https://gcc.gnu.org/bugzilla/show_bug.cgi?id=123920

            Bug ID: 123920
           Summary: asan error: dynamic-stack-buffer-overflow in
                    eval_data_member_spec, reflect.cc since
                    r16-6808-g4b0e94b394fa38
           Product: gcc
           Version: 16.0
            Status: UNCONFIRMED
          Severity: normal
          Priority: P3
         Component: c++
          Assignee: unassigned at gcc dot gnu.org
          Reporter: pheeck at gcc dot gnu.org
                CC: mpolacek at gcc dot gnu.org
            Blocks: 86656
  Target Milestone: ---
              Host: x86_64-pc-linux-gnu
            Target: x86_64-pc-linux-gnu

With an asan-instrumented GCC, compiling the testsuite test
reflect/range_args.C:

UBSAN_OPTIONS="halt_on_error=1:abort_on_error=1:print_summary=1:print_stacktrace=1"
ubsan-gcc src/gcc/testsuite/g++.dg/reflect/range_args.C

results in

==3377211==ERROR: AddressSanitizer: dynamic-stack-buffer-overflow on address
0x7ffca2923482 at pc 0x0000010fa59b bp 0x7ffca2923450 sp 0x7ffca2923448
WRITE of size 1 at 0x7ffca2923482 thread T0
    #0 0x0000010fa59a in eval_data_member_spec
/home/worker/buildworker/tiber-gcc-asan/build/gcc/cp/reflect.cc:5726
    #1 0x00000110b89d in process_metafunction(constexpr_ctx const*, tree_node*,
tree_node*, bool*, bool*, tree_node**)
/home/worker/buildworker/tiber-gcc-asan/build/gcc/cp/reflect.cc:7683
    #2 0x000000a9b6d2 in cxx_eval_call_expression
/home/worker/buildworker/tiber-gcc-asan/build/gcc/cp/constexpr.cc:3871
    #3 0x000000aa7469 in cxx_eval_constant_expression(constexpr_ctx const*,
tree_node*, value_cat, bool*, bool*, tree_node**)
/home/worker/buildworker/tiber-gcc-asan/build/gcc/cp/constexpr.cc:9209
    #4 0x000000ac95be in cxx_eval_bare_aggregate
/home/worker/buildworker/tiber-gcc-asan/build/gcc/cp/constexpr.cc:6670
    #5 0x000000aab9be in cxx_eval_constant_expression(constexpr_ctx const*,
tree_node*, value_cat, bool*, bool*, tree_node**)
/home/worker/buildworker/tiber-gcc-asan/build/gcc/cp/constexpr.cc:9877
    #6 0x000000ad1e8e in cxx_eval_outermost_constant_expr
/home/worker/buildworker/tiber-gcc-asan/build/gcc/cp/constexpr.cc:10796
    #7 0x000000ae273c in maybe_constant_value(tree_node*, tree_node*,
mce_value)
/home/worker/buildworker/tiber-gcc-asan/build/gcc/cp/constexpr.cc:11223
    #8 0x000001240f34 in store_init_value(tree_node*, tree_node*,
vec<tree_node*, va_gc, vl_embed>**, int)
/home/worker/buildworker/tiber-gcc-asan/build/gcc/cp/typeck2.cc:969
    #9 0x000000c08f31 in check_initializer
/home/worker/buildworker/tiber-gcc-asan/build/gcc/cp/decl.cc:8610
    #10 0x000000c14890 in cp_finish_decl(tree_node*, tree_node*, bool,
tree_node*, int, cp_decomp*)
/home/worker/buildworker/tiber-gcc-asan/build/gcc/cp/decl.cc:9880
    #11 0x000000f89012 in cp_parser_init_declarator
/home/worker/buildworker/tiber-gcc-asan/build/gcc/cp/parser.cc:26299
    #12 0x000000f8febd in cp_parser_simple_declaration
/home/worker/buildworker/tiber-gcc-asan/build/gcc/cp/parser.cc:18038
    #13 0x000000f9a5df in cp_parser_block_declaration
/home/worker/buildworker/tiber-gcc-asan/build/gcc/cp/parser.cc:17860
    #14 0x000000fe4e02 in cp_parser_declaration
/home/worker/buildworker/tiber-gcc-asan/build/gcc/cp/parser.cc:17578
    #15 0x000000fe9d00 in cp_parser_toplevel_declaration
/home/worker/buildworker/tiber-gcc-asan/build/gcc/cp/parser.cc:17682
    #16 0x000000fe9d00 in cp_parser_translation_unit
/home/worker/buildworker/tiber-gcc-asan/build/gcc/cp/parser.cc:5593
    #17 0x000000fe9d00 in c_parse_file()
/home/worker/buildworker/tiber-gcc-asan/build/gcc/cp/parser.cc:57422
    #18 0x00000137c6ae in c_common_parse_file()
/home/worker/buildworker/tiber-gcc-asan/build/gcc/c-family/c-opts.cc:1422
    #19 0x00000290e9b8 in compile_file
/home/worker/buildworker/tiber-gcc-asan/build/gcc/toplev.cc:455
    #20 0x00000087ac64 in do_compile
/home/worker/buildworker/tiber-gcc-asan/build/gcc/toplev.cc:2225
    #21 0x00000087ac64 in toplev::main(int, char**)
/home/worker/buildworker/tiber-gcc-asan/build/gcc/toplev.cc:2390
    #22 0x00000088631d in main
/home/worker/buildworker/tiber-gcc-asan/build/gcc/main.cc:39
    #23 0x7f3a5922b2fa in __libc_start_call_main (/lib64/libc.so.6+0x2b2fa)
(BuildId: 8523b213e7586a93ab00f6dd476418b1e521e62c)
    #24 0x7f3a5922b3ca in __libc_start_main_impl (/lib64/libc.so.6+0x2b3ca)
(BuildId: 8523b213e7586a93ab00f6dd476418b1e521e62c)
    #25 0x0000008894a4 in _start ../sysdeps/x86_64/start.S:115

Address 0x7ffca2923482 is located in stack of thread T0
SUMMARY: AddressSanitizer: dynamic-stack-buffer-overflow
/home/worker/buildworker/tiber-gcc-asan/build/gcc/cp/reflect.cc:5726 in
eval_data_member_spec
Shadow bytes around the buggy address:
  0x7ffca2923200: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x7ffca2923280: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x7ffca2923300: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x7ffca2923380: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x7ffca2923400: 00 00 00 00 00 00 00 00 00 00 00 00 ca ca ca ca
=>0x7ffca2923480:[02]cb cb cb cb cb cb cb 00 00 00 00 00 00 00 00
  0x7ffca2923500: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x7ffca2923580: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x7ffca2923600: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x7ffca2923680: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x7ffca2923700: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==3377211==ABORTING
../build/gcc/testsuite/g++.dg/reflect/range_args.C:82:19: internal compiler
error: Aborted
   82 |   data_member_spec(^^int, {.name = "a"}),
      |   ~~~~~~~~~~~~~~~~^~~~~~~~~~~~~~~~~~~~~~
0x6a616e3 internal_error(char const*, ...)
       
/home/worker/buildworker/tiber-gcc-asan/build/gcc/diagnostic-global-context.cc:787
0x290e117 crash_signal
        /home/worker/buildworker/tiber-gcc-asan/build/gcc/toplev.cc:325
0x7e298e __sanitizer::Abort()
       
/home/worker/buildworker/tiber-gcc-asan/build/libsanitizer/sanitizer_common/sanitizer_posix_libcdep.cpp:165
0x9a83ab __sanitizer::Die()
       
/home/worker/buildworker/tiber-gcc-asan/build/libsanitizer/sanitizer_common/sanitizer_termination.cpp:58
0x97f3fe __asan::ScopedInErrorReport::~ScopedInErrorReport()
       
/home/worker/buildworker/tiber-gcc-asan/build/libsanitizer/asan/asan_report.cpp:221
0x97e942 __asan::ReportGenericError(unsigned long, unsigned long, unsigned
long, unsigned long, bool, unsigned long, unsigned int, bool)
       
/home/worker/buildworker/tiber-gcc-asan/build/libsanitizer/asan/asan_report.cpp:536
0x97fdae __asan_report_store1
       
/home/worker/buildworker/tiber-gcc-asan/build/libsanitizer/asan/asan_rtl.cpp:133
0x10fa59a eval_data_member_spec
        /home/worker/buildworker/tiber-gcc-asan/build/gcc/cp/reflect.cc:5726
0x110b89d process_metafunction(constexpr_ctx const*, tree_node*, tree_node*,
bool*, bool*, tree_node**)
        /home/worker/buildworker/tiber-gcc-asan/build/gcc/cp/reflect.cc:7683
0xa9b6d2 cxx_eval_call_expression
        /home/worker/buildworker/tiber-gcc-asan/build/gcc/cp/constexpr.cc:3871
0xaa7469 cxx_eval_constant_expression(constexpr_ctx const*, tree_node*,
value_cat, bool*, bool*, tree_node**)
        /home/worker/buildworker/tiber-gcc-asan/build/gcc/cp/constexpr.cc:9209
0xac95be cxx_eval_bare_aggregate
        /home/worker/buildworker/tiber-gcc-asan/build/gcc/cp/constexpr.cc:6670
0xaab9be cxx_eval_constant_expression(constexpr_ctx const*, tree_node*,
value_cat, bool*, bool*, tree_node**)
        /home/worker/buildworker/tiber-gcc-asan/build/gcc/cp/constexpr.cc:9877
0xad1e8e cxx_eval_outermost_constant_expr
        /home/worker/buildworker/tiber-gcc-asan/build/gcc/cp/constexpr.cc:10796
0xae273c maybe_constant_value(tree_node*, tree_node*, mce_value)
        /home/worker/buildworker/tiber-gcc-asan/build/gcc/cp/constexpr.cc:11223
0x1240f34 store_init_value(tree_node*, tree_node*, vec<tree_node*, va_gc,
vl_embed>**, int)
        /home/worker/buildworker/tiber-gcc-asan/build/gcc/cp/typeck2.cc:969
0xc08f31 check_initializer
        /home/worker/buildworker/tiber-gcc-asan/build/gcc/cp/decl.cc:8610
0xc14890 cp_finish_decl(tree_node*, tree_node*, bool, tree_node*, int,
cp_decomp*)
        /home/worker/buildworker/tiber-gcc-asan/build/gcc/cp/decl.cc:9880
0xf89012 cp_parser_init_declarator
        /home/worker/buildworker/tiber-gcc-asan/build/gcc/cp/parser.cc:26299
0xf8febd cp_parser_simple_declaration
        /home/worker/buildworker/tiber-gcc-asan/build/gcc/cp/parser.cc:18038
/tmp/ahoj/usr/local/bin/../libexec/gcc/x86_64-pc-linux-gnu/16.0.1/cc1plus
-quiet -iprefix /tmp/ahoj/usr/local/bin/../lib/gcc/x86_64-pc-linux-gnu/16.0.1/
-D_GNU_SOURCE ../build/gcc/testsuite/g++.dg/reflect/range_args.C -quiet
-dumpdir a- -dumpbase range_args.C -dumpbase-ext .C -mtune=generic
-march=x86-64 -std=c++26 -freflection -o /tmp/ccLHv7uL.s
Please submit a full bug report, with preprocessed source (by using
-freport-bug).
Please include the complete backtrace with any bug report.
See <https://gcc.gnu.org/bugs/> for instructions.


git blame on reflect.cc:5726 points to r16-6808-g4b0e94b394fa38.  Cc-ing Marek.


Configured with: /home/worker/buildworker/tiber-gcc-asan/build/configure
--enable-languages=default,jit,lto,go,d --enable-host-shared
--enable-checking=release --disable-multilib --with-build-config=bootstrap-asan
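The shadow bytes in the report above encode, per 8-byte granule, how many leading bytes are addressable (00 = all eight, 01 to 07 = that many, anything else = a redzone or poison marker from the legend). As an added triage helper, not part of this bug report or of GCC, the following Python decodes the dump rows quoted above and recovers what ASan found: a 2-byte alloca'd object starting at 0x7ffca2923480, bracketed by a left (ca) and right (cb) alloca redzone, with the 1-byte write landing at offset 2, the first byte past its end. It assumes the dump's row labels are application addresses (the rows advance by 0x80, i.e. 16 shadow bytes covering 128 application bytes); the SHADOW_DUMP input is constructed by copying three rows from the report.

```python
import re

# Shadow byte legend, copied from the ASan report's own legend table.
SHADOW_LEGEND = {
    0x00: "Addressable",
    0xfa: "Heap left redzone",
    0xfd: "Freed heap region",
    0xf1: "Stack left redzone",
    0xf2: "Stack mid redzone",
    0xf3: "Stack right redzone",
    0xf5: "Stack after return",
    0xf8: "Stack use after scope",
    0xf9: "Global redzone",
    0xf6: "Global init order",
    0xf7: "Poisoned by user",
    0xfc: "Container overflow",
    0xac: "Array cookie",
    0xbb: "Intra object redzone",
    0xfe: "ASan internal",
    0xca: "Left alloca redzone",
    0xcb: "Right alloca redzone",
}

# Constructed input: three "Shadow bytes around the buggy address" rows copied
# from the report above (the rows around the faulting granule).
SHADOW_DUMP = """\
  0x7ffca2923400: 00 00 00 00 00 00 00 00 00 00 00 00 ca ca ca ca
=>0x7ffca2923480:[02]cb cb cb cb cb cb cb 00 00 00 00 00 00 00 00
  0x7ffca2923500: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
"""

# A dump row: optional "=>" marker, a hex row label, a colon, then 16 cells.
ROW = re.compile(r"^\s*(?:=>)?\s*0x([0-9a-fA-F]+):(.*)$")


def parse_shadow_dump(text):
    """Map each 8-byte application granule base -> its shadow byte value.

    Assumption: row labels are application addresses (they advance by 0x80,
    i.e. 16 shadow bytes x 8 application bytes per row).
    """
    granules = {}
    for line in text.splitlines():
        m = ROW.match(line)
        if not m:
            continue
        base = int(m.group(1), 16)
        # "[02]" brackets the byte covering the faulting address; drop the brackets.
        cells = re.findall(r"[0-9a-fA-F]{2}",
                           m.group(2).replace("[", " ").replace("]", " "))
        for i, cell in enumerate(cells):
            granules[base + 8 * i] = int(cell, 16)
    return granules


def is_addressable(granules, addr):
    """True if ASan would let an access to application byte `addr` through."""
    g = granules[addr & ~7]
    if g == 0x00:
        return True
    if 1 <= g <= 7:          # partially addressable: only the first g bytes are usable
        return (addr & 7) < g
    return False             # any other value is a redzone / poison marker


def locate_object(granules, addr):
    """Describe the object around a faulting address.

    Walks left over fully addressable granules to find the object's start, and
    right to the partial or redzone granule that ends it.  Assumes the faulting
    byte lies in the object's last granule (the off-by-a-few case seen here).
    """
    base = addr & ~7
    start = base
    while granules.get(start - 8) == 0x00:
        start -= 8
    end_granule = base
    while granules.get(end_granule) == 0x00:
        end_granule += 8
    tail = granules.get(end_granule)
    partial = tail is not None and 1 <= tail <= 7
    end = end_granule + tail if partial else end_granule
    right_neighbour = end_granule + 8 if partial else end_granule
    return {
        "start": start,
        "size": end - start,
        "access_offset": addr - start,   # >= size means the access is past the end
        "left_redzone": SHADOW_LEGEND.get(granules.get(start - 8), "unknown"),
        "right_redzone": SHADOW_LEGEND.get(granules.get(right_neighbour), "unknown"),
    }


if __name__ == "__main__":
    g = parse_shadow_dump(SHADOW_DUMP)
    print(locate_object(g, 0x7ffca2923482))
```

Running the block prints the object's start, size 2, access offset 2 and the two alloca redzone kinds, which is the same picture the one-line "WRITE of size 1" summary gives but makes the buffer size explicit when comparing the report against the code at reflect.cc:5726.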


Referenced Bugs:

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=86656
[Bug 86656] [meta-bug] Issues found with -fsanitize=address
