https://gcc.gnu.org/bugzilla/show_bug.cgi?id=111175
Bug ID: 111175
Summary: Initialization of a structure with a flexible array
member with c23 storage class specifier causes
corruption, and ICE
Product: gcc
Version: 13.1.0
Status: UNCONFIRMED
Severity: normal
Priority: P3
Component: c
Assignee: unassigned at gcc dot gnu.org
Reporter: Araknod at hotmail dot it
Target Milestone: ---
Created attachment 55803
--> https://gcc.gnu.org/bugzilla/attachment.cgi?id=55803&action=edit
output of gcc -fsanitize=address -Wall -Wextra -std=c2x -Og in.c -S -o in.s
Using the new C23 storage class specifier to allocate a structure with a
flexible array member causes memory corruption (detected with address
sanitizer), and causes an ICE if compiled with -fanalyzer or
-fsanitize=undefined
in.c:
#include <stdio.h>
struct T { int size, data[]; };
int main() {
auto v = &(static struct T){ .size = 3, .data = { 1, 2, 3, } };
for (int i = 0; i < v->size; i++) {
printf("%d\n", v->data[i]);
}
}
gcc -fsanitize=address -Wall -Wextra -std=c2x -Og in.c -o main
/tmp/ccseyF4n.s: Assembler messages:
/tmp/ccseyF4n.s:64: Warning: .space repeat count is zero, ignored
Attached is the gcc -S -o in.s output
When run the corruption message is:
=================================================================
==29798==ERROR: AddressSanitizer: global-buffer-overflow on address
0x55c6806af064 at pc 0x55c6806ae254 bp 0x7ffe996ceda0 sp 0x7ffe996ced90
READ of size 4 at 0x55c6806af064 thread T0
#0 0x55c6806ae253 in main (/home/lorenzo/dev/sig/cred/main+0x1253)
(BuildId: 9cf4495a35299e33afc1afe22e07ca096fce2722)
#1 0x7f3c4e8e9a8f in __libc_start_call_main
../sysdeps/nptl/libc_start_call_main.h:58
#2 0x7f3c4e8e9b48 in __libc_start_main_impl ../csu/libc-start.c:360
#3 0x55c6806ae124 in _start (/home/lorenzo/dev/sig/cred/main+0x1124)
(BuildId: 9cf4495a35299e33afc1afe22e07ca096fce2722)
0x55c6806af064 is located 0 bytes after global variable '__compound_literal.0'
defined in 'vla1.c:6:32' (0x55c6806af060) of size 4
When compiled with -fsanitize=undefined
during GIMPLE pass: ccp
in.c: In function ‘main’:
in.c:10:1: internal compiler error: Segmentation fault
10 | }
| ^
0xc5ed7e crash_signal
../../src/gcc/toplev.cc:314
0x7f17628464af ???
./signal/../sysdeps/unix/sysv/linux/x86_64/libc_sigaction.c:0
0x17e9f04 tree_fits_poly_int64_p(tree_node const*)
../../src/gcc/tree.cc:6378
0x17e9f04 tree_to_poly_int64(tree_node const*)
../../src/gcc/tree.cc:3285
0x81450e component_ref_size(tree_node*, special_array_member*)
../../src/gcc/tree.cc:13199
0x7e5cc2 decl_init_size(tree_node*, bool)
../../src/gcc/tree-object-size.cc:493
0x16d50a7 addr_object_size
../../src/gcc/tree-object-size.cc:568
0x6bfbae fold_builtin_object_size
../../src/gcc/builtins.cc:10808
0x6bfbae fold_builtin_2
../../src/gcc/builtins.cc:9841
0x6bfbae fold_builtin_n(unsigned int, tree_node*, tree_node*, tree_node**, int,
bool) [clone .isra.0]
../../src/gcc/builtins.cc:9949
0x12e7e30 gimple_fold_stmt_to_constant_1(gimple*, tree_node* (*)(tree_node*),
tree_node* (*)(tree_node*))
../../src/gcc/gimple-fold.cc:7713
0x12dc66b ccp_fold
../../src/gcc/tree-ssa-ccp.cc:1289
0x12dc66b evaluate_stmt
../../src/gcc/tree-ssa-ccp.cc:2222
0x12d8a32 visit_assignment
../../src/gcc/tree-ssa-ccp.cc:2855
0x12d8a32 ccp_propagate::visit_stmt(gimple*, edge_def**, tree_node**)
../../src/gcc/tree-ssa-ccp.cc:2933
0x12d84ed ssa_propagation_engine::simulate_stmt(gimple*)
../../src/gcc/tree-ssa-propagate.cc:220
0x12d82fa ssa_propagation_engine::simulate_block(basic_block_def*)
../../src/gcc/tree-ssa-propagate.cc:327
0x12d637c ssa_propagation_engine::ssa_propagate()
../../src/gcc/tree-ssa-propagate.cc:477
0x12d31e2 do_ssa_ccp
../../src/gcc/tree-ssa-ccp.cc:2974
0x12d31e2 execute
../../src/gcc/tree-ssa-ccp.cc:3020
And when run with -fanalyzer
during IPA pass: analyzer
in.c: In function ‘main’:
in.c:7:26: internal compiler error: Segmentation fault
7 | for (int i = 0; i < v->size; i++) {
| ~^~~~~~
0xc5ed7e crash_signal
../../src/gcc/toplev.cc:314
0x7f6b9e4604af ???
./signal/../sysdeps/unix/sysv/linux/x86_64/libc_sigaction.c:0
0x17e9f04 tree_fits_poly_int64_p(tree_node const*)
../../src/gcc/tree.cc:6378
0x17e9f04 tree_to_poly_int64(tree_node const*)
../../src/gcc/tree.cc:3285
0x81450e component_ref_size(tree_node*, special_array_member*)
../../src/gcc/tree.cc:13199
0x7e5cc2 decl_init_size(tree_node*, bool)
../../src/gcc/tree-object-size.cc:493
0xce2e44 ana::region_model::get_capacity(ana::region const*) const
../../src/gcc/analyzer/region-model.cc:2757
0x109335f ana::region_model::check_region_bounds(ana::region const*,
ana::access_direction, ana::region_model_context*) const
../../src/gcc/analyzer/bounds-checking.cc:852
0xcda88a ana::region_model::check_region_access(ana::region const*,
ana::access_direction, ana::region_model_context*) const
../../src/gcc/analyzer/region-model.cc:2817
0xce1287 ana::region_model::check_region_for_read(ana::region const*,
ana::region_model_context*) const
../../src/gcc/analyzer/region-model.cc:2847
0xce1287 ana::region_model::get_store_value(ana::region const*,
ana::region_model_context*) const
../../src/gcc/analyzer/region-model.cc:2399
0xce1b3e ana::region_model::get_rvalue(ana::path_var,
ana::region_model_context*) const
../../src/gcc/analyzer/region-model.cc:2297
0xce3790 ana::region_model::on_assignment(gassign const*,
ana::region_model_context*)
../../src/gcc/analyzer/region-model.cc:1156
0xce9850 ana::exploded_node::on_stmt(ana::exploded_graph&, ana::supernode
const*, gimple const*, ana::program_state*, ana::uncertainty_t*,
ana::path_context*)
../../src/gcc/analyzer/engine.cc:1471
0xce9df1 ana::exploded_graph::process_node(ana::exploded_node*)
../../src/gcc/analyzer/engine.cc:4063
0xceae37 ana::exploded_graph::process_worklist()
../../src/gcc/analyzer/engine.cc:3466
0xceb1f2 ana::impl_run_checkers(ana::logger*)
../../src/gcc/analyzer/engine.cc:6125
0xceba9e ana::run_checkers()
../../src/gcc/analyzer/engine.cc:6213
0xcebaef execute
../../src/gcc/analyzer/analyzer-pass.cc:87
