https://gcc.gnu.org/bugzilla/show_bug.cgi?id=123922
Bug ID: 123922
Summary: asan error: heap-use-after-free in
update_hard_regno_preference, lra-assigns.cc
Product: gcc
Version: 16.0
Status: UNCONFIRMED
Keywords: needs-bisection, ra
Severity: normal
Priority: P3
Component: rtl-optimization
Assignee: unassigned at gcc dot gnu.org
Reporter: pheeck at gcc dot gnu.org
Blocks: 86656
Target Milestone: ---
Host: x86_64-pc-linux-gnu
Target: x86_64-pc-linux-gnu
With an asan-instrumented GCC, compiling the testsuite testcase gcc.target/i386/asm-hard-reg-2.c:

ASAN_OPTIONS="print_summary=1:print_stacktrace=1" gcc src/gcc/testsuite/gcc.target/i386/asm-hard-reg-2.c -O2

results in:
=================================================================
==3597000==ERROR: AddressSanitizer: heap-use-after-free on address 0x7cebd3c02784 at pc 0x000001b420eb bp 0x7ffd9c45c170 sp 0x7ffd9c45c168
READ of size 4 at 0x7cebd3c02784 thread T0
    #0 0x000001b420ea in update_hard_regno_preference /home/worker/buildworker/tiber-gcc-asan/build/gcc/lra-assigns.cc:770
    #1 0x000001b537c1 in lra_split_hard_reg_for(bool) /home/worker/buildworker/tiber-gcc-asan/build/gcc/lra-assigns.cc:1868
    #2 0x000001b3f773 in lra(_IO_FILE*, int) /home/worker/buildworker/tiber-gcc-asan/build/gcc/lra.cc:2535
    #3 0x000001a2a48d in do_reload /home/worker/buildworker/tiber-gcc-asan/build/gcc/ira.cc:6076
    #4 0x000001a2a48d in execute /home/worker/buildworker/tiber-gcc-asan/build/gcc/ira.cc:6264
    #5 0x000001df8922 in execute_one_pass(opt_pass*) /home/worker/buildworker/tiber-gcc-asan/build/gcc/passes.cc:2656
    #6 0x000001dfa73e in execute_pass_list_1 /home/worker/buildworker/tiber-gcc-asan/build/gcc/passes.cc:2769
    #7 0x000001dfa764 in execute_pass_list_1 /home/worker/buildworker/tiber-gcc-asan/build/gcc/passes.cc:2770
    #8 0x000001dfa824 in execute_pass_list(function*, opt_pass*) /home/worker/buildworker/tiber-gcc-asan/build/gcc/passes.cc:2780
    #9 0x000000f962ae in cgraph_node::expand() /home/worker/buildworker/tiber-gcc-asan/build/gcc/cgraphunit.cc:1871
    #10 0x000000f962ae in cgraph_node::expand() /home/worker/buildworker/tiber-gcc-asan/build/gcc/cgraphunit.cc:1824
    #11 0x000000f9b8ff in expand_all_functions /home/worker/buildworker/tiber-gcc-asan/build/gcc/cgraphunit.cc:2054
    #12 0x000000f9b8ff in symbol_table::compile() /home/worker/buildworker/tiber-gcc-asan/build/gcc/cgraphunit.cc:2432
    #13 0x000000f9b8ff in symbol_table::compile() /home/worker/buildworker/tiber-gcc-asan/build/gcc/cgraphunit.cc:2340
    #14 0x000000fa338c in symbol_table::finalize_compilation_unit() /home/worker/buildworker/tiber-gcc-asan/build/gcc/cgraphunit.cc:2623
    #15 0x00000227e7e2 in compile_file /home/worker/buildworker/tiber-gcc-asan/build/gcc/toplev.cc:482
    #16 0x000000842fe4 in do_compile /home/worker/buildworker/tiber-gcc-asan/build/gcc/toplev.cc:2225
    #17 0x000000842fe4 in toplev::main(int, char**) /home/worker/buildworker/tiber-gcc-asan/build/gcc/toplev.cc:2390
    #18 0x00000084e6fd in main /home/worker/buildworker/tiber-gcc-asan/build/gcc/main.cc:39
    #19 0x7f6bd4a2b2fa in __libc_start_call_main (/lib64/libc.so.6+0x2b2fa) (BuildId: 8523b213e7586a93ab00f6dd476418b1e521e62c)
    #20 0x7f6bd4a2b3ca in __libc_start_main_impl (/lib64/libc.so.6+0x2b3ca) (BuildId: 8523b213e7586a93ab00f6dd476418b1e521e62c)
    #21 0x000000851554 in _start ../sysdeps/x86_64/start.S:115

0x7cebd3c02784 is located 772 bytes inside of 804-byte region [0x7cebd3c02480,0x7cebd3c027a4)
freed by thread T0 here:
    #0 0x000000939eaf in free /home/worker/buildworker/tiber-gcc-asan/build/libsanitizer/asan/asan_malloc_linux.cpp:51
    #1 0x000001b4e7ad in assign_by_spills /home/worker/buildworker/tiber-gcc-asan/build/gcc/lra-assigns.cc:1606
    #2 0x000001b4e7ad in lra_assign(bool&) /home/worker/buildworker/tiber-gcc-asan/build/gcc/lra-assigns.cc:1672

previously allocated by thread T0 here:
    #0 0x00000093ac2f in calloc /home/worker/buildworker/tiber-gcc-asan/build/libsanitizer/asan/asan_malloc_linux.cpp:74
    #1 0x0000066d43a4 in xcalloc /home/worker/buildworker/tiber-gcc-asan/build/libiberty/xmalloc.c:164

SUMMARY: AddressSanitizer: heap-use-after-free /home/worker/buildworker/tiber-gcc-asan/build/gcc/lra-assigns.cc:770 in update_hard_regno_preference
Shadow bytes around the buggy address:
0x7cebd3c02500: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x7cebd3c02580: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x7cebd3c02600: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x7cebd3c02680: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x7cebd3c02700: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
=>0x7cebd3c02780:[fd]fd fd fd fd fa fa fa fa fa fa fa fa fa fa fa
0x7cebd3c02800: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x7cebd3c02880: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x7cebd3c02900: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x7cebd3c02980: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x7cebd3c02a00: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
==3597000==ABORTING
Configured with: /home/worker/buildworker/tiber-gcc-asan/build/configure --enable-languages=default,jit,lto,go,d --enable-host-shared --enable-checking=release --disable-multilib --with-build-config=bootstrap-asan
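The shadow-byte dump and legend in the report encode one shadow byte per 8-byte granule of application memory; in this report the dump rows are labelled with application addresses (consecutive rows are 0x80 bytes apart), which is why the faulting address 0x7cebd3c02784 lands in the first granule of the "=>" row and is bracketed as [fd]. The following is an added example, not code from the bug report, from GCC or from the sanitizer runtime: it parses the three rows quoted above, classifies the faulting address using the report's own legend, and cross-checks the "772 bytes inside of 804-byte region" line against the run of freed (fd) granules. It assumes ASan's standard 8-byte granule mapping and that the row labels are application addresses, as they are here.

```python
# Added example, not part of the bug report or of GCC: decode the
# "Shadow bytes around the buggy address" dump from an AddressSanitizer
# report and explain what the faulting address points at.
# Assumes ASan's documented encoding: one shadow byte per 8-byte granule
# of application memory, with row labels being application addresses.
import re

GRANULE = 8  # application bytes covered by one shadow byte

# Legend values copied from the report's "Shadow byte legend" section.
LEGEND = {
    0xfa: "heap left redzone",
    0xfd: "freed heap region",
    0xf1: "stack left redzone",
    0xf2: "stack mid redzone",
    0xf3: "stack right redzone",
    0xf5: "stack after return",
    0xf8: "stack use after scope",
    0xf9: "global redzone",
    0xf6: "global init order",
    0xf7: "poisoned by user",
    0xfc: "container overflow",
    0xac: "array cookie",
    0xbb: "intra object redzone",
    0xfe: "ASan internal",
    0xca: "left alloca redzone",
    0xcb: "right alloca redzone",
}

# Sample input constructed from the report above: the faulting address,
# the freed region's bounds, and three rows of the shadow dump.
FAULT_ADDR = 0x7cebd3c02784
REGION = (0x7cebd3c02480, 0x7cebd3c027a4)  # [start, end), 804 bytes
SHADOW_DUMP = """\
  0x7cebd3c02700: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
=>0x7cebd3c02780:[fd]fd fd fd fd fa fa fa fa fa fa fa fa fa fa fa
  0x7cebd3c02800: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
"""


def parse_shadow_dump(text):
    """Map each 8-byte granule's application address to its shadow byte.

    Each row holds 16 shadow bytes (0x80 application bytes); "=>" marks
    the row containing the faulting address and [..] brackets its granule.
    """
    shadow = {}
    for line in text.splitlines():
        m = re.match(r"\s*(?:=>)?\s*0x([0-9a-fA-F]+):(.*)$", line)
        if not m:
            continue
        row_base = int(m.group(1), 16)
        for i, tok in enumerate(re.findall(r"[0-9a-fA-F]{2}", m.group(2))):
            shadow[row_base + GRANULE * i] = int(tok, 16)
    return shadow


def classify(addr, shadow):
    """Return the legend name for the granule holding addr."""
    granule = addr & ~(GRANULE - 1)
    byte = shadow[granule]
    if byte == 0:
        return "addressable"
    if 1 <= byte <= 7:
        # Partially addressable: only the first `byte` bytes are valid.
        if (addr & (GRANULE - 1)) < byte:
            return "addressable"
        return "partially addressable, past the valid bytes"
    return LEGEND.get(byte, "unknown shadow value 0x%02x" % byte)


def describe_fault(addr, region, shadow):
    """Cross-check the report's region line against the shadow dump."""
    start, end = region
    # Walk the run of freed granules starting at the faulting one; it should
    # extend exactly to the region end rounded up to a granule boundary.
    run_end = addr & ~(GRANULE - 1)
    while shadow.get(run_end) == 0xfd:
        run_end += GRANULE
    end_rounded = (end + GRANULE - 1) & ~(GRANULE - 1)
    return {
        "state": classify(addr, shadow),
        "offset_in_region": addr - start,
        "region_size": end - start,
        "freed_run_matches_region_end": run_end == end_rounded,
    }


if __name__ == "__main__":
    print(describe_fault(FAULT_ADDR, REGION, parse_shadow_dump(SHADOW_DUMP)))
```

For this report the decoder confirms the faulting granule is "freed heap region", the offset is 772 of 804 bytes, and the five fd granules from 0x7cebd3c02780 run exactly to the rounded-up region end before the fa redzone begins; pasting the rows of another report into SHADOW_DUMP applies the same check to it.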
Referenced Bugs:
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=86656
[Bug 86656] [meta-bug] Issues found with -fsanitize=address