https://gcc.gnu.org/bugzilla/show_bug.cgi?id=83118
Eric Botcazou <ebotcazou at gcc dot gnu.org> changed:
What |Removed |Added
----------------------------------------------------------------------------
CC| |ebotcazou at gcc dot gnu.org
--- Comment #15 from Eric Botcazou <ebotcazou at gcc dot gnu.org> ---
This seems totally broken on x86-64 too, see valgrind:
eric@polaris:~> valgrind ./unlimited_polymorphic_30
==42237== Memcheck, a memory error detector
==42237== Copyright (C) 2002-2017, and GNU GPL'd, by Julian Seward et al.
==42237== Using Valgrind-3.13.0 and LibVEX; rerun with -h for copyright info
==42237== Command: ./unlimited_polymorphic_30
==42237==
==42237== Conditional jump or move depends on uninitialised value(s)
==42237== at 0x4013C7: MAIN__ (in /home/eric/unlimited_polymorphic_30)
==42237== by 0x4023E6: main (in /home/eric/unlimited_polymorphic_30)
==42237==
==42237== Invalid write of size 8
==42237== at 0x40142B: MAIN__ (in /home/eric/unlimited_polymorphic_30)
==42237== by 0x4023E6: main (in /home/eric/unlimited_polymorphic_30)
==42237== Address 0x5768ac0 is 0 bytes inside a block of size 6 alloc'd
==42237== at 0x4C2A0B0: malloc (in /usr/lib64/valgrind/vgpreload_memcheck-amd64-linux.so)
==42237== by 0x401333: MAIN__ (in /home/eric/unlimited_polymorphic_30)
==42237== by 0x4023E6: main (in /home/eric/unlimited_polymorphic_30)
==42237==
==42237== Conditional jump or move depends on uninitialised value(s)
==42237== at 0x401465: MAIN__ (in /home/eric/unlimited_polymorphic_30)
==42237== by 0x4023E6: main (in /home/eric/unlimited_polymorphic_30)
==42237==
==42237== Invalid read of size 8
==42237== at 0x4013C1: MAIN__ (in /home/eric/unlimited_polymorphic_30)
==42237== by 0x4023E6: main (in /home/eric/unlimited_polymorphic_30)
==42237== Address 0x5768ac3 is 3 bytes inside a block of size 6 alloc'd
==42237== at 0x4C2A0B0: malloc (in /usr/lib64/valgrind/vgpreload_memcheck-amd64-linux.so)
==42237== by 0x401333: MAIN__ (in /home/eric/unlimited_polymorphic_30)
==42237== by 0x4023E6: main (in /home/eric/unlimited_polymorphic_30)
==42237==
==42237== Conditional jump or move depends on uninitialised value(s)
==42237== at 0x401A6D: MAIN__ (in /home/eric/unlimited_polymorphic_30)
==42237== by 0x4023E6: main (in /home/eric/unlimited_polymorphic_30)
==42237==
==42237== Invalid read of size 8
==42237== at 0x401A67: MAIN__ (in /home/eric/unlimited_polymorphic_30)
==42237== by 0x4023E6: main (in /home/eric/unlimited_polymorphic_30)
==42237== Address 0x5768ac4 is 4 bytes inside a block of size 6 alloc'd
==42237== at 0x4C2A0B0: malloc (in /usr/lib64/valgrind/vgpreload_memcheck-amd64-linux.so)
==42237== by 0x401333: MAIN__ (in /home/eric/unlimited_polymorphic_30)
==42237== by 0x4023E6: main (in /home/eric/unlimited_polymorphic_30)
==42237==
==42237== Invalid write of size 4
==42237== at 0x4011DC: __copy_INTEGER_4_.3853 (in /home/eric/unlimited_polymorphic_30)
==42237== by 0x401B54: MAIN__ (in /home/eric/unlimited_polymorphic_30)
==42237== by 0x4023E6: main (in /home/eric/unlimited_polymorphic_30)
==42237== Address 0x5768ac4 is 4 bytes inside a block of size 6 alloc'd
==42237== at 0x4C2A0B0: malloc (in /usr/lib64/valgrind/vgpreload_memcheck-amd64-linux.so)
==42237== by 0x401333: MAIN__ (in /home/eric/unlimited_polymorphic_30)
==42237== by 0x4023E6: main (in /home/eric/unlimited_polymorphic_30)
==42237==
==42237== Conditional jump or move depends on uninitialised value(s)
==42237== at 0x4022FC: foo.3898 (in /home/eric/unlimited_polymorphic_30)
==42237== by 0x401B73: MAIN__ (in /home/eric/unlimited_polymorphic_30)
==42237== by 0x4023E6: main (in /home/eric/unlimited_polymorphic_30)
==42237==
==42237== Conditional jump or move depends on uninitialised value(s)
==42237== at 0x4022FC: foo.3898 (in /home/eric/unlimited_polymorphic_30)
==42237== by 0x401F42: MAIN__ (in /home/eric/unlimited_polymorphic_30)
==42237== by 0x4023E6: main (in /home/eric/unlimited_polymorphic_30)
In particular:
x.v._data.data = (void * restrict) __builtin_malloc (6);
D.1053 = (void *[0:] * restrict) x.v._data.data;
*((void * *) D.1053 + (sizetype) (((S.8 + D.1059) + D.1054) * (x.v._vptr->_size * MAX_EXPR <x.v._len, 1>))) = __builtin_malloc (MAX_EXPR <(unsigned long) x.v._vptr->_size, 1>);
The second call to __builtin_malloc overwrites part of the address returned by
the first call (or yields SIGBUS on the SPARC). There might be some confusion
about pointer arithmetic in the GENERIC code.
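A C model of the size mismatch visible in the GENERIC above, added here as an illustration; it is not code from the bug report or from gfortran. The struct and function names are invented stand-ins for the descriptor fields the dump names (_vptr->_size, _len, _data). The first malloc sizes the data block as one inline element (elem_size * max(len, 1), i.e. 6 bytes for character(len=6)), while the later store writes a pointer-sized value into it; the "consistent" layout below, which allocates pointer slots and then one payload block per element, is my assumed fix, not the patch that closed the bug.

```c
/* Added example modelling the malloc(6) / 8-byte-store mismatch from
 * comment #15. All names are hypothetical; only the sizing logic is
 * taken from the GENERIC dump. */
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Stand-in for an unlimited polymorphic descriptor. */
struct poly_desc {
    size_t vptr_size;   /* _vptr->_size: byte size of the dynamic type */
    size_t len;         /* _len: character length, 0 for non-character types */
    void  *data;        /* _data.data: array payload */
};

static size_t max_sz(size_t a, size_t b) { return a > b ? a : b; }

/* Byte count the dump's first __builtin_malloc derives: elem_size * max(len, 1).
 * That is the size of ONE inline element, not of a pointer slot. */
size_t inline_elem_bytes_for(size_t vptr_size, size_t len) {
    return vptr_size * max_sz(len, 1);
}

size_t inline_elem_bytes(const struct poly_desc *d) {
    return inline_elem_bytes_for(d->vptr_size, d->len);
}

/* Bytes needed if every array slot holds a pointer to a separately
 * allocated element, which is what the second malloc and the 8-byte store assume. */
size_t pointer_slot_bytes(size_t nelems) {
    return nelems * sizeof(void *);
}

/* True when storing a pointer into slot `idx` of a block of `block_bytes`
 * runs past the end of the block. Valgrind reports exactly this as
 * "Invalid write of size 8 ... N bytes inside a block of size 6". */
bool pointer_store_overruns(size_t block_bytes, size_t idx) {
    size_t end = (idx + 1) * sizeof(void *);
    return end > block_bytes;
}

/* Consistent layout (assumed fix): pointer slots first, then one payload
 * block per element big enough for the inline element bytes. */
void **alloc_pointer_array(const struct poly_desc *d, size_t nelems) {
    void **slots = calloc(nelems, sizeof *slots);
    if (!slots) return NULL;
    for (size_t i = 0; i < nelems; i++) {
        slots[i] = malloc(max_sz(inline_elem_bytes(d), 1));
        if (!slots[i]) {
            for (size_t j = 0; j < i; j++) free(slots[j]);
            free(slots);
            return NULL;
        }
    }
    return slots;
}

void free_pointer_array(void **slots, size_t nelems) {
    for (size_t i = 0; i < nelems; i++) free(slots[i]);
    free(slots);
}

/* Allocate a character(len=6) array of `nelems`, fill and read back each
 * element; returns true when every slot held its payload intact. */
bool roundtrip(size_t nelems) {
    struct poly_desc d = { 1, 6, NULL };
    void **arr = alloc_pointer_array(&d, nelems);
    if (!arr) return false;
    bool ok = true;
    for (size_t i = 0; i < nelems; i++) {
        memcpy(arr[i], "abcdef", 6);
        if (memcmp(arr[i], "abcdef", 6) != 0) ok = false;
    }
    free_pointer_array(arr, nelems);
    return ok;
}

int main(void) {
    struct poly_desc d = { 1, 6, NULL };  /* character(len=6), as in the dump */
    size_t buggy = inline_elem_bytes(&d);  /* 6: where malloc(6) came from */
    printf("block allocated: %zu bytes, one pointer slot needs: %zu bytes, overrun: %s\n",
           buggy, pointer_slot_bytes(1), pointer_store_overruns(buggy, 0) ? "yes" : "no");
    return roundtrip(3) ? 0 : 1;
}
```

The block never performs the out-of-bounds store itself; pointer_store_overruns() only reports that the dump's layout would, so the example runs cleanly under valgrind while still showing why the original did not.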