https://gcc.gnu.org/bugzilla/show_bug.cgi?id=121697
Bug ID: 121697
Summary: ASAN reports heap-use-after-free at fortran/simplify.cc:133 when compiling testsuite/gfortran.dg/pdt_39.f03
Product: gcc
Version: 16.0
Status: UNCONFIRMED
Severity: normal
Priority: P3
Component: fortran
Assignee: unassigned at gcc dot gnu.org
Reporter: jamborm at gcc dot gnu.org
CC: pault at gcc dot gnu.org
Blocks: 86656
Target Milestone: ---
Host: x86_64-linux-gnu
Target: x86_64-linux-gnu

With an ASAN-instrumented GCC (commit d914cb6743d):

  configure --enable-languages=c,c++,fortran --enable-host-shared --enable-checking=release --disable-multilib --with-build-config=bootstrap-asan

running

  ASAN_OPTIONS=detect_leaks=0 make -k check-gfortran RUNTESTFLAGS="dg.exp=pdt_39.f03"

produces

==2452541==ERROR: AddressSanitizer: heap-use-after-free on address 0x7c90895ea0d8 at pc 0x000000ce4ab1 bp 0x7ffc5c3457f0 sp 0x7ffc5c3457e8
READ of size 8 at 0x7c90895ea0d8 thread T0
    #0 0x000000ce4ab0 in get_kind /home/mjambor/gcc/mine/src/gcc/fortran/simplify.cc:133
    #1 0x000000d10f7c in gfc_simplify_real(gfc_expr*, gfc_expr*) /home/mjambor/gcc/mine/src/gcc/fortran/simplify.cc:7547
    #2 0x000000ab83b1 in do_simplify /home/mjambor/gcc/mine/src/gcc/fortran/intrinsic.cc:4895
    #3 0x000000ae91e1 in gfc_intrinsic_func_interface(gfc_expr*, int) /home/mjambor/gcc/mine/src/gcc/fortran/intrinsic.cc:5298
    #4 0x000000ca839e in resolve_unknown_f /home/mjambor/gcc/mine/src/gcc/fortran/resolve.cc:3079
    #5 0x000000ca839e in resolve_function /home/mjambor/gcc/mine/src/gcc/fortran/resolve.cc:3506
    #6 0x000000ca9e7f in gfc_resolve_expr(gfc_expr*) /home/mjambor/gcc/mine/src/gcc/fortran/resolve.cc:7987
    #7 0x0000009b91c1 in resolve_array_list /home/mjambor/gcc/mine/src/gcc/fortran/array.cc:2210
    #8 0x0000009b91c1 in gfc_resolve_array_constructor(gfc_expr*) /home/mjambor/gcc/mine/src/gcc/fortran/array.cc:2388
    #9 0x000000cabd27 in gfc_resolve_expr(gfc_expr*) /home/mjambor/gcc/mine/src/gcc/fortran/resolve.cc:8019
    #10 0x0000009b91c1 in resolve_array_list /home/mjambor/gcc/mine/src/gcc/fortran/array.cc:2210
    #11 0x0000009b91c1 in gfc_resolve_array_constructor(gfc_expr*) /home/mjambor/gcc/mine/src/gcc/fortran/array.cc:2388
    #12 0x000000cabd27 in gfc_resolve_expr(gfc_expr*) /home/mjambor/gcc/mine/src/gcc/fortran/resolve.cc:8019
    #13 0x000000cbee72 in resolve_actual_arglist /home/mjambor/gcc/mine/src/gcc/fortran/resolve.cc:2074
    #14 0x000000ca5d08 in resolve_function /home/mjambor/gcc/mine/src/gcc/fortran/resolve.cc:3425
    #15 0x000000ca9e7f in gfc_resolve_expr(gfc_expr*) /home/mjambor/gcc/mine/src/gcc/fortran/resolve.cc:7987
    #16 0x000000c838a0 in gfc_resolve_code(gfc_code*, gfc_namespace*) /home/mjambor/gcc/mine/src/gcc/fortran/resolve.cc:13684
    #17 0x000000c8f114 in resolve_codes /home/mjambor/gcc/mine/src/gcc/fortran/resolve.cc:19626
    #18 0x000000c8f481 in gfc_resolve(gfc_namespace*) /home/mjambor/gcc/mine/src/gcc/fortran/resolve.cc:19661
    #19 0x000000c4a906 in resolve_all_program_units /home/mjambor/gcc/mine/src/gcc/fortran/parse.cc:7463
    #20 0x000000c4a906 in gfc_parse_file() /home/mjambor/gcc/mine/src/gcc/fortran/parse.cc:7723
    #21 0x000000d6a630 in gfc_be_parse_file /home/mjambor/gcc/mine/src/gcc/fortran/f95-lang.cc:247
    #22 0x000002469088 in compile_file /home/mjambor/gcc/mine/src/gcc/toplev.cc:453
    #23 0x00000084dca1 in do_compile /home/mjambor/gcc/mine/src/gcc/toplev.cc:2222
    #24 0x00000084dca1 in toplev::main(int, char**) /home/mjambor/gcc/mine/src/gcc/toplev.cc:2385
    #25 0x000000859a49 in main /home/mjambor/gcc/mine/src/gcc/main.cc:39
    #26 0x7f208a22b37a in __libc_start_call_main (/lib64/libc.so.6+0x2b37a) (BuildId: 5f5a89c70625d4fc059c9e954c047f21fa5104d7)
    #27 0x7f208a22b44a in __libc_start_main_impl (/lib64/libc.so.6+0x2b44a) (BuildId: 5f5a89c70625d4fc059c9e954c047f21fa5104d7)
    #28 0x00000085bd34 in _start ../sysdeps/x86_64/start.S:115

0x7c90895ea0d8 is located 728 bytes inside of 736-byte region [0x7c90895e9e00,0x7c90895ea0e0)
freed by thread T0 here:
    #0 0x000000940a3f in free /home/mjambor/gcc/mine/src/libsanitizer/asan/asan_malloc_linux.cpp:51
    #1 0x000000a7533e in gfc_free_ref_list(gfc_ref*) /home/mjambor/gcc/mine/src/gcc/fortran/expr.cc:646

previously allocated by thread T0 here:
    #0 0x0000009416cf in calloc /home/mjambor/gcc/mine/src/libsanitizer/asan/asan_malloc_linux.cpp:74
    #1 0x00000678d974 in xcalloc /home/mjambor/gcc/mine/src/libiberty/xmalloc.c:164

SUMMARY: AddressSanitizer: heap-use-after-free /home/mjambor/gcc/mine/src/gcc/fortran/simplify.cc:133 in get_kind
Shadow bytes around the buggy address:
  0x7c90895e9e00: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x7c90895e9e80: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x7c90895e9f00: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x7c90895e9f80: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x7c90895ea000: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
=>0x7c90895ea080: fd fd fd fd fd fd fd fd fd fd fd[fd]fa fa fa fa
  0x7c90895ea100: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x7c90895ea180: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x7c90895ea200: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x7c90895ea280: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x7c90895ea300: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==2452541==ABORTING
compiler exited with status 1
FAIL: gfortran.dg/pdt_39.f03   -O0   3 blank line(s) in output

...and similar on other optimization levels/compiler switch combinations.

The failure seems to be introduced along with the testcase itself in r16-3308-g243b5b23c7e60a (Paul Thomas: Fortran: gfortran PDT component access [PR84122, PR85942]).

Referenced Bugs:
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=86656
[Bug 86656] [meta-bug] Issues found with -fsanitize=address
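The report above shows the general shape of this bug class: a chain of heap-allocated reference nodes is freed by one routine (here gfc_free_ref_list) while another routine (here get_kind) still holds a pointer into it and reads from the freed region. The C program below is an illustration added to this page, not gfortran's code; its types and function names (ref_t, expr_t, ref_push, free_ref_list, copy_ref_list, last_kind and the two pattern functions) are invented for the example, and it does not claim to reproduce the actual root cause of PR121697, which the report does not state. It shows the defective shared-ownership pattern next to the corrected deep-copy pattern; only the corrected one is executed.

```c
#include <stdio.h>
#include <stdlib.h>

/* Illustration only (not gfortran's code): a minimal chain of reference
   nodes standing in for the list that gfc_free_ref_list() frees and that
   get_kind() later reads in the ASAN trace.  All names are invented. */
typedef struct ref {
    int kind;            /* value a later lookup wants to read */
    struct ref *next;
} ref_t;

typedef struct expr {
    ref_t *refs;         /* chain this expression is supposed to own */
} expr_t;

/* Prepend a node; calloc mirrors the xcalloc allocation site in the trace. */
ref_t *ref_push(ref_t *head, int kind)
{
    ref_t *r = calloc(1, sizeof *r);
    if (r == NULL)
        abort();
    r->kind = kind;
    r->next = head;
    return r;
}

/* Free a whole chain (the role gfc_free_ref_list plays in the trace). */
void free_ref_list(ref_t *r)
{
    while (r != NULL) {
        ref_t *next = r->next;
        free(r);
        r = next;
    }
}

/* Deep copy: the new chain shares no node with the source. */
ref_t *copy_ref_list(const ref_t *src)
{
    ref_t *head = NULL, **tail = &head;
    for (; src != NULL; src = src->next) {
        ref_t *r = calloc(1, sizeof *r);
        if (r == NULL)
            abort();
        r->kind = src->kind;
        *tail = r;
        tail = &r->next;
    }
    return head;
}

/* Walk to the last node and return its kind, -1 for an empty chain
   (the role the read in get_kind plays in the trace). */
int last_kind(const ref_t *r)
{
    if (r == NULL)
        return -1;
    while (r->next != NULL)
        r = r->next;
    return r->kind;
}

/* Defective pattern: b is a shallow copy of a, so both believe they own the
   same chain.  Freeing a's chain leaves b dangling, and the final call reads
   freed memory.  Built with -fsanitize=address and called, this produces a
   report of the same shape as the one above: a READ in last_kind, freed by
   free_ref_list, previously allocated by calloc.  Not called by the tests. */
int alias_then_free_unsafe(void)
{
    expr_t a = { ref_push(ref_push(NULL, 4), 8) };
    expr_t b = { a.refs };           /* accidental shared ownership */
    free_ref_list(a.refs);
    return last_kind(b.refs);        /* heap-use-after-free */
}

/* Corrected pattern: b owns its own deep copy, each chain is freed exactly
   once, and the stale pointer is cleared so any later misuse is a NULL
   dereference rather than a silent read of recycled memory. */
int copy_then_free_safe(void)
{
    expr_t a = { ref_push(ref_push(NULL, 4), 8) };
    expr_t b = { copy_ref_list(a.refs) };
    free_ref_list(a.refs);
    a.refs = NULL;
    int k = last_kind(b.refs);       /* valid: b's nodes were never freed */
    free_ref_list(b.refs);
    return k;                        /* 4: the kind of the last node */
}

int main(void)
{
    printf("safe pattern reads kind %d\n", copy_then_free_safe());
    return 0;
}
```

Compiling this file with -fsanitize=address -g and calling alias_then_free_unsafe() from main is a quick way to see what the shadow bytes in the report mean in practice: the freed nodes are marked fd, the read lands inside that region, and ASAN stops at the first dereference rather than letting the recycled memory flow into later compiler decisions.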