http://gcc.gnu.org/bugzilla/show_bug.cgi?id=58396
Bug ID: 58396
Summary: [4.9 Regression] heap-use-after-free at gcc/tree-loop-distribution.c:1959
Product: gcc
Version: 4.9.0
Status: UNCONFIRMED
Severity: normal
Priority: P3
Component: tree-optimization
Assignee: unassigned at gcc dot gnu.org
Reporter: markus at trippelsdorf dot de

bootstrap-asan with -O3 gives:

/var/tmp/gcc_build_dir/./gcc/xgcc -shared-libgcc -B/var/tmp/gcc_build_dir/./gcc -nostdinc++ -L/var/tmp/gcc_build_dir/x86_64-unknown-linux-gnu/libstdc++-v3/src -L/var/tmp/gcc_build_dir/x86_64-unknown-linux-gnu/libstdc++-v3/src/.libs -L/var/tmp/gcc_build_dir/x86_64-unknown-linux-gnu/libstdc++-v3/libsupc++/.libs -B/usr/local/x86_64-unknown-linux-gnu/bin/ -B/usr/local/x86_64-unknown-linux-gnu/lib/ -isystem /usr/local/x86_64-unknown-linux-gnu/include -isystem /usr/local/x86_64-unknown-linux-gnu/sys-include -I/var/tmp/gcc/libstdc++-v3/../libgcc -I/var/tmp/gcc_build_dir/x86_64-unknown-linux-gnu/libstdc++-v3/include/x86_64-unknown-linux-gnu -I/var/tmp/gcc_build_dir/x86_64-unknown-linux-gnu/libstdc++-v3/include -I/var/tmp/gcc/libstdc++-v3/libsupc++ -D_GLIBCXX_SHARED -fno-implicit-templates -Wall -Wextra -Wwrite-strings -Wcast-qual -Wabi -fdiagnostics-show-location=once -ffunction-sections -fdata-sections -frandom-seed=bitmap_allocator.lo -march=native -O3 -g -pipe -c ../../../../../gcc/libstdc++-v3/src/c++98/bitmap_allocator.cc -fPIC -DPIC -D_GLIBCXX_SHARED -o bitmap_allocator.o 2>&1 | asan_symbolize.py | c++filt

=================================================================
==20268== ERROR: AddressSanitizer: heap-use-after-free on address 0x6006001646e4 at pc 0x15abf35 bp 0x7fffc85df980 sp 0x7fffc85df978
READ of size 4 at 0x6006001646e4 thread T0
    #0 0x15abf34 in build_rdg /var/tmp/gcc_build_dir/gcc/../../gcc/gcc/vec.h:1238
    #1 0x15ad344 in distribute_loop /var/tmp/gcc_build_dir/gcc/../../gcc/gcc/tree-loop-distribution.c:1959
    #2 0x11f91cf in execute_one_pass(opt_pass*) /var/tmp/gcc_build_dir/gcc/../../gcc/gcc/passes.c:2201
    #3 0x11fa99b in execute_pass_list /var/tmp/gcc_build_dir/gcc/../../gcc/gcc/passes.c:2253
    #4 0xb3336b in expand_function /var/tmp/gcc_build_dir/gcc/../../gcc/gcc/cgraphunit.c:1723
    #5 0xb370a1 in expand_all_functions /var/tmp/gcc_build_dir/gcc/../../gcc/gcc/cgraphunit.c:1828
    #6 0xb37f44 in compile /var/tmp/gcc_build_dir/gcc/../../gcc/gcc/cgraphunit.c:2065
    #7 0x6d7569 in cp_write_global_declarations() /var/tmp/gcc_build_dir/gcc/../../gcc/gcc/cp/decl2.c:4364
    #8 0x14726da in compile_file /var/tmp/gcc_build_dir/gcc/../../gcc/gcc/toplev.c:560
    #9 0x1476537 in do_compile /var/tmp/gcc_build_dir/gcc/../../gcc/gcc/toplev.c:1891
    #10 0x7f76ffe3aa74 in __libc_start_main /home/markus/glibc/csu/libc-start.c:269
    #11 0x5439e0 in _start /home/markus/glibc/csu/../sysdeps/x86_64/start.S:122
0x6006001646e4 is located 4 bytes inside of 32-byte region [0x6006001646e0,0x600600164700)
freed by thread T0 here:
    #0 0x557e4a in __interceptor_free _asan_rtl_
    #1 0x15aa68b in release<loop*> /var/tmp/gcc_build_dir/gcc/../../gcc/gcc/vec.h:319
previously allocated by thread T0 here:
    #0 0x557f4a in __interceptor_malloc _asan_rtl_
    #1 0x24cfa74 in xrealloc /var/tmp/gcc_build_dir/libiberty/../../gcc/libiberty/xmalloc.c:177
Shadow bytes around the buggy address:
  0x0c0140024880: fa fa fd fd fd fa fa fa fd fd fd fa fa fa fd fd
  0x0c0140024890: fd fa fa fa fd fd fd fa fa fa 00 00 00 00 fa fa
  0x0c01400248a0: 00 00 00 fa fa fa 00 00 00 fa fa fa 00 00 00 fa
  0x0c01400248b0: fa fa 00 00 00 fa fa fa 00 00 00 fa fa fa 00 00
  0x0c01400248c0: 00 fa fa fa 00 00 00 fa fa fa 00 00 00 fa fa fa
=>0x0c01400248d0: 00 00 00 fa fa fa 00 00 00 fa fa fa[fd]fd fd fd
  0x0c01400248e0: fa fa fd fd fd fa fa fa fd fd fd fa fa fa fd fd
  0x0c01400248f0: fd fa fa fa fd fd fd fa fa fa fd fd fd fa fa fa
  0x0c0140024900: fd fd fd fa fa fa fd fd fd fa fa fa fd fd fd fa
  0x0c0140024910: fa fa fd fd fd fa fa fa fd fd fd fd fa fa fd fd
  0x0c0140024920: fd fa fa fa fd fd fd fa fa fa fd fd fd fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:     fa
  Heap righ redzone:     fb
  Freed Heap region:     fd
  Stack left redzone:    f1
  Stack mid redzone:     f2
  Stack right redzone:   f3
  Stack partial redzone: f4
  Stack after return:    f5
  Stack use after scope: f8
  Global redzone:        f9
  Global init order:     f6
  Poisoned by user:      f7
  ASan internal:         fe
==20268== ABORTING

I guess r202431 is to blame.