https://gcc.gnu.org/bugzilla/show_bug.cgi?id=97538
--- Comment #1 from Martin Liška <marxin at gcc dot gnu.org> ---
Created attachment 49428
  --> https://gcc.gnu.org/bugzilla/attachment.cgi?id=49428&action=edit
test-case

I see it also on x86_64-linux-gnu with ASAN:

$ /home/marxin/Programming/gcc2/objdir/gcc/xg++ -B /home/marxin/Programming/gcc2/objdir/gcc/ utf.ii -c -O2
utf.ii: In instantiation of ‘_ForwardIterator __uninitialized_copy_a(_InputIterator, _InputIterator, _ForwardIterator, _Tp) [with _InputIterator = const short unsigned int*; _ForwardIterator = short unsigned int*; _Tp = _Vector_base::_Vector_impl]’:
utf.ii:128:25:   required from ‘void vector< <template-parameter-1-1>, <template-parameter-1-2> >::_M_range_insert(vector< <template-parameter-1-1>, <template-parameter-1-2> >::iterator, _ForwardIterator, _ForwardIterator, int) [with _ForwardIterator = const short unsigned int*; <template-parameter-1-1> = short int; <template-parameter-1-2> = short int; vector< <template-parameter-1-1>, <template-parameter-1-2> >::iterator = __normal_iterator<short unsigned int*, vector<short int> >]’
utf.ii:105:20:   required from ‘void vector< <template-parameter-1-1>, <template-parameter-1-2> >::_M_insert_dispatch(vector< <template-parameter-1-1>, <template-parameter-1-2> >::iterator, _InputIterator, _InputIterator, int) [with _InputIterator = const short unsigned int*; <template-parameter-1-1> = short int; <template-parameter-1-2> = short int; vector< <template-parameter-1-1>, <template-parameter-1-2> >::iterator = __normal_iterator<short unsigned int*, vector<short int> >]’
utf.ii:99:23:   required from ‘void vector< <template-parameter-1-1>, <template-parameter-1-2> >::insert(vector< <template-parameter-1-1>, <template-parameter-1-2> >::const_iterator, _InputIterator, _InputIterator) [with _InputIterator = const short unsigned int*; <template-parameter-1-1> = short int; <template-parameter-1-2> = short int; vector< <template-parameter-1-1>, <template-parameter-1-2> >::const_iterator = __normal_iterator<int, vector<short int> >]’
utf.ii:150:48:   required from here
utf.ii:67:11: warning: address of local variable ‘__trans_tmp_25’ returned [-Wreturn-local-addr]
   67 |    return &__trans_tmp_25;
      |           ^~~~~~~~~~~~~~
utf.ii:65:18: note: declared here
   65 |   unsigned short __trans_tmp_25;
      |                  ^~~~~~~~~~~~~~
utf.ii: In instantiation of ‘_OI __copy_move_a1(_II, _II, _OI) [with int <anonymous> = 0; _II = const short unsigned int*; _OI = short unsigned int*]’:
utf.ii:32:28:   required from ‘void __copy_move_a(_II, _II, _OI) [with int _IsMove = 0; _II = const short unsigned int*; _OI = short unsigned int*]’
utf.ii:36:47:   required from ‘void copy(_II, _II, _OI) [with _II = const short unsigned int*; _OI = short unsigned int*]’
utf.ii:66:7:   required from ‘_ForwardIterator __uninitialized_copy_a(_InputIterator, _InputIterator, _ForwardIterator, _Tp) [with _InputIterator = const short unsigned int*; _ForwardIterator = short unsigned int*; _Tp = _Vector_base::_Vector_impl]’
utf.ii:128:25:   required from ‘void vector< <template-parameter-1-1>, <template-parameter-1-2> >::_M_range_insert(vector< <template-parameter-1-1>, <template-parameter-1-2> >::iterator, _ForwardIterator, _ForwardIterator, int) [with _ForwardIterator = const short unsigned int*; <template-parameter-1-1> = short int; <template-parameter-1-2> = short int; vector< <template-parameter-1-1>, <template-parameter-1-2> >::iterator = __normal_iterator<short unsigned int*, vector<short int> >]’
utf.ii:105:20:   required from ‘void vector< <template-parameter-1-1>, <template-parameter-1-2> >::_M_insert_dispatch(vector< <template-parameter-1-1>, <template-parameter-1-2> >::iterator, _InputIterator, _InputIterator, int) [with _InputIterator = const short unsigned int*; <template-parameter-1-1> = short int; <template-parameter-1-2> = short int; vector< <template-parameter-1-1>, <template-parameter-1-2> >::iterator = __normal_iterator<short unsigned int*, vector<short int> >]’
utf.ii:99:23:   required from ‘void vector< <template-parameter-1-1>, <template-parameter-1-2> >::insert(vector< <template-parameter-1-1>, <template-parameter-1-2> >::const_iterator, _InputIterator, _InputIterator) [with _InputIterator = const short unsigned int*; <template-parameter-1-1> = short int; <template-parameter-1-2> = short int; vector< <template-parameter-1-1>, <template-parameter-1-2> >::const_iterator = __normal_iterator<int, vector<short int> >]’
utf.ii:150:48:   required from here
utf.ii:27:11: warning: address of local variable ‘__trans_tmp_33’ returned [-Wreturn-local-addr]
   27 |    return &__trans_tmp_33;
      |           ^~~~~~~~~~~~~~
utf.ii:25:18: note: declared here
   25 |   unsigned short __trans_tmp_33;
      |                  ^~~~~~~~~~~~~~
=================================================================
==636==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7fffffffcb78 at pc 0x0000019f4ab8 bp 0x7fffffffc380 sp 0x7fffffffc378
READ of size 8 at 0x7fffffffcb78 thread T0
    #0 0x19f4ab7 in generic_wide_int<wide_int_ref_storage<false, true> >::elt(unsigned int) const ../../gcc/wide-int.h:912
    #1 0x3517131 in wide_int_to_tree_1 ../../gcc/tree.c:1532
    #2 0x35189de in wide_int_to_tree(tree_node*, poly_int<1u, generic_wide_int<wide_int_ref_storage<false, true> > > const&) ../../gcc/tree.c:1724
    #3 0x1596e31 in get_size_range(range_query*, tree_node*, gimple*, tree_node**, int) ../../gcc/calls.c:1382
    #4 0x1d9becc in builtin_memref ../../gcc/gimple-ssa-warn-restrict.c:259
    #5 0x1db412c in check_bounds_or_overlap(range_query*, gimple*, tree_node*, tree_node*, tree_node*, tree_node*, bool, bool) ../../gcc/gimple-ssa-warn-restrict.c:2011
    #6 0x1db3f23 in check_call ../../gcc/gimple-ssa-warn-restrict.c:1977
    #7 0x1d9b20a in wrestrict_walk ../../gcc/gimple-ssa-warn-restrict.c:93
    #8 0x1d9b41d in execute ../../gcc/gimple-ssa-warn-restrict.c:103
    #9 0x25a938a in execute_one_pass(opt_pass*) ../../gcc/passes.c:2517
    #10 0x25a9c40 in execute_pass_list_1 ../../gcc/passes.c:2605
    #11 0x25a9cbb in execute_pass_list_1 ../../gcc/passes.c:2606
    #12 0x25a9d5f in execute_pass_list(function*, opt_pass*) ../../gcc/passes.c:2616
    #13 0x1732da9 in cgraph_node::expand() ../../gcc/cgraphunit.c:2310
    #14 0x1734080 in expand_all_functions ../../gcc/cgraphunit.c:2478
    #15 0x17360dd in symbol_table::compile() ../../gcc/cgraphunit.c:2842
    #16 0x173691e in symbol_table::finalize_compilation_unit() ../../gcc/cgraphunit.c:3023
    #17 0x29e9817 in compile_file ../../gcc/toplev.c:485
    #18 0x29f2bfb in do_compile ../../gcc/toplev.c:2321
    #19 0x29f345f in toplev::main(int, char**) ../../gcc/toplev.c:2460
    #20 0x56db7dd in main ../../gcc/main.c:39
    #21 0x7ffff6eaae09 in __libc_start_main ../csu/libc-start.c:314
    #22 0x9fce19 in _start (/home/marxin/Programming/gcc2/objdir/gcc/cc1plus+0x9fce19)

Address 0x7fffffffcb78 is located in stack of thread T0 at offset 1400 in frame
    #0 0x1594a65 in get_size_range(range_query*, tree_node*, gimple*, tree_node**, int) ../../gcc/calls.c:1250

  This frame has 38 object(s):
    [48, 52) '<unknown>'
    [64, 68) '<unknown>'
    [80, 84) '<unknown>'
    [96, 100) '<unknown>'
    [112, 116) '<unknown>'
    [128, 132) '<unknown>'
    [144, 148) '<unknown>'
    [160, 164) '<unknown>'
    [176, 180) '<unknown>'
    [192, 196) '<unknown>'
    [208, 212) '<unknown>'
    [224, 228) '<unknown>'
    [240, 244) '<unknown>'
    [256, 272) '<unknown>'
    [288, 304) '<unknown>'
    [320, 336) '<unknown>'
    [352, 368) '<unknown>'
    [384, 416) 'min' (line 1264)
    [448, 480) 'max' (line 1264)
    [512, 544) 'vr' (line 1269)
    [576, 608) '<unknown>'
    [640, 672) '<unknown>'
    [704, 736) '<unknown>'
    [768, 800) '<unknown>'
    [832, 864) '<unknown>'
    [896, 928) 'maxsize' (line 1337)
    [960, 992) '<unknown>'
    [1024, 1056) '<unknown>'
    [1088, 1120) '<unknown>'
    [1152, 1184) '<unknown>'
    [1216, 1248) 'maxsize' (line 1347)
    [1280, 1312) '<unknown>'
    [1344, 1376) '<unknown>'
    [1408, 1440) '<unknown>' <== Memory access at offset 1400 underflows this variable
    [1472, 1504) '<unknown>'
    [1536, 1568) '<unknown>'
    [1600, 1632) '<unknown>'
    [1664, 1696) '<unknown>'
HINT: this may be a false positive if your program uses some custom stack unwind mechanism, swapcontext or vfork
      (longjmp and C++ exceptions *are* supported)
SUMMARY: AddressSanitizer: stack-buffer-overflow ../../gcc/wide-int.h:912 in generic_wide_int<wide_int_ref_storage<false, true> >::elt(unsigned int) const
Shadow bytes around the buggy address:
  0x10007fff7910: 00 00 00 00 f2 f2 f2 f2 00 00 00 00 f2 f2 f2 f2
  0x10007fff7920: 00 00 00 00 f2 f2 f2 f2 00 00 00 00 f2 f2 f2 f2
  0x10007fff7930: 00 00 00 00 f2 f2 f2 f2 00 00 00 00 f2 f2 f2 f2
  0x10007fff7940: 00 00 00 00 f2 f2 f2 f2 00 00 00 00 f2 f2 f2 f2
  0x10007fff7950: 00 00 00 00 f2 f2 f2 f2 00 00 00 00 f2 f2 f2 f2
=>0x10007fff7960: 00 00 00 00 f2 f2 f2 f2 00 00 00 00 f2 f2 f2[f2]
  0x10007fff7970: 00 00 00 00 f2 f2 f2 f2 00 00 00 00 f2 f2 f2 f2
  0x10007fff7980: 00 00 00 00 f2 f2 f2 f2 00 00 00 00 f2 f2 f2 f2
  0x10007fff7990: 00 00 00 00 f3 f3 f3 f3 00 00 00 00 00 00 00 00
  0x10007fff79a0: 00 00 00 00 00 00 00 00 f1 f1 f1 f1 f1 f1 f8 f2
  0x10007fff79b0: f8 f2 f8 f2 f8 f2 04 f2 04 f2 04 f2 04 f2 04 f2
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
  Shadow gap:              cc
==636==ABORTING