https://gcc.gnu.org/bugzilla/show_bug.cgi?id=63902
Bug ID: 63902
Summary: ix86_valid_target_attribute_tree frees memory still being used
Product: gcc
Version: 5.0
Status: UNCONFIRMED
Severity: normal
Priority: P3
Component: target
Assignee: unassigned at gcc dot gnu.org
Reporter: hjl.tools at gmail dot com
CC: tmsriram at google dot com

ix86_valid_target_attribute_tree in i386.c has

  if (option_strings[IX86_FUNCTION_SPECIFIC_ARCH])
    opts->x_ix86_arch_string = option_strings[IX86_FUNCTION_SPECIFIC_ARCH];
  else if (!orig_arch_specified)
    opts->x_ix86_arch_string = NULL;
  if (option_strings[IX86_FUNCTION_SPECIFIC_TUNE])
    opts->x_ix86_tune_string = option_strings[IX86_FUNCTION_SPECIFIC_TUNE];
...
  /* Free up memory allocated to hold the strings */
  for (i = 0; i < IX86_FUNCTION_SPECIFIC_MAX; i++)
    free (option_strings[i]);

The pointers stored in opts alias the option_strings[] buffers released by that loop, so any copy of them that outlives the call is left dangling; in the trace below the stale string is read by strcmp in cl_target_option_eq during a hash lookup from build_target_option_node.

It leads to

=================================================================
==32173==ERROR: AddressSanitizer: heap-use-after-free on address 0x602000003bb0 at pc 0x0000006dc085 bp 0x7fffc31b4270 sp 0x7fffc31b3a20
READ of size 1 at 0x602000003bb0 thread T0
    #0 0x6dc084 in __interceptor_strcmp /export/gnu/import/git/sources/gcc/libsanitizer/sanitizer_common/sanitizer_common_interceptors.inc:178
    #1 0x181085f in cl_target_option_eq(cl_target_option const*, cl_target_option const*) /export/build/gnu/gcc-asan/build-x86_64-linux/gcc/options-save.c:1880
    #2 0x20992ca in cl_option_hash_eq /export/gnu/import/git/sources/gcc/gcc/tree.c:11528
    #3 0x2cfdc0e in htab_find_slot_with_hash /export/gnu/import/git/sources/gcc/libiberty/hashtab.c:660
    #4 0x20c8128 in build_target_option_node(gcc_options*) /export/gnu/import/git/sources/gcc/gcc/tree.c:11579
    #5 0x2200767 in ix86_valid_target_attribute_tree(tree_node*, gcc_options*, gcc_options*) /export/gnu/import/git/sources/gcc/gcc/config/i386/i386.c:4899
    #6 0x2201524 in get_builtin_code_for_version /export/gnu/import/git/sources/gcc/gcc/config/i386/i386.c:34153
    #7 0x2201d8b in ix86_compare_version_priority /export/gnu/import/git/sources/gcc/gcc/config/i386/i386.c:34317
    #8 0x770d66 in joust /export/gnu/import/git/sources/gcc/gcc/cp/call.c:9081
    #9 0x772b77 in joust /export/gnu/import/git/sources/gcc/gcc/cp/call.c:9244
    #10 0x772b77 in tourney /export/gnu/import/git/sources/gcc/gcc/cp/call.c:9208
    #11 0x77f520 in perform_overload_resolution /export/gnu/import/git/sources/gcc/gcc/cp/call.c:3986
    #12 0x784d87 in build_new_function_call(tree_node*, vec<tree_node*, va_gc, vl_embed>**, bool, int) /export/gnu/import/git/sources/gcc/gcc/cp/call.c:4059
    #13 0xb7621e in finish_call_expr(tree_node*, vec<tree_node*, va_gc, vl_embed>**, bool, bool, int) /export/gnu/import/git/sources/gcc/gcc/cp/semantics.c:2392
    #14 0xa292b5 in cp_parser_postfix_expression /export/gnu/import/git/sources/gcc/gcc/cp/parser.c:6307
    #15 0xa4409c in cp_parser_unary_expression /export/gnu/import/git/sources/gcc/gcc/cp/parser.c:7370
    #16 0xa465de in cp_parser_binary_expression /export/gnu/import/git/sources/gcc/gcc/cp/parser.c:8104
    #17 0xa47780 in cp_parser_assignment_expression /export/gnu/import/git/sources/gcc/gcc/cp/parser.c:8347
    #18 0xa486ee in cp_parser_constant_expression /export/gnu/import/git/sources/gcc/gcc/cp/parser.c:8593
    #19 0xa75bbd in cp_parser_init_declarator /export/gnu/import/git/sources/gcc/gcc/cp/parser.c:17121
    #20 0xa7bf68 in cp_parser_simple_declaration /export/gnu/import/git/sources/gcc/gcc/cp/parser.c:11519
    #21 0xa7cdcb in cp_parser_block_declaration /export/gnu/import/git/sources/gcc/gcc/cp/parser.c:11400
    #22 0xa8c111 in cp_parser_declaration /export/gnu/import/git/sources/gcc/gcc/cp/parser.c:11297
    #23 0xa8c88e in cp_parser_declaration_seq_opt /export/gnu/import/git/sources/gcc/gcc/cp/parser.c:11183
    #24 0xa8d5a8 in cp_parser_translation_unit /export/gnu/import/git/sources/gcc/gcc/cp/parser.c:4101
    #25 0xa8d5a8 in c_parse_file() /export/gnu/import/git/sources/gcc/gcc/cp/parser.c:32183
    #26 0xd9e32e in c_common_parse_file() /export/gnu/import/git/sources/gcc/gcc/c-family/c-opts.c:1039
    #27 0x1a3b9fe in compile_file /export/gnu/import/git/sources/gcc/gcc/toplev.c:570
    #28 0x69c063 in do_compile /export/gnu/import/git/sources/gcc/gcc/toplev.c:2040
    #29 0x69c063 in toplev::main(int, char**) /export/gnu/import/git/sources/gcc/gcc/toplev.c:2137
    #30 0x69fbb2 in main /export/gnu/import/git/sources/gcc/gcc/main.c:38
    #31 0x309e821ca4 in __libc_start_main (/lib64/libc.so.6+0x309e821ca4)
    #32 0x6a068e (/export/build/gnu/gcc-asan/build-x86_64-linux/gcc/cc1plus+0x6a068e)
0x602000003bb0 is located 0 bytes inside of 6-byte region [0x602000003bb0,0x602000003bb6)
freed by thread T0 here:
    #0 0x715c4a in __interceptor_free /export/gnu/import/git/sources/gcc/libsanitizer/asan/asan_malloc_linux.cc:28
    #1 0x22007eb in ix86_valid_target_attribute_tree(tree_node*, gcc_options*, gcc_options*) /export/gnu/import/git/sources/gcc/gcc/config/i386/i386.c:4907

previously allocated by thread T0 here:
    #0 0x715eea in __interceptor_malloc /export/gnu/import/git/sources/gcc/libsanitizer/asan/asan_malloc_linux.cc:38
    #1 0x2d01ff7 in xmalloc /export/gnu/import/git/sources/gcc/libiberty/xmalloc.c:147