https://gcc.gnu.org/bugzilla/show_bug.cgi?id=118919
Bug ID: 118919
Summary: asan instrumented gcc: heap-use-after-free in gcc/diagnostic-format-sarif.cc
Product: gcc
Version: 15.0
Status: UNCONFIRMED
Keywords: SARIF
Severity: normal
Priority: P3
Component: other
Assignee: unassigned at gcc dot gnu.org
Reporter: pheeck at gcc dot gnu.org
CC: dmalcolm at gcc dot gnu.org
Blocks: 86656
Target Milestone: ---
Host: x86_64-linux
Target: x86_64-linux

Running ASan-instrumented GCC on the GCC testsuite file
gfortran.dg/diagnostic-format-sarif-pr105916.f90 with these options:

  gcc-asan gfortran.dg/diagnostic-format-sarif-pr105916.f90 -fdiagnostics-plain-output -O -fdiagnostics-format=sarif-file -c

results in the following error:

=================================================================
==11164==ERROR: AddressSanitizer: heap-use-after-free on address 0x7ca5587e07d0 at pc 0x0000008df2a0 bp 0x7ffe934f5380 sp 0x7ffe934f4b40
READ of size 1 at 0x7ca5587e07d0 thread T0
    #0 0x0000008df29f in strcmp /home/worker/buildworker/tiber-gcc-asan/build/libsanitizer/sanitizer_common/sanitizer_common_interceptors.inc:504
    #1 0x00000624eeeb in file_cache::lookup_file(char const*) /home/worker/buildworker/tiber-gcc-asan/build/gcc/input.cc:333
    #2 0x000006251134 in file_cache::lookup_or_add_file(char const*) /home/worker/buildworker/tiber-gcc-asan/build/gcc/input.cc:601
    #3 0x00000625315f in file_cache::get_source_file_content(char const*) /home/worker/buildworker/tiber-gcc-asan/build/gcc/input.cc:1136
    #4 0x0000061eb013 in sarif_builder::maybe_make_artifact_content_object(char const*) const /home/worker/buildworker/tiber-gcc-asan/build/gcc/diagnostic-format-sarif.cc:3247
    #5 0x0000061eb65e in sarif_artifact::populate_contents(sarif_builder&) /home/worker/buildworker/tiber-gcc-asan/build/gcc/diagnostic-format-sarif.cc:1034
    #6 0x0000061fe07c in sarif_builder::make_run_object(std::unique_ptr<sarif_invocation, std::default_delete<sarif_invocation> >, std::unique_ptr<json::array, std::default_delete<json::array> >) /home/worker/buildworker/tiber-gcc-asan/build/gcc/diagnostic-format-sarif.cc:3018
    #7 0x0000061ff22c in sarif_builder::make_top_level_object(std::unique_ptr<sarif_invocation, std::default_delete<sarif_invocation> >, std::unique_ptr<json::array, std::default_delete<json::array> >) /home/worker/buildworker/tiber-gcc-asan/build/gcc/diagnostic-format-sarif.cc:2972
    #8 0x0000061ff8af in sarif_builder::flush_to_object() /home/worker/buildworker/tiber-gcc-asan/build/gcc/diagnostic-format-sarif.cc:1812
    #9 0x0000061ffaaa in sarif_builder::flush_to_file(_IO_FILE*) /home/worker/buildworker/tiber-gcc-asan/build/gcc/diagnostic-format-sarif.cc:1824
    #10 0x00000620cbed in sarif_file_output_format::~sarif_file_output_format() /home/worker/buildworker/tiber-gcc-asan/build/gcc/diagnostic-format-sarif.cc:3592
    #11 0x00000620cbed in sarif_file_output_format::~sarif_file_output_format() /home/worker/buildworker/tiber-gcc-asan/build/gcc/diagnostic-format-sarif.cc:3593
    #12 0x0000061d19c2 in diagnostic_context::finish() /home/worker/buildworker/tiber-gcc-asan/build/gcc/diagnostic.cc:396
    #13 0x0000008341d3 in diagnostic_finish(diagnostic_context*) /home/worker/buildworker/tiber-gcc-asan/build/gcc/diagnostic.h:1096
    #14 0x0000008341d3 in toplev::main(int, char**) /home/worker/buildworker/tiber-gcc-asan/build/gcc/toplev.cc:2396
    #15 0x0000008417cd in main /home/worker/buildworker/tiber-gcc-asan/build/gcc/main.cc:39
    #16 0x7ff55942a2ad in __libc_start_call_main (/lib64/libc.so.6+0x2a2ad) (BuildId: 5a474f53e6c2cbfe52719c71021a092d98d77e8d)
    #17 0x7ff55942a378 in __libc_start_main@GLIBC_2.2.5 (/lib64/libc.so.6+0x2a378) (BuildId: 5a474f53e6c2cbfe52719c71021a092d98d77e8d)
    #18 0x0000008431f4 in _start ../sysdeps/x86_64/start.S:115

0x7ca5587e07d0 is located 0 bytes inside of 109-byte region [0x7ca5587e07d0,0x7ca5587e083d)
freed by thread T0 here:
    #0 0x0000009181f8 in free /home/worker/buildworker/tiber-gcc-asan/build/libsanitizer/asan/asan_malloc_linux.cpp:51
    #1 0x000000c5dec2 in gfc_scanner_done_1() /home/worker/buildworker/tiber-gcc-asan/build/gcc/fortran/scanner.cc:296

previously allocated by thread T0 here:
    #0 0x000000919470 in malloc /home/worker/buildworker/tiber-gcc-asan/build/libsanitizer/asan/asan_malloc_linux.cpp:67
    #1 0x0000063eadfb in xmalloc /home/worker/buildworker/tiber-gcc-asan/build/libiberty/xmalloc.c:149

SUMMARY: AddressSanitizer: heap-use-after-free /home/worker/buildworker/tiber-gcc-asan/build/libsanitizer/sanitizer_common/sanitizer_common_interceptors.inc:504 in strcmp
Shadow bytes around the buggy address:
  0x7ca5587e0500: fa fa 00 00 00 00 00 00 00 00 00 00 00 00 00 05
  0x7ca5587e0580: fa fa fa fa fa fa fa fa 00 00 00 00 00 00 00 00
  0x7ca5587e0600: 00 00 00 00 00 fa fa fa fa fa fa fa fa fa 00 00
  0x7ca5587e0680: 00 00 00 00 00 00 00 00 00 00 00 05 fa fa fa fa
  0x7ca5587e0700: fa fa fa fa fd fd fd fd fd fd fd fd fd fd fd fd
=>0x7ca5587e0780: fd fa fa fa fa fa fa fa fa fa[fd]fd fd fd fd fd
  0x7ca5587e0800: fd fd fd fd fd fd fd fd fa fa fa fa fa fa fa fa
  0x7ca5587e0880: fd fd fd fd fd fd fd fd fd fd fd fd fd fa fa fa
  0x7ca5587e0900: fa fa fa fa fa fa fd fd fd fd fd fd fd fd fd fd
  0x7ca5587e0980: fd fd fd fa fa fa fa fa fa fa fa fa fd fd fd fd
  0x7ca5587e0a00: fd fd fd fd fd fd fd fd fd fd fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb

Referenced Bugs:
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=86656
[Bug 86656] [meta-bug] Issues found with -fsanitize=address
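The shutdown order the trace records (the Fortran scanner frees the file-name buffer in gfc_scanner_done_1, then the SARIF flush in diagnostic_context::finish() reaches file_cache::lookup_file and strcmp reads the freed bytes) modelled as an added illustration that is not GCC source: a cache that borrows the caller's pointer beside one that owns a copy. Scanner, BorrowingFileCache and OwningFileCache are constructed stand-ins, and nothing here claims to be how the GCC bug was fixed.

```cpp
// Added illustration of the lifetime hazard in the report, not GCC code.
// Build with -fsanitize=address: the borrowing path reproduces a
// heap-use-after-free in strcmp with the same shape as the trace above.
#include <cstdlib>
#include <cstring>
#include <string>
#include <vector>

// Stand-in for the Fortran scanner: it owns the file-name buffer and frees it
// on teardown, mirroring gfc_scanner_done_1 in the trace.
struct Scanner {
  char *filename = nullptr;
  void open(const char *name) {
    filename = static_cast<char *>(std::malloc(std::strlen(name) + 1));
    std::memcpy(filename, name, std::strlen(name) + 1);
  }
  void done() { std::free(filename); filename = nullptr; }
};

// Buggy shape: keeps the caller's pointer, so every entry dangles once the
// scanner has released its buffer.
struct BorrowingFileCache {
  std::vector<const char *> files;
  void add(const char *name) { files.push_back(name); }
  bool lookup(const char *name) const {
    for (const char *f : files)
      if (std::strcmp(f, name) == 0) return true;  // reads freed memory after done()
    return false;
  }
};

// Hardened shape: copies each name, so the cache's lifetime no longer depends
// on whichever front end handed it the pointer.
struct OwningFileCache {
  std::vector<std::string> files;
  void add(const char *name) { files.emplace_back(name); }
  bool lookup(const char *name) const {
    for (const std::string &f : files)
      if (f == name) return true;
    return false;
  }
};

// Replays the order in the report: populate the cache while the front end is
// alive, tear the front end down, then look the source file up by name as the
// SARIF flush does at diagnostic finish.
template <class Cache> bool flush_after_frontend_teardown() {
  Cache cache;
  Scanner sc;
  sc.open("diagnostic-format-sarif-pr105916.f90");
  cache.add(sc.filename);  // cache sees the scanner-owned pointer
  sc.done();               // scanner frees its buffer (gfc_scanner_done_1)
  return cache.lookup("diagnostic-format-sarif-pr105916.f90");
}
```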