https://gcc.gnu.org/bugzilla/show_bug.cgi?id=107549
Bug ID: 107549
Summary: heap-buffer-overflow in xt_true_regnum
Product: gcc
Version: 13.0
Status: UNCONFIRMED
Severity: normal
Priority: P3
Component: target
Assignee: unassigned at gcc dot gnu.org
Reporter: jcmvbkbc at gcc dot gnu.org
Target Milestone: ---

Building the gcc.dg/Winfinite-recursion-2.c testcase with a gcc built with ASAN and configured for target=xtensa-linux-uclibc gives the following report:

ERROR: AddressSanitizer: heap-buffer-overflow on address 0x6110002cca0a at pc 0x00000303d2eb bp 0x7fff9ebb4c40 sp 0x7fff9ebb4c38
READ of size 2 at 0x6110002cca0a thread T0
    #0 0x303d2ea in xt_true_regnum(rtx_def*) /home/jcmvbkbc/ws/tensilica/gcc/gcc/gcc/config/xtensa/xtensa.cc:501
    #1 0x303d9d8 in xtensa_valid_move(machine_mode, rtx_def**) /home/jcmvbkbc/ws/tensilica/gcc/gcc/gcc/config/xtensa/xtensa.cc:534
    #2 0x3044e67 in xtensa_emit_move_sequence(rtx_def**, machine_mode) /home/jcmvbkbc/ws/tensilica/gcc/gcc/gcc/config/xtensa/xtensa.cc:1274
    #3 0x3d80821 in gen_movsi(rtx_def*, rtx_def*) /home/jcmvbkbc/ws/tensilica/gcc/gcc/gcc/config/xtensa/xtensa.md:1000
    #4 0xe8a545 in rtx_insn* insn_gen_fn::operator()<rtx_def*, rtx_def*>(rtx_def*, rtx_def*) const /home/jcmvbkbc/ws/tensilica/gcc/gcc/gcc/recog.h:407
    #5 0x13d970d in emit_move_insn_1(rtx_def*, rtx_def*) /home/jcmvbkbc/ws/tensilica/gcc/gcc/gcc/expr.cc:4172
    #6 0x13dc23c in emit_move_insn(rtx_def*, rtx_def*) /home/jcmvbkbc/ws/tensilica/gcc/gcc/gcc/expr.cc:4342
    #7 0x1aa541a in emit_move_list /home/jcmvbkbc/ws/tensilica/gcc/gcc/gcc/ira-emit.cc:927
    #8 0x1aa69d4 in emit_moves /home/jcmvbkbc/ws/tensilica/gcc/gcc/gcc/ira-emit.cc:1032
    #9 0x1aaa3b8 in ira_emit(bool) /home/jcmvbkbc/ws/tensilica/gcc/gcc/gcc/ira-emit.cc:1303
    #10 0x1a25dc6 in ira /home/jcmvbkbc/ws/tensilica/gcc/gcc/gcc/ira.cc:5780
    #11 0x1a27748 in execute /home/jcmvbkbc/ws/tensilica/gcc/gcc/gcc/ira.cc:6084
    #12 0x1e9b8dc in execute_one_pass(opt_pass*) /home/jcmvbkbc/ws/tensilica/gcc/gcc/gcc/passes.cc:2644
    #13 0x1e9c3bf in execute_pass_list_1 /home/jcmvbkbc/ws/tensilica/gcc/gcc/gcc/passes.cc:2753
    #14 0x1e9c43a in execute_pass_list_1 /home/jcmvbkbc/ws/tensilica/gcc/gcc/gcc/passes.cc:2754
    #15 0x1e9c4de in execute_pass_list(function*, opt_pass*) /home/jcmvbkbc/ws/tensilica/gcc/gcc/gcc/passes.cc:2764
    #16 0x1030e5d in cgraph_node::expand() /home/jcmvbkbc/ws/tensilica/gcc/gcc/gcc/cgraphunit.cc:1834
    #17 0x1032294 in expand_all_functions /home/jcmvbkbc/ws/tensilica/gcc/gcc/gcc/cgraphunit.cc:2008
    #18 0x103418c in symbol_table::compile() /home/jcmvbkbc/ws/tensilica/gcc/gcc/gcc/cgraphunit.cc:2358
    #19 0x1034b20 in symbol_table::finalize_compilation_unit() /home/jcmvbkbc/ws/tensilica/gcc/gcc/gcc/cgraphunit.cc:2543
    #20 0x23f70b5 in compile_file /home/jcmvbkbc/ws/tensilica/gcc/gcc/gcc/toplev.cc:471
    #21 0x23ff98c in do_compile /home/jcmvbkbc/ws/tensilica/gcc/gcc/gcc/toplev.cc:2125
    #22 0x24003f7 in toplev::main(int, char**) /home/jcmvbkbc/ws/tensilica/gcc/gcc/gcc/toplev.cc:2277
    #23 0x4823ffb in main /home/jcmvbkbc/ws/tensilica/gcc/gcc/gcc/main.cc:39
    #24 0x7f7c3b61bd09 in __libc_start_main ../csu/libc-start.c:308
    #25 0x9e4609 in _start (/home/jcmvbkbc/ws/tensilica/gcc/builds/gcc-13-3563-gf36bba013361-windowed-be/gcc/cc1+0x9e4609)

0x6110002cca0a is located 0 bytes to the right of 202-byte region [0x6110002cc940,0x6110002cca0a)
allocated by thread T0 here:
    #0 0x7f7c3bdb3e8f in __interceptor_malloc ../../../../src/libsanitizer/asan/asan_malloc_linux.cpp:145
    #1 0x49fb608 in xmalloc /home/jcmvbkbc/ws/tensilica/gcc/gcc/libiberty/xmalloc.c:149

SUMMARY: AddressSanitizer: heap-buffer-overflow /home/jcmvbkbc/ws/tensilica/gcc/gcc/gcc/config/xtensa/xtensa.cc:501 in xt_true_regnum(rtx_def*)
Shadow bytes around the buggy address:
  0x0c22800518f0: fd fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c2280051900: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c2280051910: fd fd fd fd fd fd fd fd fd fd fd fd fa fa fa fa
  0x0c2280051920: fa fa fa fa fa fa fa fa 00 00 00 00 00 00 00 00
  0x0c2280051930: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0c2280051940: 00[02]fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c2280051950: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c2280051960: fd fd fd fd fd fd fd fd fd fd fd fd fd fa fa fa
  0x0c2280051970: fa fa fa fa fa fa fa fa fd fd fd fd fd fd fd fd
  0x0c2280051980: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c2280051990: fd fd fd fd fd fa fa fa fa fa fa fa fa fa fa fa

Printing the index used to access the reg_renumber array in xt_true_regnum confirms that it goes way beyond the current reg_info_size.
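The report places a 2-byte read exactly at the end of a 202-byte region, which pins down the failing index: 202 bytes hold 101 two-byte entries, and a read at offset 202 is index 101. The C program below is an added example, not GCC code and not the fix applied to xt_true_regnum: it models reg_renumber as a heap array of short (an assumption consistent with the 2-byte read; the real GCC declaration is not reproduced here), recovers the failing index from the numbers ASAN prints, and places the unchecked access beside an accessor that validates the index against reg_info_size. The helper names (faulting_index, renumber_unchecked, renumber_checked, make_table) are made up for this example.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Recover the element index behind an ASAN heap-buffer-overflow from the
   values it prints: region start, faulting address and the element size
   (the "READ of size 2" line).  For the report above this gives
   (0x6110002cca0a - 0x6110002cc940) / 2 == 101. */
static long faulting_index(uintptr_t region_start, uintptr_t fault_addr,
                           size_t elem_size)
{
    return (long)((fault_addr - region_start) / elem_size);
}

/* Unchecked read: the pattern ASAN flags.  With regno >= the table length
   this reads past the allocation (0 bytes to the right of it when
   regno == length, as in the report). */
static short renumber_unchecked(const short *reg_renumber, int regno)
{
    return reg_renumber[regno];
}

/* Checked read: returns 1 and stores the entry when regno is inside the
   table's current length, returns 0 and leaves *out untouched otherwise,
   so a caller can treat an out-of-range pseudo as "not renumbered". */
static int renumber_checked(const short *reg_renumber, int reg_info_size,
                            int regno, short *out)
{
    if (regno < 0 || regno >= reg_info_size)
        return 0;
    *out = reg_renumber[regno];
    return 1;
}

/* Constructed table of n entries, identity-mapped; stands in for the
   202-byte xmalloc region of the report when n == 101. */
static short *make_table(int n)
{
    short *t = malloc((size_t)n * sizeof *t);
    if (!t)
        abort();
    for (int i = 0; i < n; i++)
        t[i] = (short)i;
    return t;
}

int main(void)
{
    /* Region bounds and element size taken from the report. */
    long idx = faulting_index((uintptr_t)0x6110002cc940ULL,
                              (uintptr_t)0x6110002cca0aULL, sizeof(short));
    printf("index behind the faulting read: %ld\n", idx);

    int reg_info_size = 101;           /* 202 bytes / sizeof(short) */
    short *reg_renumber = make_table(reg_info_size);

    /* In-range access is fine either way. */
    printf("reg 3 -> %d (unchecked)\n", renumber_unchecked(reg_renumber, 3));

    /* The index from the report is rejected instead of being read. */
    short v;
    if (renumber_checked(reg_renumber, reg_info_size, (int)idx, &v))
        printf("reg %ld -> %d\n", idx, v);
    else
        printf("reg %ld is outside reg_renumber (size %d): not renumbered\n",
               idx, reg_info_size);

    free(reg_renumber);
    return 0;
}
```

Built with -fsanitize=address, replacing the checked call with renumber_unchecked(reg_renumber, idx) reproduces the same class of report (READ of size 2, 0 bytes to the right of a 202-byte region) against this model, which is a convenient way to confirm that a candidate bounds check covers the index actually observed.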