https://gcc.gnu.org/bugzilla/show_bug.cgi?id=78618
--- Comment #14 from Dominique d'Humieres <dominiq at lps dot ens.fr> ---
Using a gfortran configured with:

../work/configure --prefix=/opt/gcc/gcc7g --enable-languages=c,c++,fortran --with-gmp=/opt/mp-new --with-system-zlib --with-isl=/opt/mp-new --disable-bootstrap --disable-multilib --disable-libstdcxx CFLAGS='-L/opt/gcc/gcc7a/lib -lasan -lubsan -fsanitize=address,undefined,leak -Og -g -fno-omit-frame-pointer' CXXFLAGS='-fsanitize=address,undefined,leak -Og -g -fno-omit-frame-pointer' LDFLAGS='-L/opt/gcc/gcc7a/lib -lasan -lubsan -ldl -lpthread'

I get

/opt/gcc/_clean/gcc/testsuite/gfortran.dg/char_conversion.f90:8:30:

   character, parameter :: c = char(256,4) ! { dg-error "cannot be converted" }
                              1
Error: Character '\u0100' in string at (1) cannot be converted into character kind 1
=================================================================
==91770==ERROR: AddressSanitizer: heap-use-after-free on address 0x604000000f10 at pc 0x000106a8ba7a bp 0x7fff5fbfe790 sp 0x7fff5fbfe788
READ of size 8 at 0x604000000f10 thread T0
    #0 0x106a8ba79 in resolve_fl_procedure(gfc_symbol*, int) (/opt/gcc/gcc7g/libexec/gcc/x86_64-apple-darwin16.1.0/7.0.0/f951+0x106a8ba79)
    #1 0x10030fca5 in resolve_symbol(gfc_symbol*) (/opt/gcc/gcc7g/libexec/gcc/x86_64-apple-darwin16.1.0/7.0.0/f951+0x10030fca5)
    #2 0x1003ad42a in do_traverse_symtree(gfc_symtree*, void (*)(gfc_symtree*), void (*)(gfc_symbol*)) (/opt/gcc/gcc7g/libexec/gcc/x86_64-apple-darwin16.1.0/7.0.0/f951+0x1003ad42a)
    #3 0x1003c5ff4 in gfc_traverse_ns(gfc_namespace*, void (*)(gfc_symbol*)) (/opt/gcc/gcc7g/libexec/gcc/x86_64-apple-darwin16.1.0/7.0.0/f951+0x1003c5ff4)
    #4 0x1003562e3 in resolve_types(gfc_namespace*) (/opt/gcc/gcc7g/libexec/gcc/x86_64-apple-darwin16.1.0/7.0.0/f951+0x1003562e3)
    #5 0x1003050b4 in gfc_resolve(gfc_namespace*) (/opt/gcc/gcc7g/libexec/gcc/x86_64-apple-darwin16.1.0/7.0.0/f951+0x1003050b4)
    #6 0x10028b192 in resolve_all_program_units(gfc_namespace*) (/opt/gcc/gcc7g/libexec/gcc/x86_64-apple-darwin16.1.0/7.0.0/f951+0x10028b192)
    #7 0x1002a78c7 in gfc_parse_file() (/opt/gcc/gcc7g/libexec/gcc/x86_64-apple-darwin16.1.0/7.0.0/f951+0x1002a78c7)
    #8 0x1004059e7 in gfc_be_parse_file() (/opt/gcc/gcc7g/libexec/gcc/x86_64-apple-darwin16.1.0/7.0.0/f951+0x1004059e7)
    #9 0x104b213a0 in compile_file() (/opt/gcc/gcc7g/libexec/gcc/x86_64-apple-darwin16.1.0/7.0.0/f951+0x104b213a0)
    #10 0x104b29e39 in do_compile() (/opt/gcc/gcc7g/libexec/gcc/x86_64-apple-darwin16.1.0/7.0.0/f951+0x104b29e39)
    #11 0x106c1094e in toplev::main(int, char**) (/opt/gcc/gcc7g/libexec/gcc/x86_64-apple-darwin16.1.0/7.0.0/f951+0x106c1094e)
    #12 0x106c15c67 in main (/opt/gcc/gcc7g/libexec/gcc/x86_64-apple-darwin16.1.0/7.0.0/f951+0x106c15c67)
    #13 0x7fffe8d83254 in start (/usr/lib/system/libdyld.dylib+0x5254)

0x604000000f10 is located 0 bytes inside of 48-byte region [0x604000000f10,0x604000000f40)
freed by thread T0 here:
    #0 0x152b7d8b0 in wrap_free.part.0 (/opt/gcc/gcc7a/lib/libasan.4.dylib+0x638b0)
    #1 0x1003c4e30 in gfc_free_charlen(gfc_charlen*, gfc_charlen*) (/opt/gcc/gcc7g/libexec/gcc/x86_64-apple-darwin16.1.0/7.0.0/f951+0x1003c4e30)
    #2 0x10028c005 in reject_statement() (/opt/gcc/gcc7g/libexec/gcc/x86_64-apple-darwin16.1.0/7.0.0/f951+0x10028c005)
    #3 0x10028c3a9 in match_word(char const*, match (*)(), locus*) (/opt/gcc/gcc7g/libexec/gcc/x86_64-apple-darwin16.1.0/7.0.0/f951+0x10028c3a9)
    #4 0x100296fe6 in decode_statement() (/opt/gcc/gcc7g/libexec/gcc/x86_64-apple-darwin16.1.0/7.0.0/f951+0x100296fe6)
    #5 0x1002995b9 in next_free() (/opt/gcc/gcc7g/libexec/gcc/x86_64-apple-darwin16.1.0/7.0.0/f951+0x1002995b9)
    #6 0x10029a0ec in next_statement() (/opt/gcc/gcc7g/libexec/gcc/x86_64-apple-darwin16.1.0/7.0.0/f951+0x10029a0ec)
    #7 0x10029f4c6 in parse_spec(gfc_statement) (/opt/gcc/gcc7g/libexec/gcc/x86_64-apple-darwin16.1.0/7.0.0/f951+0x10029f4c6)
    #8 0x1002a5827 in parse_progunit(gfc_statement) (/opt/gcc/gcc7g/libexec/gcc/x86_64-apple-darwin16.1.0/7.0.0/f951+0x1002a5827)
    #9 0x1002a7820 in gfc_parse_file() (/opt/gcc/gcc7g/libexec/gcc/x86_64-apple-darwin16.1.0/7.0.0/f951+0x1002a7820)
    #10 0x1004059e7 in gfc_be_parse_file() (/opt/gcc/gcc7g/libexec/gcc/x86_64-apple-darwin16.1.0/7.0.0/f951+0x1004059e7)
    #11 0x104b213a0 in compile_file() (/opt/gcc/gcc7g/libexec/gcc/x86_64-apple-darwin16.1.0/7.0.0/f951+0x104b213a0)
    #12 0x104b29e39 in do_compile() (/opt/gcc/gcc7g/libexec/gcc/x86_64-apple-darwin16.1.0/7.0.0/f951+0x104b29e39)
    #13 0x106c1094e in toplev::main(int, char**) (/opt/gcc/gcc7g/libexec/gcc/x86_64-apple-darwin16.1.0/7.0.0/f951+0x106c1094e)
    #14 0x106c15c67 in main (/opt/gcc/gcc7g/libexec/gcc/x86_64-apple-darwin16.1.0/7.0.0/f951+0x106c15c67)
    #15 0x7fffe8d83254 in start (/usr/lib/system/libdyld.dylib+0x5254)

previously allocated by thread T0 here:
    #0 0x152b7cf30 in wrap_calloc (/opt/gcc/gcc7a/lib/libasan.4.dylib+0x62f30)
    #1 0x1069d26eb in xcalloc (/opt/gcc/gcc7g/libexec/gcc/x86_64-apple-darwin16.1.0/7.0.0/f951+0x1069d26eb)
    #2 0x1003c30bf in gfc_new_charlen(gfc_namespace*, gfc_charlen*) (/opt/gcc/gcc7g/libexec/gcc/x86_64-apple-darwin16.1.0/7.0.0/f951+0x1003c30bf)
    #3 0x100086948 in gfc_match_char_spec(gfc_typespec*) (/opt/gcc/gcc7g/libexec/gcc/x86_64-apple-darwin16.1.0/7.0.0/f951+0x100086948)
    #4 0x100099d1c in gfc_match_decl_type_spec(gfc_typespec*, int) (/opt/gcc/gcc7g/libexec/gcc/x86_64-apple-darwin16.1.0/7.0.0/f951+0x100099d1c)
    #5 0x1000a7d50 in gfc_match_data_decl() (/opt/gcc/gcc7g/libexec/gcc/x86_64-apple-darwin16.1.0/7.0.0/f951+0x1000a7d50)
    #6 0x10028c33c in match_word(char const*, match (*)(), locus*) (/opt/gcc/gcc7g/libexec/gcc/x86_64-apple-darwin16.1.0/7.0.0/f951+0x10028c33c)
    #7 0x100296fe6 in decode_statement() (/opt/gcc/gcc7g/libexec/gcc/x86_64-apple-darwin16.1.0/7.0.0/f951+0x100296fe6)
    #8 0x1002995b9 in next_free() (/opt/gcc/gcc7g/libexec/gcc/x86_64-apple-darwin16.1.0/7.0.0/f951+0x1002995b9)
    #9 0x10029a0ec in next_statement() (/opt/gcc/gcc7g/libexec/gcc/x86_64-apple-darwin16.1.0/7.0.0/f951+0x10029a0ec)
    #10 0x10029f4c6 in parse_spec(gfc_statement) (/opt/gcc/gcc7g/libexec/gcc/x86_64-apple-darwin16.1.0/7.0.0/f951+0x10029f4c6)
    #11 0x1002a5827 in parse_progunit(gfc_statement) (/opt/gcc/gcc7g/libexec/gcc/x86_64-apple-darwin16.1.0/7.0.0/f951+0x1002a5827)
    #12 0x1002a7820 in gfc_parse_file() (/opt/gcc/gcc7g/libexec/gcc/x86_64-apple-darwin16.1.0/7.0.0/f951+0x1002a7820)
    #13 0x1004059e7 in gfc_be_parse_file() (/opt/gcc/gcc7g/libexec/gcc/x86_64-apple-darwin16.1.0/7.0.0/f951+0x1004059e7)
    #14 0x104b213a0 in compile_file() (/opt/gcc/gcc7g/libexec/gcc/x86_64-apple-darwin16.1.0/7.0.0/f951+0x104b213a0)
    #15 0x104b29e39 in do_compile() (/opt/gcc/gcc7g/libexec/gcc/x86_64-apple-darwin16.1.0/7.0.0/f951+0x104b29e39)
    #16 0x106c1094e in toplev::main(int, char**) (/opt/gcc/gcc7g/libexec/gcc/x86_64-apple-darwin16.1.0/7.0.0/f951+0x106c1094e)
    #17 0x106c15c67 in main (/opt/gcc/gcc7g/libexec/gcc/x86_64-apple-darwin16.1.0/7.0.0/f951+0x106c15c67)
    #18 0x7fffe8d83254 in start (/usr/lib/system/libdyld.dylib+0x5254)

SUMMARY: AddressSanitizer: heap-use-after-free (/opt/gcc/gcc7g/libexec/gcc/x86_64-apple-darwin16.1.0/7.0.0/f951+0x106a8ba79) in resolve_fl_procedure(gfc_symbol*, int)
Shadow bytes around the buggy address:
  0x1c08000001c0: fa fa fd fd fd fd fd fd fa fa fd fd fd fd fd fd
  0x1c08000001d0: fa fa fd fd fd fd fd fd fa fa fd fd fd fd fd fa
=>0x1c08000001e0: fa fa[fd]fd fd fd fd fd fa fa fd fd fd fd fd fd
  0x1c08000001f0: fa fa fd fd fd fd fd fd fa fa fd fd fd fd fd fa
  0x1c0800000200: fa fa fd fd fd fd fd fa fa fa fd fd fd fd fd fa
  0x1c0800000210: fa fa fd fd fd fd fd fa fa fa fd fd fd fd fd fd
  0x1c0800000220: fa fa fd fd fd fd fd fd fa fa fd fd fd fd fd fa
  0x1c0800000230: fa fa 00 00 00 00 00 00 fa fa fd fd fd fd fd fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==91770==ABORTING
f951: internal compiler error: Abort trap: 6
gfcg: internal compiler error: Abort trap: 6 (program f951)

This is quite similar to what I get for pr65173 comment 7.

This is also a non-deterministic failure:

[Book15] f90/bug% gfc /opt/gcc/_clean/gcc/testsuite/gfortran.dg/char_conversion.f90
/opt/gcc/_clean/gcc/testsuite/gfortran.dg/char_conversion.f90:8:30:

   character, parameter :: c = char(256,4) ! { dg-error "cannot be converted" }
                              1
Error: Character '\u0100' in string at (1) cannot be converted into character kind 1
[Book15] f90/bug% gfc /opt/gcc/_clean/gcc/testsuite/gfortran.dg/char_conversion.f90
/opt/gcc/_clean/gcc/testsuite/gfortran.dg/char_conversion.f90:8:30:

   character, parameter :: c = char(256,4) ! { dg-error "cannot be converted" }
                              1
Error: Character '\u0100' in string at (1) cannot be converted into character kind 1
f951: internal compiler error: Segmentation fault: 11
...