https://gcc.gnu.org/bugzilla/show_bug.cgi?id=63988
Bug ID: 63988
Summary: heap-buffer-overflow in combine.c on ppc64
Product: gcc
Version: 5.0
Status: UNCONFIRMED
Severity: normal
Priority: P3
Component: rtl-optimization
Assignee: unassigned at gcc dot gnu.org
Reporter: trippels at gcc dot gnu.org
Host: powerpc64-unknown-linux-gnu
Target: powerpc64-unknown-linux-gnu
Build: powerpc64-unknown-linux-gnu

On ppc64 I get with bootstrap-asan:

trippels@gcc2-power8 asan % ASAN_OPTIONS=detect_odr_violation=0 /home/trippels/gcc_build_dir/./gcc/xgcc -shared-libgcc -B/home/trippels/gcc_build_dir/./gcc -nostdinc++ -L/home/trippels/gcc_build_dir/powerpc64-unknown-linux-gnu/libstdc++-v3/src -L/home/trippels/gcc_build_dir/powerpc64-unknown-linux-gnu/libstdc++-v3/src/.libs -L/home/trippels/gcc_build_dir/powerpc64-unknown-linux-gnu/libstdc++-v3/libsupc++/.libs -B/usr/local/powerpc64-unknown-linux-gnu/bin/ -B/usr/local/powerpc64-unknown-linux-gnu/lib/ -isystem /usr/local/powerpc64-unknown-linux-gnu/include -isystem /usr/local/powerpc64-unknown-linux-gnu/sys-include -D_GNU_SOURCE -D_DEBUG -D__STDC_CONSTANT_MACROS -D__STDC_FORMAT_MACROS -D__STDC_LIMIT_MACROS -DASAN_HAS_EXCEPTIONS=1 -DASAN_FLEXIBLE_MAPPING_AND_OFFSET=0 -DASAN_NEEDS_SEGV=1 -I. -I../../../../gcc/libsanitizer/asan -I.. -I ../../../../gcc/libsanitizer/include -I ../../../../gcc/libsanitizer -Wall -W -Wno-unused-parameter -Wwrite-strings -pedantic -Wno-long-long -fPIC -fno-builtin -fno-exceptions -fno-rtti -fomit-frame-pointer -funwind-tables -fvisibility=hidden -Wno-variadic-macros -fno-ipa-icf -I../../libstdc++-v3/include -I../../libstdc++-v3/include/powerpc64-unknown-linux-gnu -I../../../../gcc/libsanitizer/../libstdc++-v3/libsupc++ -std=gnu++11 -g -O2 -D_GNU_SOURCE -MT asan_allocator2.lo -MD -MP -MF .deps/asan_allocator2.Tpo -c ../../../../gcc/libsanitizer/asan/asan_allocator2.cc -fPIC -DPIC -o .libs/asan_allocator2.o
=================================================================
==108409==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x0b280142ccb8 at pc 0x000012680df8 bp 0x3fffcb9429a0 sp 0x3fffcb942a10
READ of size 4 at 0x0b280142ccb8 thread T0
    #0 0x12680df4 in REG_N_SETS ../../gcc/gcc/regs.h:85
    #1 0x12680df4 in get_last_value_validate ../../gcc/gcc/combine.c:12644
    #2 0x12680228 in get_last_value_validate ../../gcc/gcc/combine.c:12705
    #3 0x12699378 in record_value_for_reg ../../gcc/gcc/combine.c:12318
    #4 0x11748cc8 in note_stores(rtx_def const*, void (*)(rtx_def*, rtx_def const*, void*), void*) ../../gcc/gcc/rtlanal.c:1638
    #5 0x1269b604 in record_dead_and_set_regs ../../gcc/gcc/combine.c:12450
    #6 0x126c9584 in combine_instructions ../../gcc/gcc/combine.c:1487
    #7 0x126c9584 in rest_of_handle_combine ../../gcc/gcc/combine.c:13920
    #8 0x126c9584 in execute ../../gcc/gcc/combine.c:13963
    #9 0x116224e4 in execute_one_pass(opt_pass*) ../../gcc/gcc/passes.c:2274
    #10 0x116233c4 in execute_pass_list_1 ../../gcc/gcc/passes.c:2326
    #11 0x116233f0 in execute_pass_list_1 ../../gcc/gcc/passes.c:2327
    #12 0x116234a8 in execute_pass_list(function*, opt_pass*) ../../gcc/gcc/passes.c:2337
    #13 0x10ca15ac in cgraph_node::expand() ../../gcc/gcc/cgraphunit.c:1773
    #14 0x10ca6018 in expand_all_functions ../../gcc/gcc/cgraphunit.c:1909
    #15 0x10ca6018 in symbol_table::compile() ../../gcc/gcc/cgraphunit.c:2263
    #16 0x10cab570 in symbol_table::finalize_compilation_unit() ../../gcc/gcc/cgraphunit.c:2340
    #17 0x105c1794 in cp_write_global_declarations() ../../gcc/gcc/cp/decl2.c:4688
    #18 0x118847c8 in compile_file ../../gcc/gcc/toplev.c:584
    #19 0x101e7c1c in do_compile ../../gcc/gcc/toplev.c:2041
    #20 0x101e7c1c in toplev::main(int, char**) ../../gcc/gcc/toplev.c:2138
    #21 0x101ed158 in main ../../gcc/gcc/main.c:38
    #22 0x3fff975547a8 (/lib64/libc.so.6+0x447a8)

0x0b280142ccb8 is located 0 bytes to the right of 9144-byte region [0x0b280142a900,0x0b280142ccb8)
allocated by thread T0 here:
    #0 0x1028bb20 in __interceptor_malloc ../../../../gcc/libsanitizer/asan/asan_malloc_linux.cc:38
    #1 0x12abe6f0 in xmalloc ../../gcc/libiberty/xmalloc.c:147

SUMMARY: AddressSanitizer: heap-buffer-overflow ../../gcc/gcc/regs.h:85 REG_N_SETS
Shadow bytes around the buggy address:
  0x036500285940: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x036500285950: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x036500285960: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x036500285970: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x036500285980: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x036500285990: 00 00 00 00 00 00 00[fa]fa fa fa fa fa fa fa fa
  0x0365002859a0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0365002859b0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0365002859c0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0365002859d0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0365002859e0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:     fa
  Heap right redzone:    fb
  Freed heap region:     fd
  Stack left redzone:    f1
  Stack mid redzone:     f2
  Stack right redzone:   f3
  Stack partial redzone: f4
  Stack after return:    f5
  Stack use after scope: f8
  Global redzone:        f9
  Global init order:     f6
  Poisoned by user:      f7
  Container overflow:    fc
  Array cookie:          ac
  Intra object redzone:  bb
  ASan internal:         fe
==108409==ABORTING

It is the same problem as issue 3 of PR63504.