https://gcc.gnu.org/bugzilla/show_bug.cgi?id=77327
Bug ID: 77327
Summary: AddressSanitizer: heap-use-after-free gcc-trunk-239276/gcc/fortran/interface.c:403 in compare_components
Product: gcc
Version: 7.0
Status: UNCONFIRMED
Severity: normal
Priority: P3
Component: fortran
Assignee: unassigned at gcc dot gnu.org
Reporter: zeccav at gmail dot com
Target Milestone: ---

Compiling the following:

      subroutine foo(a)
        type myT
          sequence
          character :: c
        end type myT
        type(myT) :: a
      end subroutine

      module modtest
        type myT
          sequence
          character :: c
        end type myT
        interface
          subroutine foo(c)
            import :: myT
            type(myT) :: c
          end subroutine foo
        end interface
      contains
        subroutine test2()
          type(myT) :: z
          call foo(z)
        end subroutine test2
      end module modtest

with an address sanitized version of gfortran I get the following:

$gcc-7-address/bin/gfortran ~/f95/gfbug126.f
=================================================================
==15602==ERROR: AddressSanitizer: heap-use-after-free on address 0x60400000c462 at pc 0x00000067217d bp 0x7ffd1903f720 sp 0x7ffd1903f718
READ of size 1 at 0x60400000c462 thread T0
    #0 0x67217c in compare_components /home/vitti/1tb/vitti/test/gcc-trunk-239276/gcc/fortran/interface.c:403
    #1 0x672839 in gfc_compare_derived_types(gfc_symbol*, gfc_symbol*) /home/vitti/1tb/vitti/test/gcc-trunk-239276/gcc/fortran/interface.c:570
    #2 0x798343 in gfc_type_compatible(gfc_typespec*, gfc_typespec*) /home/vitti/1tb/vitti/test/gcc-trunk-239276/gcc/fortran/symbol.c:4869
    #3 0x671da3 in gfc_compare_types(gfc_typespec*, gfc_typespec*) /home/vitti/1tb/vitti/test/gcc-trunk-239276/gcc/fortran/interface.c:630
    #4 0x672b3f in compare_type /home/vitti/1tb/vitti/test/gcc-trunk-239276/gcc/fortran/interface.c:646
    #5 0x675600 in gfc_check_dummy_characteristics(gfc_symbol*, gfc_symbol*, bool, char*, int) /home/vitti/1tb/vitti/test/gcc-trunk-239276/gcc/fortran/interface.c:1187
    #6 0x674ebd in gfc_compare_interfaces(gfc_symbol*, gfc_symbol*, char const*, int, int, char*, int, char const*, char const*) /home/vitti/1tb/vitti/test/gcc-trunk-239276/gcc/fortran/interface.c:1644
    #7 0x73cb61 in resolve_global_procedure /home/vitti/1tb/vitti/test/gcc-trunk-239276/gcc/fortran/resolve.c:2463
    #8 0x74d055 in resolve_call /home/vitti/1tb/vitti/test/gcc-trunk-239276/gcc/fortran/resolve.c:3455
    #9 0x764d17 in gfc_resolve_code(gfc_code*, gfc_namespace*) /home/vitti/1tb/vitti/test/gcc-trunk-239276/gcc/fortran/resolve.c:10659
    #10 0x767b59 in resolve_codes /home/vitti/1tb/vitti/test/gcc-trunk-239276/gcc/fortran/resolve.c:15667
    #11 0x7679dd in resolve_codes /home/vitti/1tb/vitti/test/gcc-trunk-239276/gcc/fortran/resolve.c:15652
    #12 0x73c2b1 in gfc_resolve(gfc_namespace*) /home/vitti/1tb/vitti/test/gcc-trunk-239276/gcc/fortran/resolve.c:15701
    #13 0x711dd7 in gfc_parse_file() /home/vitti/1tb/vitti/test/gcc-trunk-239276/gcc/fortran/parse.c:6061
    #14 0x7b4d6d in gfc_be_parse_file /home/vitti/1tb/vitti/test/gcc-trunk-239276/gcc/fortran/f95-lang.c:198
    #15 0x165aada in compile_file /home/vitti/1tb/vitti/test/gcc-trunk-239276/gcc/toplev.c:465
    #16 0x165ff74 in do_compile /home/vitti/1tb/vitti/test/gcc-trunk-239276/gcc/toplev.c:1998
    #17 0x16604aa in toplev::main(int, char**) /home/vitti/1tb/vitti/test/gcc-trunk-239276/gcc/toplev.c:2132
    #18 0x2e2a5ca in main /home/vitti/1tb/vitti/test/gcc-trunk-239276/gcc/main.c:39
    #19 0x390da1ffdf in __libc_start_main (/lib64/libc.so.6+0x390da1ffdf)
    #20 0x5eafd8 (/home/vitti/1tb/vitti/local/gcc-7-address/libexec/gcc/x86_64-pc-linux-gnu/7.0.0/f951+0x5eafd8)

0x60400000c462 is located 18 bytes inside of 40-byte region [0x60400000c450,0x60400000c478)
freed by thread T0 here:
    #0 0x2b862c1d8330 in __interceptor_free ../../.././libsanitizer/asan/asan_malloc_linux.cc:45
    #1 0x2e61f00 in release<(anonymous namespace)::line_span> /home/vitti/1tb/vitti/test/gcc-trunk-239276/gcc/vec.h:307
    #2 0x2e66774 in release /home/vitti/1tb/vitti/test/gcc-trunk-239276/gcc/vec.h:1492
    #3 0x2e66774 in ~auto_vec /home/vitti/1tb/vitti/test/gcc-trunk-239276/gcc/vec.h:1286
    #4 0x2e66774 in calculate_line_spans /home/vitti/1tb/vitti/test/gcc-trunk-239276/gcc/diagnostic-show-locus.c:894
    #5 0x2e67b02 in layout /home/vitti/1tb/vitti/test/gcc-trunk-239276/gcc/diagnostic-show-locus.c:785
    #6 0x2e6802e in diagnostic_show_locus(diagnostic_context*, diagnostic_info const*) /home/vitti/1tb/vitti/test/gcc-trunk-239276/gcc/diagnostic-show-locus.c:1302
    #7 0x6572e4 in gfc_diagnostic_starter /home/vitti/1tb/vitti/test/gcc-trunk-239276/gcc/fortran/error.c:1096
    #8 0x2e5c244 in diagnostic_report_diagnostic(diagnostic_context*, diagnostic_info*) /home/vitti/1tb/vitti/test/gcc-trunk-239276/gcc/diagnostic.c:935
    #9 0x656009 in gfc_error /home/vitti/1tb/vitti/test/gcc-trunk-239276/gcc/fortran/error.c:1277
    #10 0x658644 in gfc_error(char const*, ...) /home/vitti/1tb/vitti/test/gcc-trunk-239276/gcc/fortran/error.c:1296
    #11 0x720a04 in gfc_match_rvalue(gfc_expr**) /home/vitti/1tb/vitti/test/gcc-trunk-239276/gcc/fortran/primary.c:3021
    #12 0x6c97ed in match_primary /home/vitti/1tb/vitti/test/gcc-trunk-239276/gcc/fortran/matchexp.c:157
    #13 0x6c99c6 in match_level_1 /home/vitti/1tb/vitti/test/gcc-trunk-239276/gcc/fortran/matchexp.c:211
    #14 0x6c9ba5 in match_mult_operand /home/vitti/1tb/vitti/test/gcc-trunk-239276/gcc/fortran/matchexp.c:267
    #15 0x6ca031 in match_add_operand /home/vitti/1tb/vitti/test/gcc-trunk-239276/gcc/fortran/matchexp.c:356
    #16 0x6ca5ae in match_level_2 /home/vitti/1tb/vitti/test/gcc-trunk-239276/gcc/fortran/matchexp.c:480
    #17 0x6ca8bb in match_level_3 /home/vitti/1tb/vitti/test/gcc-trunk-239276/gcc/fortran/matchexp.c:551
    #18 0x6cab2e in match_level_4 /home/vitti/1tb/vitti/test/gcc-trunk-239276/gcc/fortran/matchexp.c:599
    #19 0x6caf06 in match_and_operand /home/vitti/1tb/vitti/test/gcc-trunk-239276/gcc/fortran/matchexp.c:693
    #20 0x6cb0b7 in match_or_operand /home/vitti/1tb/vitti/test/gcc-trunk-239276/gcc/fortran/matchexp.c:722
    #21 0x6cb326 in match_equiv_operand /home/vitti/1tb/vitti/test/gcc-trunk-239276/gcc/fortran/matchexp.c:765
    #22 0x6cb595 in match_level_5 /home/vitti/1tb/vitti/test/gcc-trunk-239276/gcc/fortran/matchexp.c:811
    #23 0x6c9502 in gfc_match_expr(gfc_expr**) /home/vitti/1tb/vitti/test/gcc-trunk-239276/gcc/fortran/matchexp.c:870
    #24 0x6b9a0d in gfc_match(char const*, ...) /home/vitti/1tb/vitti/test/gcc-trunk-239276/gcc/fortran/match.c:1143
    #25 0x6c737b in gfc_match_ptr_fcn_assign() /home/vitti/1tb/vitti/test/gcc-trunk-239276/gcc/fortran/match.c:5301
    #26 0x705064 in match_word /home/vitti/1tb/vitti/test/gcc-trunk-239276/gcc/fortran/parse.c:65
    #27 0x70a660 in decode_statement /home/vitti/1tb/vitti/test/gcc-trunk-239276/gcc/fortran/parse.c:370
    #28 0x70be5b in next_fixed /home/vitti/1tb/vitti/test/gcc-trunk-239276/gcc/fortran/parse.c:1332
    #29 0x70c673 in next_statement /home/vitti/1tb/vitti/test/gcc-trunk-239276/gcc/fortran/parse.c:1382
    #30 0x70d9b4 in parse_derived /home/vitti/1tb/vitti/test/gcc-trunk-239276/gcc/fortran/parse.c:3130
    #31 0x70edee in parse_spec /home/vitti/1tb/vitti/test/gcc-trunk-239276/gcc/fortran/parse.c:3669

previously allocated by thread T0 here:
    #0 0x2b862c1d8648 in __interceptor_malloc ../../.././libsanitizer/asan/asan_malloc_linux.cc:62
    #1 0x2f5b515 in xrealloc /home/vitti/1tb/vitti/test/gcc-trunk-239276/libiberty/xmalloc.c:178
    #2 0x2e64a30 in reserve<(anonymous namespace)::line_span> /home/vitti/1tb/vitti/test/gcc-trunk-239276/gcc/vec.h:288
    #3 0x2e64a30 in reserve /home/vitti/1tb/vitti/test/gcc-trunk-239276/gcc/vec.h:1438
    #4 0x2e64a30 in reserve_exact /home/vitti/1tb/vitti/test/gcc-trunk-239276/gcc/vec.h:1458
    #5 0x2e64a30 in create /home/vitti/1tb/vitti/test/gcc-trunk-239276/gcc/vec.h:1473
    #6 0x2e64a30 in auto_vec /home/vitti/1tb/vitti/test/gcc-trunk-239276/gcc/vec.h:1285
    #7 0x2e64a30 in calculate_line_spans /home/vitti/1tb/vitti/test/gcc-trunk-239276/gcc/diagnostic-show-locus.c:894
    #8 0x2e67b02 in layout /home/vitti/1tb/vitti/test/gcc-trunk-239276/gcc/diagnostic-show-locus.c:785
    #9 0x2e6802e in diagnostic_show_locus(diagnostic_context*, diagnostic_info const*) /home/vitti/1tb/vitti/test/gcc-trunk-239276/gcc/diagnostic-show-locus.c:1302
    #10 0x6572e4 in gfc_diagnostic_starter /home/vitti/1tb/vitti/test/gcc-trunk-239276/gcc/fortran/error.c:1096
    #11 0x2e5c244 in diagnostic_report_diagnostic(diagnostic_context*, diagnostic_info*) /home/vitti/1tb/vitti/test/gcc-trunk-239276/gcc/diagnostic.c:935
    #12 0x656009 in gfc_error /home/vitti/1tb/vitti/test/gcc-trunk-239276/gcc/fortran/error.c:1277
    #13 0x658644 in gfc_error(char const*, ...) /home/vitti/1tb/vitti/test/gcc-trunk-239276/gcc/fortran/error.c:1296
    #14 0x720a04 in gfc_match_rvalue(gfc_expr**) /home/vitti/1tb/vitti/test/gcc-trunk-239276/gcc/fortran/primary.c:3021
    #15 0x6c97ed in match_primary /home/vitti/1tb/vitti/test/gcc-trunk-239276/gcc/fortran/matchexp.c:157
    #16 0x6c99c6 in match_level_1 /home/vitti/1tb/vitti/test/gcc-trunk-239276/gcc/fortran/matchexp.c:211
    #17 0x6c9ba5 in match_mult_operand /home/vitti/1tb/vitti/test/gcc-trunk-239276/gcc/fortran/matchexp.c:267
    #18 0x6ca031 in match_add_operand /home/vitti/1tb/vitti/test/gcc-trunk-239276/gcc/fortran/matchexp.c:356
    #19 0x6ca5ae in match_level_2 /home/vitti/1tb/vitti/test/gcc-trunk-239276/gcc/fortran/matchexp.c:480
    #20 0x6ca8bb in match_level_3 /home/vitti/1tb/vitti/test/gcc-trunk-239276/gcc/fortran/matchexp.c:551
    #21 0x6cab2e in match_level_4 /home/vitti/1tb/vitti/test/gcc-trunk-239276/gcc/fortran/matchexp.c:599
    #22 0x6caf06 in match_and_operand /home/vitti/1tb/vitti/test/gcc-trunk-239276/gcc/fortran/matchexp.c:693
    #23 0x6cb0b7 in match_or_operand /home/vitti/1tb/vitti/test/gcc-trunk-239276/gcc/fortran/matchexp.c:722
    #24 0x6cb326 in match_equiv_operand /home/vitti/1tb/vitti/test/gcc-trunk-239276/gcc/fortran/matchexp.c:765
    #25 0x6cb595 in match_level_5 /home/vitti/1tb/vitti/test/gcc-trunk-239276/gcc/fortran/matchexp.c:811
    #26 0x6c9502 in gfc_match_expr(gfc_expr**) /home/vitti/1tb/vitti/test/gcc-trunk-239276/gcc/fortran/matchexp.c:870
    #27 0x6b9a0d in gfc_match(char const*, ...)
        /home/vitti/1tb/vitti/test/gcc-trunk-239276/gcc/fortran/match.c:1143
    #28 0x6c737b in gfc_match_ptr_fcn_assign() /home/vitti/1tb/vitti/test/gcc-trunk-239276/gcc/fortran/match.c:5301
    #29 0x705064 in match_word /home/vitti/1tb/vitti/test/gcc-trunk-239276/gcc/fortran/parse.c:65
    #30 0x70a660 in decode_statement /home/vitti/1tb/vitti/test/gcc-trunk-239276/gcc/fortran/parse.c:370
    #31 0x70be5b in next_fixed /home/vitti/1tb/vitti/test/gcc-trunk-239276/gcc/fortran/parse.c:1332
    #32 0x70c673 in next_statement /home/vitti/1tb/vitti/test/gcc-trunk-239276/gcc/fortran/parse.c:1382
    #33 0x70d9b4 in parse_derived /home/vitti/1tb/vitti/test/gcc-trunk-239276/gcc/fortran/parse.c:3130
    #34 0x70edee in parse_spec /home/vitti/1tb/vitti/test/gcc-trunk-239276/gcc/fortran/parse.c:3669

SUMMARY: AddressSanitizer: heap-use-after-free /home/vitti/1tb/vitti/test/gcc-trunk-239276/gcc/fortran/interface.c:403 in compare_components
==15602==ABORTING

interface.c:403 is

    if ( (d1 && (d1->attr.flavor == FL_STRUCT || d1->attr.flavor == FL_UNION)

and I believe d->attr.flavor is the item used after freed.