tinycc-devel
[Tinycc-devel] libtcc crash - full test case enclosed


From: Eric Raible
Subject: [Tinycc-devel] libtcc crash - full test case enclosed
Date: Fri, 14 Apr 2023 22:01:49 -0700

I am a very satisfied user of libtcc but just found this crash.
I am not on the mailing list so feel free to CC me or email directly.

tcc version 0.9.27 mob:b006b98 2023-04-09T06:06:10+08:00 (AArch64 Linux)
no modifications

This test case crashes with a segmentation fault whether compiled with
tcc or gcc.
I realize that the code I'm trying to compile has an error.
But obviously that error is not being properly handled.
The fact that the _second_ (correct) call to use_libtcc() crashes is the
interesting part.

#include <stdio.h>
#include "libtcc.h"

/* Report which libtcc call failed, then jump to the cleanup label. */
#define ERROR(what) { printf("couldn't %s()\n", what); goto end; }

static void use_libtcc(char *code) {
  TCCState *s = tcc_new();
  if (!s) { printf("couldn't tcc_new()\n"); return; } /* nothing to delete yet */
  if (tcc_set_output_type(s, TCC_OUTPUT_MEMORY) == -1)
    ERROR("tcc_set_output_type")
  if (tcc_compile_string(s, code) == -1) ERROR("tcc_compile_string")
  if (tcc_relocate(s, TCC_RELOCATE_AUTO) == -1) ERROR("tcc_relocate")
end:
  tcc_delete(s); /* every compile gets its own state, created and deleted here */
}

int main() {
  use_libtcc("void foo() { a: int x;}"); // removing the label fixes the problem
  use_libtcc("void foo() { }"); // the crash occurs when compiling THIS line!
  return 0;
}

Valgrind reports the following:

==1341== Memcheck, a memory error detector
==1341== Copyright (C) 2002-2017, and GNU GPL'd, by Julian Seward et al.
==1341== Using Valgrind-3.16.1 and LibVEX; rerun with -h for copyright info
==1341== Command: ./a.out
==1341==
<string>:1: error: identifier expected
==1341== Invalid read of size 8
==1341==    at 0x11A098: label_pop (tccgen.c:786)
==1341==    by 0x12C247: gen_function (tccgen.c:8290)
==1341==    by 0x12CA93: decl (tccgen.c:8543)
==1341==    by 0x1192FF: tccgen_compile (tccgen.c:393)
==1341==    by 0x10BC2F: tcc_compile (libtcc.c:746)
==1341==    by 0x10BCA7: tcc_compile_string (libtcc.c:760)
==1341==    by 0x10A8E3: use_libtcc (in /home/raible/qroq/bug/a.out)
==1341==    by 0x10A967: main (in /home/raible/qroq/bug/a.out)
==1341==  Address 0x4bc1ab8 is 1,160 bytes inside a block of size 8,176 free'd
==1341==    at 0x484AFE0: free (vg_replace_malloc.c:538)
==1341==    by 0x10AD37: tcc_free (libtcc.c:257)
==1341==    by 0x10AF57: dynarray_reset (libtcc.c:481)
==1341==    by 0x11938B: tccgen_finish (tccgen.c:411)
==1341==    by 0x10BC3F: tcc_compile (libtcc.c:751)
==1341==    by 0x10BCA7: tcc_compile_string (libtcc.c:760)
==1341==    by 0x10A8E3: use_libtcc (in /home/raible/qroq/bug/a.out)
==1341==    by 0x10A95B: main (in /home/raible/qroq/bug/a.out)
==1341==  Block was alloc'd at
==1341==    at 0x4849E4C: malloc (vg_replace_malloc.c:307)
==1341==    by 0x10AD57: tcc_malloc (libtcc.c:263)
==1341==    by 0x1198C3: __sym_malloc (tccgen.c:578)
==1341==    by 0x11997B: sym_malloc (tccgen.c:598)
==1341==    by 0x1199F3: sym_push2 (tccgen.c:622)
==1341==    by 0x117147: macro_subst_tok (tccpp.c:3366)
==1341==    by 0x1172FF: macro_subst (tccpp.c:3421)
==1341==    by 0x116203: macro_arg_subst (tccpp.c:3014)
==1341==    by 0x1170AB: macro_subst_tok (tccpp.c:3350)
==1341==    by 0x117683: next (tccpp.c:3508)
==1341==    by 0x10E76F: skip (tccpp.c:105)
==1341==    by 0x12CF2F: decl (tccgen.c:8637)
==1341==
==1341== Invalid read of size 2
==1341==    at 0x11A0A4: label_pop (tccgen.c:787)
==1341==    by 0x12C247: gen_function (tccgen.c:8290)
==1341==    by 0x12CA93: decl (tccgen.c:8543)
==1341==    by 0x1192FF: tccgen_compile (tccgen.c:393)
==1341==    by 0x10BC2F: tcc_compile (libtcc.c:746)
==1341==    by 0x10BCA7: tcc_compile_string (libtcc.c:760)
==1341==    by 0x10A8E3: use_libtcc (in /home/raible/qroq/bug/a.out)
==1341==    by 0x10A967: main (in /home/raible/qroq/bug/a.out)
==1341==  Address 0x4bc1a94 is 1,124 bytes inside a block of size 8,176 free'd
==1341==    at 0x484AFE0: free (vg_replace_malloc.c:538)
==1341==    by 0x10AD37: tcc_free (libtcc.c:257)
==1341==    by 0x10AF57: dynarray_reset (libtcc.c:481)
==1341==    by 0x11938B: tccgen_finish (tccgen.c:411)
==1341==    by 0x10BC3F: tcc_compile (libtcc.c:751)
==1341==    by 0x10BCA7: tcc_compile_string (libtcc.c:760)
==1341==    by 0x10A8E3: use_libtcc (in /home/raible/qroq/bug/a.out)
==1341==    by 0x10A95B: main (in /home/raible/qroq/bug/a.out)
==1341==  Block was alloc'd at
==1341==    at 0x4849E4C: malloc (vg_replace_malloc.c:307)
==1341==    by 0x10AD57: tcc_malloc (libtcc.c:263)
==1341==    by 0x1198C3: __sym_malloc (tccgen.c:578)
==1341==    by 0x11997B: sym_malloc (tccgen.c:598)
==1341==    by 0x1199F3: sym_push2 (tccgen.c:622)
==1341==    by 0x117147: macro_subst_tok (tccpp.c:3366)
==1341==    by 0x1172FF: macro_subst (tccpp.c:3421)
==1341==    by 0x116203: macro_arg_subst (tccpp.c:3014)
==1341==    by 0x1170AB: macro_subst_tok (tccpp.c:3350)
==1341==    by 0x117683: next (tccpp.c:3508)
==1341==    by 0x10E76F: skip (tccpp.c:105)
==1341==    by 0x12CF2F: decl (tccgen.c:8637)
==1341==
==1341== Invalid read of size 2
==1341==    at 0x11A0EC: label_pop (tccgen.c:789)
==1341==    by 0x12C247: gen_function (tccgen.c:8290)
==1341==    by 0x12CA93: decl (tccgen.c:8543)
==1341==    by 0x1192FF: tccgen_compile (tccgen.c:393)
==1341==    by 0x10BC2F: tcc_compile (libtcc.c:746)
==1341==    by 0x10BCA7: tcc_compile_string (libtcc.c:760)
==1341==    by 0x10A8E3: use_libtcc (in /home/raible/qroq/bug/a.out)
==1341==    by 0x10A967: main (in /home/raible/qroq/bug/a.out)
==1341==  Address 0x4bc1a94 is 1,124 bytes inside a block of size 8,176 free'd
==1341==    at 0x484AFE0: free (vg_replace_malloc.c:538)
==1341==    by 0x10AD37: tcc_free (libtcc.c:257)
==1341==    by 0x10AF57: dynarray_reset (libtcc.c:481)
==1341==    by 0x11938B: tccgen_finish (tccgen.c:411)
==1341==    by 0x10BC3F: tcc_compile (libtcc.c:751)
==1341==    by 0x10BCA7: tcc_compile_string (libtcc.c:760)
==1341==    by 0x10A8E3: use_libtcc (in /home/raible/qroq/bug/a.out)
==1341==    by 0x10A95B: main (in /home/raible/qroq/bug/a.out)
==1341==  Block was alloc'd at
==1341==    at 0x4849E4C: malloc (vg_replace_malloc.c:307)
==1341==    by 0x10AD57: tcc_malloc (libtcc.c:263)
==1341==    by 0x1198C3: __sym_malloc (tccgen.c:578)
==1341==    by 0x11997B: sym_malloc (tccgen.c:598)
==1341==    by 0x1199F3: sym_push2 (tccgen.c:622)
==1341==    by 0x117147: macro_subst_tok (tccpp.c:3366)
==1341==    by 0x1172FF: macro_subst (tccpp.c:3421)
==1341==    by 0x116203: macro_arg_subst (tccpp.c:3014)
==1341==    by 0x1170AB: macro_subst_tok (tccpp.c:3350)
==1341==    by 0x117683: next (tccpp.c:3508)
==1341==    by 0x10E76F: skip (tccpp.c:105)
==1341==    by 0x12CF2F: decl (tccgen.c:8637)
==1341==
==1341== Invalid read of size 4
==1341==    at 0x11A11C: label_pop (tccgen.c:793)
==1341==    by 0x12C247: gen_function (tccgen.c:8290)
==1341==    by 0x12CA93: decl (tccgen.c:8543)
==1341==    by 0x1192FF: tccgen_compile (tccgen.c:393)
==1341==    by 0x10BC2F: tcc_compile (libtcc.c:746)
==1341==    by 0x10BCA7: tcc_compile_string (libtcc.c:760)
==1341==    by 0x10A8E3: use_libtcc (in /home/raible/qroq/bug/a.out)
==1341==    by 0x10A967: main (in /home/raible/qroq/bug/a.out)
==1341==  Address 0x4bc1a98 is 1,128 bytes inside a block of size 8,176 free'd
==1341==    at 0x484AFE0: free (vg_replace_malloc.c:538)
==1341==    by 0x10AD37: tcc_free (libtcc.c:257)
==1341==    by 0x10AF57: dynarray_reset (libtcc.c:481)
==1341==    by 0x11938B: tccgen_finish (tccgen.c:411)
==1341==    by 0x10BC3F: tcc_compile (libtcc.c:751)
==1341==    by 0x10BCA7: tcc_compile_string (libtcc.c:760)
==1341==    by 0x10A8E3: use_libtcc (in /home/raible/qroq/bug/a.out)
==1341==    by 0x10A95B: main (in /home/raible/qroq/bug/a.out)
==1341==  Block was alloc'd at
==1341==    at 0x4849E4C: malloc (vg_replace_malloc.c:307)
==1341==    by 0x10AD57: tcc_malloc (libtcc.c:263)
==1341==    by 0x1198C3: __sym_malloc (tccgen.c:578)
==1341==    by 0x11997B: sym_malloc (tccgen.c:598)
==1341==    by 0x1199F3: sym_push2 (tccgen.c:622)
==1341==    by 0x117147: macro_subst_tok (tccpp.c:3366)
==1341==    by 0x1172FF: macro_subst (tccpp.c:3421)
==1341==    by 0x116203: macro_arg_subst (tccpp.c:3014)
==1341==    by 0x1170AB: macro_subst_tok (tccpp.c:3350)
==1341==    by 0x117683: next (tccpp.c:3508)
==1341==    by 0x10E76F: skip (tccpp.c:105)
==1341==    by 0x12CF2F: decl (tccgen.c:8637)
==1341==
==1341== Invalid read of size 2
==1341==    at 0x11A158: label_pop (tccgen.c:800)
==1341==    by 0x12C247: gen_function (tccgen.c:8290)
==1341==    by 0x12CA93: decl (tccgen.c:8543)
==1341==    by 0x1192FF: tccgen_compile (tccgen.c:393)
==1341==    by 0x10BC2F: tcc_compile (libtcc.c:746)
==1341==    by 0x10BCA7: tcc_compile_string (libtcc.c:760)
==1341==    by 0x10A8E3: use_libtcc (in /home/raible/qroq/bug/a.out)
==1341==    by 0x10A967: main (in /home/raible/qroq/bug/a.out)
==1341==  Address 0x4bc1a94 is 1,124 bytes inside a block of size 8,176 free'd
==1341==    at 0x484AFE0: free (vg_replace_malloc.c:538)
==1341==    by 0x10AD37: tcc_free (libtcc.c:257)
==1341==    by 0x10AF57: dynarray_reset (libtcc.c:481)
==1341==    by 0x11938B: tccgen_finish (tccgen.c:411)
==1341==    by 0x10BC3F: tcc_compile (libtcc.c:751)
==1341==    by 0x10BCA7: tcc_compile_string (libtcc.c:760)
==1341==    by 0x10A8E3: use_libtcc (in /home/raible/qroq/bug/a.out)
==1341==    by 0x10A95B: main (in /home/raible/qroq/bug/a.out)
==1341==  Block was alloc'd at
==1341==    at 0x4849E4C: malloc (vg_replace_malloc.c:307)
==1341==    by 0x10AD57: tcc_malloc (libtcc.c:263)
==1341==    by 0x1198C3: __sym_malloc (tccgen.c:578)
==1341==    by 0x11997B: sym_malloc (tccgen.c:598)
==1341==    by 0x1199F3: sym_push2 (tccgen.c:622)
==1341==    by 0x117147: macro_subst_tok (tccpp.c:3366)
==1341==    by 0x1172FF: macro_subst (tccpp.c:3421)
==1341==    by 0x116203: macro_arg_subst (tccpp.c:3014)
==1341==    by 0x1170AB: macro_subst_tok (tccpp.c:3350)
==1341==    by 0x117683: next (tccpp.c:3508)
==1341==    by 0x10E76F: skip (tccpp.c:105)
==1341==    by 0x12CF2F: decl (tccgen.c:8637)
==1341==
==1341== Invalid read of size 4
==1341==    at 0x11A174: label_pop (tccgen.c:801)
==1341==    by 0x12C247: gen_function (tccgen.c:8290)
==1341==    by 0x12CA93: decl (tccgen.c:8543)
==1341==    by 0x1192FF: tccgen_compile (tccgen.c:393)
==1341==    by 0x10BC2F: tcc_compile (libtcc.c:746)
==1341==    by 0x10BCA7: tcc_compile_string (libtcc.c:760)
==1341==    by 0x10A8E3: use_libtcc (in /home/raible/qroq/bug/a.out)
==1341==    by 0x10A967: main (in /home/raible/qroq/bug/a.out)
==1341==  Address 0x4bc1a90 is 1,120 bytes inside a block of size 8,176 free'd
==1341==    at 0x484AFE0: free (vg_replace_malloc.c:538)
==1341==    by 0x10AD37: tcc_free (libtcc.c:257)
==1341==    by 0x10AF57: dynarray_reset (libtcc.c:481)
==1341==    by 0x11938B: tccgen_finish (tccgen.c:411)
==1341==    by 0x10BC3F: tcc_compile (libtcc.c:751)
==1341==    by 0x10BCA7: tcc_compile_string (libtcc.c:760)
==1341==    by 0x10A8E3: use_libtcc (in /home/raible/qroq/bug/a.out)
==1341==    by 0x10A95B: main (in /home/raible/qroq/bug/a.out)
==1341==  Block was alloc'd at
==1341==    at 0x4849E4C: malloc (vg_replace_malloc.c:307)
==1341==    by 0x10AD57: tcc_malloc (libtcc.c:263)
==1341==    by 0x1198C3: __sym_malloc (tccgen.c:578)
==1341==    by 0x11997B: sym_malloc (tccgen.c:598)
==1341==    by 0x1199F3: sym_push2 (tccgen.c:622)
==1341==    by 0x117147: macro_subst_tok (tccpp.c:3366)
==1341==    by 0x1172FF: macro_subst (tccpp.c:3421)
==1341==    by 0x116203: macro_arg_subst (tccpp.c:3014)
==1341==    by 0x1170AB: macro_subst_tok (tccpp.c:3350)
==1341==    by 0x117683: next (tccpp.c:3508)
==1341==    by 0x10E76F: skip (tccpp.c:105)
==1341==    by 0x12CF2F: decl (tccgen.c:8637)
==1341==
==1341== Invalid read of size 8
==1341==    at 0x11A190: label_pop (tccgen.c:801)
==1341==    by 0x12C247: gen_function (tccgen.c:8290)
==1341==    by 0x12CA93: decl (tccgen.c:8543)
==1341==    by 0x1192FF: tccgen_compile (tccgen.c:393)
==1341==    by 0x10BC2F: tcc_compile (libtcc.c:746)
==1341==    by 0x10BCA7: tcc_compile_string (libtcc.c:760)
==1341==    by 0x10A8E3: use_libtcc (in /home/raible/qroq/bug/a.out)
==1341==    by 0x10A967: main (in /home/raible/qroq/bug/a.out)
==1341==  Address 0x4bc1ac0 is 1,168 bytes inside a block of size 8,176 free'd
==1341==    at 0x484AFE0: free (vg_replace_malloc.c:538)
==1341==    by 0x10AD37: tcc_free (libtcc.c:257)
==1341==    by 0x10AF57: dynarray_reset (libtcc.c:481)
==1341==    by 0x11938B: tccgen_finish (tccgen.c:411)
==1341==    by 0x10BC3F: tcc_compile (libtcc.c:751)
==1341==    by 0x10BCA7: tcc_compile_string (libtcc.c:760)
==1341==    by 0x10A8E3: use_libtcc (in /home/raible/qroq/bug/a.out)
==1341==    by 0x10A95B: main (in /home/raible/qroq/bug/a.out)
==1341==  Block was alloc'd at
==1341==    at 0x4849E4C: malloc (vg_replace_malloc.c:307)
==1341==    by 0x10AD57: tcc_malloc (libtcc.c:263)
==1341==    by 0x1198C3: __sym_malloc (tccgen.c:578)
==1341==    by 0x11997B: sym_malloc (tccgen.c:598)
==1341==    by 0x1199F3: sym_push2 (tccgen.c:622)
==1341==    by 0x117147: macro_subst_tok (tccpp.c:3366)
==1341==    by 0x1172FF: macro_subst (tccpp.c:3421)
==1341==    by 0x116203: macro_arg_subst (tccpp.c:3014)
==1341==    by 0x1170AB: macro_subst_tok (tccpp.c:3350)
==1341==    by 0x117683: next (tccpp.c:3508)
==1341==    by 0x10E76F: skip (tccpp.c:105)
==1341==    by 0x12CF2F: decl (tccgen.c:8637)
==1341==
==1341== Use of uninitialised value of size 8
==1341==    at 0x11A194: label_pop (tccgen.c:801)
==1341==    by 0x12C247: gen_function (tccgen.c:8290)
==1341==    by 0x12CA93: decl (tccgen.c:8543)
==1341==    by 0x1192FF: tccgen_compile (tccgen.c:393)
==1341==    by 0x10BC2F: tcc_compile (libtcc.c:746)
==1341==    by 0x10BCA7: tcc_compile_string (libtcc.c:760)
==1341==    by 0x10A8E3: use_libtcc (in /home/raible/qroq/bug/a.out)
==1341==    by 0x10A967: main (in /home/raible/qroq/bug/a.out)
==1341==
==1341== Invalid write of size 8
==1341==    at 0x11A194: label_pop (tccgen.c:801)
==1341==    by 0x12C247: gen_function (tccgen.c:8290)
==1341==    by 0x12CA93: decl (tccgen.c:8543)
==1341==    by 0x1192FF: tccgen_compile (tccgen.c:393)
==1341==    by 0x10BC2F: tcc_compile (libtcc.c:746)
==1341==    by 0x10BCA7: tcc_compile_string (libtcc.c:760)
==1341==    by 0x10A8E3: use_libtcc (in /home/raible/qroq/bug/a.out)
==1341==    by 0x10A967: main (in /home/raible/qroq/bug/a.out)
==1341==  Address 0x10 is not stack'd, malloc'd or (recently) free'd
==1341==
==1341==
==1341== Process terminating with default action of signal 11 (SIGSEGV)
==1341==  Access not within mapped region at address 0x10
==1341==    at 0x11A194: label_pop (tccgen.c:801)
==1341==    by 0x12C247: gen_function (tccgen.c:8290)
==1341==    by 0x12CA93: decl (tccgen.c:8543)
==1341==    by 0x1192FF: tccgen_compile (tccgen.c:393)
==1341==    by 0x10BC2F: tcc_compile (libtcc.c:746)
==1341==    by 0x10BCA7: tcc_compile_string (libtcc.c:760)
==1341==    by 0x10A8E3: use_libtcc (in /home/raible/qroq/bug/a.out)
==1341==    by 0x10A967: main (in /home/raible/qroq/bug/a.out)
==1341==  If you believe this happened as a result of a stack
==1341==  overflow in your program's main thread (unlikely but
==1341==  possible), you can try to increase the size of the
==1341==  main thread stack using the --main-stacksize= flag.
==1341==  The main thread stack size used in this run was 10022912.
couldn't tcc_compile_string()
==1341==
==1341== HEAP SUMMARY:
==1341==     in use at exit: 1,621,457 bytes in 52 blocks
==1341==   total heap usage: 687 allocs, 635 frees, 3,524,825 bytes allocated
==1341==
==1341== LEAK SUMMARY:
==1341==    definitely lost: 0 bytes in 0 blocks
==1341==    indirectly lost: 0 bytes in 0 blocks
==1341==      possibly lost: 0 bytes in 0 blocks
==1341==    still reachable: 1,621,457 bytes in 52 blocks
==1341==         suppressed: 0 bytes in 0 blocks
==1341== Rerun with --leak-check=full to see details of leaked memory
==1341==
==1341== Use --track-origins=yes to see where uninitialised values come from
==1341== For lists of detected and suppressed errors, rerun with: -s
==1341== ERROR SUMMARY: 9 errors from 9 contexts (suppressed: 0 from 0)
segmentation fault (core dumped)

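The valgrind trace above has a recognisable shape: a Sym is carved out of a per-compile pool (sym_push2 -> sym_malloc), the pool is freed when the first compile finishes (tccgen_finish -> dynarray_reset), and the next compile's label_pop still walks a list head that points into that freed block. The following is an added editor's model of that pattern and of the obvious hardening (reset the static list head before the pool goes away); it is not tcc's code, and the names CompileState, label_push, finish_buggy and finish_fixed are hypothetical. Whether tcc's actual fix took this exact form is not established by the report.

```c
#include <stdio.h>
#include <stdlib.h>

/* Hypothetical model, not tcc source: symbols live in a per-compile pool,
 * but the label stack head is a static that is not owned by the pool. */
typedef struct Sym {
    int tok;            /* label token id */
    struct Sym *prev;   /* previous label on the stack */
} Sym;

enum { POOL_SYMS = 64 };

typedef struct CompileState {
    Sym *pool;          /* one heap block holding every Sym of this compile */
    int used;
} CompileState;

/* Static rather than per-state: this is what outlives the pool. */
static Sym *global_label_stack;

static Sym *sym_alloc(CompileState *st, int tok) {
    if (!st->pool) st->pool = calloc(POOL_SYMS, sizeof *st->pool);
    if (!st->pool || st->used >= POOL_SYMS) return NULL;
    Sym *s = &st->pool[st->used++];
    s->tok = tok;
    return s;
}

static void label_push(CompileState *st, int tok) {
    Sym *s = sym_alloc(st, tok);
    if (!s) return;
    s->prev = global_label_stack;
    global_label_stack = s;
}

/* Drop every label; returns how many were popped. */
static int label_pop_all(void) {
    int n = 0;
    while (global_label_stack) { global_label_stack = global_label_stack->prev; n++; }
    return n;
}

/* One function body: push its labels, then either bail out on a syntax
 * error (the way a longjmp to an error handler skips the normal pop) or
 * pop them at the end of the function as the happy path would. */
static int gen_function(CompileState *st, const int *labels, int nlabels, int syntax_error) {
    for (int i = 0; i < nlabels; i++) label_push(st, labels[i]);
    if (syntax_error) return -1;
    label_pop_all();
    return 0;
}

/* Buggy teardown: the pool is freed but the static head keeps pointing into it. */
static void finish_buggy(CompileState *st) {
    free(st->pool); st->pool = NULL; st->used = 0;
}

/* Hardened teardown: clear the static head while the pool is still valid. */
static void finish_fixed(CompileState *st) {
    label_pop_all();                 /* equivalently: global_label_stack = NULL; */
    free(st->pool); st->pool = NULL; st->used = 0;
}

/* 1 if the static head still points at something after teardown, i.e. the
 * next compile's label_pop would read freed memory. The pointer is only
 * compared, never dereferenced, so this check itself is safe. */
static int label_stack_dangling(void) { return global_label_stack != NULL; }

/* Scenario from the report: first compile hits a syntax error after a label
 * was pushed, then the state is torn down. Returns the dangling status. */
static int run_scenario(int fixed) {
    CompileState st = {0};
    int labels[] = { 1 };             /* constructed input: one label, like "a:" */
    global_label_stack = NULL;
    gen_function(&st, labels, 1, 1);  /* error path, pop is skipped */
    if (fixed) finish_fixed(&st); else finish_buggy(&st);
    return label_stack_dangling();
}

int main(void) {
    printf("buggy teardown leaves dangling head: %d\n", run_scenario(0));
    printf("fixed teardown leaves dangling head: %d\n", run_scenario(1));
    return 0;
}
```

The point for a libtcc host is that a failed tcc_compile_string() can leave state behind in statics that tcc_delete() does not own, so a fresh TCCState is not by itself a clean slate after an error; until the library resets that state on teardown, running each untrusted compile in its own process is the conservative way to contain a malformed input.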

