https://gcc.gnu.org/bugzilla/show_bug.cgi?id=103449
Bug ID: 103449
Summary: [12 Regression] use-after-free in ipa_param_body_adjustments::prepare_debug_expressions(tree_node*) (ipa-param-manipulation.c:1283)
Product: gcc
Version: 12.0
Status: UNCONFIRMED
Keywords: ice-on-valid-code
Severity: normal
Priority: P3
Component: ipa
Assignee: unassigned at gcc dot gnu.org
Reporter: zsojka at seznam dot cz
CC: marxin at gcc dot gnu.org
Target Milestone: ---
Host: x86_64-pc-linux-gnu

Created attachment 51887
--> https://gcc.gnu.org/bugzilla/attachment.cgi?id=51887&action=edit
auto-reduced testcase

Compiler output:
$ x86_64-pc-linux-gnu-gcc -O2 -fno-tree-ccp -fno-tree-forwprop -fno-tree-fre -g -c -w mcf.ii -wrapper valgrind,-q
==23072== Invalid read of size 8
==23072==    at 0x140040E: hash_map<tree_node*, tree_node*, simple_hashmap_traits<default_hash_traits<tree_node*>, tree_node*> >::put(tree_node* const&, tree_node* const&) [clone .isra.0] (hash-map.h:176)
==23072==    by 0x14016B6: ipa_param_body_adjustments::prepare_debug_expressions(tree_node*) (ipa-param-manipulation.c:1283)
==23072==    by 0x1400EDB: ipa_param_body_adjustments::prepare_debug_expressions(tree_node*) (ipa-param-manipulation.c:1263)
==23072==    by 0x14021D7: ipa_param_body_adjustments::common_initialization(tree_node*, tree_node**, vec<ipa_replace_map*, va_gc, vl_embed>*) (ipa-param-manipulation.c:1461)
==23072==    by 0x16C8094: tree_function_versioning(tree_node*, tree_node*, vec<ipa_replace_map*, va_gc, vl_embed>*, ipa_param_adjustments*, bool, bitmap_head*, basic_block_def*) (tree-inline.c:6303)
==23072==    by 0x11738AD: cgraph_node::materialize_clone() (cgraphclones.c:1142)
==23072==    by 0x1162035: cgraph_node::get_untransformed_body() (cgraph.c:3965)
==23072==    by 0x13BE9CB: maybe_materialize_called_clones(cgraph_node*) [clone .isra.0] (ipa-inline-transform.c:720)
==23072==    by 0x13BE9FC: maybe_materialize_called_clones(cgraph_node*) [clone .isra.0] (ipa-inline-transform.c:715)
==23072==    by 0x13BE9FC: maybe_materialize_called_clones(cgraph_node*) [clone .isra.0] (ipa-inline-transform.c:715)
==23072==    by 0x13C08CB: inline_transform(cgraph_node*) (ipa-inline-transform.c:777)
==23072==    by 0x1539F15: execute_one_ipa_transform_pass (passes.c:2290)
==23072==    by 0x1539F15: execute_all_ipa_transforms(bool) (passes.c:2337)
==23072==  Address 0x5abaf68 is 168 bytes inside a block of size 208 free'd
==23072==    at 0x484240F: free (in /usr/libexec/valgrind/vgpreload_memcheck-amd64-linux.so)
==23072==    by 0x1400448: find_slot_with_hash (hash-table.h:967)
==23072==    by 0x1400448: hash_map<tree_node*, tree_node*, simple_hashmap_traits<default_hash_traits<tree_node*>, tree_node*> >::put(tree_node* const&, tree_node* const&) [clone .isra.0] (hash-map.h:170)
==23072==    by 0x14016B6: ipa_param_body_adjustments::prepare_debug_expressions(tree_node*) (ipa-param-manipulation.c:1283)
==23072==    by 0x1400EDB: ipa_param_body_adjustments::prepare_debug_expressions(tree_node*) (ipa-param-manipulation.c:1263)
==23072==    by 0x14021D7: ipa_param_body_adjustments::common_initialization(tree_node*, tree_node**, vec<ipa_replace_map*, va_gc, vl_embed>*) (ipa-param-manipulation.c:1461)
==23072==    by 0x16C8094: tree_function_versioning(tree_node*, tree_node*, vec<ipa_replace_map*, va_gc, vl_embed>*, ipa_param_adjustments*, bool, bitmap_head*, basic_block_def*) (tree-inline.c:6303)
==23072==    by 0x11738AD: cgraph_node::materialize_clone() (cgraphclones.c:1142)
==23072==    by 0x1162035: cgraph_node::get_untransformed_body() (cgraph.c:3965)
==23072==    by 0x13BE9CB: maybe_materialize_called_clones(cgraph_node*) [clone .isra.0] (ipa-inline-transform.c:720)
==23072==    by 0x13BE9FC: maybe_materialize_called_clones(cgraph_node*) [clone .isra.0] (ipa-inline-transform.c:715)
==23072==    by 0x13BE9FC: maybe_materialize_called_clones(cgraph_node*) [clone .isra.0] (ipa-inline-transform.c:715)
==23072==    by 0x13C08CB: inline_transform(cgraph_node*) (ipa-inline-transform.c:777)
==23072==  Block was alloc'd at
==23072==    at 0x4844C0F: calloc (in /usr/libexec/valgrind/vgpreload_memcheck-amd64-linux.so)
==23072==    by 0x28070D4: xcalloc (xmalloc.c:164)
==23072==    by 0x100E416: data_alloc (hash-table.h:275)
==23072==    by 0x100E416: alloc_entries (hash-table.h:711)
==23072==    by 0x100E416: hash_table<hash_map<tree_node*, tree_node*, simple_hashmap_traits<default_hash_traits<tree_node*>, tree_node*> >::hash_entry, false, xcallocator>::hash_table(unsigned long, bool, bool, bool, mem_alloc_origin) (hash-table.h:628)
==23072==    by 0x1402F5A: hash_map (hash-map.h:142)
==23072==    by 0x1402F5A: ipa_param_body_adjustments::ipa_param_body_adjustments(ipa_param_adjustments*, tree_node*, tree_node*, copy_body_data*, tree_node**, vec<ipa_replace_map*, va_gc, vl_embed>*) (ipa-param-manipulation.c:1516)
==23072==    by 0x16C8094: tree_function_versioning(tree_node*, tree_node*, vec<ipa_replace_map*, va_gc, vl_embed>*, ipa_param_adjustments*, bool, bitmap_head*, basic_block_def*) (tree-inline.c:6303)
==23072==    by 0x11738AD: cgraph_node::materialize_clone() (cgraphclones.c:1142)
==23072==    by 0x1162035: cgraph_node::get_untransformed_body() (cgraph.c:3965)
==23072==    by 0x13BE9CB: maybe_materialize_called_clones(cgraph_node*) [clone .isra.0] (ipa-inline-transform.c:720)
==23072==    by 0x13BE9FC: maybe_materialize_called_clones(cgraph_node*) [clone .isra.0] (ipa-inline-transform.c:715)
==23072==    by 0x13BE9FC: maybe_materialize_called_clones(cgraph_node*) [clone .isra.0] (ipa-inline-transform.c:715)
==23072==    by 0x13C08CB: inline_transform(cgraph_node*) (ipa-inline-transform.c:777)
==23072==    by 0x1539F15: execute_one_ipa_transform_pass (passes.c:2290)
==23072==    by 0x1539F15: execute_all_ipa_transforms(bool) (passes.c:2337)
==23072==
==23072== Invalid read of size 8
==23072==    at 0x14016B7: ipa_param_body_adjustments::prepare_debug_expressions(tree_node*) (ipa-param-manipulation.c:1284)
==23072==    by 0x1400EDB: ipa_param_body_adjustments::prepare_debug_expressions(tree_node*) (ipa-param-manipulation.c:1263)
==23072==    by 0x14021D7: ipa_param_body_adjustments::common_initialization(tree_node*, tree_node**, vec<ipa_replace_map*, va_gc, vl_embed>*) (ipa-param-manipulation.c:1461)
==23072==    by 0x16C8094: tree_function_versioning(tree_node*, tree_node*, vec<ipa_replace_map*, va_gc, vl_embed>*, ipa_param_adjustments*, bool, bitmap_head*, basic_block_def*) (tree-inline.c:6303)
==23072==    by 0x11738AD: cgraph_node::materialize_clone() (cgraphclones.c:1142)
==23072==    by 0x1162035: cgraph_node::get_untransformed_body() (cgraph.c:3965)
==23072==    by 0x13BE9CB: maybe_materialize_called_clones(cgraph_node*) [clone .isra.0] (ipa-inline-transform.c:720)
==23072==    by 0x13BE9FC: maybe_materialize_called_clones(cgraph_node*) [clone .isra.0] (ipa-inline-transform.c:715)
==23072==    by 0x13BE9FC: maybe_materialize_called_clones(cgraph_node*) [clone .isra.0] (ipa-inline-transform.c:715)
==23072==    by 0x13C08CB: inline_transform(cgraph_node*) (ipa-inline-transform.c:777)
==23072==    by 0x1539F15: execute_one_ipa_transform_pass (passes.c:2290)
==23072==    by 0x1539F15: execute_all_ipa_transforms(bool) (passes.c:2337)
==23072==    by 0x116D7ED: expand (cgraphunit.c:1827)
==23072==    by 0x116D7ED: cgraph_node::expand() (cgraphunit.c:1787)
==23072==  Address 0x5abaf68 is 168 bytes inside a block of size 208 free'd
==23072==    at 0x484240F: free (in /usr/libexec/valgrind/vgpreload_memcheck-amd64-linux.so)
==23072==    by 0x1400448: find_slot_with_hash (hash-table.h:967)
==23072==    by 0x1400448: hash_map<tree_node*, tree_node*, simple_hashmap_traits<default_hash_traits<tree_node*>, tree_node*> >::put(tree_node* const&, tree_node* const&) [clone .isra.0] (hash-map.h:170)
==23072==    by 0x14016B6: ipa_param_body_adjustments::prepare_debug_expressions(tree_node*) (ipa-param-manipulation.c:1283)
==23072==    by 0x1400EDB: ipa_param_body_adjustments::prepare_debug_expressions(tree_node*) (ipa-param-manipulation.c:1263)
==23072==    by 0x14021D7: ipa_param_body_adjustments::common_initialization(tree_node*, tree_node**, vec<ipa_replace_map*, va_gc, vl_embed>*) (ipa-param-manipulation.c:1461)
==23072==    by 0x16C8094: tree_function_versioning(tree_node*, tree_node*, vec<ipa_replace_map*, va_gc, vl_embed>*, ipa_param_adjustments*, bool, bitmap_head*, basic_block_def*) (tree-inline.c:6303)
==23072==    by 0x11738AD: cgraph_node::materialize_clone() (cgraphclones.c:1142)
==23072==    by 0x1162035: cgraph_node::get_untransformed_body() (cgraph.c:3965)
==23072==    by 0x13BE9CB: maybe_materialize_called_clones(cgraph_node*) [clone .isra.0] (ipa-inline-transform.c:720)
==23072==    by 0x13BE9FC: maybe_materialize_called_clones(cgraph_node*) [clone .isra.0] (ipa-inline-transform.c:715)
==23072==    by 0x13BE9FC: maybe_materialize_called_clones(cgraph_node*) [clone .isra.0] (ipa-inline-transform.c:715)
==23072==    by 0x13C08CB: inline_transform(cgraph_node*) (ipa-inline-transform.c:777)
==23072==  Block was alloc'd at
==23072==    at 0x4844C0F: calloc (in /usr/libexec/valgrind/vgpreload_memcheck-amd64-linux.so)
==23072==    by 0x28070D4: xcalloc (xmalloc.c:164)
==23072==    by 0x100E416: data_alloc (hash-table.h:275)
==23072==    by 0x100E416: alloc_entries (hash-table.h:711)
==23072==    by 0x100E416: hash_table<hash_map<tree_node*, tree_node*, simple_hashmap_traits<default_hash_traits<tree_node*>, tree_node*> >::hash_entry, false, xcallocator>::hash_table(unsigned long, bool, bool, bool, mem_alloc_origin) (hash-table.h:628)
==23072==    by 0x1402F5A: hash_map (hash-map.h:142)
==23072==    by 0x1402F5A: ipa_param_body_adjustments::ipa_param_body_adjustments(ipa_param_adjustments*, tree_node*, tree_node*, copy_body_data*, tree_node**, vec<ipa_replace_map*, va_gc, vl_embed>*) (ipa-param-manipulation.c:1516)
==23072==    by 0x16C8094: tree_function_versioning(tree_node*, tree_node*, vec<ipa_replace_map*, va_gc, vl_embed>*, ipa_param_adjustments*, bool, bitmap_head*, basic_block_def*) (tree-inline.c:6303)
==23072==    by 0x11738AD: cgraph_node::materialize_clone() (cgraphclones.c:1142)
==23072==    by 0x1162035: cgraph_node::get_untransformed_body() (cgraph.c:3965)
==23072==    by 0x13BE9CB: maybe_materialize_called_clones(cgraph_node*) [clone .isra.0] (ipa-inline-transform.c:720)
==23072==    by 0x13BE9FC: maybe_materialize_called_clones(cgraph_node*) [clone .isra.0] (ipa-inline-transform.c:715)
==23072==    by 0x13BE9FC: maybe_materialize_called_clones(cgraph_node*) [clone .isra.0] (ipa-inline-transform.c:715)
==23072==    by 0x13C08CB: inline_transform(cgraph_node*) (ipa-inline-transform.c:777)
==23072==    by 0x1539F15: execute_one_ipa_transform_pass (passes.c:2290)
==23072==    by 0x1539F15: execute_all_ipa_transforms(bool) (passes.c:2337)
==23072==

$ x86_64-pc-linux-gnu-gcc -v
Using built-in specs.
COLLECT_GCC=/repo/gcc-trunk/binary-latest-amd64/bin/x86_64-pc-linux-gnu-gcc
COLLECT_LTO_WRAPPER=/repo/gcc-trunk/binary-trunk-r12-5555-20211127001619-gf4ed2e3ae7d-checking-yes-rtl-df-extra-nobootstrap-amd64/bin/../libexec/gcc/x86_64-pc-linux-gnu/12.0.0/lto-wrapper
Target: x86_64-pc-linux-gnu
Configured with: /repo/gcc-trunk//configure --enable-languages=c,c++ --enable-valgrind-annotations --disable-nls --enable-checking=yes,rtl,df,extra --disable-bootstrap --with-cloog --with-ppl --with-isl --build=x86_64-pc-linux-gnu --host=x86_64-pc-linux-gnu --target=x86_64-pc-linux-gnu --with-ld=/usr/bin/x86_64-pc-linux-gnu-ld --with-as=/usr/bin/x86_64-pc-linux-gnu-as --disable-libstdcxx-pch --prefix=/repo/gcc-trunk//binary-trunk-r12-5555-20211127001619-gf4ed2e3ae7d-checking-yes-rtl-df-extra-nobootstrap-amd64
Thread model: posix
Supported LTO compression algorithms: zlib zstd
gcc version 12.0.0 20211127 (experimental) (GCC)
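Both invalid reads above hit the hash_map's old entries block right after find_slot_with_hash freed it while growing the table inside put(), once within put itself (hash-map.h:176) and once in the caller on the next line (ipa-param-manipulation.c:1284). The pattern that produces exactly that trace is a reference into the table being passed as put's by-reference value argument and reused after the call; whether GCC's source did precisely this is not stated on this page. The following is an added example, a hypothetical open-addressing map rather than GCC's hash_map, that reconstructs the hazard (with the old array poisoned instead of freed, so the stale read stays defined) beside the fix of copying the value into a local before inserting.

```cpp
#include <cstddef>
#include <utility>
#include <vector>
// Hypothetical open-addressing map standing in for GCC's hash_map<tree, tree>
// (not GCC code).  Growth moves live entries to a new array; the old array is
// poisoned and kept, rather than freed, so the stale read below stays defined.
struct SlotMap {
  enum { EMPTY = -1, POISON = -777 };
  struct Entry { int key = EMPTY; int val = 0; };
  std::vector<Entry> slots = std::vector<Entry>(4);
  std::size_t used = 0;
  std::vector<std::vector<Entry>> graveyard;  // stands in for freed blocks
  Entry *find_slot(int key) {  // INSERT lookup: may grow the table first
    if ((used + 1) * 4 > slots.size() * 3) grow();
    for (std::size_t i = key % slots.size();; i = (i + 1) % slots.size())
      if (slots[i].key == EMPTY || slots[i].key == key) return &slots[i];
  }
  void grow() {
    std::vector<Entry> old = std::move(slots);
    slots.assign(old.size() * 2, Entry{});
    used = 0;
    for (Entry &e : old)
      if (e.key != EMPTY) { *find_slot(e.key) = e; ++used; }
    for (Entry &e : old) e.val = POISON;  // a real table would free() here
    graveyard.push_back(std::move(old));
  }
  int *get(int key) {  // lookup without growth; pointer into the live array
    for (std::size_t i = key % slots.size();; i = (i + 1) % slots.size())
      if (slots[i].key == EMPTY || slots[i].key == key)
        return slots[i].key == key ? &slots[i].val : nullptr;
  }
  // Mirrors hash_map::put(const Key &, const Value &): the slot lookup, which
  // may grow the table, runs before v is read.  If v refers into this table,
  // that read is the use-after-free valgrind flagged at hash-map.h:176.
  bool put(const int &k, const int &v) {
    Entry *e = find_slot(k);
    bool existed = e->key != EMPTY;
    if (!existed) { e->key = k; ++used; }
    e->val = v;
    return existed;
  }
};
// Three entries push a 4-slot table past its 3/4 load factor, so the fourth
// insert grows it: the aliasing call stores POISON, the copying call stores 10.
int run_scenario(bool copy_first) {
  SlotMap m;
  m.put(1, 10); m.put(2, 20); m.put(3, 30);
  if (copy_first) { int v = *m.get(1); m.put(4, v); }  // the fix: copy first
  else m.put(4, *m.get(1));  // reference dangles as soon as put() grows
  return *m.get(4);
}
```

Under valgrind the real GCC table reads a freed block here; the poisoned array makes the same stale read observable as the POISON value.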