https://gcc.gnu.org/bugzilla/show_bug.cgi?id=87881
Dominique d'Humieres <dominiq at lps dot ens.fr> changed:
           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|UNCONFIRMED                 |NEW
   Last reconfirmed|                            |2018-11-06
     Ever confirmed|0                           |1
--- Comment #2 from Dominique d'Humieres <dominiq at lps dot ens.fr> ---
First, I have tested the patch at
https://gcc.gnu.org/bugzilla/attachment.cgi?id=44892
with the test in pr40196 comment 9 without seeing any problem.
So it seems that the problem has been introduced/uncovered by the subsequent
changes.
Second, I see the ICE for two quite different reduced tests:
module m
  character (:), allocatable :: str
  type :: mytype
    character(6) :: str
  end type
end module
  use m
  type(mytype) :: der
  str = "abcd"
! if (str%kind .ne. kind (str)) stop 6
  if (der%str%len .ne. len (der%str)) stop 7
end
for which the ICE is also seen for the commented line, and
complex, parameter :: zc = ( 99.0, 199.0 )
REAL, parameter :: rc = zc%re
REAL, parameter :: ic = zc%im
end
for which the two lines 'REAL, parameter' are needed to trigger the ICE.
Compiling these tests with an instrumented compiler gives:
=================================================================
==75699==ERROR: AddressSanitizer: heap-use-after-free on address 0x6170000045d8 at pc 0x00010015620e bp 0x7ffeefbfccf0 sp 0x7ffeefbfcce8
READ of size 8 at 0x6170000045d8 thread T0
#0 0x10015620d in simplify_ref_chain(gfc_ref*, int, gfc_expr**) expr.c:1943
#1 0x1001528fb in gfc_simplify_expr(gfc_expr*, int) expr.c:2064
#2 0x100369fe7 in gfc_match_varspec(gfc_expr*, int, bool, bool) primary.c:2287
#3 0x1003765a8 in gfc_match_rvalue(gfc_expr**) primary.c:3429
#4 0x10025a96b in match_primary(gfc_expr**) matchexp.c:157
#5 0x10025abfa in match_level_1(gfc_expr**) matchexp.c:211
#6 0x10025af6b in match_mult_operand(gfc_expr**) matchexp.c:264
#7 0x10025b7ac in match_add_operand(gfc_expr**) matchexp.c:351
#8 0x10025c1ba in match_level_2(gfc_expr**) matchexp.c:480
#9 0x10025c726 in match_level_3(gfc_expr**) matchexp.c:547
#10 0x10025cb9f in match_level_4(gfc_expr**) matchexp.c:593
#11 0x10025d9d5 in match_and_operand(gfc_expr**) matchexp.c:693
#12 0x10025dca8 in match_or_operand(gfc_expr**) matchexp.c:718
#13 0x10025e10d in match_equiv_operand(gfc_expr**) matchexp.c:761
#14 0x10025e57b in match_level_5(gfc_expr**) matchexp.c:806
#15 0x10025a48f in gfc_match_expr(gfc_expr**) matchexp.c:865
#16 0x10015adb1 in gfc_match_init_expr(gfc_expr**) expr.c:2987
#17 0x1000f6516 in variable_decl(int) decl.c:2715
#18 0x1000f77f3 in gfc_match_data_decl() decl.c:5926
#19 0x100330018 in match_word(char const*, match (*)(), locus*) parse.c:65
#20 0x10033c950 in decode_statement() parse.c:376
#21 0x10033eef6 in next_free() parse.c:1234
#22 0x10033f8cb in next_statement() parse.c:1466
#23 0x100345fab in parse_spec(gfc_statement) parse.c:3858
#24 0x10034cbfa in parse_progunit(gfc_statement) parse.c:5671
#25 0x10034f8de in gfc_parse_file() parse.c:6259
#26 0x100522fbf in gfc_be_parse_file() f95-lang.c:204
#27 0x10611cde8 in compile_file() toplev.c:455
#28 0x1061284a3 in do_compile() toplev.c:2172
#29 0x10915f5d7 in toplev::main(int, char**) toplev.c:2307
#30 0x1095b359c in main main.c:39
#31 0x7fff703f908c in start (libdyld.dylib:x86_64+0x1708c)
0x6170000045d8 is located 728 bytes inside of 736-byte region [0x617000004300,0x6170000045e0)
freed by thread T0 here:
#0 0x158cb18e0 in wrap_free.part.0 sanitizer_malloc_mac.inc:121
#1 0x10012e5f7 in gfc_free_ref_list(gfc_ref*) expr.c:599
#2 0x10012ecef in free_expr0(gfc_expr*) expr.c:505
#3 0x10012f0d0 in gfc_replace_expr(gfc_expr*, gfc_expr*) expr.c:616
#4 0x10015601c in simplify_ref_chain(gfc_ref*, int, gfc_expr**) expr.c:1970
#5 0x1001528fb in gfc_simplify_expr(gfc_expr*, int) expr.c:2064
#6 0x100369fe7 in gfc_match_varspec(gfc_expr*, int, bool, bool) primary.c:2287
#7 0x1003765a8 in gfc_match_rvalue(gfc_expr**) primary.c:3429
#8 0x10025a96b in match_primary(gfc_expr**) matchexp.c:157
#9 0x10025abfa in match_level_1(gfc_expr**) matchexp.c:211
#10 0x10025af6b in match_mult_operand(gfc_expr**) matchexp.c:264
#11 0x10025b7ac in match_add_operand(gfc_expr**) matchexp.c:351
#12 0x10025c1ba in match_level_2(gfc_expr**) matchexp.c:480
#13 0x10025c726 in match_level_3(gfc_expr**) matchexp.c:547
#14 0x10025cb9f in match_level_4(gfc_expr**) matchexp.c:593
#15 0x10025d9d5 in match_and_operand(gfc_expr**) matchexp.c:693
#16 0x10025dca8 in match_or_operand(gfc_expr**) matchexp.c:718
#17 0x10025e10d in match_equiv_operand(gfc_expr**) matchexp.c:761
#18 0x10025e57b in match_level_5(gfc_expr**) matchexp.c:806
#19 0x10025a48f in gfc_match_expr(gfc_expr**) matchexp.c:865
#20 0x10015adb1 in gfc_match_init_expr(gfc_expr**) expr.c:2987
#21 0x1000f6516 in variable_decl(int) decl.c:2715
#22 0x1000f77f3 in gfc_match_data_decl() decl.c:5926
#23 0x100330018 in match_word(char const*, match (*)(), locus*) parse.c:65
#24 0x10033c950 in decode_statement() parse.c:376
#25 0x10033eef6 in next_free() parse.c:1234
#26 0x10033f8cb in next_statement() parse.c:1466
#27 0x100345fab in parse_spec(gfc_statement) parse.c:3858
#28 0x10034cbfa in parse_progunit(gfc_statement) parse.c:5671
#29 0x10034f8de in gfc_parse_file() parse.c:6259
previously allocated by thread T0 here:
#0 0x158cb0db3 in wrap_calloc sanitizer_malloc_mac.inc:132
#1 0x10869f9ea in xcalloc xmalloc.c:162
#2 0x10035b6aa in is_inquiry_ref(char const*, gfc_ref**) primary.c:1964
#3 0x10036883c in gfc_match_varspec(gfc_expr*, int, bool, bool) primary.c:2199
#4 0x1003765a8 in gfc_match_rvalue(gfc_expr**) primary.c:3429
#5 0x10025a96b in match_primary(gfc_expr**) matchexp.c:157
#6 0x10025abfa in match_level_1(gfc_expr**) matchexp.c:211
#7 0x10025af6b in match_mult_operand(gfc_expr**) matchexp.c:264
#8 0x10025b7ac in match_add_operand(gfc_expr**) matchexp.c:351
#9 0x10025c1ba in match_level_2(gfc_expr**) matchexp.c:480
#10 0x10025c726 in match_level_3(gfc_expr**) matchexp.c:547
#11 0x10025cb9f in match_level_4(gfc_expr**) matchexp.c:593
#12 0x10025d9d5 in match_and_operand(gfc_expr**) matchexp.c:693
#13 0x10025dca8 in match_or_operand(gfc_expr**) matchexp.c:718
#14 0x10025e10d in match_equiv_operand(gfc_expr**) matchexp.c:761
#15 0x10025e57b in match_level_5(gfc_expr**) matchexp.c:806
#16 0x10025a48f in gfc_match_expr(gfc_expr**) matchexp.c:865
#17 0x10015adb1 in gfc_match_init_expr(gfc_expr**) expr.c:2987
#18 0x1000f6516 in variable_decl(int) decl.c:2715
#19 0x1000f77f3 in gfc_match_data_decl() decl.c:5926
#20 0x100330018 in match_word(char const*, match (*)(), locus*) parse.c:65
#21 0x10033c950 in decode_statement() parse.c:376
#22 0x10033eef6 in next_free() parse.c:1234
#23 0x10033f8cb in next_statement() parse.c:1466
#24 0x100345fab in parse_spec(gfc_statement) parse.c:3858
#25 0x10034cbfa in parse_progunit(gfc_statement) parse.c:5671
#26 0x10034f8de in gfc_parse_file() parse.c:6259
#27 0x100522fbf in gfc_be_parse_file() f95-lang.c:204
#28 0x10611cde8 in compile_file() toplev.c:455
#29 0x1061284a3 in do_compile() toplev.c:2172
SUMMARY: AddressSanitizer: heap-use-after-free expr.c:1943 in simplify_ref_chain(gfc_ref*, int, gfc_expr**)
Shadow bytes around the buggy address:
0x1c2e00000860: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x1c2e00000870: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x1c2e00000880: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x1c2e00000890: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x1c2e000008a0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
=>0x1c2e000008b0: fd fd fd fd fd fd fd fd fd fd fd[fd]fa fa fa fa
0x1c2e000008c0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x1c2e000008d0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x1c2e000008e0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x1c2e000008f0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x1c2e00000900: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
Shadow gap: cc
==75699==ABORTING
f951: internal compiler error: Abort trap: 6
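The three stacks in the report above tell one story: the reference chain is allocated in is_inquiry_ref, freed by gfc_free_ref_list under gfc_replace_expr called from simplify_ref_chain (expr.c:1970), and then read again by simplify_ref_chain itself (expr.c:1943). In other words, the walk over the chain keeps going after a replacement has released the chain it is walking. The following C block is an added illustration of that pattern and of the shape of a fix; it is not the bug report's or gfortran's code, and every name in it (struct expr, struct ref, replace_expr, simplify_ref_chain_buggy, simplify_ref_chain_fixed) is invented for the example. The buggy walker is shown for contrast and deliberately not exercised; only the fixed walker is run.

```c
#include <stdio.h>
#include <stdlib.h>

/* Invented model (not gfortran's types): an expression owns a chain of
 * reference nodes; an inquiry reference such as %len lets the whole
 * expression be folded to a constant, which releases the chain. */
enum ref_kind { REF_COMPONENT, REF_INQUIRY_LEN };

struct ref {
    enum ref_kind kind;
    int len;               /* declared length of a character component */
    struct ref *next;
};

struct expr {
    int value;             /* constant payload once simplified */
    struct ref *ref;       /* reference chain owned by this expression */
};

static void free_ref_list(struct ref *r)
{
    while (r) {
        struct ref *next = r->next;
        free(r);
        r = next;
    }
}

/* Append one reference node to the end of e's chain. */
static void append_ref(struct expr *e, enum ref_kind kind, int len)
{
    struct ref *r = calloc(1, sizeof *r);
    struct ref **tail = &e->ref;
    r->kind = kind;
    r->len = len;
    while (*tail)
        tail = &(*tail)->next;
    *tail = r;
}

/* Overwrite e with a constant and release its old chain. This models the
 * ownership hand-off the trace shows in gfc_replace_expr -> gfc_free_ref_list:
 * afterwards every pointer into the old chain is dangling. */
static void replace_expr(struct expr *e, int value)
{
    free_ref_list(e->ref);
    e->ref = NULL;
    e->value = value;
}

/* Buggy walk: after replace_expr() the loop still executes `r = r->next`,
 * reading a freed node. Shown only for the shape of the defect; not called. */
int simplify_ref_chain_buggy(struct expr *e)
{
    int cur_len = 0, simplified = 0;
    for (struct ref *r = e->ref; r; r = r->next) {
        if (r->kind == REF_COMPONENT)
            cur_len = r->len;
        else if (r->kind == REF_INQUIRY_LEN) {
            replace_expr(e, cur_len);   /* frees the chain r belongs to */
            simplified = 1;             /* ...and the loop touches r again */
        }
    }
    return simplified;
}

/* Fixed walk: once the expression has been replaced there is no chain left
 * to walk, so leave without dereferencing r again. Returns 1 if folded. */
int simplify_ref_chain_fixed(struct expr *e)
{
    int cur_len = 0;
    for (struct ref *r = e->ref; r; r = r->next) {
        if (r->kind == REF_COMPONENT)
            cur_len = r->len;
        else if (r->kind == REF_INQUIRY_LEN) {
            replace_expr(e, cur_len);
            return 1;                   /* r is dangling from here on */
        }
    }
    return 0;
}

/* Constructed input modelling `der%str%len` with `character(6) :: str`. */
static struct expr *build_der_str_len(void)
{
    struct expr *e = calloc(1, sizeof *e);
    append_ref(e, REF_COMPONENT, 6);
    append_ref(e, REF_INQUIRY_LEN, 0);
    return e;
}

static void destroy_expr(struct expr *e) { free_ref_list(e->ref); free(e); }

/* Constant the fixed walk folds `der%str%len` to (6 for the input above). */
int example_simplified_value(void)
{
    struct expr *e = build_der_str_len();
    simplify_ref_chain_fixed(e);
    int v = e->value;
    destroy_expr(e);
    return v;
}

/* 1 if the fixed walk folded the expression and left no chain behind. */
int example_chain_released(void)
{
    struct expr *e = build_der_str_len();
    int released = simplify_ref_chain_fixed(e) && e->ref == NULL;
    destroy_expr(e);
    return released;
}

int main(void)
{
    printf("der%%str%%len folds to %d\n", example_simplified_value());
    return 0;
}
```

Building this file with `-fsanitize=address` (the kind of instrumented build the comment relies on) and calling the buggy walker instead of the fixed one produces a report of the same shape as the one above: the READ inside the walker's loop, the free under replace_expr called from that same walker, and the allocation in the function that built the node. That three-stack pattern, with the free and the read in the same function, is the signature to look for when a use-after-free appears in code that iterates over a list it may also rebuild.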