[Bug gcov-profile/55417] [4.8 Regression] AddressSanitizer reports stack-buffer-overflow in profiling code

[tejohnson at google dot com]

http://gcc.gnu.org/bugzilla/show_bug.cgi?id=55417



--- Comment #2 from Teresa Johnson <tejohnson at google dot com> 2012-11-21 
05:51:12 UTC ---

The following patch should fix it. I am running regression testing

now, but am leaving town imminently for several days and can send the

patch for review when I get back Sunday.



Teresa



2012-11-20  Teresa Johnson  <tejohn...@google.com>



        PR gcov-profile/55417

        * profile.c (compute_working_sets): Check index first

        to avoid out-of-bounds array access.



Index: profile.c

===================================================================

--- profile.c   (revision 193614)

+++ profile.c   (working copy)

@@ -291,8 +291,8 @@ compute_working_sets (void)

           /* Next walk through successive working set entries and fill in

             the statistics for any whose size we have reached by accumulating

             this histogram counter.  */

-          while (tmp_cum >= working_set_cum_values[ws_ix]

-                 && ws_ix < NUM_GCOV_WORKING_SETS)

+          while (ws_ix < NUM_GCOV_WORKING_SETS

+                 && tmp_cum >= working_set_cum_values[ws_ix])

             {

               gcov_working_sets[ws_ix].num_counters = count;

               gcov_working_sets[ws_ix].min_counter



On Tue, Nov 20, 2012 at 1:06 PM, markus at trippelsdorf dot de

<gcc-bugzi...@gcc.gnu.org> wrote:

>

> http://gcc.gnu.org/bugzilla/show_bug.cgi?id=55417

>

> --- Comment #1 from Markus Trippelsdorf <markus at trippelsdorf dot de> 
> 2012-11-20 21:06:46 UTC ---

> Valgrind shows:

>

>  % /var/tmp/gcc_valgrind/usr/local/bin/g++ -w -fprofile-use -O3

> /home/markus/bench.cpp

> ==522== Conditional jump or move depends on uninitialised value(s)

> ==522==    at 0x9E082B: compute_branch_probabilities(unsigned int, unsigned

> int) (profile.c:294)

> ==522==    by 0x9E2544: branch_prob() (profile.c:1371)

> ==522==    by 0xAFF5F5: tree_profiling() (tree-profile.c:483)

> ==522==    by 0x9CBD2A: execute_one_pass(opt_pass*) (passes.c:2327)

> ==522==    by 0x9CC789: execute_ipa_pass_list(opt_pass*) (passes.c:2692)

> ==522==    by 0x79429F: compile() (cgraphunit.c:1869)

> ==522==    by 0x794B99: finalize_compilation_unit() (cgraphunit.c:2120)

> ==522==    by 0x5B4A0E: cp_write_global_declarations() (decl2.c:4287)

> ==522==    by 0xA6D5BC: compile_file() (toplev.c:559)

> ==522==    by 0xA6F479: toplev_main(int, char**) (toplev.c:1881)

> ==522==    by 0x4ECD894: (below main) (libc-start.c:258)

> ==522==

>  %

>

> --

> Configure bugmail: http://gcc.gnu.org/bugzilla/userprefs.cgi?tab=email

> ------- You are receiving this mail because: -------

> You are on the CC list for the bug.