https://gcc.gnu.org/bugzilla/show_bug.cgi?id=82866
Dominique d'Humieres <dominiq at lps dot ens.fr> changed:
What |Removed |Added
----------------------------------------------------------------------------
Status|UNCONFIRMED |NEW
Last reconfirmed| |2017-11-06
Ever confirmed|0 |1
--- Comment #3 from Dominique d'Humieres <dominiq at lps dot ens.fr> ---
Compiling the tests in comments 0 and 1 with an instrumented gfortran gives
../../work/gcc/fortran/resolve.c:14063:27: runtime error: member access within
null pointer of type 'struct gfc_symbol'
Using the same compiler for the tests in comment 2 gives
==46165==ERROR: AddressSanitizer: heap-use-after-free on address 0x613000002800 at pc 0x0001004995e8 bp 0x7fff5fbfe610 sp 0x7fff5fbfe608
READ of size 8 at 0x613000002800 thread T0
#0 0x1004995e7 in gfc_restore_last_undo_checkpoint() symbol.c:3647
#1 0x10049aa2c in gfc_undo_symbols() symbol.c:3727
#2 0x1002fefd5 in reject_statement() parse.c:2546
#3 0x1002ff11d in match_word(char const*, match (*)(), locus*) parse.c:70
#4 0x10030cdd0 in decode_statement() parse.c:565
#5 0x10030e091 in next_free() parse.c:1225
#6 0x10030ea5e in next_statement() parse.c:1457
#7 0x100314a37 in parse_spec(gfc_statement) parse.c:3651
#8 0x10031d2f0 in parse_module() parse.c:5900
#9 0x10031e24d in gfc_parse_file() parse.c:6205
#10 0x1004d36b3 in gfc_be_parse_file() f95-lang.c:204
#11 0x1052de1b0 in compile_file() toplev.c:454
#12 0x1052e857d in do_compile() toplev.c:2059
#13 0x1075dd23b in toplev::main(int, char**) toplev.c:2194
#14 0x1075e2a87 in main main.c:39
#15 0x7fffcb057234 in start (libdyld.dylib:x86_64+0x5234)
0x613000002800 is located 320 bytes inside of 336-byte region
[0x6130000026c0,0x613000002810)
freed by thread T0 here:
#0 0x155317e10 in wrap_free.part.0 sanitizer_malloc_mac.inc:142
#1 0x100489adb in gfc_free_symbol(gfc_symbol*) symbol.c:3061
#2 0x100489e27 in gfc_release_symbol(gfc_symbol*) symbol.c:3088
#3 0x10048a2a6 in free_sym_tree(gfc_symtree*) symbol.c:3890
#4 0x10048905b in gfc_free_namespace(gfc_namespace*) symbol.c:4045
#5 0x100489a6c in gfc_free_symbol(gfc_symbol*) symbol.c:3054
#6 0x100489e27 in gfc_release_symbol(gfc_symbol*) symbol.c:3088
#7 0x10049a1c7 in gfc_restore_last_undo_checkpoint() symbol.c:3696
#8 0x10049aa2c in gfc_undo_symbols() symbol.c:3727
#9 0x1002fefd5 in reject_statement() parse.c:2546
#10 0x1002ff11d in match_word(char const*, match (*)(), locus*) parse.c:70
#11 0x10030cdd0 in decode_statement() parse.c:565
#12 0x10030e091 in next_free() parse.c:1225
#13 0x10030ea5e in next_statement() parse.c:1457
#14 0x100314a37 in parse_spec(gfc_statement) parse.c:3651
#15 0x10031d2f0 in parse_module() parse.c:5900
#16 0x10031e24d in gfc_parse_file() parse.c:6205
#17 0x1004d36b3 in gfc_be_parse_file() f95-lang.c:204
#18 0x1052de1b0 in compile_file() toplev.c:454
#19 0x1052e857d in do_compile() toplev.c:2059
#20 0x1075dd23b in toplev::main(int, char**) toplev.c:2194
#21 0x1075e2a87 in main main.c:39
#22 0x7fffcb057234 in start (libdyld.dylib:x86_64+0x5234)
previously allocated by thread T0 here:
#0 0x15531746c in wrap_calloc sanitizer_malloc_mac.inc:153
#1 0x10746b354 in xcalloc xmalloc.c:162
#2 0x100480eb1 in gfc_new_symbol(char const*, gfc_namespace*) symbol.c:3099
#3 0x1004833c0 in gfc_get_sym_tree(char const*, gfc_namespace*, gfc_symtree**, bool) symbol.c:3348
#4 0x100484a01 in gfc_get_symbol(char const*, gfc_namespace*, gfc_symbol**) symbol.c:3401
#5 0x1000b162d in gfc_match_formal_arglist(gfc_symbol*, int, int, bool) decl.c:5959
#6 0x1000cd42e in gfc_match_derived_decl() decl.c:9829
#7 0x1002ff09b in match_word(char const*, match (*)(), locus*) parse.c:65
#8 0x10030cdd0 in decode_statement() parse.c:565
#9 0x10030e091 in next_free() parse.c:1225
#10 0x10030ea5e in next_statement() parse.c:1457
#11 0x100314a37 in parse_spec(gfc_statement) parse.c:3651
#12 0x10031d2f0 in parse_module() parse.c:5900
#13 0x10031e24d in gfc_parse_file() parse.c:6205
#14 0x1004d36b3 in gfc_be_parse_file() f95-lang.c:204
#15 0x1052de1b0 in compile_file() toplev.c:454
#16 0x1052e857d in do_compile() toplev.c:2059
#17 0x1075dd23b in toplev::main(int, char**) toplev.c:2194
#18 0x1075e2a87 in main main.c:39
#19 0x7fffcb057234 in start (libdyld.dylib:x86_64+0x5234)
SUMMARY: AddressSanitizer: heap-use-after-free symbol.c:3647 in gfc_restore_last_undo_checkpoint()
Shadow bytes around the buggy address:
0x1c26000004b0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x1c26000004c0: fd fd fd fd fd fd fd fd fd fd fa fa fa fa fa fa
0x1c26000004d0: fa fa fa fa fa fa fa fa fd fd fd fd fd fd fd fd
0x1c26000004e0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x1c26000004f0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
=>0x1c2600000500:[fd]fd fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x1c2600000510: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x1c2600000520: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x1c2600000530: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x1c2600000540: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x1c2600000550: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
==46165==ABORTING
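The trace above shows gfc_restore_last_undo_checkpoint() reading a symbol at symbol.c:3647 that an earlier iteration of the same function already freed at symbol.c:3696, through gfc_release_symbol() -> gfc_free_symbol() -> gfc_free_namespace() -> free_sym_tree(). The C model below is an added example, not GCC's code: it assumes a hypothetical ownership shape (symbol A owns a formal-argument namespace whose symtree owns symbol B, both recorded in the undo list) and contrasts the release order in the trace with a pin-first order that keeps every undo entry alive until the loop is done.

```c
/* Constructed model of the ownership chain in the ASan trace above (assumption,
 * not GCC's code): symbol A owns a formal-argument namespace whose symtree owns
 * symbol B, and both A and B are in the undo list of the rejected statement. */
#include <stdbool.h>
#include <stddef.h>

#define MAX_OWNED 4
typedef struct ns ns_t;
typedef struct sym { int refs; bool live; ns_t *owner; ns_t *formal_ns; } sym_t;
struct ns { bool live; sym_t *owned[MAX_OWNED]; int n; };
static void release_sym(sym_t *s);
/* gfc_free_namespace -> free_sym_tree: the namespace releases every symbol it still owns. */
static void free_ns(ns_t *ns) {
    ns->live = false;
    for (int i = 0; i < ns->n; i++) release_sym(ns->owned[i]);
    ns->n = 0;
}
/* gfc_release_symbol -> gfc_free_symbol: the last reference frees the symbol and its formal namespace. */
static void release_sym(sym_t *s) {
    if (--s->refs > 0) return;
    s->live = false;                 /* stands in for the 'fd' (freed) shadow byte */
    if (s->formal_ns && s->formal_ns->live) free_ns(s->formal_ns);
}
/* Drop the symtree entry that held the symbol, so the namespace no longer owns it. */
static void detach(sym_t *s) {
    ns_t *ns = s->owner;
    for (int i = 0; i < ns->n; i++)
        if (ns->owned[i] == s) { ns->owned[i] = ns->owned[--ns->n]; break; }
}
/* Undo the creation of every listed symbol. pin=false is the order in the trace;
 * pin=true holds a reference on every entry first, so an earlier entry's cascade
 * cannot free a later one. Returns how many entries were already freed when reached. */
static int restore(sym_t **undo, int n, bool pin) {
    int dangling = 0;
    if (pin) for (int i = 0; i < n; i++) undo[i]->refs++;
    for (int i = 0; i < n; i++) {
        if (!undo[i]->live) { dangling++; continue; }   /* ASan aborts here */
        detach(undo[i]);
        release_sym(undo[i]);
    }
    if (pin) for (int i = 0; i < n; i++) release_sym(undo[i]);  /* cascades run after the loop */
    return dangling;
}
/* Build A -> formal ns -> B, put both in the undo list, run one restore order. */
static int run(bool pin) {
    ns_t top = { true, {0}, 0 }, formal = { true, {0}, 0 };
    sym_t a = { 1, true, &top, &formal }, b = { 1, true, &formal, NULL };
    top.owned[top.n++] = &a; formal.owned[formal.n++] = &b;
    sym_t *undo[] = { &a, &b };
    return restore(undo, 2, pin);
}
```

run(false) reproduces the trace's shape (B is reached after A's cascade already freed it); run(true) reaches every entry alive.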