From: "mpolacek at gcc dot gnu.org"
To: gcc-bugs@gcc.gnu.org
Subject: [Bug sanitizer/60535] Link failure with -flto and -fsanitize=undefined
Date: Mon, 17 Mar 2014 14:36:00 -0000
X-Bugzilla-Product: gcc
X-Bugzilla-Component: sanitizer
X-Bugzilla-Version: 4.9.0
X-Bugzilla-Severity: enhancement
X-Bugzilla-Status: ASSIGNED
X-Bugzilla-Priority: P3
X-Bugzilla-Assigned-To: jakub at gcc dot gnu.org
X-Bugzilla-Target-Milestone: 4.9.0

http://gcc.gnu.org/bugzilla/show_bug.cgi?id=60535

--- Comment #5 from Marek Polacek ---
(In reply to Jakub Jelinek from comment #3)
> g++.dg/ubsan/pr59437.C
>
> This one shows a bug either in the -fvtable-* verification stuff, or in
> cgraph, but doesn't look related to ubsan:
>
> ==27993== Invalid write of size 8
> ==27993==    at 0x89AEEC: bitmap_initialize_stat(bitmap_head*, bitmap_obstack*) (bitmap.h:277)
> ==27993==    by 0x89BA7C: bitmap_obstack_alloc_stat(bitmap_obstack*) (bitmap.c:376)
> ==27993==    by 0xDCB7B2: mark_def_dom_walker::mark_def_dom_walker(cdi_direction) (tree-into-ssa.c:2234)
> ==27993==    by 0xDCBA80: rewrite_into_ssa() (tree-into-ssa.c:2331)
> ==27993==    by 0xDCBD70: (anonymous namespace)::pass_build_ssa::execute() (tree-into-ssa.c:2403)
> ==27993==    by 0xC56F9D: execute_one_pass(opt_pass*) (passes.c:2229)
> ==27993==    by 0xC571B6: execute_pass_list(opt_pass*) (passes.c:2282)
> ==27993==    by 0xC4B58E: gcc::pass_manager::execute_early_local_passes() (passes.c:135)
> ==27993==    by 0x92BCA4: cgraph_process_new_functions() (cgraphunit.c:338)
> ==27993==    by 0x80DDE3: vtv_generate_init_routine() (vtable-class-hierarchy.c:1191)
> ==27993==    by 0x6B534E: cp_write_global_declarations() (decl2.c:4619)
> ==27993==    by 0xD42091: compile_file() (toplev.c:562)
> ==27993==  Address 0xbc0cdf0 is 96 bytes inside a block of size 4,064 free'd
> ==27993==    at 0x4A07577: free (in /usr/lib64/valgrind/vgpreload_memcheck-amd64-linux.so)
> ==27993==    by 0x3C5FA84857: obstack_free (in /usr/lib64/libc-2.18.so)
> ==27993==    by 0x89B901: bitmap_obstack_release(bitmap_obstack*) (bitmap.c:358)
> ==27993==    by 0x92C95C: analyze_function(cgraph_node*) (cgraphunit.c:665)
> ==27993==    by 0x92BC0B: cgraph_process_new_functions() (cgraphunit.c:334)
> ==27993==    by 0x80DDE3: vtv_generate_init_routine() (vtable-class-hierarchy.c:1191)
> ==27993==    by 0x6B534E: cp_write_global_declarations() (decl2.c:4619)
> ==27993==    by 0xD42091: compile_file() (toplev.c:562)
> ==27993==    by 0xD441E9: do_compile() (toplev.c:1914)
> ==27993==    by 0xD44354: toplev_main(int, char**) (toplev.c:1990)
> ==27993==    by 0x14BD71B: main (main.c:36)
>
> Apparently this is related to the default obstack freeing and use after
> free, either vtable*.c calls cgraph at a pointer where it is not supposed to
> (or needs to conditionalize it on cgraph_state), or cgraph doesn't handle
> nesting properly.

I think this is PR59441.
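Added example, not GCC code and not the fix for the bug discussed above: a toy model of the nested initialise/release pattern the two stacks show, where an inner analyze_function()-style frame releases the shared obstack while an outer rewrite_into_ssa()-style frame still holds a bitmap head allocated from it. The unguarded release reproduces the dangling outer allocation; a nesting counter is shown as one possible guard. All toy_* names and CHUNK_SIZE are hypothetical.

```c
#include <stdlib.h>
#include <string.h>
/* Toy stand-in for GCC's default bitmap obstack (hypothetical, not GCC code):
   one malloc'd chunk handed out piecewise and freed wholesale on release. */
struct toy_obstack { unsigned char *chunk; size_t used; int depth; };

enum { CHUNK_SIZE = 4064 };   /* block size named in the valgrind trace */

static void toy_initialize(struct toy_obstack *ob)
{
    if (ob->depth++ == 0) {   /* only the outermost caller allocates */
        ob->chunk = malloc(CHUNK_SIZE);
        ob->used = 0;
    }
}

static void *toy_alloc(struct toy_obstack *ob, size_t n)
{
    if (!ob->chunk || ob->used + n > CHUNK_SIZE) return NULL;
    void *p = ob->chunk + ob->used;
    ob->used += n;
    return p;
}

/* Unguarded release: frees the chunk even if an outer frame still uses it. */
static void toy_release_unguarded(struct toy_obstack *ob)
{
    free(ob->chunk); ob->chunk = NULL; ob->depth = 0;
}

/* Guarded release: only the outermost initialize/release pair frees. */
static void toy_release_guarded(struct toy_obstack *ob)
{
    if (--ob->depth == 0) { free(ob->chunk); ob->chunk = NULL; }
}

/* Replays the trace's shape: the outer pass allocates a bitmap head, a nested
   frame initialises and releases the same obstack, then the outer pass writes
   to its head.  Returns 1 if that write lands in live memory, 0 if it would
   be the use-after-free valgrind reported (the write is skipped then). */
static int outer_head_survives(int guarded)
{
    struct toy_obstack ob = {0};
    toy_initialize(&ob);                       /* outer frame */
    unsigned char *head = toy_alloc(&ob, 96);  /* 96 bytes into the block */
    toy_initialize(&ob);                       /* nested frame */
    toy_alloc(&ob, 32);
    if (guarded) toy_release_guarded(&ob); else toy_release_unguarded(&ob);
    int alive = ob.chunk && head >= ob.chunk && head < ob.chunk + CHUNK_SIZE;
    if (alive) memset(head, 0, 8);             /* the 8-byte write */
    if (guarded) toy_release_guarded(&ob);
    return alive;
}
```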