[Bug c/87953] New: asan: stack-buffer-overflow in vectorizable_reduction


[Bug c/87953] New: asan: stack-buffer-overflow in vectorizable_reduction

asolokha at gmx dot com
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=87953

            Bug ID: 87953
           Summary: asan: stack-buffer-overflow in vectorizable_reduction
           Product: gcc
           Version: 8.0
            Status: UNCONFIRMED
          Severity: normal
          Priority: P3
         Component: c
          Assignee: unassigned at gcc dot gnu.org
          Reporter: dcb314 at hotmail dot com
  Target Milestone: ---

For this C code:

int a[];
int b;
void d() {
  char c;
  b = 0;
  for (; b < 6; b++) {
    c = 1;
    for (; c; c <<= 1) {
      a[b] <<= 8;
      if (b & c)
        a[b] = 1;
    }
  }
}

compiled with -O3 on recent gcc trunk with asan, does this:

==18849==ERROR: AddressSanitizer: stack-buffer-overflow on address
0x7ffd0eb77e48 at pc 0x000002cfffdd bp 0x7ffd0eb76740 sp 0x7ffd0eb76738
READ of size 8 at 0x7ffcfa4901f8 thread T0
    #0 0x2cfffdc in vectorizable_reduction(_stmt_vec_info*, gimple_stmt_iterator*, _stmt_vec_info**, _slp_tree*, _slp_instance*, vec<stmt_info_for_cost, va_heap, vl_ptr>*) ../../trunk/gcc/tree-vect-loop.c:6485

...

    [5472, 5496) 'ops' (line 6004) <== Memory access at offset 5464 underflows this variable

Line 6485 is

      if (!vec_stmt && !vectorizable_condition (stmt_info, gsi, NULL,
                                                ops[reduc_index], 0, NULL,
                                                cost_vec))

I am not sure if overflow or underflow is occurring, but since ops is
a local array, I am guessing someone needs to sanity check array indexes
before use.

Problem didn't occur in gcc revision 265683 and does by revision 265907.

[Bug c/87953] asan: stack-buffer-overflow in vectorizable_reduction

asolokha at gmx dot com
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=87953

David Binderman <dcb314 at hotmail dot com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |rguenth at gcc dot gnu.org

--- Comment #1 from David Binderman <dcb314 at hotmail dot com> ---
svn blame says

263143   rsandifo       if (!vec_stmt && !vectorizable_condition (stmt_info, gsi, NULL,
260289    rguenth                                                 ops[reduc_index], 0, NULL,
260289    rguenth                                                 cost_vec))

[Bug c/87953] asan: stack-buffer-overflow in vectorizable_reduction

asolokha at gmx dot com
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=87953

Richard Biener <rguenth at gcc dot gnu.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|UNCONFIRMED                 |ASSIGNED
   Last reconfirmed|                            |2018-11-09
           Assignee|unassigned at gcc dot gnu.org      |rguenth at gcc dot gnu.org
     Ever confirmed|0                           |1

--- Comment #2 from Richard Biener <rguenth at gcc dot gnu.org> ---
valgrind reports

==21312== Conditional jump or move depends on uninitialised value(s)
==21312==    at 0x14BB78D: vectorizable_condition(_stmt_vec_info*,
gimple_stmt_iterator*, _stmt_vec_info**, tree_node*, int, _slp_tree*,
vec<stmt_info_for_cost, va_heap, vl_ptr>*) (tree-vect-stmts.c:8718)
==21312==    by 0x14DCDC0: vectorizable_reduction(_stmt_vec_info*,
gimple_stmt_iterator*, _stmt_vec_info**, _slp_tree*, _slp_instance*,
vec<stmt_info_for_cost, va_heap, vl_ptr>*) (tree-vect-loop.c:6531)

so that's probably the very same thing.  reduc_index is -1 here.

I have a fix.

[Bug c/87953] asan: stack-buffer-overflow in vectorizable_reduction

asolokha at gmx dot com
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=87953

Richard Biener <rguenth at gcc dot gnu.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|ASSIGNED                    |RESOLVED
         Resolution|---                         |FIXED

--- Comment #3 from Richard Biener <rguenth at gcc dot gnu.org> ---
Fixed.

[Bug c/87953] asan: stack-buffer-overflow in vectorizable_reduction

asolokha at gmx dot com
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=87953

--- Comment #4 from Richard Biener <rguenth at gcc dot gnu.org> ---
Author: rguenth
Date: Fri Nov  9 12:29:51 2018
New Revision: 265964

URL: https://gcc.gnu.org/viewcvs?rev=265964&root=gcc&view=rev
Log:
2018-11-09  Richard Biener  <[hidden email]>

        PR tree-optimization/87953
        * tree-vect-loop.c (vectorizable_reduction): For analysis
        always pass ops[0] to vectorizable_condition.

Modified:
    trunk/gcc/ChangeLog
    trunk/gcc/tree-vect-loop.c
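The defect class behind this report, reduced to a small model as an added example (not GCC's own code): a local operand array indexed by a sentinel that is still -1 on the analysis path, beside the checked version that mirrors the r265964 fix (analysis always takes ops[0]) and refuses an unresolved index on the transform path. Function and variable names are hypothetical.

```c
/* Added example, not GCC's code: reduced model of PR tree-optimization/87953.
   vectorizable_reduction keeps its reduction operands in a small local array
   `ops` and records the reduction operand's slot in `reduc_index`; during the
   analysis pass that index is still -1, so `ops[reduc_index]` read one element
   before the array (the "underflows this variable" ASan reported).
   select_cond_operand and NUM_OPS are hypothetical names for this model. */
#include <stdbool.h>
#include <stdio.h>

#define NUM_OPS 3            /* ops[] holds at most 3 operands in the model */

/* Returns true and stores the operand to analyse or transform in *out.
   analysis == true models the !vec_stmt path: the fix always hands ops[0]
   to vectorizable_condition there instead of ops[reduc_index]. */
static bool select_cond_operand(const int ops[NUM_OPS], int reduc_index,
                                bool analysis, int *out)
{
    if (analysis) {
        *out = ops[0];
        return true;
    }
    /* Transform path: reduc_index must be a valid slot before it is used
       as an array index; the sentinel -1 means no operand was resolved. */
    if (reduc_index < 0 || reduc_index >= NUM_OPS)
        return false;
    *out = ops[reduc_index];
    return true;
}

int main(void)
{
    int ops[NUM_OPS] = { 10, 20, 30 };   /* constructed sample operands */
    int chosen;
    /* Analysis with reduc_index still -1: the original code indexed ops[-1]
       here; the checked version takes ops[0]. */
    if (select_cond_operand(ops, -1, true, &chosen))
        printf("analysis: operand %d\n", chosen);
    /* Transform with an unresolved index is refused instead of reading
       outside the array. */
    if (!select_cond_operand(ops, -1, false, &chosen))
        printf("transform: reduc_index -1 rejected\n");
    if (select_cond_operand(ops, 2, false, &chosen))
        printf("transform: operand %d\n", chosen);
    return 0;
}
```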