http://gcc.gnu.org/bugzilla/show_bug.cgi?id=55407

             Bug #: 55407
           Summary: stack-buffer-overflow in compute_working_sets
    Classification: Unclassified
           Product: gcc
           Version: 4.8.0
            Status: UNCONFIRMED
          Severity: normal
          Priority: P3
         Component: middle-end
        AssignedTo: unassig...@gcc.gnu.org
        ReportedBy: hjl.to...@gmail.com

[hjl@gnu-mic-2 gcc]$ cat /tmp/y.i
extern void abort (void);
extern void exit (int);

int expect_do1 = 1, expect_do2 = 2;

static int doit(int x){
  __label__ lbl1;
  __label__ lbl2;
  static int jtab_init = 0;
  static void *jtab[2];

  if(!jtab_init) {
    jtab[0] = &&lbl1;
    jtab[1] = &&lbl2;
    jtab_init = 1;
  }
  goto *jtab[x];
lbl1:
  return 1;
lbl2:
  return 2;
}

static void do1(void) {
  if (doit(0) != expect_do1)
    abort ();
}

static void do2(void){
  if (doit(1) != expect_do2)
    abort ();
}

int main(void){
  do1();
  do2();
  exit(0);
}

[hjl@gnu-mic-2 gcc]$ ./xgcc -B./ -O3  -fprofile-arcs /tmp/y.i
[hjl@gnu-mic-2 gcc]$ ./a.out
[hjl@gnu-mic-2 gcc]$ ./xgcc -B./ -O3 -S -fbranch-probabilities /tmp/y.i
=================================================================
==18365== ERROR: AddressSanitizer stack-buffer-overflow on address 0x7ffff9a5ee70 at pc 0xeeef8a bp 0x7ffff9a5e950 sp 0x7ffff9a5e948
READ of size 8 at 0x7ffff9a5ee70 thread T0
    #0 0xeeef89 (/export/build/gnu/gcc-asan/build-x86_64-linux/gcc/cc1+0xeeef89)
Address 0x7ffff9a5ee70 is located at offset 1184 in frame <compute_branch_probabilities> of T0's stack:
  This frame has 2 object(s):
    [32, 112) 'hist_br_prob'
    [160, 1184) 'working_set_cum_values'
HINT: this may be a false positive if your program uses some custom stack unwind mechanism
      (longjmp and C++ exceptions *are* supported)
Shadow byte and word:
  0x1fffff34bdce: f3
  0x1fffff34bdc8: 00 00 00 00 00 00 f3 f3
More shadow bytes:
  0x1fffff34bda8: 00 00 00 00 00 00 00 00
  0x1fffff34bdb0: 00 00 00 00 00 00 00 00
  0x1fffff34bdb8: 00 00 00 00 00 00 00 00
  0x1fffff34bdc0: 00 00 00 00 00 00 00 00
=>0x1fffff34bdc8: 00 00 00 00 00 00 f3 f3
  0x1fffff34bdd0: f3 f3 00 00 00 00 00 00
  0x1fffff34bdd8: 00 00 00 00 00 00 00 00
  0x1fffff34bde0: 00 00 00 00 00 00 00 00
  0x1fffff34bde8: 00 00 00 00 00 00 00 00
Stats: 2M malloced (2M for red zones) by 5642 calls
Stats: 0M realloced by 344 calls
Stats: 2M freed by 3566 calls
Stats: 0M really freed by 0 calls
Stats: 8M (2059 full pages) mmaped in 16 calls
  mmaps   by size class: 7:4095; 8:2047; 9:1023; 10:511; 11:255; 12:384; 13:128; 14:32; 15:48; 16:8; 18:2;
  mallocs by size class: 7:3557; 8:1180; 9:156; 10:80; 11:213; 12:305; 13:89; 14:17; 15:43; 16:1; 18:1;
  frees   by size class: 7:2011; 8:794; 9:122; 10:73; 11:142; 12:301; 13:64; 14:17; 15:42;
  rfrees  by size class:
Stats: malloc large: 45 small slow: 115
==18365== ABORTING
[hjl@gnu-mic-2 gcc]$

(gdb) bt
#0  __asan_report_error (pc=15658890, bp=140737488343840, sp=140737488343832,
    addr=140737488345152, is_write=<optimized out>, access_size=8)
    at /export/gnu/import/git/gcc/libsanitizer/asan/asan_report.cc:464
#1  0x0000000001f2b2a4 in __asan::__asan_report_load8 (addr=<optimized out>)
    at /export/gnu/import/git/gcc/libsanitizer/asan/asan_rtl.cc:195
#2  0x0000000000eeef8a in compute_working_sets ()
    at /export/gnu/import/git/gcc/gcc/profile.c:294
#3  get_exec_counts (lineno_checksum=0, cfg_checksum=0)
    at /export/gnu/import/git/gcc/gcc/profile.c:377
#4  compute_branch_probabilities (cfg_checksum=cfg_checksum@entry=4088700122,
    lineno_checksum=lineno_checksum@entry=728892799)
    at /export/gnu/import/git/gcc/gcc/profile.c:611
#5  0x0000000000ef1e76 in branch_prob ()
    at /export/gnu/import/git/gcc/gcc/profile.c:1371
#6  0x0000000001207d7b in tree_profiling ()
    at /export/gnu/import/git/gcc/gcc/tree-profile.c:483
#7  0x0000000000eb4f84 in execute_one_pass (
    pass=pass@entry=0x264a680 <pass_ipa_tree_profile>)
    at /export/gnu/import/git/gcc/gcc/passes.c:2339
#8  0x0000000000eb6653 in execute_ipa_pass_list (
    pass=0x264a680 <pass_ipa_tree_profile>)
    at /export/gnu/import/git/gcc/gcc/passes.c:2705
#9  0x000000000087cf79 in ipa_passes ()
    at /export/gnu/import/git/gcc/gcc/cgraphunit.c:1871
#10 compile () at /export/gnu/import/git/gcc/gcc/cgraphunit.c:1994
#11 0x000000000087e58a in finalize_compilation_unit ()
    at /export/gnu/import/git/gcc/gcc/cgraphunit.c:2122
#12 0x000000000059aec1 in c_write_global_declarations ()
    at /export/gnu/import/git/gcc/gcc/c/c-decl.c:10128
#13 0x000000000107b11a in compile_file ()
    at /export/gnu/import/git/gcc/gcc/toplev.c:559
#14 0x000000000107f407 in do_compile ()
    at /export/gnu/import/git/gcc/gcc/toplev.c:1881
#15 toplev_main (argc=15, argv=0x7fffffffe0d8)
    at /export/gnu/import/git/gcc/gcc/toplev.c:1957
#16 0x00000038f3a21675 in __libc_start_main () from /lib64/libc.so.6
#17 0x000000000055c761 in _start ()
(gdb)
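The frame description in the sanitizer report above is what tells a triager which object the faulting access belongs to: the 8-byte READ is at frame offset 1184, and 'working_set_cum_values' occupies [160, 1184), so the read starts exactly one byte past the end of that array (the backtrace places the read in compute_working_sets, inlined into the compute_branch_probabilities frame). The script below, an added example that is not part of the bug report or of GCC, parses that report format and relates the access to the listed stack objects. The embedded excerpt is constructed from the report's own lines; the element-index calculation assumes the array's element size equals the access size (8 bytes), which the report does not state.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed excerpt of the AddressSanitizer report above (values copied from it).
REPORT = """\
==18365== ERROR: AddressSanitizer stack-buffer-overflow on address 0x7ffff9a5ee70 at pc 0xeeef8a bp 0x7ffff9a5e950 sp 0x7ffff9a5e948
READ of size 8 at 0x7ffff9a5ee70 thread T0
    #0 0xeeef89 (/export/build/gnu/gcc-asan/build-x86_64-linux/gcc/cc1+0xeeef89)
Address 0x7ffff9a5ee70 is located at offset 1184 in frame <compute_branch_probabilities> of T0's stack:
  This frame has 2 object(s):
    [32, 112) 'hist_br_prob'
    [160, 1184) 'working_set_cum_values'
"""

ACCESS_RE = re.compile(r"^(READ|WRITE) of size (\d+) at 0x[0-9a-fA-F]+", re.M)
# \s* tolerates the frame name being wrapped onto the following line.
FRAME_RE = re.compile(r"is located at offset (\d+) in frame\s*<([^>]+)>")
OBJECT_RE = re.compile(r"^\s*\[(\d+), (\d+)\) '([^']+)'", re.M)


@dataclass
class StackObject:
    name: str
    start: int   # frame offset of the object's first byte
    end: int     # frame offset one past its last byte


@dataclass
class Finding:
    access: str                   # "READ" or "WRITE"
    size: int                     # bytes touched by the faulting access
    offset: int                   # frame offset of the faulting access
    frame: str                    # function owning the frame
    nearest: str                  # stack object closest to the access
    relation: str                 # "inside", "past_end" or "before_start"
    distance: int                 # bytes between the object's boundary and the access start
    element_index: Optional[int]  # index being read, assuming element size == access size


def parse_objects(report: str) -> List[StackObject]:
    """Collect the '[start, end) name' lines of the frame description."""
    return [StackObject(name, int(s), int(e)) for s, e, name in OBJECT_RE.findall(report)]


def classify(report: str) -> Finding:
    """Relate the faulting access to the stack objects ASan listed for the frame."""
    acc = ACCESS_RE.search(report)
    frm = FRAME_RE.search(report)
    if acc is None or frm is None:
        raise ValueError("not a stack-buffer-overflow report with a frame description")
    access, size = acc.group(1), int(acc.group(2))
    offset, frame = int(frm.group(1)), frm.group(2)

    best = None  # (distance, object, relation) for the closest object seen so far
    for obj in parse_objects(report):
        if obj.start <= offset < obj.end:
            cand = (0, obj, "inside")
        elif offset >= obj.end:
            cand = (offset - obj.end, obj, "past_end")        # overflow beyond the object
        else:
            cand = (obj.start - offset, obj, "before_start")  # underflow in front of it
        if best is None or cand[0] < best[0]:
            best = cand
    if best is None:
        raise ValueError("frame description lists no objects")

    distance, obj, relation = best
    # Assumption: element size equals the access size, so the element being
    # touched is (offset - start) / size. ASan itself does not report element size.
    index = (offset - obj.start) // size if relation == "past_end" else None
    return Finding(access, size, offset, frame, obj.name, relation, distance, index)


if __name__ == "__main__":
    f = classify(REPORT)
    print(f"{f.access} of {f.size} bytes at frame offset {f.offset} in {f.frame}: "
          f"{f.relation} of {f.nearest} by {f.distance} bytes "
          f"(element index {f.element_index})")
```

For the report above this yields a READ that is past_end of working_set_cum_values by 0 bytes, i.e. element index 128 of a 1024-byte array that holds indices 0 to 127 under the 8-byte-element assumption: a classic one-past-the-end loop bound, which is the first thing to check at the profile.c:294 line named in the backtrace.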
