Closed
Description
gccgo built with asan crashes on the following input (quoted form):
"package\rG\n//line \u205f" +
"\u205f\u205f\u205f\u205f\u205f\u205f\xe2\x81" +
"\x9f\u205f\u205f\u205f\u205f\u205f\u205f\xe2" +
"\x81\x9f\u205f\u205f\u205f\u205f\u205f\u205f" +
"\u205f\u205f\u205f\u205f\u205f\u205f\xe2\x81" +
"\x9f\u205f\u205f\u205f\u205f\u205f:1"
==100579==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60c00000bab8 at pc 0x000000681676 bp 0x7fff65a42dc0 sp 0x7fff65a42570
READ of size 14 at 0x60c00000bab8 thread T0
#0 0x681675 in __interceptor_memcmp ../../../../libsanitizer/asan/asan_interceptors.cc:332
#1 0x7e489e in Lex::skip_cpp_comment() ../../gcc/go/gofrontend/lex.cc:1731
#2 0x7e6dda in Lex::next_token() ../../gcc/go/gofrontend/lex.cc:593
#3 0x7e80a4 in Parse::advance_token() ../../gcc/go/gofrontend/parse.cc:80
#4 0x8141d2 in Parse::program() ../../gcc/go/gofrontend/parse.cc:5648
#5 0x78966f in go_parse_input_files(char const**, unsigned int, bool, bool) ../../gcc/go/gofrontend/go.cc:73
#6 0x77c961 in go_langhook_parse_file ../../gcc/go/go-lang.c:304
#7 0x14ae7f2 in compile_file ../../gcc/toplev.c:551
#8 0x61fe29 in do_compile ../../gcc/toplev.c:2061
#9 0x61fe29 in toplev::main(int, char**) ../../gcc/toplev.c:2162
#10 0x629457 in main ../../gcc/main.c:39
#11 0x7f00dcfd4ec4 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21ec4)
#12 0x62a292 (/usr/local/google/home/dvyukov/src/gcc/build_asan/gcc/go1+0x62a292)
0x60c00000bab8 is located 0 bytes to the right of 120-byte region [0x60c00000ba40,0x60c00000bab8)
allocated by thread T0 here:
#0 0x6a1eca in operator new[](unsigned long) ../../../../libsanitizer/asan/asan_new_delete.cc:62
#1 0x7df932 in Lex::Lex(char const*, _IO_FILE*, Linemap*) ../../gcc/go/gofrontend/lex.cc:448
SUMMARY: AddressSanitizer: heap-buffer-overflow ../../../../libsanitizer/asan/asan_interceptors.cc:332 __interceptor_memcmp
gcc version 6.0.0 2015070 (experimental) (GCC)
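An added illustration, not code from the report or from gccgo: it rebuilds the quoted input (which decodes to "//line " followed by 33 U+205F spaces and ":1") and shows the length guard a lexer needs before a fixed-length memcmp at the end of its buffer. The scan over the directive and the 14-byte keyword "go:nointerface" are assumptions; the report does not show what lex.cc:1731 compares.

```c
#include <stdbool.h>
#include <stddef.h>
#include <string.h>

/* Constructed reproducer: the input quoted in the report. "\xe2\x81\x9f" is the
 * UTF-8 encoding of U+205F, so the quoted pieces join into "//line ", 33 MEDIUM
 * MATHEMATICAL SPACE characters and ":1". Returns the length, 118 bytes. */
static char g_input[128];
static size_t build_input(void) {
    size_t n = 17;
    memcpy(g_input, "package\rG\n//line ", 17);
    for (int i = 0; i < 33; i++, n += 3) memcpy(g_input + n, "\xe2\x81\x9f", 3);
    memcpy(g_input + n, ":1", 2); n += 2;
    g_input[n] = '\0';
    return n;
}

/* Bounds-checked keyword compare: the guard a lexer needs before a fixed-length
 * memcmp near the end of its buffer. Without the (pend - p) >= len test, memcmp
 * reads len bytes however few remain, which is the READ of size 14 at the end
 * of the 120-byte region in the report. */
static bool match_at(const char *p, const char *pend, const char *lit, size_t len) {
    return (size_t)(pend - p) >= len && memcmp(p, lit, len) == 0;
}

/* Simplified scan (an assumption, not the gofrontend's code): position just past
 * "//line " and its run of U+205F spaces, never advancing beyond pend. */
static const char *after_spaces(const char *buf, const char *pend) {
    const char *p = strstr(buf, "//line ") + 7;
    while (pend - p >= 3 && memcmp(p, "\xe2\x81\x9f", 3) == 0) p += 3;
    return p;
}

/* Bytes left once the spaces are skipped: only ":1". */
static long report_remaining(void) {
    const char *pend = g_input + build_input();
    return (long)(pend - after_spaces(g_input, pend));   /* 2 */
}

/* A 14-byte keyword compared there is rejected by the length guard without
 * touching memory past pend. "go:nointerface" stands in for whatever 14-byte
 * literal lex.cc:1731 compares; the report does not name it. */
static bool report_keyword_matches(void) {
    const char *pend = g_input + build_input();
    return match_at(after_spaces(g_input, pend), pend, "go:nointerface", 14); /* false */
}
```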