public inbox for gcc-bugs@sourceware.org
* [Bug tree-optimization/60914] New: ICE: SIGSEGV (use after free) in bitmap_obstack_alloc_stat() with -flto -fvtable-verify=preinit
From: zsojka at seznam dot cz @ 2014-04-21 10:47 UTC (permalink / raw)
  To: gcc-bugs

http://gcc.gnu.org/bugzilla/show_bug.cgi?id=60914

            Bug ID: 60914
           Summary: ICE: SIGSEGV (use after free) in
                    bitmap_obstack_alloc_stat() with -flto
                    -fvtable-verify=preinit
           Product: gcc
           Version: 4.10.0
            Status: UNCONFIRMED
          Severity: normal
          Priority: P3
         Component: tree-optimization
          Assignee: unassigned at gcc dot gnu.org
          Reporter: zsojka at seznam dot cz

Created attachment 32649
  --> http://gcc.gnu.org/bugzilla/attachment.cgi?id=32649&action=edit
reduced testcase

Compiler output (under valgrind):
$ gcc -O -flto -fvtable-verify=preinit testcase.C
==14546== Invalid write of size 8
==14546==    at 0x8B8E31: bitmap_obstack_alloc_stat(bitmap_obstack*)
(bitmap.h:277)
==14546==    by 0xD5A222: (anonymous
namespace)::pass_build_ssa::execute(function*) (tree-into-ssa.c:2234)
==14546==    by 0xBFCF20: execute_one_pass(opt_pass*) (passes.c:2159)
==14546==    by 0xBFD1C5: execute_pass_list(opt_pass*) (passes.c:2212)
==14546==    by 0x93AE8E: cgraph_process_new_functions() [clone .part.42]
(cgraphunit.c:338)
==14546==    by 0x845546: vtv_generate_init_routine()
(vtable-class-hierarchy.c:1191)
==14546==    by 0x721E8D: cp_write_global_declarations() (decl2.c:4628)
==14546==    by 0xCF096C: compile_file() (toplev.c:562)
==14546==    by 0xCF293F: toplev_main(int, char**) (toplev.c:1914)
==14546==    by 0x5A46BF4: (below main) (in /lib64/libc-2.17.so)
==14546==  Address 0x64b4490 is 96 bytes inside a block of size 4,064 free'd
==14546==    at 0x4C2B57C: free (in
/usr/lib64/valgrind/vgpreload_memcheck-amd64-linux.so)
==14546==    by 0x5AA8144: obstack_free (in /lib64/libc-2.17.so)
==14546==    by 0x93A5A2: analyze_function(cgraph_node*) (cgraphunit.c:665)
==14546==    by 0x93AE4F: cgraph_process_new_functions() [clone .part.42]
(cgraphunit.c:334)
==14546==    by 0x845546: vtv_generate_init_routine()
(vtable-class-hierarchy.c:1191)
==14546==    by 0x721E8D: cp_write_global_declarations() (decl2.c:4628)
==14546==    by 0xCF096C: compile_file() (toplev.c:562)
==14546==    by 0xCF293F: toplev_main(int, char**) (toplev.c:1914)
==14546==    by 0x5A46BF4: (below main) (in /lib64/libc-2.17.so)



* [Bug tree-optimization/60914] ICE: SIGSEGV (use after free) in bitmap_obstack_alloc_stat() with -flto -fvtable-verify=preinit
From: jakub at gcc dot gnu.org @ 2014-04-22  5:58 UTC (permalink / raw)
  To: gcc-bugs

http://gcc.gnu.org/bugzilla/show_bug.cgi?id=60914

Jakub Jelinek <jakub at gcc dot gnu.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|UNCONFIRMED                 |NEW
   Last reconfirmed|                            |2014-04-22
                 CC|                            |jakub at gcc dot gnu.org
     Ever confirmed|0                           |1

--- Comment #1 from Jakub Jelinek <jakub at gcc dot gnu.org> ---
Yeah, I've seen this too on the g++.dg/ubsan/pr59437.C testcase.



* [Bug tree-optimization/60914] ICE: SIGSEGV (use after free) in bitmap_obstack_alloc_stat() with -flto -fvtable-verify=preinit
From: ctice at gcc dot gnu.org @ 2014-04-22 21:14 UTC (permalink / raw)
  To: gcc-bugs

http://gcc.gnu.org/bugzilla/show_bug.cgi?id=60914

--- Comment #2 from ctice at gcc dot gnu.org ---
Running your tests, I get a different ICE:

 gcc-fsf-root/usr/local/bin/gcc -O -flto -fvtable-verify=preinit pr59437.C
pr59437.C: In function ‘_GLOBAL__sub_I.00099_cout’:
pr59437.C:24:1: internal compiler error: Segmentation fault
 }
 ^
0xd6bfc1 crash_signal
    ../../gcc-fsf.clean/gcc/toplev.c:337
0x8a8ea5 bitmap_obstack_free(bitmap_head*)
    ../../gcc-fsf.clean/gcc/bitmap.c:408
0xdb3a83 cleanup_tree_cfg_1
    ../../gcc-fsf.clean/gcc/tree-cfgcleanup.c:698
0xdb3ae8 cleanup_tree_cfg_noloop
    ../../gcc-fsf.clean/gcc/tree-cfgcleanup.c:731
0xdb3bf5 cleanup_tree_cfg()
    ../../gcc-fsf.clean/gcc/tree-cfgcleanup.c:786
0xc7a8dc execute_function_todo
    ../../gcc-fsf.clean/gcc/passes.c:1741
0xc79cd8 do_per_function
    ../../gcc-fsf.clean/gcc/passes.c:1504
0xc7ab37 execute_todo
    ../../gcc-fsf.clean/gcc/passes.c:1817
Please submit a full bug report,
with preprocessed source if appropriate.
Please include the complete backtrace with any bug report.
See <http://gcc.gnu.org/bugs.html> for instructions.


I will investigate this, but I am concerned that I cannot seem to reproduce
your problem.

* [Bug tree-optimization/60914] ICE: SIGSEGV (use after free) in bitmap_obstack_alloc_stat() with -flto -fvtable-verify=preinit
From: zsojka at seznam dot cz @ 2014-04-27  8:01 UTC (permalink / raw)
  To: gcc-bugs

http://gcc.gnu.org/bugzilla/show_bug.cgi?id=60914

--- Comment #3 from Zdenek Sojka <zsojka at seznam dot cz> ---
(In reply to ctice from comment #2)
> Running your tests, I get a different ICE:
> 
>  gcc-fsf-root/usr/local/bin/gcc -O -flto -fvtable-verify=preinit pr59437.C
> pr59437.C: In function ‘_GLOBAL__sub_I.00099_cout’:
> pr59437.C:24:1: internal compiler error: Segmentation fault
>  }
>  ^
> 0xd6bfc1 crash_signal
> 	../../gcc-fsf.clean/gcc/toplev.c:337
> 0x8a8ea5 bitmap_obstack_free(bitmap_head*)
> 	../../gcc-fsf.clean/gcc/bitmap.c:408
> 0xdb3a83 cleanup_tree_cfg_1
> 	../../gcc-fsf.clean/gcc/tree-cfgcleanup.c:698
> 0xdb3ae8 cleanup_tree_cfg_noloop
> 	../../gcc-fsf.clean/gcc/tree-cfgcleanup.c:731
> 0xdb3bf5 cleanup_tree_cfg()
> 	../../gcc-fsf.clean/gcc/tree-cfgcleanup.c:786
> 0xc7a8dc execute_function_todo
> 	../../gcc-fsf.clean/gcc/passes.c:1741
> 0xc79cd8 do_per_function
> 	../../gcc-fsf.clean/gcc/passes.c:1504
> 0xc7ab37 execute_todo
> 	../../gcc-fsf.clean/gcc/passes.c:1817
> Please submit a full bug report,
> with preprocessed source if appropriate.
> Please include the complete backtrace with any bug report.
> See <http://gcc.gnu.org/bugs.html> for instructions.
> 
> 
> I will investigate this, but I am concerned that I cannot seem to reproduce
> your problem?

I see the error only when run under valgrind:
$  g++ /mnt/svn/gcc-trunk/gcc/testsuite/g++.dg/ubsan/pr59437.C
-fvtable-verify=std -flto -c -wrapper valgrind,-q
==13523== Invalid write of size 8
==13523==    at 0x8B9421: bitmap_obstack_alloc_stat(bitmap_obstack*)
(bitmap.h:277)
==13523==    by 0xD5B512: (anonymous
namespace)::pass_build_ssa::execute(function*) (tree-into-ssa.c:2234)
==13523==    by 0xBFDAD1: execute_one_pass(opt_pass*) (passes.c:2163)
==13523==    by 0xBFDDC5: execute_pass_list(opt_pass*) (passes.c:2216)
==13523==    by 0x93B4FE: cgraph_process_new_functions() [clone .part.42]
(cgraphunit.c:338)
==13523==    by 0x845696: vtv_generate_init_routine()
(vtable-class-hierarchy.c:1191)
==13523==    by 0x721F8D: cp_write_global_declarations() (decl2.c:4628)
==13523==    by 0xCF18CC: compile_file() (toplev.c:562)
==13523==    by 0xCF389F: toplev_main(int, char**) (toplev.c:1914)
==13523==    by 0x5A46BF4: (below main) (in /lib64/libc-2.17.so)
==13523==  Address 0x686ebb0 is 96 bytes inside a block of size 4,064 free'd
==13523==    at 0x4C2B57C: free (in
/usr/lib64/valgrind/vgpreload_memcheck-amd64-linux.so)
==13523==    by 0x5AA8144: obstack_free (in /lib64/libc-2.17.so)
==13523==    by 0x93AC12: analyze_function(cgraph_node*) (cgraphunit.c:665)
==13523==    by 0x93B4BF: cgraph_process_new_functions() [clone .part.42]
(cgraphunit.c:334)
==13523==    by 0x845696: vtv_generate_init_routine()
(vtable-class-hierarchy.c:1191)
==13523==    by 0x721F8D: cp_write_global_declarations() (decl2.c:4628)
==13523==    by 0xCF18CC: compile_file() (toplev.c:562)
==13523==    by 0xCF389F: toplev_main(int, char**) (toplev.c:1914)
==13523==    by 0x5A46BF4: (below main) (in /lib64/libc-2.17.so)
==13523== 
... and 100s of other similar errors.
Due to the nature of the bug, writing to already freed memory, the bug may
end in a SIGSEGV, glibc-reported memory corruption, any random-looking ICE, or
it may not cause any error at all.
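As an added example (not GCC's code; every name in it is hypothetical), the shape of this bug in miniature: an obstack-style arena is released by one phase while a later pass still holds a reference into it. Tagging references with a generation counter turns the stale write that valgrind reports into a refused allocation, so the use-after-free is caught deterministically instead of surfacing as the random symptoms described above.

```c
#include <stdlib.h>
#include <stddef.h>
#define ARENA_SIZE 4064            /* chunk size from the valgrind report */
struct arena {
    char *chunk;                   /* backing block, NULL while released */
    size_t used;
    unsigned generation;           /* bumped on every release */
};

/* A pass holds this instead of a raw arena pointer (hypothetical design). */
struct arena_ref { struct arena *a; unsigned generation; };

static void arena_init(struct arena *a) {
    a->chunk = malloc(ARENA_SIZE); a->used = 0; a->generation = 0;
}
/* Re-create the arena for the next function, keeping the generation. */
static void arena_reinit(struct arena *a) {
    a->chunk = malloc(ARENA_SIZE); a->used = 0;
}
static struct arena_ref arena_acquire(struct arena *a) {
    struct arena_ref r = { a, a->generation }; return r;
}
/* Refuses the request (instead of writing into freed memory) when the
   holder's generation no longer matches the arena's. */
static void *arena_alloc(struct arena_ref r, size_t n) {
    if (r.a->chunk == NULL || r.generation != r.a->generation) return NULL;
    if (r.a->used + n > ARENA_SIZE) return NULL;
    void *p = r.a->chunk + r.a->used; r.a->used += n; return p;
}
/* The obstack_free counterpart: frees the block and invalidates holders. */
static void arena_release(struct arena *a) {
    free(a->chunk); a->chunk = NULL; a->used = 0; a->generation++;
}

/* Replays the reported order of events: a pass takes a reference and
   allocates, the arena is released and re-created under it, and the pass
   allocates again. Returns 1 when only the stale request was refused. */
int replay_bug_sequence(void) {
    struct arena a; arena_init(&a);
    struct arena_ref held = arena_acquire(&a);
    int first_ok = arena_alloc(held, 96) != NULL;  /* 96 bytes in, as reported */
    arena_release(&a);                             /* analyze_function's free */
    arena_reinit(&a);                              /* next function reuses it */
    int stale_refused = arena_alloc(held, 8) == NULL;   /* the 8-byte write */
    int fresh_ok = arena_alloc(arena_acquire(&a), 8) != NULL;
    arena_release(&a);
    return first_ok && stale_refused && fresh_ok;
}
```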

* [Bug tree-optimization/60914] ICE: SIGSEGV (use after free) in bitmap_obstack_alloc_stat() with -flto -fvtable-verify=preinit
From: pinskia at gcc dot gnu.org @ 2021-09-20  8:57 UTC (permalink / raw)
  To: gcc-bugs

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=60914

Andrew Pinski <pinskia at gcc dot gnu.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
      Known to fail|4.10.0                      |

--- Comment #4 from Andrew Pinski <pinskia at gcc dot gnu.org> ---
The support for -flto and -fvtable-verify together was disabled at r10-2966.  I
am not saying we should close this, just that we produce a sorry starting in GCC 10.

