http://gcc.gnu.org/bugzilla/show_bug.cgi?id=55417
Bug #: 55417
Summary: [4.8 Regression] AddressSanitizer reports stack-buffer-overflow in profiling code
Classification: Unclassified
Product: gcc
Version: 4.8.0
Status: UNCONFIRMED
Severity: normal
Priority: P3
Component: gcov-profile
AssignedTo: unassig...@gcc.gnu.org
ReportedBy: mar...@trippelsdorf.de

% g++ -fprofile-generate -O3 -march=native tramp3d-v4.cpp
% ./a.out --cartvis 1.0 0.0 --rhomin 1e-8 -n 20
...

(gcc built with gcc's address-sanitizer)

% /var/tmp/gcc_sani_gcc/usr/local/bin/g++ -w -fprofile-use -O3 -march=native tramp3d-v4.cpp 2>&1 | asan_symbolize.py | c++filt
=================================================================
==12985== ERROR: AddressSanitizer stack-buffer-overflow on address 0x7ffff9616080 at pc 0x12c1613 bp 0x7ffff9615b60 sp 0x7ffff9615b58
READ of size 8 at 0x7ffff9616080 thread T0
    #0 0x12c1612 in compute_working_sets /home/markus/gcc/gcc/profile.c:294
Address 0x7ffff9616080 is located at offset 1184 in frame <compute_branch_probabilities> of T0's stack:
  This frame has 2 object(s):
    [32, 112) 'hist_br_prob'
    [160, 1184) 'working_set_cum_values'
HINT: this may be a false positive if your program uses some custom stack unwind mechanism (longjmp and C++ exceptions *are* supported)
Shadow byte and word:
  0x1fffff2c2c10: f3
  0x1fffff2c2c10: f3 f3 f3 f3 00 00 00 00
More shadow bytes:
  0x1fffff2c2bf0: 00 00 00 00 00 00 00 00
  0x1fffff2c2bf8: 00 00 00 00 00 00 00 00
  0x1fffff2c2c00: 00 00 00 00 00 00 00 00
  0x1fffff2c2c08: 00 00 00 00 00 00 00 00
=>0x1fffff2c2c10: f3 f3 f3 f3 00 00 00 00
  0x1fffff2c2c18: 00 00 00 00 00 00 00 00
  0x1fffff2c2c20: 00 00 00 00 00 00 00 00
  0x1fffff2c2c28: 00 00 00 00 00 00 00 00
  0x1fffff2c2c30: 00 00 00 00 00 00 00 00
==12985== ABORTING

(gcc built with clang's address-sanitizer)

% /var/tmp/gcc_sani_clang/usr/local/bin/g++ -w -fprofile-use -O3 -march=native tramp3d-v4.cpp 2>&1 | asan_symbolize.py | c++filt
=================================================================
==13020== ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7fff6d236680 at pc 0x1393105 bp 0x7fff6d236090 sp 0x7fff6d236088
READ of size 8 at 0x7fff6d236680 thread T0
    #0 0x1393104 in get_exec_counts(unsigned int, unsigned int) /home/markus/gcc/gcc/profile.c:294
    #1 0x16de490 in tree_profiling() /home/markus/gcc/gcc/tree-profile.c:483
Address 0x7fff6d236680 is located at offset 1312 in frame <branch_prob()> of T0's stack:
  This frame has 15 object(s):
    [32, 60) 'n_histogram_counters.i'
    [96, 152) 'histogram_counts.i'
    [192, 248) 'act_count.i'
    [288, 1312) 'working_set_cum_values.i.i.i'
    [1344, 1424) 'hist_br_prob.i'
    [1472, 1504) ''
    [1536, 1568) ''
    [1600, 1608) 'values'
    [1664, 1696) ''
    [1728, 1760) ''
    [1792, 1824) ''
    [1856, 1888) ''
    [1920, 1924) 'offset8'
    [1984, 2016) 'curr_location'
    [2048, 2080) 'curr_location9'
HINT: this may be a false positive if your program uses some custom stack unwind mechanism (longjmp and C++ exceptions *are* supported)
Shadow byte and word:
  0x1fffeda46cd0: f2
  0x1fffeda46cd0: f2 f2 f2 f2 00 00 00 00
More shadow bytes:
  0x1fffeda46cb0: 00 00 00 00 00 00 00 00
  0x1fffeda46cb8: 00 00 00 00 00 00 00 00
  0x1fffeda46cc0: 00 00 00 00 00 00 00 00
  0x1fffeda46cc8: 00 00 00 00 00 00 00 00
=>0x1fffeda46cd0: f2 f2 f2 f2 00 00 00 00
  0x1fffeda46cd8: 00 00 00 00 00 00 f4 f4
  0x1fffeda46ce0: f2 f2 f2 f2 00 00 00 00
  0x1fffeda46ce8: f2 f2 f2 f2 00 00 00 00
  0x1fffeda46cf0: f2 f2 f2 f2 00 f4 f4 f4
==13020== ABORTING