https://gcc.gnu.org/bugzilla/show_bug.cgi?id=63293
Bug ID: 63293
Summary: [AArch64] can read from deallocated stack
Product: gcc
Version: 5.0
Status: UNCONFIRMED
Severity: normal
Priority: P3
Component: c
Assignee: unassigned at gcc dot gnu.org
Reporter: jiong.wang at arm dot com
With GCC: (GNU) 5.0.0 20140917
Given the following testcase:

typedef double t;
void bar (t*);

t g ()
{
  t data[8192];                    /* 64 KiB array, so the frame is 64 KiB + saved lr */
  data[4293] = data[4266] = 0;
  bar(data);                       /* escapes data, so the stores must go to memory */
  return data[4293] + data[4266];  /* the second of these loads is the problem below */
}
Compiling with "-O2 -mno-lra -fomit-frame-pointer" we get:
        .cpu generic+fp+simd
        .file   "test.c"
        .text
        .align  2
        .global f
        .type   f, %function
f:
        add     x1, x0, 4093
        add     x0, x0, 4096
        ldr     d1, [x1]
        ldr     d0, [x0, 170]
        fadd    d0, d1, d0
        ret
        .size   f, .-f
        .align  2
        .global g
        .type   g, %function
g:
        sub     sp, sp, #65536
        fmov    d0, xzr
        str     x30, [sp, -16]!
        add     x1, sp, 32768
        add     x0, sp, 16
        str     d0, [x1, 1376]
        str     d0, [x1, 1592]
        bl      bar
        add     x0, sp, 32768
        ldr     x30, [sp], 16
        ldr     d0, [x0, 1376]
        add     sp, sp, 65536
        ldr     d1, [x0, 1592]
        fadd    d0, d1, d0
        ret
Note that at the end we have x0 = sp + 32768; sp += 65536; ldr [x0 + 1592], which means the last load is from deallocated stack space.

This is a silent wrong-code bug of the worst kind; programs could fail sporadically with this if an interrupt happens at the wrong instant in time and data is written onto the current stack.
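The pattern the report points at (a base register computed from sp, then `add sp, sp, N`, then a load through that register) can be caught mechanically in compiler output. The following checker is an added example and is not part of the bug report or of GCC: it walks an AArch64 listing linearly, tracks registers holding sp-relative addresses, and flags any memory access whose address is below the sp in effect at that instruction. The function and constant names are my own, the instruction subset modelled is only what the listing above uses, branches are not followed, and the assumption that a `bl` clobbers x0-x18 follows the AAPCS64 caller-saved rule. The sample input is a constructed copy of the miscompiled `g`, plus a constructed variant with the frame release moved after the last load.

```python
"""Heuristic scan for memory accesses below sp in AArch64 assembly.

Added example, not from the GCC report: a linear walk over a listing that
tracks registers holding sp-relative addresses and flags loads/stores whose
address lies below the current sp.  Only the subset of instructions used in
the report's listing is modelled; any other write to a tracked register just
drops it from the model, so the checker errs towards missing cases.
"""
import re

LABEL_RE = re.compile(r"^[A-Za-z_]\w*:$")          # function label (".Lx:" is skipped)
IMM_RE = re.compile(r"^#?(-?\d+)$")
# [base], [base, imm], [base, imm]! (pre-index), [base], imm (post-index)
MEM_RE = re.compile(r"\[\s*(\w+)\s*(?:,\s*#?(-?\d+))?\s*\](!?)(?:\s*,\s*#?(-?\d+))?")
CALLER_SAVED = {f"x{i}" for i in range(19)}         # assumption: AAPCS64 x0-x18
STORES = {"str", "strb", "strh", "stp", "stur"}     # do not write their first operand

# Constructed copy of the miscompiled `g` from the report (same offsets).
SAMPLE_ASM = """\
g:
    sub sp, sp, #65536
    fmov d0, xzr
    str x30, [sp, -16]!
    add x1, sp, 32768
    add x0, sp, 16
    str d0, [x1, 1376]
    str d0, [x1, 1592]
    bl bar
    add x0, sp, 32768
    ldr x30, [sp], 16
    ldr d0, [x0, 1376]
    add sp, sp, 65536
    ldr d1, [x0, 1592]
    fadd d0, d1, d0
    ret
"""
# Constructed variant: frame release moved after the last load.
FIXED_ASM = SAMPLE_ASM.replace(
    "    add sp, sp, 65536\n    ldr d1, [x0, 1592]\n",
    "    ldr d1, [x0, 1592]\n    add sp, sp, 65536\n")


def split_operands(ops):
    """Split an operand string on commas outside [...] brackets."""
    out, cur, depth = [], "", 0
    for ch in ops:
        depth += (ch == "[") - (ch == "]")
        if ch == "," and depth == 0:
            out.append(cur.strip())
            cur = ""
        else:
            cur += ch
    if cur.strip():
        out.append(cur.strip())
    return out


def find_accesses_below_sp(asm_text):
    """Return [(line_no, instruction, addr)] for accesses below the live sp.

    addr is a byte offset relative to sp at function entry (negative = inside
    the frame that was reserved); the comparison uses the sp in effect at the
    moment of the access, before any post-index writeback.
    """
    findings = []
    sp_off = 0      # current sp relative to sp at function entry
    derived = {}    # register -> sp-relative address it currently holds
    for line_no, raw in enumerate(asm_text.splitlines(), 1):
        text = raw.split("//")[0].strip()
        if not text or text.startswith("."):         # blank, directive, local label
            continue
        if LABEL_RE.match(text):                     # new function: reset the model
            sp_off, derived = 0, {}
            continue
        mnem, _, ops = text.partition(" ")
        mnem = mnem.lower()
        args = split_operands(ops)

        imm_m = IMM_RE.match(args[2]) if len(args) == 3 else None
        if mnem in ("add", "sub") and imm_m and args[1] == "sp":
            delta = int(imm_m.group(1)) * (1 if mnem == "add" else -1)
            if args[0] == "sp":
                sp_off += delta                      # frame allocate / release
            else:
                derived[args[0]] = sp_off + delta    # xN = sp + imm
            continue
        if mnem == "bl":
            for reg in CALLER_SAVED:                 # callee may clobber these
                derived.pop(reg, None)
            continue

        mem = MEM_RE.search(ops)
        if mem:
            base, imm = mem.group(1), int(mem.group(2) or 0)
            pre, post = mem.group(3), mem.group(4)
            if base == "sp":
                if pre:
                    sp_off += imm                    # pre-index writeback moves sp first
                addr = sp_off if pre else sp_off + imm
            elif base in derived:
                if pre:
                    derived[base] += imm
                addr = derived[base] if pre else derived[base] + imm
            else:
                addr = None
            if addr is not None and addr < sp_off:   # below the sp live at this access
                findings.append((line_no, text, addr))
            if post and base == "sp":
                sp_off += int(post)                  # post-index writeback moves sp after
            elif post and base in derived:
                derived[base] += int(post)
        if mnem not in STORES and args:              # destination register overwritten
            derived.pop(args[0], None)
    return findings


if __name__ == "__main__":
    for line_no, text, addr in find_accesses_below_sp(SAMPLE_ASM):
        print(f"line {line_no}: {text!r} touches entry_sp{addr:+d}, below the current sp")
```

On the constructed listing this reports exactly one access, `ldr d1, [x0, 1592]` at entry_sp-31192, which is data[4293] (the array starts 65536 bytes below the entry sp and 4293*8 = 34344), while the variant with the release moved after the load reports nothing. Because the walk is linear, a listing with loops or conditional frame adjustments needs per-block analysis; this is a quick triage tool for straight-line epilogues like the one in the report, not a proof.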