https://gcc.gnu.org/bugzilla/show_bug.cgi?id=79524
--- Comment #33 from GCC Commits <cvs-commit at gcc dot gnu.org> --- The releases/gcc-14 branch has been updated by Paul Thomas <[email protected]>: https://gcc.gnu.org/g:c7422971e08cb1ec015ee63df89338dce5f3dabf commit r14-12573-gc7422971e08cb1ec015ee63df89338dce5f3dabf Author: Christopher Albert <[email protected]> Date: Fri Apr 3 12:45:57 2026 +0200 fortran: Clean up charlens after rejected parameter arrays [PR79524] When a parameter array declaration such as character(*), parameter :: z(2) = [character(n) :: 'x', 'y'] is rejected, declaration-local charlen nodes from that statement can remain on cl_list and later be resolved again. The charlen's length expression still references the symbol 'n' whose symtree was already freed by gfc_undo_symbols, causing a heap-use-after-free in resolve_charlen. Clean up those statement-local charlens at the rejection point in decl.cc, after clearing the surviving owners in that path. PR fortran/79524 gcc/fortran/ChangeLog: PR fortran/79524 * decl.cc (discard_pending_charlens): New helper. (add_init_expr_to_sym): Drop statement-local charlens when rejecting variable-length parameter arrays. (variable_decl, do_parm, enumerator_decl): Save the current namespace charlen list before parsing declarations with initializers. (match_procedure_decl): Adjust call to add_init_expr_to_sym. gcc/testsuite/ChangeLog: PR fortran/79524 * gfortran.dg/pr79524.f90: New test. Signed-off-by: Christopher Albert <[email protected]> (cherry picked from commit 7660e3067481159acc3ad76cfae22f71606670c7)
