_64-unknown-linux-gnu/bin/
-B/usr/local/x86_64-unknown-linux-gnu/lib/ -isystem
/usr/local/x86_64-unknown-linux-gnu/include -isystem
/usr/local/x86_64-unknown-linux-gnu/sys-include
-I/var/tmp/gcc/libstdc++-v3/../libgcc
-I/var/tmp/gcc_build_dir/x86_64-unknown-linux-gnu/libstdc++-v3/include/x86_64-unknown-linux-gnu
-I/var/tmp/gcc_build_dir/x86_64-unknown-linux-gnu/libstdc++-v3/include
-I/var/tmp/gcc/libstdc++-v3/libsupc++ -D_GLIBCXX_SHARED -fno-implicit-templates
-Wall -Wextra -Wwrite-strings -Wcast-qual -Wabi
-fdiagnostics-show-location=once -ffunction-sections -fdata-sections
-frandom-seed=bitmap_allocator.lo -march=native -O3 -g -pipe -c
../../../../../gcc/libstdc++-v3/src/c++98/bitmap_allocator.cc -fPIC -DPIC
-D_GLIBCXX_SHARED -o bitmap_allocator.o 2>&1 | asan_symbolize.py | c++filt
=================================================================
==20268== ERROR: AddressSanitizer: heap-use-after-free on address
0x6006001646e4 at pc 0x15abf35 bp 0x7fffc85df980 sp 0x7fffc85df978
READ of size 4 at 0x6006001646e4 thread T0
    #0 0x15abf34 in build_rdg
/var/tmp/gcc_build_dir/gcc/../../gcc/gcc/vec.h:1238
    #1 0x15ad344 in distribute_loop
/var/tmp/gcc_build_dir/gcc/../../gcc/gcc/tree-loop-distribution.c:1959
    #2 0x11f91cf in execute_one_pass(opt_pass*)
/var/tmp/gcc_build_dir/gcc/../../gcc/gcc/passes.c:2201
    #3 0x11fa99b in execute_pass_list
/var/tmp/gcc_build_dir/gcc/../../gcc/gcc/passes.c:2253
    #4 0xb3336b in expand_function
/var/tmp/gcc_build_dir/gcc/../../gcc/gcc/cgraphunit.c:1723
    #5 0xb370a1 in expand_all_functions
/var/tmp/gcc_build_dir/gcc/../../gcc/gcc/cgraphunit.c:1828
    #6 0xb37f44 in compile
/var/tmp/gcc_build_dir/gcc/../../gcc/gcc/cgraphunit.c:2065
    #7 0x6d7569 in cp_write_global_declarations()
/var/tmp/gcc_build_dir/gcc/../../gcc/gcc/cp/decl2.c:4364
    #8 0x14726da in compile_file
/var/tmp/gcc_build_dir/gcc/../../gcc/gcc/toplev.c:560
    #9 0x1476537 in do_compile
/var/tmp/gcc_build_dir/gcc/../../gcc/gcc/toplev.c:1891
    #10 0x7f76ffe3aa74 in __libc_start_main
/home/markus/glibc/csu/libc-start.c:269
    #11 0x5439e0 in _start /home/markus/glibc/csu/../sysdeps/x86_64/start.S:122
0x6006001646e4 is located 4 bytes inside of 32-byte region
[0x6006001646e0,0x600600164700)
freed by thread T0 here:
    #0 0x557e4a in __interceptor_free _asan_rtl_
    #1 0x15aa68b in release<loop*>
/var/tmp/gcc_build_dir/gcc/../../gcc/gcc/vec.h:319
previously allocated by thread T0 here:
    #0 0x557f4a in __interceptor_malloc _asan_rtl_
    #1 0x24cfa74 in xrealloc
/var/tmp/gcc_build_dir/libiberty/../../gcc/libiberty/xmalloc.c:177
Shadow bytes around the buggy address:
  0x0c0140024880: fa fa fd fd fd fa fa fa fd fd fd fa fa fa fd fd
  0x0c0140024890: fd fa fa fa fd fd fd fa fa fa 00 00 00 00 fa fa
  0x0c01400248a0: 00 00 00 fa fa fa 00 00 00 fa fa fa 00 00 00 fa
  0x0c01400248b0: fa fa 00 00 00 fa fa fa 00 00 00 fa fa fa 00 00
  0x0c01400248c0: 00 fa fa fa 00 00 00 fa fa fa 00 00 00 fa fa fa
=>0x0c01400248d0: 00 00 00 fa fa fa 00 00 00 fa fa fa[fd]fd fd fd
  0x0c01400248e0: fa fa fd fd fd fa fa fa fd fd fd fa fa fa fd fd
  0x0c01400248f0: fd fa fa fa fd fd fd fa fa fa fd fd fd fa fa fa
  0x0c0140024900: fd fd fd fa fa fa fd fd fd fa fa fa fd fd fd fa
  0x0c0140024910: fa fa fd fd fd fa fa fa fd fd fd fd fa fa fd fd
  0x0c0140024920: fd fa fa fa fd fd fd fa fa fa fd fd fd fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:     fa
  Heap righ redzone:     fb
  Freed Heap region:     fd
  Stack left redzone:    f1
  Stack mid redzone:     f2
  Stack right redzone:   f3
  Stack partial redzone: f4
  Stack after return:    f5
  Stack use after scope: f8
  Global redzone:        f9
  Global init order:     f6
  Poisoned by user:      f7
  ASan internal:         fe
==20268== ABORTING

I guess r202431 is to blame.


^ permalink raw reply	[flat|nested] 5+ messages in thread
end of thread, other threads:[~2013-09-12 11:19 UTC | newest]

Thread overview: 5+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2013-09-11 18:27 [Bug tree-optimization/58396] New: [4.9 Regression] heap-use-after-free at gcc/tree-loop-distribution.c:1959 markus at trippelsdorf dot de
2013-09-12  8:34 ` [Bug tree-optimization/58396] " rguenth at gcc dot gnu.org
2013-09-12 10:11 ` markus at trippelsdorf dot de
2013-09-12 11:18 ` rguenth at gcc dot gnu.org
2013-09-12 11:19 ` rguenth at gcc dot gnu.org

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).