[Bug target/67484] options-save.c sanitizer asan detects freed storage referenced heap-use-after-free

2016-04-28 Thread zeccav at gmail dot com
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=67484

--- Comment #14 from Vittorio Zecca  ---
I still get it in g++ 5.3.0

You may reproduce this one with a version of g++ compiled with
-fsanitize=address

[vitti cc]$/home/vitti/1tb/vitti/local/gcc-5.3.0-address/bin/g++ gccerr26.C -S
=
==4766==ERROR: AddressSanitizer: heap-use-after-free on address
0x602057d0 at pc 0x2b8838780025 bp 0x7fffdc0e27c0 sp
0x7fffdc0e1f70
READ of size 1 at 0x602057d0 thread T0
#0 0x2b8838780024 in __interceptor_strcmp
/home/vitti/gcc-5.3.0/libsanitizer/sanitizer_common/sanitizer_common_interceptors.inc:178
#1 0x10bc6aa in cl_target_option_eq(cl_target_option const*,
cl_target_option const*)
/home/vitti/1tb/vitti/gcc-5.3.0-address/gcc/options-save.c:3555

options-save.c:3555 "|| strcmp (ptr1->x_ix86_arch_string,
ptr2->x_ix86_arch_string)))"

[Bug target/67484] options-save.c sanitizer asan detects freed storage referenced heap-use-after-free

2015-12-14 Thread ubizjak at gmail dot com
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=67484

Uroš Bizjak  changed:

   What|Removed |Added

   Target Milestone|6.0 |5.4

--- Comment #13 from Uroš Bizjak  ---
Also backported to gcc-5 branch.

[Bug target/67484] options-save.c sanitizer asan detects freed storage referenced heap-use-after-free

2015-12-14 Thread uros at gcc dot gnu.org
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=67484

--- Comment #12 from uros at gcc dot gnu.org ---
Author: uros
Date: Mon Dec 14 13:21:43 2015
New Revision: 231614

URL: https://gcc.gnu.org/viewcvs?rev=231614=gcc=rev
Log:
Backport from mainline
2015-12-11  Martin Liska  
Uros Bizjak  

PR target/67484
* config/i386/i386.c (ix86_valid_target_attribute_tree):
Use ggc_strdup to copy option_strings to opts->x_ix86_arch_string and
opts->x_ix86_tune_string.


Modified:
branches/gcc-5-branch/gcc/ChangeLog
branches/gcc-5-branch/gcc/config/i386/i386.c

[Bug target/67484] options-save.c sanitizer asan detects freed storage referenced heap-use-after-free

2015-12-11 Thread marxin at gcc dot gnu.org
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=67484

--- Comment #10 from Martin Liška  ---
Author: marxin
Date: Fri Dec 11 10:59:29 2015
New Revision: 231556

URL: https://gcc.gnu.org/viewcvs?rev=231556=gcc=rev
Log:
Fix PR target/67484

Uros Bizjak  

PR target/67484
* config/i386/i386.c (ix86_valid_target_attribute_tree):
Use ggc_strdup to copy option_strings to opts->x_ix86_arch_string and
opts->x_ix86_tune_string.

Modified:
trunk/gcc/ChangeLog
trunk/gcc/config/i386/i386.c

[Bug target/67484] options-save.c sanitizer asan detects freed storage referenced heap-use-after-free

2015-12-11 Thread marxin at gcc dot gnu.org
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=67484

Martin Liška  changed:

   What|Removed |Added

 Status|NEW |RESOLVED
 Resolution|--- |FIXED

--- Comment #11 from Martin Liška  ---
Fixed in trunk.

[Bug target/67484] options-save.c sanitizer asan detects freed storage referenced heap-use-after-free

2015-12-10 Thread marxin at gcc dot gnu.org
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=67484

Martin Liška  changed:

   What|Removed |Added

 CC||marxin at gcc dot gnu.org

--- Comment #8 from Martin Liška  ---
*** Bug 68310 has been marked as a duplicate of this bug. ***

[Bug target/67484] options-save.c sanitizer asan detects freed storage referenced heap-use-after-free

2015-12-10 Thread marxin at gcc dot gnu.org
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=67484

--- Comment #9 from Martin Liška  ---
I've just triggered regression tests with Richard's suggested change:
https://gcc.gnu.org/ml/gcc-patches/2015-09/msg01154.html

[Bug target/67484] options-save.c sanitizer asan detects freed storage referenced heap-use-after-free

2015-09-16 Thread ubizjak at gmail dot com
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=67484

Uroš Bizjak  changed:

   What|Removed |Added

 Status|ASSIGNED|NEW
   Assignee|ubizjak at gmail dot com   |unassigned at gcc dot gnu.org

--- Comment #7 from Uroš Bizjak  ---
This should be implemented with garbage collected strings to avoid leaks.

Unassigning; I don't know GCC's garbage collector well.

[Bug target/67484] options-save.c sanitizer asan detects freed storage referenced heap-use-after-free

2015-09-15 Thread ubizjak at gmail dot com
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=67484

Uroš Bizjak  changed:

   What|Removed |Added

 CC||g...@the-meissners.org

--- Comment #2 from Uroš Bizjak  ---
CC author.

[Bug target/67484] options-save.c sanitizer asan detects freed storage referenced heap-use-after-free

2015-09-15 Thread ubizjak at gmail dot com
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=67484

Uroš Bizjak  changed:

   What|Removed |Added

 Target||x86
 Status|UNCONFIRMED |ASSIGNED
   Last reconfirmed||2015-09-15
   Assignee|unassigned at gcc dot gnu.org  |ubizjak at gmail dot com
   Target Milestone|--- |6.0
 Ever confirmed|0   |1

--- Comment #6 from Uroš Bizjak  ---
Patch at [1].

[1] https://gcc.gnu.org/ml/gcc-patches/2015-09/msg01116.html

[Bug target/67484] options-save.c sanitizer asan detects freed storage referenced heap-use-after-free

2015-09-15 Thread ubizjak at gmail dot com
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=67484

--- Comment #3 from Uroš Bizjak  ---
(In reply to Vittorio Zecca from comment #0)

> //to make happy the sanitizer I commented out the for loop in i386.c lines

  /* Save the current options unless we are validating options for
     #pragma.  */
  t = build_target_option_node (opts);

  opts->x_ix86_arch_string = orig_arch_string;
  opts->x_ix86_tune_string = orig_tune_string;
  opts_set->x_ix86_fpmath = orig_fpmath_set;

  /* Free up memory allocated to hold the strings */
  for (i = 0; i < IX86_FUNCTION_SPECIFIC_MAX; i++)
    free (option_strings[i]);

Indeed.  We saved current options in build_target_option_node, where only
*pointers* to strings were saved. We should not free the memory pointed to by
the saved pointer.
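
The ownership mistake described above, reduced to a self-contained C example (added here, not GCC code; the struct and function names are hypothetical): the pointer-storing variant leaves the saved record aliasing the temporary option strings, so the free loop turns every later strcmp into a read of freed memory, while the copying variant survives the free loop.

```c
#define _POSIX_C_SOURCE 200809L   /* for strdup */
#include <stdlib.h>
#include <string.h>
enum { OPT_ARCH, OPT_TUNE, OPT_MAX };

/* Long-lived record, like the cl_target_option node that
   build_target_option_node keeps in the tree hash table. */
struct saved_options { const char *arch_string; const char *tune_string; };

/* Buggy variant (i386.c before the fix): only the pointers are stored, so
   once the caller frees option_strings any strcmp on this record, such as
   cl_target_option_eq, reads freed memory (the ASan report on this page). */
void save_options_alias(struct saved_options *node, char **option_strings) {
  node->arch_string = option_strings[OPT_ARCH];
  node->tune_string = option_strings[OPT_TUNE];
}

/* Fixed variant: the record owns copies, so the caller's free() is harmless.
   GCC used ggc_strdup so the copies belong to its garbage collector; plain
   strdup stands in here and the copies are deliberately not freed. */
void save_options_copy(struct saved_options *node, char **option_strings) {
  node->arch_string = strdup(option_strings[OPT_ARCH]);
  node->tune_string = strdup(option_strings[OPT_TUNE]);
}

/* Returns 1 if the record still points at the caller's temporary buffers,
   checked before they are freed: the condition that turns the free loop
   below (the one the reporter commented out) into a use-after-free. */
int aliases_temporaries(void (*save)(struct saved_options *, char **)) {
  char *option_strings[OPT_MAX] = { strdup("haswell"), strdup("generic") };
  struct saved_options node;
  save(&node, option_strings);
  int aliased = node.arch_string == option_strings[OPT_ARCH];
  for (int i = 0; i < OPT_MAX; i++)
    free(option_strings[i]);
  return aliased;
}

/* ix86_valid_target_attribute_tree with the fix: save, free the temporaries,
   then compare two records the way cl_target_option_eq does. */
int compare_after_free(void) {
  char *strings[OPT_MAX] = { strdup("haswell"), strdup("generic") };
  struct saved_options a, b;
  save_options_copy(&a, strings);
  save_options_copy(&b, strings);
  for (int i = 0; i < OPT_MAX; i++)
    free(strings[i]);
  return strcmp(a.arch_string, b.arch_string) == 0
      && strcmp(a.tune_string, b.tune_string) == 0;
}
```

Built with -fsanitize=address, calling strcmp on a record filled by save_options_alias after the free loop reproduces the heap-use-after-free report quoted in this thread; the copying variant does not.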

[Bug target/67484] options-save.c sanitizer asan detects freed storage referenced heap-use-after-free

2015-09-15 Thread ubizjak at gmail dot com
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=67484

--- Comment #4 from Uroš Bizjak  ---
Patch in testing:

--cut here--
Index: config/i386/i386.c
===
--- config/i386/i386.c  (revision 22)
+++ config/i386/i386.c  (working copy)
@@ -5080,12 +5080,14 @@ ix86_valid_target_attribute_tree (tree args,
   /* If we are using the default tune= or arch=, undo the string assigned,
 and use the default.  */
   if (option_strings[IX86_FUNCTION_SPECIFIC_ARCH])
-   opts->x_ix86_arch_string = option_strings[IX86_FUNCTION_SPECIFIC_ARCH];
+   opts->x_ix86_arch_string
+ = xstrdup (option_strings[IX86_FUNCTION_SPECIFIC_ARCH]);
   else if (!orig_arch_specified)
opts->x_ix86_arch_string = NULL;

   if (option_strings[IX86_FUNCTION_SPECIFIC_TUNE])
-   opts->x_ix86_tune_string = option_strings[IX86_FUNCTION_SPECIFIC_TUNE];
+   opts->x_ix86_tune_string
+ = xstrdup (option_strings[IX86_FUNCTION_SPECIFIC_TUNE]);
   else if (orig_tune_defaulted)
opts->x_ix86_tune_string = NULL;

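Review bot: the two `+ = xstrdup (...)` lines trade the use-after-free for a leak: the copies are malloc'd, but the pointers are stored into the node that build_target_option_node keeps in the GC-managed hash table, so nothing ever frees them. Allocate the copies with ggc_strdup instead, so the garbage collector reclaims them together with the node (this is what comment #7 asks for and what the later mainline commit for PR target/67484 does).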
--cut here--

[Bug target/67484] options-save.c sanitizer asan detects freed storage referenced heap-use-after-free

2015-09-15 Thread zeccav at gmail dot com
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=67484

--- Comment #5 from Vittorio Zecca  ---
Uros, I applied your patch and the sanitizer message disappeared.
Is this still an UNCONFIRMED bug?


[Bug target/67484] options-save.c sanitizer asan detects freed storage referenced heap-use-after-free

2015-09-14 Thread zeccav at gmail dot com
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=67484

Vittorio Zecca  changed:

   What|Removed |Added

Version|5.2.0   |6.0

--- Comment #1 from Vittorio Zecca  ---
Same bug on the trunk.
The following is the sanitizer output:

~/1tb/vitti/local/gcc-trunk-sanitized/bin/g++ -S gccerr26.C
=
==25114==ERROR: AddressSanitizer: heap-use-after-free on address 0x60205850
at pc 0x2b7d193c94a5 bp 0x7ffe44d41860 sp 0x7ffe44d41010
READ of size 1 at 0x60205850 thread T0
#0 0x2b7d193c94a4 in __interceptor_strcmp
../../../../gcc-5.2.0/libsanitizer/sanitizer_common/sanitizer_common_interceptors.inc:178
#1 0x170f87f in cl_target_option_eq(cl_target_option const*,
cl_target_option const*) /home/vitti/test/gcc-sanitized/gcc/options-save.c:3491
#2 0x202ee44 in cl_option_hasher::equal(tree_node*, tree_node*)
../../gcc/gcc/tree.c:11866
#3 0x204559b in hash_table::find_slot_with_hash(tree_node* const&, unsigned int,
insert_option) ../../gcc/gcc/hash-table.h:838
#4 0x2042095 in hash_table::find_slot(tree_node* const&, insert_option)
../../gcc/gcc/hash-table.h:408
#5 0x202efc4 in build_target_option_node(gcc_options*)
../../gcc/gcc/tree.c:11914
#6 0x21218b0 in ix86_valid_target_attribute_tree(tree_node*, gcc_options*,
gcc_options*) ../../gcc/gcc/config/i386/i386.c:5110
#7 0x21af79c in get_builtin_code_for_version
../../gcc/gcc/config/i386/i386.c:34678
#8 0x21b00b2 in ix86_compare_version_priority
../../gcc/gcc/config/i386/i386.c:34846
#9 0x780078 in joust ../../gcc/gcc/cp/call.c:9234
#10 0x781a8e in tourney ../../gcc/gcc/cp/call.c:9361
#11 0x7544bf in perform_overload_resolution ../../gcc/gcc/cp/call.c:4016
#12 0x754942 in build_new_function_call(tree_node*, vec**, bool, int) ../../gcc/gcc/cp/call.c:4089
#13 0xb66c40 in finish_call_expr(tree_node*, vec**, bool, bool, int) ../../gcc/gcc/cp/semantics.c:2391
#14 0xa0b32a in cp_parser_postfix_expression ../../gcc/gcc/cp/parser.c:6422
#15 0xa0fec8 in cp_parser_unary_expression ../../gcc/gcc/cp/parser.c:7486
#16 0xa11a49 in cp_parser_cast_expression ../../gcc/gcc/cp/parser.c:8122
#17 0xa11bb4 in cp_parser_binary_expression ../../gcc/gcc/cp/parser.c:8223
#18 0xa13696 in cp_parser_assignment_expression
../../gcc/gcc/cp/parser.c:8481
#19 0xa14197 in cp_parser_constant_expression
../../gcc/gcc/cp/parser.c:8727
#20 0xa42158 in cp_parser_initializer_clause
../../gcc/gcc/cp/parser.c:19925
#21 0xa41e9b in cp_parser_initializer ../../gcc/gcc/cp/parser.c:19866
#22 0xa3813e in cp_parser_init_declarator ../../gcc/gcc/cp/parser.c:17793
#23 0xa215bc in cp_parser_simple_declaration
../../gcc/gcc/cp/parser.c:11681
#24 0xa210aa in cp_parser_block_declaration ../../gcc/gcc/cp/parser.c:11555
#25 0xa208bb in cp_parser_declaration ../../gcc/gcc/cp/parser.c:11452
#26 0xa1fe63 in cp_parser_declaration_seq_opt
../../gcc/gcc/cp/parser.c:11334
#27 0xa0181d in cp_parser_translation_unit ../../gcc/gcc/cp/parser.c:4154
#28 0xa843f8 in c_parse_file() ../../gcc/gcc/cp/parser.c:34273
#29 0xdb2e46 in c_common_parse_file() ../../gcc/gcc/c-family/c-opts.c:1058
#30 0x19b8f12 in compile_file ../../gcc/gcc/toplev.c:544
#31 0x19bf8f0 in do_compile ../../gcc/gcc/toplev.c:2034
#32 0x19bff60 in toplev::main(int, char**) ../../gcc/gcc/toplev.c:2141
#33 0x2d332c0 in main ../../gcc/gcc/main.c:39
#34 0x390da1ffdf in __libc_start_main (/lib64/libc.so.6+0x390da1ffdf)
#35 0x737768 
(/home/vitti/1tb/vitti/local/gcc-trunk-sanitized/libexec/gcc/x86_64-pc-linux-gnu/6.0.0/cc1plus+0x737768)

0x60205850 is located 0 bytes inside of 6-byte region
[0x60205850,0x60205856)
freed by thread T0 here:
#0 0x2b7d194171dd in __interceptor_free
../../../../gcc-5.2.0/libsanitizer/asan/asan_malloc_linux.cc:28
#1 0x21219df in ix86_valid_target_attribute_tree(tree_node*, gcc_options*,
gcc_options*) ../../gcc/gcc/config/i386/i386.c:5118
#2 0x2121e77 in ix86_valid_target_attribute_p
../../gcc/gcc/config/i386/i386.c:5166
#3 0xd5e237 in handle_target_attribute
../../gcc/gcc/c-family/c-common.c:9777
#4 0xce2e48 in decl_attributes(tree_node**, tree_node*, int)
../../gcc/gcc/attribs.c:557
#5 0x9a5e3a in cplus_decl_attributes(tree_node**, tree_node*, int)
../../gcc/gcc/cp/decl2.c:1493
#6 0x7d65a7 in grokfndecl ../../gcc/gcc/cp/decl.c:8100
#7 0x7ea399 in grokdeclarator(cp_declarator const*, cp_decl_specifier_seq*,
decl_context, int, tree_node**) ../../gcc/gcc/cp/decl.c:11265
#8 0x7bcb26 in start_decl(cp_declarator const*, cp_decl_specifier_seq*,
int, tree_node*, tree_node*, tree_node**) ../../gcc/gcc/cp/decl.c:4740
#9 0xa37c1f in