public inbox for gcc-bugs@sourceware.org
From: "marxin at gcc dot gnu.org" <gcc-bugzilla@gcc.gnu.org>
To: gcc-bugs@gcc.gnu.org
Subject: [Bug target/94482] Inserting into vector with optimization enabled on x86 generates incorrect result
Date: Sun, 05 Apr 2020 14:46:18 +0000
Message-ID: <bug-94482-4-VkOCcEfIBZ@http.gcc.gnu.org/bugzilla/>
In-Reply-To: <bug-94482-4@http.gcc.gnu.org/bugzilla/>

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=94482

--- Comment #6 from Martin Liška <marxin at gcc dot gnu.org> ---
But I bet it's invalid code:

$ gcc -fsanitize=undefined pr94482.c -O2 && ./a.out
pr94482.c:14:11: runtime error: index 2 out of bounds for type 'long int [2]'
pr94482.c:14:15: runtime error: store to address 0x7fffffffe2f0 with insufficient space for an object of type 'long int'
0x7fffffffe2f0: note: pointer points here
 00 00 00 00 00 00 00 00  00 00 00 00 eb 4c 48 f7  ff 7f 00 00 e0 d9 61 f7  ff 7f 00 00 e8 e3 ff ff
             ^
pr94482.c:14:11: runtime error: index 3 out of bounds for type 'long int [2]'
pr94482.c:14:15: runtime error: store to address 0x7fffffffe2f8 with insufficient space for an object of type 'long int'
0x7fffffffe2f8: note: pointer points here
 00 00 00 00 eb 4c 48 f7  ff 7f 00 00 e0 d9 61 f7  ff 7f 00 00 e8 e3 ff ff  ff 7f 00 00 00 1c 01 00
             ^
pr94482.c:14:11: runtime error: index 4 out of bounds for type 'long int [2]'
pr94482.c:14:15: runtime error: store to address 0x7fffffffe300 with insufficient space for an object of type 'long int'
0x7fffffffe300: note: pointer points here
 00 00 00 00 e0 d9 61 f7  ff 7f 00 00 e8 e3 ff ff  ff 7f 00 00 00 1c 01 00  01 00 00 00 70 10 40 00
             ^
pr94482.c:14:11: runtime error: index 5 out of bounds for type 'long int [2]'
pr94482.c:14:15: runtime error: store to address 0x7fffffffe308 with insufficient space for an object of type 'long int'
0x7fffffffe308: note: pointer points here
 00 00 00 00 e8 e3 ff ff  ff 7f 00 00 00 1c 01 00  01 00 00 00 70 10 40 00  00 00 00 00 60 15 40 00
             ^
pr94482.c:14:11: runtime error: index 6 out of bounds for type 'long int [2]'
pr94482.c:14:15: runtime error: store to address 0x7fffffffe310 with insufficient space for an object of type 'long int'
0x7fffffffe310: note: pointer points here
 00 00 00 00 00 1c 01 00  01 00 00 00 70 10 40 00  00 00 00 00 60 15 40 00  00 00 00 00 1d 45 5c 9d
             ^
pr94482.c:14:11: runtime error: index 7 out of bounds for type 'long int [2]'
pr94482.c:14:15: runtime error: store to address 0x7fffffffe318 with insufficient space for an object of type 'long int'
0x7fffffffe318: note: pointer points here
 00 00 00 00 70 10 40 00  00 00 00 00 60 15 40 00  00 00 00 00 1d 45 5c 9d  3a 72 cd ab 60 12 40 00
             ^
Segmentation fault (core dumped)

$ gcc -fsanitize=address pr94482.c -O2 && ./a.out
=================================================================
==18733==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7fffffffe290 at pc 0x0000004015d1 bp 0x7fffffffe150 sp 0x7fffffffe148
WRITE of size 8 at 0x7fffffffe290 thread T0
    #0 0x4015d0 in main (/home/marxin/Programming/testcases/a.out+0x4015d0)
    #1 0x7ffff73c3cea in __libc_start_main ../csu/libc-start.c:308
    #2 0x401659 in _start (/home/marxin/Programming/testcases/a.out+0x401659)

Address 0x7fffffffe290 is located in stack of thread T0 at offset 304 in frame
    #0 0x40111f in main (/home/marxin/Programming/testcases/a.out+0x40111f)

  This frame has 11 object(s):
    [32, 48) 'n' (line 42)
    [64, 80) 'o' (line 43)
    [96, 112) 'r_' (line 47)
    [128, 144) 'n' (line 23)
    [160, 176) 'o' (line 24)
    [192, 208) 'r_' (line 26)
    [224, 240) 'n' (line 29)
    [256, 272) 'o' (line 30)
    [288, 304) 'r_' (line 12) <== Memory access at offset 304 overflows this variable
    [320, 336) 'n' (line 15)
    [352, 368) 'o' (line 16)
HINT: this may be a false positive if your program uses some custom stack unwind mechanism, swapcontext or vfork
      (longjmp and C++ exceptions *are* supported)
SUMMARY: AddressSanitizer: stack-buffer-overflow (/home/marxin/Programming/testcases/a.out+0x4015d0) in main
Shadow bytes around the buggy address:
  0x10007fff7c00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10007fff7c10: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10007fff7c20: 00 00 00 00 00 00 00 00 00 00 00 00 f1 f1 f1 f1
  0x10007fff7c30: 00 00 f2 f2 00 00 f2 f2 00 00 f2 f2 00 00 f2 f2
  0x10007fff7c40: 00 00 f2 f2 00 00 f2 f2 00 00 f2 f2 00 00 f2 f2
=>0x10007fff7c50: 00 00[f2]f2 00 00 f2 f2 00 00 f3 f3 00 00 00 00
  0x10007fff7c60: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10007fff7c70: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10007fff7c80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10007fff7c90: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10007fff7ca0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
  Shadow gap:              cc
==18733==ABORTING
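Added example (not code from the bug report or from this message; pr94482.c itself is not on this page): a constructed 16-byte vector type modelled on what the two sanitizer reports expose, namely 16-byte stack objects n, o and r_ in the ASan frame and a 'long int [2]' element view in the UBSan bounds check. The lane-store helpers make the check that -fsanitize=bounds performs at runtime explicit, so eight stores through the two-element 64-bit view are rejected for indices 2 through 7, the indices UBSan lists, while the same eight stores through a 16-bit view stay inside the object. The union layout and every type and function name below are assumptions for illustration.

```c
/* Constructed illustration, not the reporter's pr94482.c. The union and all
 * names are assumptions; only the 16-byte size and the int64[2] view are taken
 * from the sanitizer output quoted in the message above. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

typedef union {
    int64_t i64[2];   /* the view UBSan reported as 'long int [2]' */
    int16_t i16[8];   /* eight 16-bit lanes occupying the same 16 bytes */
    uint8_t u8[16];   /* byte view, used for a memcpy-based read-back */
} vec128;

/* Store one 64-bit lane. Returns 0 on success, -1 if idx would leave the
 * two-element array, which is the condition behind
 * "index 2 out of bounds for type 'long int [2]'". */
static int vec128_insert_i64(vec128 *v, size_t idx, int64_t val)
{
    if (idx >= sizeof v->i64 / sizeof v->i64[0])
        return -1;
    v->i64[idx] = val;
    return 0;
}

/* Store one 16-bit lane; eight lanes fit, so indices 0..7 are all valid. */
static int vec128_insert_i16(vec128 *v, size_t idx, int16_t val)
{
    if (idx >= sizeof v->i16 / sizeof v->i16[0])
        return -1;
    v->i16[idx] = val;
    return 0;
}

/* Read a 64-bit lane back through the byte view with memcpy, so the read does
 * not depend on union type punning rules. Out-of-range idx yields 0. */
static int64_t vec128_lane_i64(const vec128 *v, size_t idx)
{
    int64_t out = 0;
    if (idx < sizeof v->i64 / sizeof v->i64[0])
        memcpy(&out, v->u8 + idx * sizeof out, sizeof out);
    return out;
}

/* Eight stores through the 64-bit view, the loop shape implied by the six
 * consecutive UBSan reports. Returns how many the bounds check rejected:
 * indices 2..7, i.e. 6. */
static int count_rejected_i64_stores(void)
{
    vec128 r_;
    int rejected = 0;
    memset(&r_, 0, sizeof r_);
    for (size_t i = 0; i < 8; i++)
        if (vec128_insert_i64(&r_, i, (int64_t)i) != 0)
            rejected++;
    return rejected;
}

/* The same eight stores through the 16-bit view all land inside the object. */
static int count_rejected_i16_stores(void)
{
    vec128 r_;
    int rejected = 0;
    memset(&r_, 0, sizeof r_);
    for (size_t i = 0; i < 8; i++)
        if (vec128_insert_i16(&r_, i, (int16_t)i) != 0)
            rejected++;
    return rejected;
}

/* Round trip: a rejected store leaves the zeroed object untouched. */
static int64_t insert_then_read(size_t idx, int64_t val)
{
    vec128 v;
    memset(&v, 0, sizeof v);
    (void)vec128_insert_i64(&v, idx, val);
    return vec128_lane_i64(&v, idx);
}

int main(void)
{
    printf("rejected i64 stores: %d\n", count_rejected_i64_stores());
    printf("rejected i16 stores: %d\n", count_rejected_i16_stores());
    printf("lane 1 after insert: %lld\n", (long long)insert_then_read(1, 42));
    return 0;
}
```

Build with and without -fsanitize=bounds,address: the explicit check means neither sanitizer fires here, whereas dropping the `idx >=` test in vec128_insert_i64 reproduces the same pair of UBSan "index N out of bounds" and ASan "stack-buffer-overflow ... overflows this variable" diagnostics for indices 2 and up.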
Thread overview: 31+ messages
  2020-04-03 22:40  [Bug target/94482] New: Inserting into vector with optimization enabled on x86 generates incorrect result  evan@coeus-group.com
  2020-04-04  9:36  ` [Bug target/94482] Inserting into vector with optimization enabled on x86 generates incorrect result  marxin at gcc dot gnu.org
  2020-04-04 17:33  ` evan@coeus-group.com
  2020-04-04 21:44  ` ubizjak at gmail dot com
  2020-04-04 21:50  ` ubizjak at gmail dot com
  2020-04-05 14:44  ` marxin at gcc dot gnu.org
  2020-04-05 14:46  ` marxin at gcc dot gnu.org  [this message]
  2020-04-05 21:08  ` evan@coeus-group.com
  2020-04-05 22:19  ` evan@coeus-group.com
  2020-04-06  6:35  ` marxin at gcc dot gnu.org
  2020-04-06  6:47  ` jakub at gcc dot gnu.org
  2020-04-06  6:55  ` marxin at gcc dot gnu.org
  2020-04-06  7:14  ` jakub at gcc dot gnu.org
  2020-04-06  7:20  ` rguenth at gcc dot gnu.org
  2020-04-06  7:28  ` [Bug target/94482] [8/9/10 Regression] Inserting into vector with optimization enabled on x86 generates incorrect result  jakub at gcc dot gnu.org
  2020-04-06  7:29  ` marxin at gcc dot gnu.org
  2020-04-06  7:30  ` jakub at gcc dot gnu.org
  2020-04-06  8:32  ` rguenth at gcc dot gnu.org
  2020-04-06  8:44  ` rguenth at gcc dot gnu.org
  2020-04-06  8:54  ` rguenth at gcc dot gnu.org
  2020-04-06  9:32  ` rguenth at gcc dot gnu.org
  2020-04-06 12:59  ` [Bug tree-optimization/94482] [8/9/10 Regression] Inserting into vector with optimization enabled on x86 generates incorrect result  rguenth at gcc dot gnu.org
  2020-04-06 13:40  ` jamborm at gcc dot gnu.org
  2020-04-06 16:36  ` rguenth at gcc dot gnu.org
  2020-04-09 12:43  ` cvs-commit at gcc dot gnu.org
  2020-04-09 12:46  ` [Bug tree-optimization/94482] [8/9 Regression] Inserting into vector with optimization enabled on x86 generates incorrect result  jamborm at gcc dot gnu.org
  2020-04-10  3:39  ` evan@coeus-group.com
  2020-04-11  5:51  ` cvs-commit at gcc dot gnu.org
  2020-04-21 12:22  ` cvs-commit at gcc dot gnu.org
  2020-04-21 15:42  ` cvs-commit at gcc dot gnu.org
  2020-04-21 16:37  ` jamborm at gcc dot gnu.org