From: "marxin at gcc dot gnu.org"
To: gcc-bugs@gcc.gnu.org
Subject: [Bug rtl-optimization/99680] New: [11 Regression] AddressSanitizer: global-buffer-overflow since g:04b4828c6dd2
Date: Sat, 20 Mar 2021 11:53:58 +0000

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=99680

            Bug ID: 99680
           Summary: [11 Regression] AddressSanitizer: global-buffer-overflow since g:04b4828c6dd2
           Product: gcc
           Version: 11.0
            Status: UNCONFIRMED
          Severity: normal
          Priority: P3
         Component: rtl-optimization
          Assignee: unassigned at gcc dot gnu.org
          Reporter: marxin at gcc dot gnu.org
                CC: vmakarov at gcc dot gnu.org
  Target Milestone: ---

Since the revision I see the following ASAN error for:

$ cat /tmp/ice.i
int __negti2_u2;
int __negti2_u() {
  int uu_0_0 = __negti2_u2;
  __int128 w_1 = uu_0_0 > 0;
  return w_1;
}

$ /home/marxin/BIG/buildbot/buildworker/marxinbox-gcc-asan/objdir/./gcc/xgcc -B/home/marxin/BIG/buildbot/buildworker/marxinbox-gcc-asan/objdir/./gcc/ -O2 /tmp/ice.i -c
=================================================================
==5474==ERROR: AddressSanitizer: global-buffer-overflow on address 0x0000049fe0a1 at pc 0x00000152ee4a bp 0x7fffffffb400 sp 0x7fffffffb3f8
READ of size 1 at 0x0000049fe0a1 thread T0
    #0 0x152ee49 in skip_contraint_modifiers /home/marxin/BIG/buildbot/buildworker/marxinbox-gcc-asan/build/gcc/lra-constraints.c:3401
    #1 0x153cf3b in process_address_1 /home/marxin/BIG/buildbot/buildworker/marxinbox-gcc-asan/build/gcc/lra-constraints.c:3470
    #2 0x1544432 in process_address /home/marxin/BIG/buildbot/buildworker/marxinbox-gcc-asan/build/gcc/lra-constraints.c:3765
    #3 0x1544432 in curr_insn_transform /home/marxin/BIG/buildbot/buildworker/marxinbox-gcc-asan/build/gcc/lra-constraints.c:4080
    #4 0x155681e in lra_constraints(bool) /home/marxin/BIG/buildbot/buildworker/marxinbox-gcc-asan/build/gcc/lra-constraints.c:5169
    #5 0x151831e in lra(_IO_FILE*) /home/marxin/BIG/buildbot/buildworker/marxinbox-gcc-asan/build/gcc/lra.c:2336
    #6 0x141b206 in do_reload /home/marxin/BIG/buildbot/buildworker/marxinbox-gcc-asan/build/gcc/ira.c:5834
    #7 0x141b206 in execute /home/marxin/BIG/buildbot/buildworker/marxinbox-gcc-asan/build/gcc/ira.c:6020
    #8 0x177a7f1 in execute_one_pass(opt_pass*) /home/marxin/BIG/buildbot/buildworker/marxinbox-gcc-asan/build/gcc/passes.c:2567
    #9 0x177c1e3 in execute_pass_list_1 /home/marxin/BIG/buildbot/buildworker/marxinbox-gcc-asan/build/gcc/passes.c:2656
    #10 0x177c209 in execute_pass_list_1 /home/marxin/BIG/buildbot/buildworker/marxinbox-gcc-asan/build/gcc/passes.c:2657
    #11 0x177c27f in execute_pass_list(function*, opt_pass*) /home/marxin/BIG/buildbot/buildworker/marxinbox-gcc-asan/build/gcc/passes.c:2667
    #12 0xc4051f in cgraph_node::expand() /home/marxin/BIG/buildbot/buildworker/marxinbox-gcc-asan/build/gcc/cgraphunit.c:1830
    #13 0xc43756 in expand_all_functions /home/marxin/BIG/buildbot/buildworker/marxinbox-gcc-asan/build/gcc/cgraphunit.c:1998
    #14 0xc43756 in symbol_table::compile() /home/marxin/BIG/buildbot/buildworker/marxinbox-gcc-asan/build/gcc/cgraphunit.c:2362
    #15 0xc4c4e6 in symbol_table::compile() /home/marxin/BIG/buildbot/buildworker/marxinbox-gcc-asan/build/gcc/cgraphunit.c:2275
    #16 0xc4c4e6 in symbol_table::finalize_compilation_unit() /home/marxin/BIG/buildbot/buildworker/marxinbox-gcc-asan/build/gcc/cgraphunit.c:2543
    #17 0x1a638b1 in compile_file /home/marxin/BIG/buildbot/buildworker/marxinbox-gcc-asan/build/gcc/toplev.c:482
    #18 0x697a45 in do_compile /home/marxin/BIG/buildbot/buildworker/marxinbox-gcc-asan/build/gcc/toplev.c:2201
    #19 0x697a45 in toplev::main(int, char**) /home/marxin/BIG/buildbot/buildworker/marxinbox-gcc-asan/build/gcc/toplev.c:2340
    #20 0x6a454a in main /home/marxin/BIG/buildbot/buildworker/marxinbox-gcc-asan/build/gcc/main.c:39
    #21 0x7ffff7852b24 in __libc_start_main ../csu/libc-start.c:332
    #22 0x6a584d in _start (/home/marxin/BIG/buildbot/buildworker/marxinbox-gcc-asan/objdir/gcc/cc1+0x6a584d)

0x0000049fe0a1 is located 63 bytes to the left of global variable '*.LC122' defined in 'insn-output.c' (0x49fe0e0) of size 22
  '*.LC122' is ascii string 'knotw {%1, %0|%0, %1}'
0x0000049fe0a1 is located 0 bytes to the right of global variable '*.LC121' defined in 'insn-output.c' (0x49fe0a0) of size 1
  '*.LC121' is ascii string ''
SUMMARY: AddressSanitizer: global-buffer-overflow /home/marxin/BIG/buildbot/buildworker/marxinbox-gcc-asan/build/gcc/lra-constraints.c:3401 in skip_contraint_modifiers
Shadow bytes around the buggy address:
  0x000080937bc0: f9 f9 f9 f9 00 00 00 00 00 00 05 f9 f9 f9 f9 f9
  0x000080937bd0: 00 00 00 06 f9 f9 f9 f9 00 00 00 03 f9 f9 f9 f9
  0x000080937be0: 00 00 00 00 00 04 f9 f9 f9 f9 f9 f9 00 01 f9 f9
  0x000080937bf0: f9 f9 f9 f9 00 00 00 00 00 00 02 f9 f9 f9 f9 f9
  0x000080937c00: 00 00 00 00 00 05 f9 f9 f9 f9 f9 f9 00 00 00 06
=>0x000080937c10: f9 f9 f9 f9[01]f9 f9 f9 f9 f9 f9 f9 00 00 06 f9
  0x000080937c20: f9 f9 f9 f9 00 00 06 f9 f9 f9 f9 f9 00 00 06 f9
  0x000080937c30: f9 f9 f9 f9 00 00 06 f9 f9 f9 f9 f9 00 00 00 07
  0x000080937c40: f9 f9 f9 f9 00 00 00 07 f9 f9 f9 f9 00 00 00 07
  0x000080937c50: f9 f9 f9 f9 00 00 00 07 f9 f9 f9 f9 00 00 00 07
  0x000080937c60: f9 f9 f9 f9 00 00 00 07 f9 f9 f9 f9 00 00 00 07
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
  Shadow gap:              cc
==5474==ABORTING

The problem is when curr_static_id->operand[nop].constraint is equal to "".
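Added example, not part of the report above and not GCC's code. The report pins down two facts: the operand constraint is the empty string, and ASAN flags a one-byte read located 0 bytes to the right of a one-byte global whose contents are ''. In other words, something inspected index 1 of "", one past the terminator. The C model below is hypothetical and does not reproduce lra-constraints.c: it wraps a NUL-terminated constraint string in a cursor that records a read past the terminator instead of performing it, runs a modifier-skipping scanner built on the classic strchr pitfall (strchr(set, '\0') is non-NULL, so the NUL is treated as a modifier and the scan walks past it), and runs a hardened scanner that rejects '\0' before consulting the set. The modifier set, the probe strings and every function name are assumptions made for this example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Assumed modifier set for this model; GCC's own set is not reproduced.  */
#define MODIFIERS "=+&%*#?!^$,"

/* Hypothetical model, not GCC's lra-constraints.c: a cursor over a
   NUL-terminated constraint string that records a read past the
   terminator instead of performing it, so the bug class from the report
   can be exercised and checked without undefined behaviour.  */
struct cursor {
  const char *str;   /* start of the constraint string          */
  size_t len;        /* strlen(str); str[len] is the NUL         */
  bool oob_read;     /* set if a read past the NUL was attempted */
};

static struct cursor cursor_init(const char *s)
{
  struct cursor c = { s, strlen(s), false };
  return c;
}

/* Indices 0..len are inside the object.  For "" (len == 0), index 1 is
   the one-byte read "0 bytes to the right of" the string in the report.
   Out of range we return DEL, an arbitrary non-modifier byte standing in
   for whatever object or redzone really follows the string.  */
static char cursor_at(struct cursor *c, size_t i)
{
  if (i > c->len) {
    c->oob_read = true;
    return '\177';
  }
  return c->str[i];
}

/* Defective skipper (hypothetical): strchr(MODIFIERS, '\0') finds the
   set's own terminator and is therefore non-NULL, so the NUL ending the
   constraint counts as a modifier and the scan continues past it.  On
   "" the very next read is index 1.  Returns the index it stopped at.  */
static size_t skip_modifiers_strchr(struct cursor *c)
{
  size_t i = 0;
  while (strchr(MODIFIERS, cursor_at(c, i)) != NULL)
    i++;
  return i;
}

/* Hardened test: reject the terminator before consulting the set.  */
static bool is_modifier(char ch)
{
  return ch != '\0' && strchr(MODIFIERS, ch) != NULL;
}

/* Corrected skipper: stops at the NUL, so it never reads past it and
   returns the index of the first non-modifier byte.  */
static size_t skip_modifiers_checked(struct cursor *c)
{
  size_t i = 0;
  while (is_modifier(cursor_at(c, i)))
    i++;
  return i;
}

struct probe { const char *constraint; size_t expect; };

/* Constructed inputs; the first is the report's empty constraint.  */
static const struct probe probes[] = {
  { "",    0 },
  { "=r",  1 },
  { "+&r", 2 },
  { "%0",  1 },
  { "r",   0 },
};
#define NPROBES (sizeof probes / sizeof probes[0])

typedef size_t (*skipper_fn)(struct cursor *);

/* Number of probes on which SKIP attempted a read past the terminator.  */
static int count_overreads(skipper_fn skip)
{
  int n = 0;
  for (size_t k = 0; k < NPROBES; k++) {
    struct cursor c = cursor_init(probes[k].constraint);
    skip(&c);
    n += c.oob_read;
  }
  return n;
}

/* Number of probes on which SKIP returned the wrong index.  */
static int count_wrong(skipper_fn skip)
{
  int n = 0;
  for (size_t k = 0; k < NPROBES; k++) {
    struct cursor c = cursor_init(probes[k].constraint);
    n += skip(&c) != probes[k].expect;
  }
  return n;
}

int main(void)
{
  printf("strchr skipper:  %d over-read(s), %d wrong result(s)\n",
         count_overreads(skip_modifiers_strchr), count_wrong(skip_modifiers_strchr));
  printf("checked skipper: %d over-read(s), %d wrong result(s)\n",
         count_overreads(skip_modifiers_checked), count_wrong(skip_modifiers_checked));
  return count_overreads(skip_modifiers_checked) == 0 ? 0 : 1;
}
```

Only the empty constraint trips the defective scanner; every non-empty probe yields the right index and no over-read, which is why a bug of this shape survives a normal test run and only surfaces under ASAN, exactly as in the report. The cursor is the model's substitute for the sanitizer: in the real compiler the byte at index 1 of '*.LC121' is a global redzone, which is what turns a silent one-byte over-read into the abort shown above.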