[Bug target/67484] options-save.c sanitizer asan detects freed storage referenced heap-use-after-free
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=67484

--- Comment #14 from Vittorio Zecca ---
I still get it in g++ 5.3.0. You may reproduce this one with a version of g++ compiled with -fsanitize=address:

[vitti cc]$ /home/vitti/1tb/vitti/local/gcc-5.3.0-address/bin/g++ gccerr26.C -S
=
==4766==ERROR: AddressSanitizer: heap-use-after-free on address 0x602057d0 at pc 0x2b8838780025 bp 0x7fffdc0e27c0 sp 0x7fffdc0e1f70
READ of size 1 at 0x602057d0 thread T0
    #0 0x2b8838780024 in __interceptor_strcmp /home/vitti/gcc-5.3.0/libsanitizer/sanitizer_common/sanitizer_common_interceptors.inc:178
    #1 0x10bc6aa in cl_target_option_eq(cl_target_option const*, cl_target_option const*) /home/vitti/1tb/vitti/gcc-5.3.0-address/gcc/options-save.c:3555

options-save.c:3555 "|| strcmp (ptr1->x_ix86_arch_string, ptr2->x_ix86_arch_string)))"
Uroš Bizjak changed:
           What    |Removed                     |Added
----------------------------------------------------------------------------
   Target Milestone|6.0                         |5.4

--- Comment #13 from Uroš Bizjak ---
Also backported to gcc-5 branch.
--- Comment #12 from uros at gcc dot gnu.org ---
Author: uros
Date: Mon Dec 14 13:21:43 2015
New Revision: 231614

URL: https://gcc.gnu.org/viewcvs?rev=231614=gcc=rev
Log:
Backport from mainline
	2015-12-11  Martin Liska
		    Uros Bizjak

	PR target/67484
	* config/i386/i386.c (ix86_valid_target_attribute_tree): Use ggc_strdup
	to copy option_strings to opts->x_ix86_arch_string and
	opts->x_ix86_tune_string.

Modified:
    branches/gcc-5-branch/gcc/ChangeLog
    branches/gcc-5-branch/gcc/config/i386/i386.c
--- Comment #10 from Martin Liška ---
Author: marxin
Date: Fri Dec 11 10:59:29 2015
New Revision: 231556

URL: https://gcc.gnu.org/viewcvs?rev=231556=gcc=rev
Log:
Fix PR target/67484

	Uros Bizjak

	PR target/67484
	* config/i386/i386.c (ix86_valid_target_attribute_tree): Use ggc_strdup
	to copy option_strings to opts->x_ix86_arch_string and
	opts->x_ix86_tune_string.

Modified:
    trunk/gcc/ChangeLog
    trunk/gcc/config/i386/i386.c
Martin Liška changed:
           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |RESOLVED
         Resolution|---                         |FIXED

--- Comment #11 from Martin Liška ---
Fixed in trunk.
Martin Liška changed:
           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |marxin at gcc dot gnu.org

--- Comment #8 from Martin Liška ---
*** Bug 68310 has been marked as a duplicate of this bug. ***
--- Comment #9 from Martin Liška ---
I've just triggered regression tests with Richard's suggested change:
https://gcc.gnu.org/ml/gcc-patches/2015-09/msg01154.html
Uroš Bizjak changed:
           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|ASSIGNED                    |NEW
           Assignee|ubizjak at gmail dot com    |unassigned at gcc dot gnu.org

--- Comment #7 from Uroš Bizjak ---
This should be implemented with garbage collected strings to avoid leaks. Unassigning; I don't know GCC's garbage collector well.
Uroš Bizjak changed:
           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |g...@the-meissners.org

--- Comment #2 from Uroš Bizjak ---
CC author.
Uroš Bizjak changed:
           What    |Removed                     |Added
----------------------------------------------------------------------------
             Target|                            |x86
             Status|UNCONFIRMED                 |ASSIGNED
   Last reconfirmed|                            |2015-09-15
           Assignee|unassigned at gcc dot gnu.org|ubizjak at gmail dot com
   Target Milestone|---                         |6.0
     Ever confirmed|0                           |1

--- Comment #6 from Uroš Bizjak ---
Patch at [1].

[1] https://gcc.gnu.org/ml/gcc-patches/2015-09/msg01116.html
--- Comment #3 from Uroš Bizjak ---
(In reply to Vittorio Zecca from comment #0)
> //to make happy the sanitizer I commented out the for loop in i386.c lines

  /* Save the current options unless we are validating options for
     #pragma.  */
  t = build_target_option_node (opts);

  opts->x_ix86_arch_string = orig_arch_string;
  opts->x_ix86_tune_string = orig_tune_string;
  opts_set->x_ix86_fpmath = orig_fpmath_set;

  /* Free up memory allocated to hold the strings */
  for (i = 0; i < IX86_FUNCTION_SPECIFIC_MAX; i++)
    free (option_strings[i]);

Indeed. We saved current options in build_target_option_node, where only *pointers* to strings were saved. We should not free the memory pointed to by the saved pointer.
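As an added illustration of the ownership mistake Uroš describes in comment #3 (this is not GCC code and not from any comment in the thread): a saved-options node that stores only the caller's string pointers dangles as soon as the caller frees its temporaries, and any later comparison of two nodes reads freed memory, which is exactly what AddressSanitizer reported inside cl_target_option_eq. The standalone model below gives the node its own copies instead, so the caller's buffers can be freed as the original for loop did. The names (saved_options, save_options, saved_options_eq, free_saved_options) and the sample strings "haswell"/"generic" are invented for the demo. Unlike the committed fix, which uses ggc_strdup so GCC's garbage collector owns the copies, this version uses malloc copies with an explicit free routine, since there is no collector here.

```c
#include <stdlib.h>
#include <string.h>

/* A saved-options node that OWNS copies of its strings.  In the PR the
   analogous node (the cl_target_option built by build_target_option_node)
   held only aliases of option_strings[], which were then freed. */
struct saved_options {
    char *arch_string;   /* heap copy, or NULL when unset */
    char *tune_string;   /* heap copy, or NULL when unset */
};

/* strdup that tolerates NULL (an unset option string). */
static char *dup_or_null(const char *s)
{
    if (s == NULL)
        return NULL;
    size_t n = strlen(s) + 1;
    char *p = malloc(n);
    if (p != NULL)
        memcpy(p, s, n);
    return p;
}

void free_saved_options(struct saved_options *n)
{
    if (n == NULL)
        return;
    free(n->arch_string);
    free(n->tune_string);
    free(n);
}

/* Build the node from the caller's (possibly temporary) strings.  Because we
   copy, the caller may free its buffers afterwards without leaving dangling
   pointers in the node.  Returns NULL on allocation failure. */
struct saved_options *save_options(const char *arch, const char *tune)
{
    struct saved_options *n = calloc(1, sizeof *n);
    if (n == NULL)
        return NULL;
    n->arch_string = dup_or_null(arch);
    n->tune_string = dup_or_null(tune);
    if ((arch != NULL && n->arch_string == NULL)
        || (tune != NULL && n->tune_string == NULL)) {
        free_saved_options(n);
        return NULL;
    }
    return n;
}

/* NULL-aware string equality, the shape of the generated cl_target_option_eq
   comparison whose strcmp ASan flagged. */
static int str_eq(const char *a, const char *b)
{
    if (a == b)
        return 1;
    if (a == NULL || b == NULL)
        return 0;
    return strcmp(a, b) == 0;
}

int saved_options_eq(const struct saved_options *a,
                     const struct saved_options *b)
{
    return str_eq(a->arch_string, b->arch_string)
        && str_eq(a->tune_string, b->tune_string);
}

/* Replay the sequence from the report: build a node from heap temporaries,
   free the temporaries (the for loop over option_strings[] in comment #3),
   then compare nodes.  With aliasing this is the heap-use-after-free; with
   owned copies it is well defined.  Returns 1 on success, 0 otherwise. */
int demo_compare_after_free(void)
{
    /* Constructed sample values, not taken from the report. */
    char *tmp_arch = dup_or_null("haswell");
    char *tmp_tune = dup_or_null("generic");
    struct saved_options *a = save_options(tmp_arch, tmp_tune);
    free(tmp_arch);
    free(tmp_tune);                      /* caller's buffers are gone now */

    struct saved_options *b = save_options("haswell", "generic");
    struct saved_options *c = save_options("haswell", NULL);
    int ok = a != NULL && b != NULL && c != NULL
          && saved_options_eq(a, b)      /* equal strings, separate storage */
          && !saved_options_eq(a, c);    /* NULL tune differs, no crash */

    free_saved_options(a);
    free_saved_options(b);
    free_saved_options(c);
    return ok;
}

int main(void)
{
    return demo_compare_after_free() ? 0 : 1;
}
```

Building this with -fsanitize=address runs clean; replacing the two dup_or_null calls in save_options with plain pointer assignments reproduces the same class of heap-use-after-free report seen in comment #1, which makes the example a convenient regression check for the ownership rule.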
--- Comment #4 from Uroš Bizjak ---
Patch in testing:

--cut here--
Index: config/i386/i386.c
===
--- config/i386/i386.c  (revision 22)
+++ config/i386/i386.c  (working copy)
@@ -5080,12 +5080,14 @@ ix86_valid_target_attribute_tree (tree args,
   /* If we are using the default tune= or arch=, undo the string assigned,
      and use the default.  */
   if (option_strings[IX86_FUNCTION_SPECIFIC_ARCH])
-    opts->x_ix86_arch_string = option_strings[IX86_FUNCTION_SPECIFIC_ARCH];
+    opts->x_ix86_arch_string
+      = xstrdup (option_strings[IX86_FUNCTION_SPECIFIC_ARCH]);
   else if (!orig_arch_specified)
     opts->x_ix86_arch_string = NULL;

   if (option_strings[IX86_FUNCTION_SPECIFIC_TUNE])
-    opts->x_ix86_tune_string = option_strings[IX86_FUNCTION_SPECIFIC_TUNE];
+    opts->x_ix86_tune_string
+      = xstrdup (option_strings[IX86_FUNCTION_SPECIFIC_TUNE]);
   else if (orig_tune_defaulted)
     opts->x_ix86_tune_string = NULL;
--cut here--
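Review bot: the xstrdup copies assigned to opts->x_ix86_arch_string and opts->x_ix86_tune_string in both hunks are never freed once build_target_option_node has saved the pointers, so this trades the heap-use-after-free for a leak on every target attribute validation. Since the saved node lives in garbage-collected memory, the copy should be made with ggc_strdup so the collector owns it, which is what the fix committed in r231556 does; the rest of the hunk (the else branches resetting to NULL) can stay as is.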
--- Comment #5 from Vittorio Zecca ---
Uros, I applied your patch and the sanitizer message disappeared.
Is this still an UNCONFIRMED bug?
Vittorio Zecca changed:
           What    |Removed                     |Added
----------------------------------------------------------------------------
            Version|5.2.0                       |6.0

--- Comment #1 from Vittorio Zecca ---
Same bug on the trunk. The following is the sanitizer output:

~/1tb/vitti/local/gcc-trunk-sanitized/bin/g++ -S gccerr26.C
=
==25114==ERROR: AddressSanitizer: heap-use-after-free on address 0x60205850 at pc 0x2b7d193c94a5 bp 0x7ffe44d41860 sp 0x7ffe44d41010
READ of size 1 at 0x60205850 thread T0
    #0 0x2b7d193c94a4 in __interceptor_strcmp ../../../../gcc-5.2.0/libsanitizer/sanitizer_common/sanitizer_common_interceptors.inc:178
    #1 0x170f87f in cl_target_option_eq(cl_target_option const*, cl_target_option const*) /home/vitti/test/gcc-sanitized/gcc/options-save.c:3491
    #2 0x202ee44 in cl_option_hasher::equal(tree_node*, tree_node*) ../../gcc/gcc/tree.c:11866
    #3 0x204559b in hash_table::find_slot_with_hash(tree_node* const&, unsigned int, insert_option) ../../gcc/gcc/hash-table.h:838
    #4 0x2042095 in hash_table ::find_slot(tree_node* const&, insert_option) ../../gcc/gcc/hash-table.h:408
    #5 0x202efc4 in build_target_option_node(gcc_options*) ../../gcc/gcc/tree.c:11914
    #6 0x21218b0 in ix86_valid_target_attribute_tree(tree_node*, gcc_options*, gcc_options*) ../../gcc/gcc/config/i386/i386.c:5110
    #7 0x21af79c in get_builtin_code_for_version ../../gcc/gcc/config/i386/i386.c:34678
    #8 0x21b00b2 in ix86_compare_version_priority ../../gcc/gcc/config/i386/i386.c:34846
    #9 0x780078 in joust ../../gcc/gcc/cp/call.c:9234
    #10 0x781a8e in tourney ../../gcc/gcc/cp/call.c:9361
    #11 0x7544bf in perform_overload_resolution ../../gcc/gcc/cp/call.c:4016
    #12 0x754942 in build_new_function_call(tree_node*, vec **, bool, int) ../../gcc/gcc/cp/call.c:4089
    #13 0xb66c40 in finish_call_expr(tree_node*, vec **, bool, bool, int) ../../gcc/gcc/cp/semantics.c:2391
    #14 0xa0b32a in cp_parser_postfix_expression ../../gcc/gcc/cp/parser.c:6422
    #15 0xa0fec8 in cp_parser_unary_expression ../../gcc/gcc/cp/parser.c:7486
    #16 0xa11a49 in cp_parser_cast_expression ../../gcc/gcc/cp/parser.c:8122
    #17 0xa11bb4 in cp_parser_binary_expression ../../gcc/gcc/cp/parser.c:8223
    #18 0xa13696 in cp_parser_assignment_expression ../../gcc/gcc/cp/parser.c:8481
    #19 0xa14197 in cp_parser_constant_expression ../../gcc/gcc/cp/parser.c:8727
    #20 0xa42158 in cp_parser_initializer_clause ../../gcc/gcc/cp/parser.c:19925
    #21 0xa41e9b in cp_parser_initializer ../../gcc/gcc/cp/parser.c:19866
    #22 0xa3813e in cp_parser_init_declarator ../../gcc/gcc/cp/parser.c:17793
    #23 0xa215bc in cp_parser_simple_declaration ../../gcc/gcc/cp/parser.c:11681
    #24 0xa210aa in cp_parser_block_declaration ../../gcc/gcc/cp/parser.c:11555
    #25 0xa208bb in cp_parser_declaration ../../gcc/gcc/cp/parser.c:11452
    #26 0xa1fe63 in cp_parser_declaration_seq_opt ../../gcc/gcc/cp/parser.c:11334
    #27 0xa0181d in cp_parser_translation_unit ../../gcc/gcc/cp/parser.c:4154
    #28 0xa843f8 in c_parse_file() ../../gcc/gcc/cp/parser.c:34273
    #29 0xdb2e46 in c_common_parse_file() ../../gcc/gcc/c-family/c-opts.c:1058
    #30 0x19b8f12 in compile_file ../../gcc/gcc/toplev.c:544
    #31 0x19bf8f0 in do_compile ../../gcc/gcc/toplev.c:2034
    #32 0x19bff60 in toplev::main(int, char**) ../../gcc/gcc/toplev.c:2141
    #33 0x2d332c0 in main ../../gcc/gcc/main.c:39
    #34 0x390da1ffdf in __libc_start_main (/lib64/libc.so.6+0x390da1ffdf)
    #35 0x737768 (/home/vitti/1tb/vitti/local/gcc-trunk-sanitized/libexec/gcc/x86_64-pc-linux-gnu/6.0.0/cc1plus+0x737768)

0x60205850 is located 0 bytes inside of 6-byte region [0x60205850,0x60205856)
freed by thread T0 here:
    #0 0x2b7d194171dd in __interceptor_free ../../../../gcc-5.2.0/libsanitizer/asan/asan_malloc_linux.cc:28
    #1 0x21219df in ix86_valid_target_attribute_tree(tree_node*, gcc_options*, gcc_options*) ../../gcc/gcc/config/i386/i386.c:5118
    #2 0x2121e77 in ix86_valid_target_attribute_p ../../gcc/gcc/config/i386/i386.c:5166
    #3 0xd5e237 in handle_target_attribute ../../gcc/gcc/c-family/c-common.c:9777
    #4 0xce2e48 in decl_attributes(tree_node**, tree_node*, int) ../../gcc/gcc/attribs.c:557
    #5 0x9a5e3a in cplus_decl_attributes(tree_node**, tree_node*, int) ../../gcc/gcc/cp/decl2.c:1493
    #6 0x7d65a7 in grokfndecl ../../gcc/gcc/cp/decl.c:8100
    #7 0x7ea399 in grokdeclarator(cp_declarator const*, cp_decl_specifier_seq*, decl_context, int, tree_node**) ../../gcc/gcc/cp/decl.c:11265
    #8 0x7bcb26 in start_decl(cp_declarator const*, cp_decl_specifier_seq*, int, tree_node*, tree_node*, tree_node**) ../../gcc/gcc/cp/decl.c:4740
    #9 0xa37c1f in