public inbox for gcc-bugs@sourceware.org
From: "marxin at gcc dot gnu.org" <gcc-bugzilla@gcc.gnu.org>
To: gcc-bugs@gcc.gnu.org
Subject: [Bug target/94482] Inserting into vector with optimization enabled on x86 generates incorrect result
Date: Sun, 05 Apr 2020 14:46:18 +0000
Message-ID: <bug-94482-4-VkOCcEfIBZ@http.gcc.gnu.org/bugzilla/>
In-Reply-To: <bug-94482-4@http.gcc.gnu.org/bugzilla/>

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=94482

--- Comment #6 from Martin Liška <marxin at gcc dot gnu.org> ---
But I bet it's invalid code:

$ gcc -fsanitize=undefined pr94482.c -O2  && ./a.out 
pr94482.c:14:11: runtime error: index 2 out of bounds for type 'long int [2]'
pr94482.c:14:15: runtime error: store to address 0x7fffffffe2f0 with
insufficient space for an object of type 'long int'
0x7fffffffe2f0: note: pointer points here
 00 00 00 00  00 00 00 00 00 00 00 00  eb 4c 48 f7 ff 7f 00 00  e0 d9 61 f7 ff
7f 00 00  e8 e3 ff ff
              ^ 
pr94482.c:14:11: runtime error: index 3 out of bounds for type 'long int [2]'
pr94482.c:14:15: runtime error: store to address 0x7fffffffe2f8 with
insufficient space for an object of type 'long int'
0x7fffffffe2f8: note: pointer points here
 00 00 00 00  eb 4c 48 f7 ff 7f 00 00  e0 d9 61 f7 ff 7f 00 00  e8 e3 ff ff ff
7f 00 00  00 1c 01 00
              ^ 
pr94482.c:14:11: runtime error: index 4 out of bounds for type 'long int [2]'
pr94482.c:14:15: runtime error: store to address 0x7fffffffe300 with
insufficient space for an object of type 'long int'
0x7fffffffe300: note: pointer points here
 00 00 00 00  e0 d9 61 f7 ff 7f 00 00  e8 e3 ff ff ff 7f 00 00  00 1c 01 00 01
00 00 00  70 10 40 00
              ^ 
pr94482.c:14:11: runtime error: index 5 out of bounds for type 'long int [2]'
pr94482.c:14:15: runtime error: store to address 0x7fffffffe308 with
insufficient space for an object of type 'long int'
0x7fffffffe308: note: pointer points here
 00 00 00 00  e8 e3 ff ff ff 7f 00 00  00 1c 01 00 01 00 00 00  70 10 40 00 00
00 00 00  60 15 40 00
              ^ 
pr94482.c:14:11: runtime error: index 6 out of bounds for type 'long int [2]'
pr94482.c:14:15: runtime error: store to address 0x7fffffffe310 with
insufficient space for an object of type 'long int'
0x7fffffffe310: note: pointer points here
 00 00 00 00  00 1c 01 00 01 00 00 00  70 10 40 00 00 00 00 00  60 15 40 00 00
00 00 00  1d 45 5c 9d
              ^ 
pr94482.c:14:11: runtime error: index 7 out of bounds for type 'long int [2]'
pr94482.c:14:15: runtime error: store to address 0x7fffffffe318 with
insufficient space for an object of type 'long int'
0x7fffffffe318: note: pointer points here
 00 00 00 00  70 10 40 00 00 00 00 00  60 15 40 00 00 00 00 00  1d 45 5c 9d 3a
72 cd ab  60 12 40 00
              ^ 
Segmentation fault (core dumped)

$ gcc -fsanitize=address pr94482.c -O2  && ./a.out 
=================================================================
==18733==ERROR: AddressSanitizer: stack-buffer-overflow on address
0x7fffffffe290 at pc 0x0000004015d1 bp 0x7fffffffe150 sp 0x7fffffffe148
WRITE of size 8 at 0x7fffffffe290 thread T0
    #0 0x4015d0 in main (/home/marxin/Programming/testcases/a.out+0x4015d0)
    #1 0x7ffff73c3cea in __libc_start_main ../csu/libc-start.c:308
    #2 0x401659 in _start (/home/marxin/Programming/testcases/a.out+0x401659)

Address 0x7fffffffe290 is located in stack of thread T0 at offset 304 in frame
    #0 0x40111f in main (/home/marxin/Programming/testcases/a.out+0x40111f)

  This frame has 11 object(s):
    [32, 48) 'n' (line 42)
    [64, 80) 'o' (line 43)
    [96, 112) 'r_' (line 47)
    [128, 144) 'n' (line 23)
    [160, 176) 'o' (line 24)
    [192, 208) 'r_' (line 26)
    [224, 240) 'n' (line 29)
    [256, 272) 'o' (line 30)
    [288, 304) 'r_' (line 12) <== Memory access at offset 304 overflows this
variable
    [320, 336) 'n' (line 15)
    [352, 368) 'o' (line 16)
HINT: this may be a false positive if your program uses some custom stack
unwind mechanism, swapcontext or vfork
      (longjmp and C++ exceptions *are* supported)
SUMMARY: AddressSanitizer: stack-buffer-overflow
(/home/marxin/Programming/testcases/a.out+0x4015d0) in main
Shadow bytes around the buggy address:
  0x10007fff7c00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10007fff7c10: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10007fff7c20: 00 00 00 00 00 00 00 00 00 00 00 00 f1 f1 f1 f1
  0x10007fff7c30: 00 00 f2 f2 00 00 f2 f2 00 00 f2 f2 00 00 f2 f2
  0x10007fff7c40: 00 00 f2 f2 00 00 f2 f2 00 00 f2 f2 00 00 f2 f2
=>0x10007fff7c50: 00 00[f2]f2 00 00 f2 f2 00 00 f3 f3 00 00 00 00
  0x10007fff7c60: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10007fff7c70: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10007fff7c80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10007fff7c90: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10007fff7ca0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
  Shadow gap:              cc
==18733==ABORTING
