[Bug c++/63928] [5 Regression] use after free in cp/constexpr.c

public inbox for gcc-bugs@sourceware.org
help / color / mirror / Atom feed

* [Bug c++/63928] [5 Regression] use after free in cp/constexpr.c
       [not found] <bug-63928-4@http.gcc.gnu.org/bugzilla/>
@ 2014-11-18 10:23 ` rguenth at gcc dot gnu.org
  2014-11-19  8:46 ` trippels at gcc dot gnu.org
                   ` (3 subsequent siblings)
  4 siblings, 0 replies; 5+ messages in thread
From: rguenth at gcc dot gnu.org @ 2014-11-18 10:23 UTC (permalink / raw)
  To: gcc-bugs

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=63928

Richard Biener <rguenth at gcc dot gnu.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
           Priority|P3                          |P1
   Target Milestone|---                         |5.0


^ permalink raw reply	[flat|nested] 5+ messages in thread

* [Bug c++/63928] [5 Regression] use after free in cp/constexpr.c
       [not found] <bug-63928-4@http.gcc.gnu.org/bugzilla/>
  2014-11-18 10:23 ` [Bug c++/63928] [5 Regression] use after free in cp/constexpr.c rguenth at gcc dot gnu.org
@ 2014-11-19  8:46 ` trippels at gcc dot gnu.org
  2014-11-19 13:04 ` trippels at gcc dot gnu.org
                   ` (2 subsequent siblings)
  4 siblings, 0 replies; 5+ messages in thread
From: trippels at gcc dot gnu.org @ 2014-11-19  8:46 UTC (permalink / raw)
  To: gcc-bugs

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=63928

--- Comment #1 from Markus Trippelsdorf <trippels at gcc dot gnu.org> ---
Created attachment 34034
  --> https://gcc.gnu.org/bugzilla/attachment.cgi?id=34034&action=edit
testcase

Also reproducible with valgrind:

trippels@gcc2-power8 c++11 % valgrind -q --track-origins=yes
--trace-children=yes ~/gcc_test/usr/local/bin/g++ -std=gnu++11 -O2 -w
condition_variable.ii
==80030== Invalid read of size 8
==80030==    at 0x103EB1BC: cxx_eval_store_expression (constexpr.c:2552)
==80030==    by 0x103EB1BC: cxx_eval_constant_expression(constexpr_ctx const*,
tree_node*, bool, bool*, bool*, tree_node**) (constexpr.c:2943)
==80030==    by 0x103EACAB: cxx_eval_constant_expression(constexpr_ctx const*,
tree_node*, bool, bool*, bool*, tree_node**) (constexpr.c:2955)
==80030==    by 0x103EB297: cxx_eval_constant_expression(constexpr_ctx const*,
tree_node*, bool, bool*, bool*, tree_node**) (constexpr.c:3047)
==80030==    by 0x103EB66B: cxx_eval_constant_expression(constexpr_ctx const*,
tree_node*, bool, bool*, bool*, tree_node**) (constexpr.c:3214)
==80030==    by 0x103E9A3B: cxx_eval_call_expression(constexpr_ctx const*,
tree_node*, bool, bool*, bool*) (constexpr.c:1328)
==80030==    by 0x103EB623: cxx_eval_constant_expression(constexpr_ctx const*,
tree_node*, bool, bool*, bool*, tree_node**) (constexpr.c:2865)
==80030==    by 0x103F0F7B: cxx_eval_outermost_constant_expr(tree_node*, bool,
tree_node*) (constexpr.c:3340)
==80030==    by 0x103F5603: maybe_constant_value(tree_node*, tree_node*)
(constexpr.c:3453)
==80030==    by 0x103506AB: finish_static_assert(tree_node*, tree_node*,
unsigned int, bool) (semantics.c:7046)
==80030==    by 0x102B02C7: cp_parser_static_assert(cp_parser*, bool)
(parser.c:12139)
==80030==    by 0x102D35EF: cp_parser_member_declaration(cp_parser*)
(parser.c:20673)
==80030==    by 0x102A290B: cp_parser_member_specification_opt (parser.c:20542)
==80030==    by 0x102A290B: cp_parser_class_specifier_1 (parser.c:19734)
==80030==    by 0x102A290B: cp_parser_class_specifier (parser.c:19970)
==80030==    by 0x102A290B: cp_parser_type_specifier(cp_parser*, int,
cp_decl_specifier_seq*, bool, int*, bool*) (parser.c:14630)
==80030==  Address 0xb69b348 is 104 bytes inside a block of size 208 free'd
==80030==    at 0x407764C: free (vg_replace_malloc.c:473)
==80030==    by 0x1022934B: data_free (hash-table.h:233)
==80030==    by 0x1022934B: hash_table<hash_map<tree_node*, tree_node*,
default_hashmap_traits>::hash_entry, xcallocator, true>::expand()
(hash-table.h:1346)
==80030==    by 0x10229583: find_slot_with_hash (hash-table.h:1455)
==80030==    by 0x10229583: hash_map<tree_node*, tree_node*,
default_hashmap_traits>::put(tree_node* const&, tree_node* const&)
(hash-map.h:207)
==80030==    by 0x103EC5EF: cxx_eval_constant_expression(constexpr_ctx const*,
tree_node*, bool, bool*, bool*, tree_node**) (constexpr.c:2917)
==80030==    by 0x103EB57F: cxx_eval_constant_expression(constexpr_ctx const*,
tree_node*, bool, bool*, bool*, tree_node**) (constexpr.c:2985)
==80030==    by 0x103E93A3: cxx_bind_parameters_in_call (constexpr.c:1071)
==80030==    by 0x103E93A3: cxx_eval_call_expression(constexpr_ctx const*,
tree_node*, bool, bool*, bool*) (constexpr.c:1234)
==80030==    by 0x103EB623: cxx_eval_constant_expression(constexpr_ctx const*,
tree_node*, bool, bool*, bool*, tree_node**) (constexpr.c:2865)
==80030==    by 0x103ED93F: cxx_eval_binary_expression(constexpr_ctx const*,
tree_node*, bool, bool*, bool*) (constexpr.c:1491)
==80030==    by 0x103EB31F: cxx_eval_constant_expression(constexpr_ctx const*,
tree_node*, bool, bool*, bool*, tree_node**) (constexpr.c:3092)
==80030==    by 0x103EB193: cxx_eval_store_expression (constexpr.c:2540)
==80030==    by 0x103EB193: cxx_eval_constant_expression(constexpr_ctx const*,
tree_node*, bool, bool*, bool*, tree_node**) (constexpr.c:2943)
==80030==    by 0x103EACAB: cxx_eval_constant_expression(constexpr_ctx const*,
tree_node*, bool, bool*, bool*, tree_node**) (constexpr.c:2955)
==80030==    by 0x103EB297: cxx_eval_constant_expression(constexpr_ctx const*,
tree_node*, bool, bool*, bool*, tree_node**) (constexpr.c:3047)
==80030==


^ permalink raw reply	[flat|nested] 5+ messages in thread

* [Bug c++/63928] [5 Regression] use after free in cp/constexpr.c
       [not found] <bug-63928-4@http.gcc.gnu.org/bugzilla/>
  2014-11-18 10:23 ` [Bug c++/63928] [5 Regression] use after free in cp/constexpr.c rguenth at gcc dot gnu.org
  2014-11-19  8:46 ` trippels at gcc dot gnu.org
@ 2014-11-19 13:04 ` trippels at gcc dot gnu.org
  2014-11-19 19:03 ` jason at gcc dot gnu.org
  2014-11-19 19:05 ` jason at gcc dot gnu.org
  4 siblings, 0 replies; 5+ messages in thread
From: trippels at gcc dot gnu.org @ 2014-11-19 13:04 UTC (permalink / raw)
  To: gcc-bugs

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=63928

Markus Trippelsdorf <trippels at gcc dot gnu.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |y.gribov at samsung dot com

--- Comment #2 from Markus Trippelsdorf <trippels at gcc dot gnu.org> ---
*** Bug 63961 has been marked as a duplicate of this bug. ***


^ permalink raw reply	[flat|nested] 5+ messages in thread

* [Bug c++/63928] [5 Regression] use after free in cp/constexpr.c
       [not found] <bug-63928-4@http.gcc.gnu.org/bugzilla/>
                   ` (2 preceding siblings ...)
  2014-11-19 13:04 ` trippels at gcc dot gnu.org
@ 2014-11-19 19:03 ` jason at gcc dot gnu.org
  2014-11-19 19:05 ` jason at gcc dot gnu.org
  4 siblings, 0 replies; 5+ messages in thread
From: jason at gcc dot gnu.org @ 2014-11-19 19:03 UTC (permalink / raw)
  To: gcc-bugs

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=63928

--- Comment #3 from Jason Merrill <jason at gcc dot gnu.org> ---
Author: jason
Date: Wed Nov 19 19:03:20 2014
New Revision: 217790

URL: https://gcc.gnu.org/viewcvs?rev=217790&root=gcc&view=rev
Log:
    PR c++/63928
    * constexpr.c (cxx_eval_store_expression): Return init, not *valp.

Modified:
    trunk/gcc/cp/ChangeLog
    trunk/gcc/cp/constexpr.c


^ permalink raw reply	[flat|nested] 5+ messages in thread

* [Bug c++/63928] [5 Regression] use after free in cp/constexpr.c
       [not found] <bug-63928-4@http.gcc.gnu.org/bugzilla/>
                   ` (3 preceding siblings ...)
  2014-11-19 19:03 ` jason at gcc dot gnu.org
@ 2014-11-19 19:05 ` jason at gcc dot gnu.org
  4 siblings, 0 replies; 5+ messages in thread
From: jason at gcc dot gnu.org @ 2014-11-19 19:05 UTC (permalink / raw)
  To: gcc-bugs

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=63928

Jason Merrill <jason at gcc dot gnu.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|UNCONFIRMED                 |RESOLVED
         Resolution|---                         |FIXED
           Assignee|unassigned at gcc dot gnu.org      |jason at gcc dot gnu.org

--- Comment #4 from Jason Merrill <jason at gcc dot gnu.org> ---
Fixed.


^ permalink raw reply	[flat|nested] 5+ messages in thread

end of thread, other threads:[~2014-11-19 19:05 UTC | newest]

Thread overview: 5+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
     [not found] <bug-63928-4@http.gcc.gnu.org/bugzilla/>
2014-11-18 10:23 ` [Bug c++/63928] [5 Regression] use after free in cp/constexpr.c rguenth at gcc dot gnu.org
2014-11-19  8:46 ` trippels at gcc dot gnu.org
2014-11-19 13:04 ` trippels at gcc dot gnu.org
2014-11-19 19:03 ` jason at gcc dot gnu.org
2014-11-19 19:05 ` jason at gcc dot gnu.org

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).