https://gcc.gnu.org/bugzilla/show_bug.cgi?id=81293
Bug ID: 81293 Summary: sanitized g++ crashes heap-use-after-free gcc/libsanitizer/sanitizer_common/sanitizer_common_interceptors_format.inc:543 in printf_common Product: gcc Version: 8.0 Status: UNCONFIRMED Severity: normal Priority: P3 Component: c++ Assignee: unassigned at gcc dot gnu.org Reporter: zeccav at gmail dot com Target Milestone: --- // in trunk 249883 // from devirt-45.C // compile with -fdump-ipa-inline-details -fno-early-inlining -O2 // SUMMARY: AddressSanitizer: heap-use-after-free ../../../../gcc/libsanitizer/sanitizer_common/sanitizer_common_interceptors_format.inc:543 in printf_common struct A { virtual int foo () {return 1;} int wrapfoo () {foo();} A() {wrapfoo();} }; inline void* operator new(__SIZE_TYPE__ s, void* buf) throw() { return buf; } struct B:A {virtual int foo () {return 2;}}; static void test (struct A *a) { static_cast<B*>(a)->~B(); new(a) B(); } main() { struct B a; test (&a); } /*================================================================= ==10147==ERROR: AddressSanitizer: heap-use-after-free on address 0x602000072470 at pc 0x2b6feac184fb bp 0x7ffcd9ff38e0 sp 0x7ffcd9ff3090 READ of size 2 at 0x602000072470 thread T0 #0 0x2b6feac184fa in printf_common ../../../../gcc/libsanitizer/sanitizer_common/sanitizer_common_interceptors_format.inc:543 #1 0x2b6feac534ff in __asan::ErrorDescription::Print() ../../../../gcc/libsanitizer/asan/asan_errors.h:360 #2 0x2b6feac534ff in __asan::ScopedInErrorReport::~ScopedInErrorReport() ../../../../gcc/libsanitizer/asan/asan_report.cc:167 #3 0x2b6feac534ff in __asan::ReportGenericError(unsigned long, unsigned long, unsigned long, unsigned long, bool, unsigned long, unsigned int, bool) ../../../../gcc/libsanitizer/asan/asan_report.cc:397 #4 0x2b6feac1832b in printf_common ../../../../gcc/libsanitizer/sanitizer_common/sanitizer_common_interceptors_format.inc:543 #5 0x2b6feac1925b in __interceptor_vfprintf ../../../../gcc/libsanitizer/sanitizer_common/sanitizer_common_interceptors.inc:1328 #6 
0x2b6feac19326 in __interceptor_fprintf ../../../../gcc/libsanitizer/sanitizer_common/sanitizer_common_interceptors.inc:1373 #7 0x53ab70c in inline_small_functions ../../gcc/gcc/ipa-inline.c:2048 #8 0x53b10a5 in ipa_inline ../../gcc/gcc/ipa-inline.c:2429 #9 0x53b3fb8 in execute ../../gcc/gcc/ipa-inline.c:2835 #10 0x2833dc7 in execute_one_pass(opt_pass*) ../../gcc/gcc/passes.c:2492 #11 0x28384cc in execute_ipa_pass_list(opt_pass*) ../../gcc/gcc/passes.c:2927 #12 0x178ae2d in ipa_passes ../../gcc/gcc/cgraphunit.c:2388 #13 0x178be18 in symbol_table::compile() ../../gcc/gcc/cgraphunit.c:2474 #14 0x178cec5 in symbol_table::finalize_compilation_unit() ../../gcc/gcc/cgraphunit.c:2633 #15 0x2dbbe22 in compile_file ../../gcc/gcc/toplev.c:493 #16 0x2dc3f8a in do_compile ../../gcc/gcc/toplev.c:2021 #17 0x2dc49aa in toplev::main(int, char**) ../../gcc/gcc/toplev.c:2155 #18 0x56b3cbe in main ../../gcc/gcc/main.c:39 #19 0x2b6fed475400 in __libc_start_main (/usr/lib64/libc.so.6+0x20400) #20 0x78a619 in _start (/home/vitti/1tb/vitti/local/gcc-249691-sanitized/libexec/gcc/x86_64-pc-linux-gnu/8.0.0/cc1plus+0x78a619) 0x602000072470 is located 0 bytes inside of 7-byte region [0x602000072470,0x602000072477) freed by thread T0 here: #0 0x2b6feac49088 in __interceptor_free ../../../../gcc/libsanitizer/asan/asan_malloc_linux.cc:45 #1 0x11611c1 in cxx_printable_name_internal ../../gcc/gcc/cp/tree.c:2544 #2 0x116153a in cxx_printable_name(tree_node*, int) ../../gcc/gcc/cp/tree.c:2555 #3 0x16fbf9e in symtab_node::name() const ../../gcc/gcc/symtab.c:522 #4 0x53ab69b in inline_small_functions ../../gcc/gcc/ipa-inline.c:2048 #5 0x53b10a5 in ipa_inline ../../gcc/gcc/ipa-inline.c:2429 #6 0x53b3fb8 in execute ../../gcc/gcc/ipa-inline.c:2835 #7 0x2833dc7 in execute_one_pass(opt_pass*) ../../gcc/gcc/passes.c:2492 #8 0x28384cc in execute_ipa_pass_list(opt_pass*) ../../gcc/gcc/passes.c:2927 #9 0x178ae2d in ipa_passes ../../gcc/gcc/cgraphunit.c:2388 #10 0x178be18 in symbol_table::compile() 
../../gcc/gcc/cgraphunit.c:2474 #11 0x178cec5 in symbol_table::finalize_compilation_unit() ../../gcc/gcc/cgraphunit.c:2633 #12 0x2dbbe22 in compile_file ../../gcc/gcc/toplev.c:493 #13 0x2dc3f8a in do_compile ../../gcc/gcc/toplev.c:2021 #14 0x2dc49aa in toplev::main(int, char**) ../../gcc/gcc/toplev.c:2155 #15 0x56b3cbe in main ../../gcc/gcc/main.c:39 #16 0x2b6fed475400 in __libc_start_main (/usr/lib64/libc.so.6+0x20400) previously allocated by thread T0 here: #0 0x2b6feac493aa in __interceptor_malloc ../../../../gcc/libsanitizer/asan/asan_malloc_linux.cc:62 #1 0x595d890 in xmalloc ../../gcc/libiberty/xmalloc.c:147 #2 0x595db2f in xstrdup ../../gcc/libiberty/xstrdup.c:34 #3 0x1161200 in cxx_printable_name_internal ../../gcc/gcc/cp/tree.c:2546 #4 0x116153a in cxx_printable_name(tree_node*, int) ../../gcc/gcc/cp/tree.c:2555 #5 0x16fbf9e in symtab_node::name() const ../../gcc/gcc/symtab.c:522 #6 0x16fc01c in symtab_node::get_dump_name(bool) const ../../gcc/gcc/symtab.c:529 #7 0x16fc11f in symtab_node::dump_name() const ../../gcc/gcc/symtab.c:541 #8 0x53a1ce1 in update_edge_key ../../gcc/gcc/ipa-inline.c:1232 #9 0x53a304d in update_caller_keys ../../gcc/gcc/ipa-inline.c:1339 #10 0x53ab078 in inline_small_functions ../../gcc/gcc/ipa-inline.c:2035 #11 0x53b10a5 in ipa_inline ../../gcc/gcc/ipa-inline.c:2429 #12 0x53b3fb8 in execute ../../gcc/gcc/ipa-inline.c:2835 #13 0x2833dc7 in execute_one_pass(opt_pass*) ../../gcc/gcc/passes.c:2492 #14 0x28384cc in execute_ipa_pass_list(opt_pass*) ../../gcc/gcc/passes.c:2927 #15 0x178ae2d in ipa_passes ../../gcc/gcc/cgraphunit.c:2388 #16 0x178be18 in symbol_table::compile() ../../gcc/gcc/cgraphunit.c:2474 #17 0x178cec5 in symbol_table::finalize_compilation_unit() ../../gcc/gcc/cgraphunit.c:2633 #18 0x2dbbe22 in compile_file ../../gcc/gcc/toplev.c:493 #19 0x2dc3f8a in do_compile ../../gcc/gcc/toplev.c:2021 #20 0x2dc49aa in toplev::main(int, char**) ../../gcc/gcc/toplev.c:2155 #21 0x56b3cbe in main ../../gcc/gcc/main.c:39 #22 
0x2b6fed475400 in __libc_start_main (/usr/lib64/libc.so.6+0x20400) SUMMARY: AddressSanitizer: heap-use-after-free ../../../../gcc/libsanitizer/sanitizer_common/sanitizer_common_interceptors_format.inc:543 in printf_common Shadow bytes around the buggy address: 0x0c0480006430: fa fa fd fd fa fa fd fa fa fa fd fd fa fa fd fd 0x0c0480006440: fa fa fd fd fa fa fd fd fa fa fd fd fa fa fd fa 0x0c0480006450: fa fa fd fd fa fa fd fd fa fa fd fd fa fa fd fd 0x0c0480006460: fa fa fd fd fa fa fd fd fa fa fd fd fa fa fd fd 0x0c0480006470: fa fa fd fd fa fa fd fd fa fa fd fd fa fa fd fd =>0x0c0480006480: fa fa 00 04 fa fa fd fd fa fa fd fd fa fa[fd]fa 0x0c0480006490: fa fa fd fd fa fa fd fd fa fa fd fd fa fa fd fd 0x0c04800064a0: fa fa 07 fa fa fa 00 03 fa fa fd fd fa fa fd fd 0x0c04800064b0: fa fa 00 06 fa fa 07 fa fa fa fa fa fa fa fa fa 0x0c04800064c0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 0x0c04800064d0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa Shadow byte legend (one shadow byte represents 8 application bytes): Addressable: 00 Partially addressable: 01 02 03 04 05 06 07 Heap left redzone: fa Freed heap region: fd Stack left redzone: f1 Stack mid redzone: f2 Stack right redzone: f3 Stack after return: f5 Stack use after scope: f8 Global redzone: f9 Global init order: f6 Poisoned by user: f7 Container overflow: fc Array cookie: ac Intra object redzone: bb ASan internal: fe Left alloca redzone: ca Right alloca redzone: cb ==10147==ABORTING