https://gcc.gnu.org/bugzilla/show_bug.cgi?id=84272
            Bug ID: 84272
           Summary: AddressSanitizer: heap-use-after-free ../../gcc/config/aarch64/cortex-a57-fma-steering.c:519 in fma_node::get_parity()
           Product: gcc
           Version: unknown
            Status: UNCONFIRMED
          Keywords: ice-on-valid-code
          Severity: normal
          Priority: P3
         Component: target
          Assignee: unassigned at gcc dot gnu.org
          Reporter: marxin at gcc dot gnu.org
                CC: amker at gcc dot gnu.org, kyrylo.tkachov at arm dot com, ramana at gcc dot gnu.org
  Target Milestone: ---
              Host: aarch64-linux-gnu
            Target: aarch64-linux-gnu

Seen both on a native machine and with a cross compiler (on x86_64):

$ cat model.ii
class a
{
public:
  float b, c;
  a ();
  a (float, float, float);
  float operator* (a)
  {
    float d = b * b + c * c;
    return d;
  }
} typedef e;
void
f ()
{
  e g[1];
  e h (0, 0, h * g[2]);
}

$ ./xg++ -B. model.ii -c -march=armv8-a -mtune=cortex-a57 -O2
=================================================================
==20120==ERROR: AddressSanitizer: heap-use-after-free on address 0x604000023ca8 at pc 0x000002e669b2 bp 0x7fffffffd1b0 sp 0x7fffffffd1a8
READ of size 8 at 0x604000023ca8 thread T0
    #0 0x2e669b1 in fma_node::get_parity() ../../gcc/config/aarch64/cortex-a57-fma-steering.c:519
    #1 0x2e669b1 in fma_node::rename(fma_forest*) ../../gcc/config/aarch64/cortex-a57-fma-steering.c:600
    #2 0x2e67b0a in func_fma_steering::dfs(void (*)(fma_forest*), void (*)(fma_forest*, fma_root_node*), void (*)(fma_forest*, fma_node*), bool) ../../gcc/config/aarch64/cortex-a57-fma-steering.c:882
    #3 0x2e686b9 in func_fma_steering::rename_fma_trees() ../../gcc/config/aarch64/cortex-a57-fma-steering.c:1006
    #4 0x2e6aac2 in func_fma_steering::execute_fma_steering() ../../gcc/config/aarch64/cortex-a57-fma-steering.c:1036
    #5 0x2e6c7ad in pass_fma_steering::execute(function*) ../../gcc/config/aarch64/cortex-a57-fma-steering.c:1071
    #6 0x1dadc09 in execute_one_pass(opt_pass*) ../../gcc/passes.c:2497
    #7 0x1daf5e2 in execute_pass_list_1 ../../gcc/passes.c:2586
    #8 0x1daf60c in execute_pass_list_1 ../../gcc/passes.c:2587
    #9 0x1daf60c in execute_pass_list_1 ../../gcc/passes.c:2587
    #10 0x1daf68f in execute_pass_list(function*, opt_pass*) ../../gcc/passes.c:2597
    #11 0x11619a9 in cgraph_node::expand() ../../gcc/cgraphunit.c:2139
    #12 0x116454c in expand_all_functions ../../gcc/cgraphunit.c:2275
    #13 0x116454c in symbol_table::compile() ../../gcc/cgraphunit.c:2624
    #14 0x116dc76 in symbol_table::finalize_compilation_unit() ../../gcc/cgraphunit.c:2717
    #15 0x2132fe4 in compile_file ../../gcc/toplev.c:480
    #16 0x690921 in do_compile ../../gcc/toplev.c:2081
    #17 0x690921 in toplev::main(int, char**) ../../gcc/toplev.c:2216
    #18 0x69b444 in main ../../gcc/main.c:39
    #19 0x7ffff5a65f49 in __libc_start_main (/lib64/libc.so.6+0x20f49)
    #20 0x69dba9 in _start (/home/marxin/Programming/gcc2/objdir2/gcc/cc1plus+0x69dba9)

0x604000023ca8 is located 24 bytes inside of 48-byte region [0x604000023c90,0x604000023cc0)
freed by thread T0 here:
    #0 0x7ffff6f02ff8 in operator delete(void*, unsigned long) (/usr/lib64/libasan.so.4+0xdeff8)
    #1 0x2e682e5 in func_fma_steering::dfs(void (*)(fma_forest*), void (*)(fma_forest*, fma_root_node*), void (*)(fma_forest*, fma_node*), bool) ../../gcc/config/aarch64/cortex-a57-fma-steering.c:896
    #2 0x604000023bcf (<unknown module>)

previously allocated by thread T0 here:
    #0 0x7ffff6f01c70 in operator new(unsigned long) (/usr/lib64/libasan.so.4+0xddc70)
    #1 0x2e69e52 in func_fma_steering::analyze_fma_fmul_insn(fma_forest*, du_chain*, du_head*) ../../gcc/config/aarch64/cortex-a57-fma-steering.c:774

SUMMARY: AddressSanitizer: heap-use-after-free ../../gcc/config/aarch64/cortex-a57-fma-steering.c:519 in fma_node::get_parity()
Shadow bytes around the buggy address:
  0x0c087fffc740: fa fa fd fd fd fd fd fd fa fa 00 00 00 00 00 00
  0x0c087fffc750: fa fa 00 00 00 00 00 00 fa fa fd fd fd fd fd fa
  0x0c087fffc760: fa fa 00 00 00 00 00 00 fa fa 00 00 00 00 00 00
  0x0c087fffc770: fa fa 00 00 00 00 00 00 fa fa 00 00 00 00 00 fa
  0x0c087fffc780: fa fa 00 00 00 00 00 00 fa fa fd fd fd fd fd fa
=>0x0c087fffc790: fa fa fd fd fd[fd]fd fd fa fa 00 00 00 00 00 fa
  0x0c087fffc7a0: fa fa 00 00 00 00 00 fa fa fa fa fa fa fa fa fa
  0x0c087fffc7b0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c087fffc7c0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c087fffc7d0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c087fffc7e0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==20120==ABORTING