https://gcc.gnu.org/bugzilla/show_bug.cgi?id=81293
Bug ID: 81293
Summary: sanitized g++ crashes heap-use-after-free gcc/libsanitizer/sanitizer_common/sanitizer_common_interceptors_format.inc:543 in printf_common
Product: gcc
Version: 8.0
Status: UNCONFIRMED
Severity: normal
Priority: P3
Component: c++
Assignee: unassigned at gcc dot gnu.org
Reporter: zeccav at gmail dot com
Target Milestone: ---
// Reproduced with GCC trunk r249883
// Test case derived from devirt-45.C
// Compile with: -fdump-ipa-inline-details -fno-early-inlining -O2
// SUMMARY: AddressSanitizer: heap-use-after-free
// ../../../../gcc/libsanitizer/sanitizer_common/sanitizer_common_interceptors_format.inc:543
// in printf_common
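/* Base class whose constructor reaches a virtual function through a
   non-virtual wrapper.  While A() is running the dynamic type is still A,
   so the call inside wrapfoo resolves to A::foo (C++ construction rules);
   that is the devirtualization case this reproducer exercises.
   No virtual destructor, as in the original reproducer: the derived object
   is destroyed explicitly through a B* (see test ()), never through an A*.  */
struct A {
  virtual int foo () {return 1;}
  /* Forwards to the virtual foo and returns its result.  The original
     reproducer dropped the value and fell off the end of a non-void
     function, which is undefined behaviour.  */
  int wrapfoo () {return foo();}
  A() {wrapfoo();}
};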
/* Placement form of operator new: returns the caller-supplied storage
   unchanged, so "new (p) T" constructs at p.  Presumably defined locally so
   the reproducer needs no <new> include.  The throw() specification is kept
   to match the original declaration.  */
inline void* operator new(__SIZE_TYPE__ /* requested size, unused */, void* buf) throw() {
  void* const storage = buf;
  return storage;
}
/* Derived class overriding foo.  A B is rebuilt in place by test (), which
   is what the compiler has to reason about after the placement new.  */
struct B : A {
  virtual int foo () {return 2;}
};
/* Ends the lifetime of the B that A points into and starts a new B in the
   same storage.  The static_cast is only valid because main () passes the
   address of a real B.  The explicit ~B () call followed by the placement
   new (the file's own operator new above) frees nothing; the order of the
   two statements is essential and must not be changed.  */
static void
test (struct A *a)
{
static_cast<B*>(a)->~B();   /* end the lifetime of the current B */
new(a) B();                 /* construct a fresh B at the same address */
}
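/* Entry point: builds a B on the stack and hands it to test ().
   Declared with an explicit return type; the original reproducer relied on
   implicit int, which ISO C++ does not allow (GCC only pedwarns).  */
int
main ()
{
  struct B a;
  test (&a);
  return 0;
}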
/*=================================================================
==10147==ERROR: AddressSanitizer: heap-use-after-free on address 0x602000072470
at pc 0x2b6feac184fb bp 0x7ffcd9ff38e0 sp 0x7ffcd9ff3090
READ of size 2 at 0x602000072470 thread T0
#0 0x2b6feac184fa in printf_common
../../../../gcc/libsanitizer/sanitizer_common/sanitizer_common_interceptors_format.inc:543
#1 0x2b6feac534ff in __asan::ErrorDescription::Print()
../../../../gcc/libsanitizer/asan/asan_errors.h:360
#2 0x2b6feac534ff in __asan::ScopedInErrorReport::~ScopedInErrorReport()
../../../../gcc/libsanitizer/asan/asan_report.cc:167
#3 0x2b6feac534ff in __asan::ReportGenericError(unsigned long, unsigned
long, unsigned long, unsigned long, bool, unsigned long, unsigned int, bool)
../../../../gcc/libsanitizer/asan/asan_report.cc:397
#4 0x2b6feac1832b in printf_common
../../../../gcc/libsanitizer/sanitizer_common/sanitizer_common_interceptors_format.inc:543
#5 0x2b6feac1925b in __interceptor_vfprintf
../../../../gcc/libsanitizer/sanitizer_common/sanitizer_common_interceptors.inc:1328
#6 0x2b6feac19326 in __interceptor_fprintf
../../../../gcc/libsanitizer/sanitizer_common/sanitizer_common_interceptors.inc:1373
#7 0x53ab70c in inline_small_functions ../../gcc/gcc/ipa-inline.c:2048
#8 0x53b10a5 in ipa_inline ../../gcc/gcc/ipa-inline.c:2429
#9 0x53b3fb8 in execute ../../gcc/gcc/ipa-inline.c:2835
#10 0x2833dc7 in execute_one_pass(opt_pass*) ../../gcc/gcc/passes.c:2492
#11 0x28384cc in execute_ipa_pass_list(opt_pass*)
../../gcc/gcc/passes.c:2927
#12 0x178ae2d in ipa_passes ../../gcc/gcc/cgraphunit.c:2388
#13 0x178be18 in symbol_table::compile() ../../gcc/gcc/cgraphunit.c:2474
#14 0x178cec5 in symbol_table::finalize_compilation_unit()
../../gcc/gcc/cgraphunit.c:2633
#15 0x2dbbe22 in compile_file ../../gcc/gcc/toplev.c:493
#16 0x2dc3f8a in do_compile ../../gcc/gcc/toplev.c:2021
#17 0x2dc49aa in toplev::main(int, char**) ../../gcc/gcc/toplev.c:2155
#18 0x56b3cbe in main ../../gcc/gcc/main.c:39
#19 0x2b6fed475400 in __libc_start_main (/usr/lib64/libc.so.6+0x20400)
#20 0x78a619 in _start
(/home/vitti/1tb/vitti/local/gcc-249691-sanitized/libexec/gcc/x86_64-pc-linux-gnu/8.0.0/cc1plus+0x78a619)
0x602000072470 is located 0 bytes inside of 7-byte region
[0x602000072470,0x602000072477)
freed by thread T0 here:
#0 0x2b6feac49088 in __interceptor_free
../../../../gcc/libsanitizer/asan/asan_malloc_linux.cc:45
#1 0x11611c1 in cxx_printable_name_internal ../../gcc/gcc/cp/tree.c:2544
#2 0x116153a in cxx_printable_name(tree_node*, int)
../../gcc/gcc/cp/tree.c:2555
#3 0x16fbf9e in symtab_node::name() const ../../gcc/gcc/symtab.c:522
#4 0x53ab69b in inline_small_functions ../../gcc/gcc/ipa-inline.c:2048
#5 0x53b10a5 in ipa_inline ../../gcc/gcc/ipa-inline.c:2429
#6 0x53b3fb8 in execute ../../gcc/gcc/ipa-inline.c:2835
#7 0x2833dc7 in execute_one_pass(opt_pass*) ../../gcc/gcc/passes.c:2492
#8 0x28384cc in execute_ipa_pass_list(opt_pass*)
../../gcc/gcc/passes.c:2927
#9 0x178ae2d in ipa_passes ../../gcc/gcc/cgraphunit.c:2388
#10 0x178be18 in symbol_table::compile() ../../gcc/gcc/cgraphunit.c:2474
#11 0x178cec5 in symbol_table::finalize_compilation_unit()
../../gcc/gcc/cgraphunit.c:2633
#12 0x2dbbe22 in compile_file ../../gcc/gcc/toplev.c:493
#13 0x2dc3f8a in do_compile ../../gcc/gcc/toplev.c:2021
#14 0x2dc49aa in toplev::main(int, char**) ../../gcc/gcc/toplev.c:2155
#15 0x56b3cbe in main ../../gcc/gcc/main.c:39
#16 0x2b6fed475400 in __libc_start_main (/usr/lib64/libc.so.6+0x20400)
previously allocated by thread T0 here:
#0 0x2b6feac493aa in __interceptor_malloc
../../../../gcc/libsanitizer/asan/asan_malloc_linux.cc:62
#1 0x595d890 in xmalloc ../../gcc/libiberty/xmalloc.c:147
#2 0x595db2f in xstrdup ../../gcc/libiberty/xstrdup.c:34
#3 0x1161200 in cxx_printable_name_internal ../../gcc/gcc/cp/tree.c:2546
#4 0x116153a in cxx_printable_name(tree_node*, int)
../../gcc/gcc/cp/tree.c:2555
#5 0x16fbf9e in symtab_node::name() const ../../gcc/gcc/symtab.c:522
#6 0x16fc01c in symtab_node::get_dump_name(bool) const
../../gcc/gcc/symtab.c:529
#7 0x16fc11f in symtab_node::dump_name() const ../../gcc/gcc/symtab.c:541
#8 0x53a1ce1 in update_edge_key ../../gcc/gcc/ipa-inline.c:1232
#9 0x53a304d in update_caller_keys ../../gcc/gcc/ipa-inline.c:1339
#10 0x53ab078 in inline_small_functions ../../gcc/gcc/ipa-inline.c:2035
#11 0x53b10a5 in ipa_inline ../../gcc/gcc/ipa-inline.c:2429
#12 0x53b3fb8 in execute ../../gcc/gcc/ipa-inline.c:2835
#13 0x2833dc7 in execute_one_pass(opt_pass*) ../../gcc/gcc/passes.c:2492
#14 0x28384cc in execute_ipa_pass_list(opt_pass*)
../../gcc/gcc/passes.c:2927
#15 0x178ae2d in ipa_passes ../../gcc/gcc/cgraphunit.c:2388
#16 0x178be18 in symbol_table::compile() ../../gcc/gcc/cgraphunit.c:2474
#17 0x178cec5 in symbol_table::finalize_compilation_unit()
../../gcc/gcc/cgraphunit.c:2633
#18 0x2dbbe22 in compile_file ../../gcc/gcc/toplev.c:493
#19 0x2dc3f8a in do_compile ../../gcc/gcc/toplev.c:2021
#20 0x2dc49aa in toplev::main(int, char**) ../../gcc/gcc/toplev.c:2155
#21 0x56b3cbe in main ../../gcc/gcc/main.c:39
#22 0x2b6fed475400 in __libc_start_main (/usr/lib64/libc.so.6+0x20400)
SUMMARY: AddressSanitizer: heap-use-after-free
../../../../gcc/libsanitizer/sanitizer_common/sanitizer_common_interceptors_format.inc:543
in printf_common
(Reading the three traces together: the freed 7-byte region appears to be the
name string allocated by cxx_printable_name_internal (cp/tree.c:2546) and
released again at cp/tree.c:2544 while inline_small_functions
(ipa-inline.c:2048) still passes it to fprintf; the defect is in the compiler's
dump path, not in the test program above.)
Shadow bytes around the buggy address:
0x0c0480006430: fa fa fd fd fa fa fd fa fa fa fd fd fa fa fd fd
0x0c0480006440: fa fa fd fd fa fa fd fd fa fa fd fd fa fa fd fa
0x0c0480006450: fa fa fd fd fa fa fd fd fa fa fd fd fa fa fd fd
0x0c0480006460: fa fa fd fd fa fa fd fd fa fa fd fd fa fa fd fd
0x0c0480006470: fa fa fd fd fa fa fd fd fa fa fd fd fa fa fd fd
=>0x0c0480006480: fa fa 00 04 fa fa fd fd fa fa fd fd fa fa[fd]fa
0x0c0480006490: fa fa fd fd fa fa fd fd fa fa fd fd fa fa fd fd
0x0c04800064a0: fa fa 07 fa fa fa 00 03 fa fa fd fd fa fa fd fd
0x0c04800064b0: fa fa 00 06 fa fa 07 fa fa fa fa fa fa fa fa fa
0x0c04800064c0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c04800064d0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
==10147==ABORTING