[Bug libfortran/85253] [8 Regression] asan detects heap-buffer-overflow in matmul_r4.c
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=85253

--- Comment #8 from Vittorio Zecca ---
Compiling and running under both 8.0.1 and 8.1.0 with MALLOC_CHECK_=1 (see man mallopt) I get the following
(notice "free(): invalid pointer" from mallopt)

/usr/bin/gfortran -g -O0 gfbug144.f
[vitti f95]$./a.out
free(): invalid pointer

Program received signal SIGABRT: Process abort signal.

Backtrace for this error:
#0  0x1461bb3fffcf in ???
	at /usr/src/debug/glibc-2.27-37-g39071a5539/signal/../sysdeps/unix/sysv/linux/x86_64/sigaction.c:0
#1  0x1461bb3fff4b in __GI_raise
	at ../sysdeps/unix/sysv/linux/raise.c:51
#2  0x1461bb3ea590 in __GI_abort
	at /usr/src/debug/glibc-2.27-37-g39071a5539/stdlib/abort.c:79
#3  0x1461bb442b0a in __libc_message
	at ../sysdeps/posix/libc_fatal.c:181
#4  0x1461bb44903b in malloc_printerr
	at /usr/src/debug/glibc-2.27-37-g39071a5539/malloc/malloc.c:5350
#5  0x1461bb44cdfd in free_check
	at /usr/src/debug/glibc-2.27-37-g39071a5539/malloc/hooks.c:274
#6  0x400920 in MAIN__
	at /home/vitti/f95/gfbug144.f:11
#7  0x4009c4 in main
	at /home/vitti/f95/gfbug144.f:12
Aborted (core dumped)

with valgrind:

valgrind ./a.out
==30798== Memcheck, a memory error detector
==30798== Copyright (C) 2002-2017, and GNU GPL'd, by Julian Seward et al.
==30798== Using Valgrind-3.13.0 and LibVEX; rerun with -h for copyright info
==30798== Command: ./a.out
==30798==
==30798== Invalid write of size 4
==30798==    at 0x4F0E903: matmul_i4_vanilla (matmul_i4.c:2035)
==30798==    by 0x400920: MAIN__ (gfbug144.f:11)
==30798==    by 0x4009C4: main (gfbug144.f:12)
==30798==  Address 0x6079ec4 is 0 bytes after a block of size 1,028 alloc'd
==30798==    at 0x4C2DBAB: malloc (vg_replace_malloc.c:299)
==30798==    by 0x4F0D24A: matmul_i4_vanilla (matmul_i4.c:1995)
==30798==    by 0x400920: MAIN__ (gfbug144.f:11)
==30798==    by 0x4009C4: main (gfbug144.f:12)
==30798==
==30798== Invalid read of size 4
==30798==    at 0x4F10EE6: matmul_i4_vanilla (matmul_i4.c:2197)
==30798==    by 0x400920: MAIN__ (gfbug144.f:11)
==30798==    by 0x4009C4: main (gfbug144.f:12)
==30798==  Address 0x6079ec4 is 0 bytes after a block of size 1,028 alloc'd
==30798==    at 0x4C2DBAB: malloc (vg_replace_malloc.c:299)
==30798==    by 0x4F0D24A: matmul_i4_vanilla (matmul_i4.c:1995)
==30798==    by 0x400920: MAIN__ (gfbug144.f:11)
==30798==    by 0x4009C4: main (gfbug144.f:12)
==30798==
==30798== Conditional jump or move depends on uninitialised value(s)
==30798==    at 0x506872E: write_decimal.constprop.10 (write.c:808)
==30798==    by 0x5068B13: write_integer (write.c:1351)
==30798==    by 0x5069AED: list_formatted_write_scalar (write.c:1865)
==30798==    by 0x506A834: _gfortrani_list_formatted_write (write.c:1943)
==30798==    by 0x400966: MAIN__ (gfbug144.f:11)
==30798==    by 0x4009C4: main (gfbug144.f:12)
==30798==
 7 10
==30798==
==30798== HEAP SUMMARY:
==30798==     in use at exit: 0 bytes in 0 blocks
==30798==   total heap usage: 22 allocs, 22 frees, 14,548 bytes allocated
==30798==
==30798== All heap blocks were freed -- no leaks are possible
==30798==
==30798== For counts of detected and suppressed errors, rerun with: -v
==30798== Use --track-origins=yes to see where uninitialised values come from
==30798== ERROR SUMMARY: 4 errors from 3 contexts (suppressed: 0 from 0)
[Bug libfortran/85253] [8 Regression] asan detects heap-buffer-overflow in matmul_r4.c
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=85253

--- Comment #7 from Vittorio Zecca ---
You are welcome, very fast fix, keep up the good work!
[Bug libfortran/85253] [8 Regression] asan detects heap-buffer-overflow in matmul_r4.c
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=85253

Thomas Koenig changed:

           What    |Removed                     |Added
             Status|ASSIGNED                    |RESOLVED
         Resolution|---                         |FIXED

--- Comment #6 from Thomas Koenig ---
Fixed, closing.

Thanks for the bug report!
[Bug libfortran/85253] [8 Regression] asan detects heap-buffer-overflow in matmul_r4.c
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=85253

--- Comment #5 from Thomas Koenig ---
Author: tkoenig
Date: Fri Apr 6 18:49:21 2018
New Revision: 259188

URL: https://gcc.gnu.org/viewcvs?rev=259188&root=gcc&view=rev
Log:
2018-04-06 Thomas Koenig

	PR libfortran/85253
	* m4/matmul_internal.m4: If ycount == 1, add one more row to
	the internal buffer.
	* generated/matmul_c10.c: Regenerated.
	* generated/matmul_c16.c: Regenerated.
	* generated/matmul_c4.c: Regenerated.
	* generated/matmul_c8.c: Regenerated.
	* generated/matmul_i1.c: Regenerated.
	* generated/matmul_i16.c: Regenerated.
	* generated/matmul_i2.c: Regenerated.
	* generated/matmul_i4.c: Regenerated.
	* generated/matmul_i8.c: Regenerated.
	* generated/matmul_r10.c: Regenerated.
	* generated/matmul_r16.c: Regenerated.
	* generated/matmul_r4.c: Regenerated.
	* generated/matmul_r8.c: Regenerated.
	* generated/matmulavx128_c10.c: Regenerated.
	* generated/matmulavx128_c16.c: Regenerated.
	* generated/matmulavx128_c4.c: Regenerated.
	* generated/matmulavx128_c8.c: Regenerated.
	* generated/matmulavx128_i1.c: Regenerated.
	* generated/matmulavx128_i16.c: Regenerated.
	* generated/matmulavx128_i2.c: Regenerated.
	* generated/matmulavx128_i4.c: Regenerated.
	* generated/matmulavx128_i8.c: Regenerated.
	* generated/matmulavx128_r10.c: Regenerated.
	* generated/matmulavx128_r16.c: Regenerated.
	* generated/matmulavx128_r4.c: Regenerated.
	* generated/matmulavx128_r8.c: Regenerated.

Modified:
    trunk/libgfortran/ChangeLog
    trunk/libgfortran/generated/matmul_c10.c
    trunk/libgfortran/generated/matmul_c16.c
    trunk/libgfortran/generated/matmul_c4.c
    trunk/libgfortran/generated/matmul_c8.c
    trunk/libgfortran/generated/matmul_i1.c
    trunk/libgfortran/generated/matmul_i16.c
    trunk/libgfortran/generated/matmul_i2.c
    trunk/libgfortran/generated/matmul_i4.c
    trunk/libgfortran/generated/matmul_i8.c
    trunk/libgfortran/generated/matmul_r10.c
    trunk/libgfortran/generated/matmul_r16.c
    trunk/libgfortran/generated/matmul_r4.c
    trunk/libgfortran/generated/matmul_r8.c
    trunk/libgfortran/generated/matmulavx128_c10.c
    trunk/libgfortran/generated/matmulavx128_c16.c
    trunk/libgfortran/generated/matmulavx128_c4.c
    trunk/libgfortran/generated/matmulavx128_c8.c
    trunk/libgfortran/generated/matmulavx128_i1.c
    trunk/libgfortran/generated/matmulavx128_i16.c
    trunk/libgfortran/generated/matmulavx128_i2.c
    trunk/libgfortran/generated/matmulavx128_i4.c
    trunk/libgfortran/generated/matmulavx128_i8.c
    trunk/libgfortran/generated/matmulavx128_r10.c
    trunk/libgfortran/generated/matmulavx128_r16.c
    trunk/libgfortran/generated/matmulavx128_r4.c
    trunk/libgfortran/generated/matmulavx128_r8.c
    trunk/libgfortran/m4/matmul_internal.m4
[Bug libfortran/85253] [8 Regression] asan detects heap-buffer-overflow in matmul_r4.c
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=85253

--- Comment #4 from Vittorio Zecca ---
After applying the fix in comment #3 the asan message disappeared.
[Bug libfortran/85253] [8 Regression] asan detects heap-buffer-overflow in matmul_r4.c
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=85253 --- Comment #3 from Thomas Koenig --- Yep, looking at the code, it seems that in this special case, we need one more row in the temporary buffer. This seems to cure it. Index: m4/matmul_internal.m4 === --- m4/matmul_internal.m4 (Revision 259152) +++ m4/matmul_internal.m4 (Arbeitskopie) @@ -234,7 +234,7 @@ sinclude(`matmul_asm_'rtype_code`.m4')dnl /* Adjust size of t1 to what is needed. */ index_type t1_dim; - t1_dim = (a_dim1-1) * 256 + b_dim1; + t1_dim = (a_dim1- (ycount > 1)) * 256 + b_dim1; if (t1_dim > 65536) t1_dim = 65536;
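Review bot: The new sizing line `t1_dim = (a_dim1- (ycount > 1)) * 256 + b_dim1;` folds a special case into a comparison used as an integer, but the comment above it ("Adjust size of t1 to what is needed.") still does not say why ycount == 1 needs a different size. Extending that comment to state that the ycount == 1 case needs one more row in the buffer would keep a later reader from simplifying the expression back to `a_dim1-1`. The spacing in `a_dim1- (` is uneven; `a_dim1 - (ycount > 1)` reads more cleanly. The unchanged context still caps t1_dim at 65536, so it is worth confirming that the extra row for ycount == 1 is also covered when the cap applies, and a test case exercising ycount == 1 would guard against this regressing again.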
[Bug libfortran/85253] [8 Regression] asan detects heap-buffer-overflow in matmul_r4.c
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=85253

Thomas Koenig changed:

           What    |Removed                       |Added
             Status|NEW                           |ASSIGNED
           Assignee|unassigned at gcc dot gnu.org |tkoenig at gcc dot gnu.org

--- Comment #2 from Thomas Koenig ---
Probably my memory saving patch.

I'll investigate.
[Bug libfortran/85253] [8 Regression] asan detects heap-buffer-overflow in matmul_r4.c
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=85253

Dominique d'Humieres changed:

           What    |Removed                     |Added
           Priority|P3                          |P4
             Status|UNCONFIRMED                 |NEW
   Last reconfirmed|                            |2018-04-06
                 CC|                            |jvdelisle at gcc dot gnu.org,
                   |                            |tkoenig at gcc dot gnu.org
      Known to work|                            |7.0.1
   Target Milestone|---                         |8.0
            Summary|asan detects                |[8 Regression] asan detects
                   |heap-buffer-overflow in     |heap-buffer-overflow in
                   |matmul_r4.c                 |matmul_r4.c
     Ever confirmed|0                           |1
      Known to fail|                            |8.0.1

--- Comment #1 from Dominique d'Humieres ---
It looks to be a gcc8 regression that occurred between revision r245276 (7.0.1) and r254086 (8.0). I see

==28006==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x61900984 at pc 0x000105e887a3 bp 0x7ffeea337be0 sp 0x7ffeea337bd8
WRITE of size 4 at 0x61900984 thread T0
    #0 0x105e887a2 in matmul_r4_avx matmul_r4.c:365
...