public inbox for gcc-bugs@sourceware.org
help / color / mirror / Atom feed
From: "manu at gcc dot gnu.org" <gcc-bugzilla@gcc.gnu.org>
To: gcc-bugs@gcc.gnu.org
Subject: [Bug c++/59500] Bogus maybe-uninitialized (|| converted to nested-if)
Date: Fri, 12 Sep 2014 21:03:00 -0000 [thread overview]
Message-ID: <bug-59500-4-oMzzNAJs9E@http.gcc.gnu.org/bugzilla/> (raw)
In-Reply-To: <bug-59500-4@http.gcc.gnu.org/bugzilla/>
[-- Warning: decoded text below may be mangled, UTF-8 assumed --]
[-- Attachment #1: Type: text/plain; charset="UTF-8", Size: 6178 bytes --]
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=59500
Manuel López-Ibáñez <manu at gcc dot gnu.org> changed:
What |Removed |Added
----------------------------------------------------------------------------
Status|UNCONFIRMED |NEW
Last reconfirmed| |2014-09-12
Blocks| |24639
Summary|Bogus maybe-uninitialized |Bogus maybe-uninitialized
|warning due to |(|| converted to nested-if)
|optimizations |
Ever confirmed|0 |1
--- Comment #5 from Manuel López-Ibáñez <manu at gcc dot gnu.org> ---
(In reply to Andy Lutomirski from comment #1)
> This might be a duplicate of PR56574
I think not. In this case the problem is that
# value = PHI<value(D),intval()>
if (!valid || intval() < value)
is converted to
# value = PHI<value(D),intval() >
if(!valid)
else if (intval() < value)
and I think the uninit pass is not smart enough to realize that the use is
guarded by valid != 0 but the default definition implies valid == 0.
Perhaps it is also a missed-optimization, since "if(cond())" could jump
directly to "if (intval() < value)".
>From gcc-bugs-return-461728-listarch-gcc-bugs=gcc.gnu.org@gcc.gnu.org Fri Sep 12 22:27:29 2014
Return-Path: <gcc-bugs-return-461728-listarch-gcc-bugs=gcc.gnu.org@gcc.gnu.org>
Delivered-To: listarch-gcc-bugs@gcc.gnu.org
Received: (qmail 1171 invoked by alias); 12 Sep 2014 22:27:28 -0000
Mailing-List: contact gcc-bugs-help@gcc.gnu.org; run by ezmlm
Precedence: bulk
List-Id: <gcc-bugs.gcc.gnu.org>
List-Archive: <http://gcc.gnu.org/ml/gcc-bugs/>
List-Post: <mailto:gcc-bugs@gcc.gnu.org>
List-Help: <mailto:gcc-bugs-help@gcc.gnu.org>
Sender: gcc-bugs-owner@gcc.gnu.org
Delivered-To: mailing list gcc-bugs@gcc.gnu.org
Received: (qmail 1104 invoked by uid 48); 12 Sep 2014 22:27:21 -0000
From: "dvyukov at google dot com" <gcc-bugzilla@gcc.gnu.org>
To: gcc-bugs@gcc.gnu.org
Subject: [Bug sanitizer/63251] New: tsan: corrupted shadow stack
Date: Fri, 12 Sep 2014 22:27:00 -0000
X-Bugzilla-Reason: CC
X-Bugzilla-Type: new
X-Bugzilla-Watch-Reason: None
X-Bugzilla-Product: gcc
X-Bugzilla-Component: sanitizer
X-Bugzilla-Version: 5.0
X-Bugzilla-Keywords:
X-Bugzilla-Severity: normal
X-Bugzilla-Who: dvyukov at google dot com
X-Bugzilla-Status: UNCONFIRMED
X-Bugzilla-Priority: P3
X-Bugzilla-Assigned-To: unassigned at gcc dot gnu.org
X-Bugzilla-Target-Milestone: ---
X-Bugzilla-Flags:
X-Bugzilla-Changed-Fields: bug_id short_desc product version bug_status bug_severity priority component assigned_to reporter cc attachments.created
Message-ID: <bug-63251-4@http.gcc.gnu.org/bugzilla/>
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: 7bit
X-Bugzilla-URL: http://gcc.gnu.org/bugzilla/
Auto-Submitted: auto-generated
MIME-Version: 1.0
X-SW-Source: 2014-09/txt/msg01562.txt.bz2
Content-length: 3053
https://gcc.gnu.org/bugzilla/show_bug.cgi?idc251
Bug ID: 63251
Summary: tsan: corrupted shadow stack
Product: gcc
Version: 5.0
Status: UNCONFIRMED
Severity: normal
Priority: P3
Component: sanitizer
Assignee: unassigned at gcc dot gnu.org
Reporter: dvyukov at google dot com
CC: dodji at gcc dot gnu.org, dvyukov at gcc dot gnu.org,
jakub at gcc dot gnu.org, kcc at gcc dot gnu.org
Created attachment 33486
--> https://gcc.gnu.org/bugzilla/attachment.cgi?id3486&actioníit
reproducer
Reported in the ThreadSanitizer bug tracker, but it looks like gcc
instrumentation issue:
https://code.google.com/p/thread-sanitizer/issues/detail?idv
gcc version 5.0.0 20140830 (experimental) (GCC)
$ g++ -fsanitize=thread /tmp/stack.cc -pie -fPIE -g
$ ./a.out
=================WARNING: ThreadSanitizer: data race (pid'898)
...
Thread T2 (tid'901, running) created by main thread at:
#0 pthread_create ../../.././libsanitizer/tsan/tsan_interceptors.cc:853
(libtsan.so.0+0x000000026eb4)
#1 main /tmp/stack.cc:28 (a.out+0x000000001017)
#2 void std::__introsort_loop<__gnu_cxx::__normal_iterator<int*,
std::vector<int, std::allocator<int> > >, long,
__gnu_cxx::__ops::_Iter_less_iter>(__gnu_cxx::__normal_iterator<int*,
std::vector<int, std::allocator<int> > >, __gnu_cxx::__normal_iterator<int*,
std::vector<int, std::allocator<int> > >, long,
__gnu_cxx::__ops::_Iter_less_iter)
/ssd/src/gcc_trunk/install/include/c++/5.0.0/bits/stl_algo.h:1952
(a.out+0x000000001d60)
#3 void std::__sort<__gnu_cxx::__normal_iterator<int*, std::vector<int,
std::allocator<int> > >,
__gnu_cxx::__ops::_Iter_less_iter>(__gnu_cxx::__normal_iterator<int*,
std::vector<int, std::allocator<int> > >, __gnu_cxx::__normal_iterator<int*,
std::vector<int, std::allocator<int> > >, __gnu_cxx::__ops::_Iter_less_iter)
/ssd/src/gcc_trunk/install/include/c++/5.0.0/bits/stl_algo.h:1967
(a.out+0x00000000182c)
#4 void std::sort<__gnu_cxx::__normal_iterator<int*, std::vector<int,
std::allocator<int> > > >(__gnu_cxx::__normal_iterator<int*, std::vector<int,
std::allocator<int> > >, __gnu_cxx::__normal_iterator<int*, std::vector<int,
std::allocator<int> > >)
/ssd/src/gcc_trunk/install/include/c++/5.0.0/bits/stl_algo.h:4676
(a.out+0x00000000130a)
#5 main /tmp/stack.cc:24 (a.out+0x000000000fd9)
Frames #1-4 are bogus and must not be present in the thread creation stack.
Clang produces a correct stack, which is:
Thread T2 (tid\x12121, running) created by main thread at:
#0 pthread_create
/ssd/src/llvm/build/../projects/compiler-rt/lib/tsan/rtl/tsan_interceptors.cc:847
(a.out+0x000000048403)
#1 main /tmp/stack.cc:28:3 (a.out+0x000000095bcf)
Looking at the symptoms I think that the sort-related functions do not call
__tsan_func_exit and so they are left on the shadow stack.
It's not only about report quality. If it happens enough times, then it will
overflow and blow up tsan shadow stack.
prev parent reply other threads:[~2014-09-12 21:03 UTC|newest]
Thread overview: 4+ messages / expand[flat|nested] mbox.gz Atom feed top
[not found] <bug-59500-4@http.gcc.gnu.org/bugzilla/>
2014-01-14 23:51 ` [Bug c++/59500] Bogus maybe-unintialized warning due to optimizations luto at mit dot edu
2014-09-12 18:43 ` [Bug c++/59500] Bogus maybe-uninitialized " luto at mit dot edu
2014-09-12 18:44 ` luto at mit dot edu
2014-09-12 21:03 ` manu at gcc dot gnu.org [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=bug-59500-4-oMzzNAJs9E@http.gcc.gnu.org/bugzilla/ \
--to=gcc-bugzilla@gcc.gnu.org \
--cc=gcc-bugs@gcc.gnu.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).