https://gcc.gnu.org/bugzilla/show_bug.cgi?id=80911
--- Comment #9 from Tom de Vries <vries at gcc dot gnu.org> --- (In reply to Tom de Vries from comment #3) > When run from command line: > ... > nobootstrap/build/gcc/gcov gcov-1.c > gcov-1.gcno:corrupted > gcov-1.gcda:profile mismatch for 'main' > Segmentation fault > ... The corruption is detected while reading the arcs: ... (gdb) n 914 fns = read_graph_file (); (gdb) s read_graph_file () at /home/vries/gcc_versions/data/ref-master-17-05-24/src/gcc/gcov.c:1304 1304 unsigned current_tag = 0; (gdb) n 1305 function_t *fn = NULL; (gdb) 1306 function_t *fns = NULL; (gdb) 1307 function_t **fns_end = &fns; (gdb) 1310 if (!gcov_open (bbg_file_name, 1)) (gdb) 1315 bbg_file_time = gcov_time (); (gdb) 1316 if (!gcov_magic (gcov_read_unsigned (), GCOV_NOTE_MAGIC)) (gdb) 1323 version = gcov_read_unsigned (); (gdb) 1324 if (version != GCOV_VERSION) (gdb) 1334 bbg_stamp = gcov_read_unsigned (); (gdb) 1336 while ((tag = gcov_read_unsigned ())) (gdb) 1338 unsigned length = gcov_read_unsigned (); (gdb) 1339 gcov_position_t base = gcov_position (); (gdb) 1341 if (tag == GCOV_TAG_FUNCTION) (gdb) 1347 ident = gcov_read_unsigned (); (gdb) 1348 lineno_checksum = gcov_read_unsigned (); (gdb) 1349 cfg_checksum = gcov_read_unsigned (); (gdb) 1350 function_name = xstrdup (gcov_read_string ()); (gdb) 1351 unsigned src_idx = find_source (gcov_read_string ()); (gdb) 1352 lineno = gcov_read_unsigned (); (gdb) 1354 fn = new function_t; (gdb) 1355 fn->name = function_name; (gdb) 1356 if (flag_demangled_names) (gdb) 1362 fn->ident = ident; (gdb) 1363 fn->lineno_checksum = lineno_checksum; (gdb) 1364 fn->cfg_checksum = cfg_checksum; (gdb) 1365 fn->src = src_idx; (gdb) 1366 fn->line = lineno; (gdb) 1368 fn->next_file_fn = NULL; (gdb) 1369 fn->next = NULL; (gdb) 1370 *fns_end = fn; (gdb) 1371 fns_end = &fn->next; (gdb) 1372 current_tag = tag; (gdb) 1487 gcov_sync (base, length); (gdb) 1488 if (gcov_is_error ()) (gdb) 1336 while ((tag = gcov_read_unsigned ())) (gdb) 1338 unsigned length = 
gcov_read_unsigned (); (gdb) 1339 gcov_position_t base = gcov_position (); (gdb) 1341 if (tag == GCOV_TAG_FUNCTION) (gdb) 1374 else if (fn && tag == GCOV_TAG_BLOCKS) (gdb) 1376 if (!fn->blocks.empty ()) (gdb) 1380 fn->blocks.resize (gcov_read_unsigned ()); (gdb) 1374 else if (fn && tag == GCOV_TAG_BLOCKS) (gdb) 1487 gcov_sync (base, length); (gdb) 1488 if (gcov_is_error ()) (gdb) 1336 while ((tag = gcov_read_unsigned ())) (gdb) 1338 unsigned length = gcov_read_unsigned (); (gdb) 1339 gcov_position_t base = gcov_position (); (gdb) 1341 if (tag == GCOV_TAG_FUNCTION) (gdb) 1374 else if (fn && tag == GCOV_TAG_BLOCKS) (gdb) 1382 else if (fn && tag == GCOV_TAG_ARCS) (gdb) 1384 unsigned src = gcov_read_unsigned (); (gdb) 1385 fn->blocks[src].id = src; (gdb) 1386 unsigned num_dests = GCOV_TAG_ARCS_NUM (length); (gdb) 1387 block_t *src_blk = &fn->blocks[src]; (gdb) 1388 unsigned mark_catches = 0; (gdb) 1391 if (src >= fn->blocks.size () || fn->blocks[src].succ) (gdb) 1392 goto corrupt; (gdb) 1491 fnotice (stderr, "%s:corrupted\n", bbg_file_name); (gdb) gcov-1.gcno:corrupted 1492 break; (gdb) 1495 gcov_close (); (gdb) 1497 if (!fns) (gdb) 1500 return fns; (gdb) 1501 } ... (Note that in the trace above, lines 1385 and 1387 already index fn->blocks[src] with the value read from the file before the range check on line 1391 runs, so that check comes too late to protect those two accesses.) When we try to free the function_info, we run into a problem with those arcs: ... Program received signal SIGSEGV, Segmentation fault. 
0x00007ffff7338ee0 in free () from /lib/libc.so.6 (gdb) bt #0 0x00007ffff7338ee0 in free () from /lib/libc.so.6 #1 0x0000000000403aa1 in function_info::~function_info (this=0x6d7560, __in_chrg=<optimized out>) at src/gcc/gcov.c:454 #2 0x0000000000404e8d in process_file (file_name=0x7fffffffe6ba "gcov-1.c") at src/gcc/gcov.c:974 #3 0x000000000040454d in main (argc=2, argv=0x7fffffffe438) at src/gcc/gcov.c:666 (gdb) up #1 0x0000000000403aa1 in function_info::~function_info (this=0x6d7560, __in_chrg=<optimized out>) at src/gcc/gcov.c:454 454 free (arc); (gdb) l 449 arc_t *arc, *arc_n; 450 451 for (arc = blocks[i].succ; arc; arc = arc_n) 452 { 453 arc_n = arc->succ_next; 454 free (arc); 455 } 456 } 457 free (counts); 458 if (flag_demangled_names && demangled_name != name) ...