← Back to index | Original Bugzilla link

Bug 23895 – OOB write in escape analysis code with --preview=dip1021

Status
NEW
Severity
normal
Priority
P1
Component
dmd
Product
D
Version
D2
Platform
x86_64
OS
Linux
Creation time
2023-05-06T02:58:51Z
Last change time
2024-12-13T19:28:37Z
Keywords
ice
Assigned to
No Owner
Creator
TheGag96
Moved to GitHub: dmd#20271 →

Attachments

IDFilenameSummaryContent-TypeSize
1873repro.zipDustmite-reduced reproduction caseapplication/zip3576

Comments

Comment #0 by kipthemudkip — 2023-05-06T02:58:51Z
Created attachment 1873 Dustmite-reduced reproduction case I was tracking down compiler weirdness in my codebase while using LDC 1.32.1. Using LDC from my package manager, I'd get a consistent crash, and if I built LDC myself, I'd get an odd error where the compiler said it didn't think a local manifest constant was defined when it certainly was a few lines prior. (Reduced test case for this behavior included.) Valgrind tells me there was at least one out of bounds write in the escape analysis code. Something is pushed onto an array that was never expanded past its default size of 1. The crash goes away if I don't compile with --preview=dip1021. ==10074== Invalid write of size 8 ==10074== at 0x60EC8B: Array<VarDeclaration*>::push(VarDeclaration*) (array.d:120) ==10074== by 0x70DA7B: _D3dmd6escape13escapeByValueFCQBc10expression10ExpressionPSQCfQCe15EscapeByResultsbbZ8visitVarMFCQDrQCp6VarExpZv (escape.d:1543) ==10074== by 0x649F32: _D3dmd6escape13escapeByValueFCQBc10expression10ExpressionPSQCfQCe15EscapeByResultsbbZv (escape.d:1868) ==10074== by 0x6C12BB: _D3dmd6escape21checkMutableArgumentsFPSQBl6dscope5ScopeCQCc4func15FuncDeclarationCQDc5mtype12TypeFunctionCQEa10expression10ExpressionPSQFd4root5array__T5ArrayTQCcZQlbZb (escape.d:171) ==10074== by 0x6BD1A8: _D3dmd13expressionsem18functionParametersFKxSQBr8location3LocPSQCj6dscope5ScopeCQDa5mtype12TypeFunctionCQDy10expression10ExpressionCQFaQCa4TypePSQFn4root5array__T5ArrayTQCoZQlCQGs4func15FuncDeclarationPQCtPQDzZb (expressionsem.d:2455) ==10074== by 0x6D0B3A: ExpressionSemanticVisitor::visit(CallExp*) (expressionsem.d:5184) ==10074== by 0x704717: CallExp::accept(Visitor*) (expression.d:5212) ==10074== by 0x57171B: expressionSemantic(Expression*, Scope*) (expressionsem.d:12534) ==10074== by 0x68E1AD: _D3dmd7initsem9inferTypeFCQy4init11InitializerPSQBu6dscope5ScopeZ8visitExpMFCQCxQCa14ExpInitializerZQCx (initsem.d:1158) ==10074== by 0x68DAF4: _D3dmd7initsem9inferTypeFCQy4init11InitializerPSQBu6dscope5ScopeZQBo (initsem.d:1221) ==10074== by 0x53ED0C: DsymbolSemanticVisitor::visit(VarDeclaration*) (dsymbolsem.d:494) ==10074== by 0x53E930: SemanticTimeTraceVisitor<DsymbolSemanticVisitor*>::visit(VarDeclaration*) (timetrace_sema.d:108) ==10074== Address 0x11a8cd58 is 56 bytes inside a block of size 624 free'd ==10074== at 0x4846CC3: realloc (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so) ==10074== by 0x56024F: Mem::xrealloc(void*, unsigned long) (rmem.d:85) ==10074== by 0x6C0DCB: _D3dmd6escape21checkMutableArgumentsFPSQBl6dscope5ScopeCQCc4func15FuncDeclarationCQDc5mtype12TypeFunctionCQEa10expression10ExpressionPSQFd4root5array__T5ArrayTQCcZQlbZb (escape.d:103) ==10074== by 0x6BD1A8: _D3dmd13expressionsem18functionParametersFKxSQBr8location3LocPSQCj6dscope5ScopeCQDa5mtype12TypeFunctionCQDy10expression10ExpressionCQFaQCa4TypePSQFn4root5array__T5ArrayTQCoZQlCQGs4func15FuncDeclarationPQCtPQDzZb (expressionsem.d:2455) ==10074== by 0x6D0B3A: ExpressionSemanticVisitor::visit(CallExp*) (expressionsem.d:5184) ==10074== by 0x704717: CallExp::accept(Visitor*) (expression.d:5212) ==10074== by 0x57171B: expressionSemantic(Expression*, Scope*) (expressionsem.d:12534) ==10074== by 0x6CD6B4: ExpressionSemanticVisitor::visit(CallExp*) (expressionsem.d:4608) ==10074== by 0x704717: CallExp::accept(Visitor*) (expression.d:5212) ==10074== by 0x57171B: expressionSemantic(Expression*, Scope*) (expressionsem.d:12534) ==10074== by 0x68A2DE: _D3dmd7initsem19initializerSemanticRCQBj4init11InitializerPSQCg6dscope5ScopeKCQCy5mtype4TypeEQDnQCe13NeedInterpretZ8visitExpMFCQEvQDm14ExpInitializerZQEk (initsem.d:418) ==10074== by 0x5841D8: initializerSemantic(Initializer*, Scope*, Type*&, NeedInterpret) (initsem.d:1059) ==10074== Block was alloc'd at ==10074== at 0x4841798: malloc (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so) ==10074== by 0x56024F: Mem::xrealloc(void*, unsigned long) (rmem.d:85) ==10074== by 0x6C0DCB: _D3dmd6escape21checkMutableArgumentsFPSQBl6dscope5ScopeCQCc4func15FuncDeclarationCQDc5mtype12TypeFunctionCQEa10expression10ExpressionPSQFd4root5array__T5ArrayTQCcZQlbZb (escape.d:103) ==10074== by 0x6BD1A8: _D3dmd13expressionsem18functionParametersFKxSQBr8location3LocPSQCj6dscope5ScopeCQDa5mtype12TypeFunctionCQDy10expression10ExpressionCQFaQCa4TypePSQFn4root5array__T5ArrayTQCoZQlCQGs4func15FuncDeclarationPQCtPQDzZb (expressionsem.d:2455) ==10074== by 0x6D0B3A: ExpressionSemanticVisitor::visit(CallExp*) (expressionsem.d:5184) ==10074== by 0x704717: CallExp::accept(Visitor*) (expression.d:5212) ==10074== by 0x57171B: expressionSemantic(Expression*, Scope*) (expressionsem.d:12534) ==10074== by 0x5E3E9D: StatementSemanticVisitor::visit(ExpStatement*) (statementsem.d:206) ==10074== by 0x608C37: ExpStatement::accept(Visitor*) (statement.d:498) ==10074== by 0x5E3D3B: statementSemantic(Statement*, Scope*) (statementsem.d:148) ==10074== by 0x5E5686: StatementSemanticVisitor::visit(CompoundStatement*) (statementsem.d:269) ==10074== by 0x609107: CompoundStatement::accept(Visitor*) (statement.d:641)
Comment #1 by dlang-bugzilla — 2023-05-08T09:43:10Z
Is this reproducible with DMD? If not, it may be better to file this in the LDC issue tracker, even if the problem lies in the frontend code shared by the compilers.
Comment #2 by robert.schadek — 2024-12-13T19:28:37Z
THIS ISSUE HAS BEEN MOVED TO GITHUB https://github.com/dlang/dmd/issues/20271 DO NOT COMMENT HERE ANYMORE, NOBODY WILL SEE IT, THIS ISSUE HAS BEEN MOVED TO GITHUB