[Bug other/61016] New: use of uninitialized memory in gcc/config/i386/i386.c

[Bug other/61016] New: use of uninitialized memory in gcc/config/i386/i386.c

[kcc at gcc dot gnu.org]

http://gcc.gnu.org/bugzilla/show_bug.cgi?id=61016

            Bug ID: 61016
           Summary: use of uninitialized memory in gcc/config/i386/i386.c
           Product: gcc
           Version: unknown
            Status: UNCONFIRMED
          Severity: normal
          Priority: P3
         Component: other
          Assignee: unassigned at gcc dot gnu.org
          Reporter: kcc at gcc dot gnu.org
                CC: eugeni.stepanov at gmail dot com

Created attachment 32715
  --> http://gcc.gnu.org/bugzilla/attachment.cgi?id=32715&action=edit
z.cc

This is revision 209930 on x86_64 Linux. 

% valgrind --track-origins=yes gcc/cc1plus -quiet   z.cc    -O2 -o /dev/null

==12029== Conditional jump or move depends on uninitialised value(s)
==12029==    at 0xDBEF66: classify_argument(machine_mode, tree_node const*,
x86_64_reg_class*, int) (gcc/config/i386/i386.c:6361)
==12029==    by 0xDBF2D4: classify_argument(machine_mode, tree_node const*,
x86_64_reg_class*, int) (gcc/config/i386/i386.c:6501)
==12029==    by 0xDBA097: ix86_function_arg_advance(cumulative_args_t,
machine_mode, tree_node const*, bool) (gcc/config/i386/i386.c:6818)
==12029==    by 0x92B40A: gimplify_parameters() (gcc/function.c:3624)
==12029==    by 0x978AEA: gimplify_body(tree_node*, bool) (gcc/gimplify.c:8620)
==12029==    by 0x9794AC: gimplify_function_tree(tree_node*)
(gcc/gimplify.c:8777)
==12029==    by 0x7EBC14: analyze_function(cgraph_node*) (gcc/cgraphunit.c:649)
==12029==    by 0x7EECD2: analyze_functions() (gcc/cgraphunit.c:1017)
==12029==    by 0x7EEACB: finalize_compilation_unit() (gcc/cgraphunit.c:2320)
==12029==    by 0x5E67D3: cp_write_global_declarations() (gcc/cp/decl2.c:4619)
==12029==    by 0xB19A20: compile_file() (gcc/toplev.c:562)
==12029==    by 0xB197D7: toplev_main(int, char**) (gcc/toplev.c:1914)
==12029==  Uninitialised value was created by a stack allocation
==12029==    at 0xDBE920: classify_argument(machine_mode, tree_node const*,
x86_64_reg_class*, int) (gcc/config/i386/i386.c:6412)


The bug was initially detected by MemorySanitizer (which is a bit trickier to
use with gcc at the moment)

==5348== WARNING: MemorySanitizer: use-of-uninitialized-value
    #0 0x7f265400f64d in merge_classes(x86_64_reg_class, x86_64_reg_class)
gcc/config/i386/i386.c:6361
    #1 0x7f265400f64d in classify_argument(machine_mode, tree_node const*,
x86_64_reg_class*, int) gcc/config/i386/i386.c:6557
    #2 0x7f265400dbfa in classify_argument(machine_mode, tree_node const*,
x86_64_reg_class*, int) gcc/config/i386/i386.c:6501
    #3 0x7f2653fef8fc in examine_argument(machine_mode, tree_node const*, int,
int*, int*) gcc/config/i386/i386.c:6817
    #4 0x7f2653fef8fc in function_arg_advance_64(ix86_args*, machine_mode,
tree_node const*, long, bool) gcc/config/i386/i386.c:7199
    #5 0x7f2653fef8fc in ix86_function_arg_advance(cumulative_args_t,
machine_mode, tree_node const*, bool) gcc/config/i386/i386.c:7253
    #6 0x7f26523a1ae1 in gimplify_parameters() gcc/function.c:3624
    #7 0x7f2652594737 in gimplify_body(tree_node*, bool) gcc/gimplify.c:8620
    #8 0x7f2652598479 in gimplify_function_tree(tree_node*) gcc/gimplify.c:8777
    #9 0x7f2651bee7db in analyze_function(cgraph_node*) gcc/cgraphunit.c:649
    #10 0x7f2651c01aa1 in analyze_functions() gcc/cgraphunit.c:1017
    #11 0x7f2651c01088 in finalize_compilation_unit() gcc/cgraphunit.c:2320
    #12 0x7f2650f8da6e in cp_write_global_declarations() gcc/cp/decl2.c:4619
    #13 0x7f2652fa249d in compile_file() gcc/toplev.c:562
    #14 0x7f2652fa06ff in do_compile() gcc/toplev.c:1914
    #15 0x7f2652fa06ff in toplev_main(int, char**) gcc/toplev.c:1990
    #16 0x7f26552563b3 in main gcc/main.c:36
    #17 0x7f264f30276c in __libc_start_main
/build/buildd/eglibc-2.15/csu/libc-start.c:226
    #18 0x7f26509f8960 in _start
(/usr/local/google/ssd/msan-gcc/inst/libexec/gcc/x86_64-unknown-linux-gnu/4.10.0/cc1plus+0x2f4960)

  Uninitialized value was created by an allocation of 'subclasses' in the stack
frame of function 'classify_argument(machine_mode, tree_node const*,
x86_64_reg_class*, int)'
    #0 0x7f265400a310 in classify_argument(machine_mode, tree_node const*,
x86_64_reg_class*, int) gcc/config/i386/i386.c:6412


Confirmed by printf:

Index: gcc/config/i386/i386.c
===================================================================
--- gcc/config/i386/i386.c      (revision 209930)
+++ gcc/config/i386/i386.c      (working copy)
@@ -6428,6 +6428,7 @@
       int i;
       tree field;
       enum x86_64_reg_class subclasses[MAX_CLASSES];
+      subclasses[1] = (enum x86_64_reg_class)0xab;

       /* On x86-64 we pass structures larger than 64 bytes on the stack.  */
       if (bytes > 64)
@@ -6553,8 +6554,10 @@
                                           bit_offset);
                  if (!num)
                    return 0;
-                 for (i = 0; i < num; i++)
+                 for (i = 0; i < num; i++) {
+                    fprintf(stderr, "ZZZ[%d] %x\n", i, classes[i]);
                    classes[i] = merge_classes (subclasses[i], classes[i]);
+                  }
                }
            }
          break;



ZZZ[0] 0
ZZZ[1] ab       <<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<

[Bug other/61016] use of uninitialized memory in gcc/config/i386/i386.c

[kcc at gcc dot gnu.org]

http://gcc.gnu.org/bugzilla/show_bug.cgi?id=61016

--- Comment #1 from Kostya Serebryany <kcc at gcc dot gnu.org> ---
Slightly more reduced test: 


template <typename T>
struct vector {
  void resize(int, T = T()) {}
};
class UnknownField;
class UnknownFieldSet {
  void DeleteByNumber (int);
  vector < UnknownField > *fields_;
};
class UnknownField {
  long a;
  union {
    void *b;
  };
};
void UnknownFieldSet::DeleteByNumber (int) {
  fields_->resize (0);
}

[Bug other/61016] use of uninitialized memory in gcc/config/i386/i386.c

[kcc at gcc dot gnu.org]

http://gcc.gnu.org/bugzilla/show_bug.cgi?id=61016

Kostya Serebryany <kcc at gcc dot gnu.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |hubicka at gcc dot gnu.org

--- Comment #2 from Kostya Serebryany <kcc at gcc dot gnu.org> ---
"svn blame" tells that the uninitialized array was introduced by hubicka@: 

 45726    hubicka       enum x86_64_reg_class subclasses[MAX_CLASSES];

[Bug other/61016] use of uninitialized memory in gcc/config/i386/i386.c

[kcc at gcc dot gnu.org]

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=61016

--- Comment #3 from Kostya Serebryany <kcc at gcc dot gnu.org> ---
Ping. Any interest? 
The bug is still present in r212279

[Bug other/61016] use of uninitialized memory in gcc/config/i386/i386.c

[ubizjak at gmail dot com]

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=61016

Uroš Bizjak <ubizjak at gmail dot com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|UNCONFIRMED                 |RESOLVED
         Resolution|---                         |DUPLICATE

--- Comment #4 from Uroš Bizjak <ubizjak at gmail dot com> ---
This is handled in PR 61656.

*** This bug has been marked as a duplicate of bug 61656 ***
>From gcc-bugs-return-456063-listarch-gcc-bugs=gcc.gnu.org@gcc.gnu.org Thu Jul 10 15:28:23 2014
Return-Path: <gcc-bugs-return-456063-listarch-gcc-bugs=gcc.gnu.org@gcc.gnu.org>
Delivered-To: listarch-gcc-bugs@gcc.gnu.org
Received: (qmail 9045 invoked by alias); 10 Jul 2014 15:28:22 -0000
Mailing-List: contact gcc-bugs-help@gcc.gnu.org; run by ezmlm
Precedence: bulk
List-Id: <gcc-bugs.gcc.gnu.org>
List-Archive: <http://gcc.gnu.org/ml/gcc-bugs/>
List-Post: <mailto:gcc-bugs@gcc.gnu.org>
List-Help: <mailto:gcc-bugs-help@gcc.gnu.org>
Sender: gcc-bugs-owner@gcc.gnu.org
Delivered-To: mailing list gcc-bugs@gcc.gnu.org
Received: (qmail 8793 invoked by uid 48); 10 Jul 2014 15:28:14 -0000
From: "ubizjak at gmail dot com" <gcc-bugzilla@gcc.gnu.org>
To: gcc-bugs@gcc.gnu.org
Subject: [Bug target/61656] Undefined behavior in classify_argument
Date: Thu, 10 Jul 2014 15:28:00 -0000
X-Bugzilla-Reason: CC
X-Bugzilla-Type: changed
X-Bugzilla-Watch-Reason: None
X-Bugzilla-Product: gcc
X-Bugzilla-Component: target
X-Bugzilla-Version: 4.10.0
X-Bugzilla-Keywords:
X-Bugzilla-Severity: normal
X-Bugzilla-Who: ubizjak at gmail dot com
X-Bugzilla-Status: UNCONFIRMED
X-Bugzilla-Priority: P3
X-Bugzilla-Assigned-To: unassigned at gcc dot gnu.org
X-Bugzilla-Target-Milestone: ---
X-Bugzilla-Flags:
X-Bugzilla-Changed-Fields: cc
Message-ID: <bug-61656-4-FJ2P0maTwo@http.gcc.gnu.org/bugzilla/>
In-Reply-To: <bug-61656-4@http.gcc.gnu.org/bugzilla/>
References: <bug-61656-4@http.gcc.gnu.org/bugzilla/>
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
X-Bugzilla-URL: http://gcc.gnu.org/bugzilla/
Auto-Submitted: auto-generated
MIME-Version: 1.0
X-SW-Source: 2014-07/txt/msg00654.txt.bz2
Content-length: 443

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=61656

Uroš Bizjak <ubizjak at gmail dot com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |kcc at gcc dot gnu.org

--- Comment #2 from Uroš Bizjak <ubizjak at gmail dot com> ---
*** Bug 61016 has been marked as a duplicate of this bug. ***
>From gcc-bugs-return-456065-listarch-gcc-bugs=gcc.gnu.org@gcc.gnu.org Thu Jul 10 15:30:53 2014
Return-Path: <gcc-bugs-return-456065-listarch-gcc-bugs=gcc.gnu.org@gcc.gnu.org>
Delivered-To: listarch-gcc-bugs@gcc.gnu.org
Received: (qmail 15287 invoked by alias); 10 Jul 2014 15:30:53 -0000
Mailing-List: contact gcc-bugs-help@gcc.gnu.org; run by ezmlm
Precedence: bulk
List-Id: <gcc-bugs.gcc.gnu.org>
List-Archive: <http://gcc.gnu.org/ml/gcc-bugs/>
List-Post: <mailto:gcc-bugs@gcc.gnu.org>
List-Help: <mailto:gcc-bugs-help@gcc.gnu.org>
Sender: gcc-bugs-owner@gcc.gnu.org
Delivered-To: mailing list gcc-bugs@gcc.gnu.org
Received: (qmail 14830 invoked by uid 48); 10 Jul 2014 15:30:42 -0000
From: "jakub at gcc dot gnu.org" <gcc-bugzilla@gcc.gnu.org>
To: gcc-bugs@gcc.gnu.org
Subject: [Bug target/61656] Undefined behavior in classify_argument
Date: Thu, 10 Jul 2014 15:30:00 -0000
X-Bugzilla-Reason: CC
X-Bugzilla-Type: changed
X-Bugzilla-Watch-Reason: None
X-Bugzilla-Product: gcc
X-Bugzilla-Component: target
X-Bugzilla-Version: 4.10.0
X-Bugzilla-Keywords:
X-Bugzilla-Severity: normal
X-Bugzilla-Who: jakub at gcc dot gnu.org
X-Bugzilla-Status: UNCONFIRMED
X-Bugzilla-Priority: P3
X-Bugzilla-Assigned-To: unassigned at gcc dot gnu.org
X-Bugzilla-Target-Milestone: ---
X-Bugzilla-Flags:
X-Bugzilla-Changed-Fields:
Message-ID: <bug-61656-4-BJImZ03P9I@http.gcc.gnu.org/bugzilla/>
In-Reply-To: <bug-61656-4@http.gcc.gnu.org/bugzilla/>
References: <bug-61656-4@http.gcc.gnu.org/bugzilla/>
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: 7bit
X-Bugzilla-URL: http://gcc.gnu.org/bugzilla/
Auto-Submitted: auto-generated
MIME-Version: 1.0
X-SW-Source: 2014-07/txt/msg00656.txt.bz2
Content-length: 203

https://gcc.gnu.org/bugzilla/show_bug.cgi?ida656

--- Comment #3 from Jakub Jelinek <jakub at gcc dot gnu.org> ---
So, are you ok with the #c0 pseudo patch?  I guess I can bootstrap/regtest it
today.