https://gcc.gnu.org/bugzilla/show_bug.cgi?id=94975
Bug ID: 94975 Summary: Address sanitizations show heap-buffer-overflow with class(*) allocated to character on assignment Product: gcc Version: unknown Status: UNCONFIRMED Severity: normal Priority: P3 Component: fortran Assignee: unassigned at gcc dot gnu.org Reporter: vladimir.fuka at gmail dot com Target Milestone: --- With GCC 7-10 (bit libasan from 10) class(*), allocatable :: p p = "abc" select type(p) type is (character(*)) print *, p end select end causes > gfortran-10 star_character.f90 -fsanitize=address > ./a.out ================================================================= ==12833==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x602000000071 at pc 0x7fa43e30e9b9 bp 0x7fffe526aa50 sp 0x7fffe526a200 WRITE of size 3 at 0x602000000071 thread T0 #0 0x7fa43e30e9b8 in __interceptor_memmove (/usr/lib64/libasan.so.6+0x3b9b8) #1 0x400ddc in __copy_character_1.0 (/home/lada/f/testy/bugs/a.out+0x400ddc) #2 0x401078 in MAIN__ (/home/lada/f/testy/bugs/a.out+0x401078) #3 0x401305 in main (/home/lada/f/testy/bugs/a.out+0x401305) #4 0x7fa43d2f0349 in __libc_start_main (/lib64/libc.so.6+0x24349) #5 0x400c99 in _start (/home/lada/f/testy/bugs/a.out+0x400c99) 0x602000000071 is located 0 bytes to the right of 1-byte region [0x602000000070,0x602000000071) allocated by thread T0 here: #0 0x7fa43e37f3df in malloc (/usr/lib64/libasan.so.6+0xac3df) #1 0x400fca in MAIN__ (/home/lada/f/testy/bugs/a.out+0x400fca) #2 0x401305 in main (/home/lada/f/testy/bugs/a.out+0x401305) #3 0x7fa43d2f0349 in __libc_start_main (/lib64/libc.so.6+0x24349) SUMMARY: AddressSanitizer: heap-buffer-overflow (/usr/lib64/libasan.so.6+0x3b9b8) in __interceptor_memmove Shadow bytes around the buggy address: 0x0c047fff7fb0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0x0c047fff7fc0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0x0c047fff7fd0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0x0c047fff7fe0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0x0c047fff7ff0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 =>0x0c047fff8000: fa fa 06 fa fa fa 07 fa fa fa 07 fa fa fa[01]fa 0x0c047fff8010: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 0x0c047fff8020: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 0x0c047fff8030: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 0x0c047fff8040: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 0x0c047fff8050: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa Shadow byte legend (one shadow byte represents 8 application bytes): Addressable: 00 Partially addressable: 01 02 03 04 05 06 07 Heap left redzone: fa Freed heap region: fd Stack left redzone: f1 Stack mid redzone: f2 Stack right redzone: f3 Stack after return: f5 Stack use after scope: f8 Global redzone: f9 Global init order: f6 Poisoned by user: f7 Container overflow: fc Array cookie: ac Intra object redzone: bb ASan internal: fe Left alloca redzone: ca Right alloca redzone: cb Shadow gap: cc ==12833==ABORTING while class(*), allocatable :: p allocate(p, source = "abc") select type(p) type is (character(*)) print *, p end select end is clean and prints "abc". That is also written with the former without address sanitizations. Tested on OpenSuSE Leap 15.1.