[Bug libfortran/85253] [8 Regression] asan detects heap-buffer-overflow in matmul_r4.c

2018-05-04 Thread zeccav at gmail dot com
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=85253

--- Comment #8 from Vittorio Zecca  ---
Compiling and running under both 8.0.1 and 8.1.0
with MALLOC_CHECK_=1 (see man mallopt)

I get the following (notice "free(): invalid pointer" from mallopt)

/usr/bin/gfortran -g -O0 gfbug144.f 
[vitti f95]$./a.out
free(): invalid pointer

Program received signal SIGABRT: Process abort signal.

Backtrace for this error:
#0  0x1461bb3fffcf in ???
	at /usr/src/debug/glibc-2.27-37-g39071a5539/signal/../sysdeps/unix/sysv/linux/x86_64/sigaction.c:0
#1  0x1461bb3fff4b in __GI_raise
	at ../sysdeps/unix/sysv/linux/raise.c:51
#2  0x1461bb3ea590 in __GI_abort
	at /usr/src/debug/glibc-2.27-37-g39071a5539/stdlib/abort.c:79
#3  0x1461bb442b0a in __libc_message
	at ../sysdeps/posix/libc_fatal.c:181
#4  0x1461bb44903b in malloc_printerr
	at /usr/src/debug/glibc-2.27-37-g39071a5539/malloc/malloc.c:5350
#5  0x1461bb44cdfd in free_check
	at /usr/src/debug/glibc-2.27-37-g39071a5539/malloc/hooks.c:274
#6  0x400920 in MAIN__
	at /home/vitti/f95/gfbug144.f:11
#7  0x4009c4 in main
	at /home/vitti/f95/gfbug144.f:12
Aborted (core dumped)

with valgrind:

valgrind ./a.out
==30798== Memcheck, a memory error detector
==30798== Copyright (C) 2002-2017, and GNU GPL'd, by Julian Seward et al.
==30798== Using Valgrind-3.13.0 and LibVEX; rerun with -h for copyright info
==30798== Command: ./a.out
==30798== 
==30798== Invalid write of size 4
==30798==    at 0x4F0E903: matmul_i4_vanilla (matmul_i4.c:2035)
==30798==    by 0x400920: MAIN__ (gfbug144.f:11)
==30798==    by 0x4009C4: main (gfbug144.f:12)
==30798==  Address 0x6079ec4 is 0 bytes after a block of size 1,028 alloc'd
==30798==    at 0x4C2DBAB: malloc (vg_replace_malloc.c:299)
==30798==    by 0x4F0D24A: matmul_i4_vanilla (matmul_i4.c:1995)
==30798==    by 0x400920: MAIN__ (gfbug144.f:11)
==30798==    by 0x4009C4: main (gfbug144.f:12)
==30798== 
==30798== Invalid read of size 4
==30798==    at 0x4F10EE6: matmul_i4_vanilla (matmul_i4.c:2197)
==30798==    by 0x400920: MAIN__ (gfbug144.f:11)
==30798==    by 0x4009C4: main (gfbug144.f:12)
==30798==  Address 0x6079ec4 is 0 bytes after a block of size 1,028 alloc'd
==30798==    at 0x4C2DBAB: malloc (vg_replace_malloc.c:299)
==30798==    by 0x4F0D24A: matmul_i4_vanilla (matmul_i4.c:1995)
==30798==    by 0x400920: MAIN__ (gfbug144.f:11)
==30798==    by 0x4009C4: main (gfbug144.f:12)
==30798== 
==30798== Conditional jump or move depends on uninitialised value(s)
==30798==    at 0x506872E: write_decimal.constprop.10 (write.c:808)
==30798==    by 0x5068B13: write_integer (write.c:1351)
==30798==    by 0x5069AED: list_formatted_write_scalar (write.c:1865)
==30798==    by 0x506A834: _gfortrani_list_formatted_write (write.c:1943)
==30798==    by 0x400966: MAIN__ (gfbug144.f:11)
==30798==    by 0x4009C4: main (gfbug144.f:12)
==30798== 
   7  10
==30798== 
==30798== HEAP SUMMARY:
==30798==     in use at exit: 0 bytes in 0 blocks
==30798==   total heap usage: 22 allocs, 22 frees, 14,548 bytes allocated
==30798== 
==30798== All heap blocks were freed -- no leaks are possible
==30798== 
==30798== For counts of detected and suppressed errors, rerun with: -v
==30798== Use --track-origins=yes to see where uninitialised values come from
==30798== ERROR SUMMARY: 4 errors from 3 contexts (suppressed: 0 from 0)

[Bug libfortran/85253] [8 Regression] asan detects heap-buffer-overflow in matmul_r4.c

2018-04-06 Thread zeccav at gmail dot com
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=85253

--- Comment #7 from Vittorio Zecca  ---
You are welcome, very fast fix, keep up the good work!

[Bug libfortran/85253] [8 Regression] asan detects heap-buffer-overflow in matmul_r4.c

2018-04-06 Thread tkoenig at gcc dot gnu.org
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=85253

Thomas Koenig  changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|ASSIGNED                    |RESOLVED
         Resolution|---                         |FIXED

--- Comment #6 from Thomas Koenig  ---
Fixed, closing.

Thanks for the bug report!

[Bug libfortran/85253] [8 Regression] asan detects heap-buffer-overflow in matmul_r4.c

2018-04-06 Thread tkoenig at gcc dot gnu.org
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=85253

--- Comment #5 from Thomas Koenig  ---
Author: tkoenig
Date: Fri Apr  6 18:49:21 2018
New Revision: 259188

URL: https://gcc.gnu.org/viewcvs?rev=259188&root=gcc&view=rev
Log:
2018-04-06  Thomas Koenig  

PR libfortran/85253
* m4/matmul_internal.m4: If ycount == 1, add one more row to
the internal buffer.
* generated/matmul_c10.c: Regenerated.
* generated/matmul_c16.c: Regenerated.
* generated/matmul_c4.c: Regenerated.
* generated/matmul_c8.c: Regenerated.
* generated/matmul_i1.c: Regenerated.
* generated/matmul_i16.c: Regenerated.
* generated/matmul_i2.c: Regenerated.
* generated/matmul_i4.c: Regenerated.
* generated/matmul_i8.c: Regenerated.
* generated/matmul_r10.c: Regenerated.
* generated/matmul_r16.c: Regenerated.
* generated/matmul_r4.c: Regenerated.
* generated/matmul_r8.c: Regenerated.
* generated/matmulavx128_c10.c: Regenerated.
* generated/matmulavx128_c16.c: Regenerated.
* generated/matmulavx128_c4.c: Regenerated.
* generated/matmulavx128_c8.c: Regenerated.
* generated/matmulavx128_i1.c: Regenerated.
* generated/matmulavx128_i16.c: Regenerated.
* generated/matmulavx128_i2.c: Regenerated.
* generated/matmulavx128_i4.c: Regenerated.
* generated/matmulavx128_i8.c: Regenerated.
* generated/matmulavx128_r10.c: Regenerated.
* generated/matmulavx128_r16.c: Regenerated.
* generated/matmulavx128_r4.c: Regenerated.
* generated/matmulavx128_r8.c: Regenerated.


Modified:
trunk/libgfortran/ChangeLog
trunk/libgfortran/generated/matmul_c10.c
trunk/libgfortran/generated/matmul_c16.c
trunk/libgfortran/generated/matmul_c4.c
trunk/libgfortran/generated/matmul_c8.c
trunk/libgfortran/generated/matmul_i1.c
trunk/libgfortran/generated/matmul_i16.c
trunk/libgfortran/generated/matmul_i2.c
trunk/libgfortran/generated/matmul_i4.c
trunk/libgfortran/generated/matmul_i8.c
trunk/libgfortran/generated/matmul_r10.c
trunk/libgfortran/generated/matmul_r16.c
trunk/libgfortran/generated/matmul_r4.c
trunk/libgfortran/generated/matmul_r8.c
trunk/libgfortran/generated/matmulavx128_c10.c
trunk/libgfortran/generated/matmulavx128_c16.c
trunk/libgfortran/generated/matmulavx128_c4.c
trunk/libgfortran/generated/matmulavx128_c8.c
trunk/libgfortran/generated/matmulavx128_i1.c
trunk/libgfortran/generated/matmulavx128_i16.c
trunk/libgfortran/generated/matmulavx128_i2.c
trunk/libgfortran/generated/matmulavx128_i4.c
trunk/libgfortran/generated/matmulavx128_i8.c
trunk/libgfortran/generated/matmulavx128_r10.c
trunk/libgfortran/generated/matmulavx128_r16.c
trunk/libgfortran/generated/matmulavx128_r4.c
trunk/libgfortran/generated/matmulavx128_r8.c
trunk/libgfortran/m4/matmul_internal.m4

[Bug libfortran/85253] [8 Regression] asan detects heap-buffer-overflow in matmul_r4.c

2018-04-06 Thread zeccav at gmail dot com
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=85253

--- Comment #4 from Vittorio Zecca  ---
After applying the fix in comment #3 the asan message disappeared.

[Bug libfortran/85253] [8 Regression] asan detects heap-buffer-overflow in matmul_r4.c

2018-04-06 Thread tkoenig at gcc dot gnu.org
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=85253

--- Comment #3 from Thomas Koenig  ---
Yep, looking at the code, it seems that in this special
case, we need one more row in the temporary buffer.

This seems to cure it.

Index: m4/matmul_internal.m4
===
--- m4/matmul_internal.m4   (Revision 259152)
+++ m4/matmul_internal.m4   (Arbeitskopie)
@@ -234,7 +234,7 @@ sinclude(`matmul_asm_'rtype_code`.m4')dnl

   /* Adjust size of t1 to what is needed.  */
   index_type t1_dim;
-  t1_dim = (a_dim1-1) * 256 + b_dim1;
+  t1_dim = (a_dim1- (ycount > 1)) * 256 + b_dim1;
   if (t1_dim > 65536)
t1_dim = 65536;
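Review bot: the new sizing line `t1_dim = (a_dim1- (ycount > 1)) * 256 + b_dim1;` relies on the comparison evaluating to 0 or 1 and gives no hint why ycount == 1 needs a whole extra row, so a short comment above it carrying the ChangeLog rationale ("if ycount == 1, add one more row to the internal buffer") or a spelled-out form such as `t1_dim = (ycount > 1 ? a_dim1 - 1 : a_dim1) * 256 + b_dim1;` would keep the rule reviewable; the spacing in `a_dim1- (ycount > 1)` should also be `a_dim1 - (ycount > 1)`. Since the buffer size here and the index range the kernel writes are computed in separate places, which is how the one-row shortfall slipped past, a testsuite case with the ycount == 1 shape from this report, run under -fsanitize=address, would guard against the next regression. The `if (t1_dim > 65536)` clamp that follows is unchanged by the hunk, so it is worth confirming that the extra row is still accounted for when the clamp applies.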

[Bug libfortran/85253] [8 Regression] asan detects heap-buffer-overflow in matmul_r4.c

2018-04-06 Thread tkoenig at gcc dot gnu.org
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=85253

Thomas Koenig  changed:

           What    |Removed                        |Added
----------------------------------------------------------------------------
             Status|NEW                            |ASSIGNED
           Assignee|unassigned at gcc dot gnu.org  |tkoenig at gcc dot gnu.org

--- Comment #2 from Thomas Koenig  ---
Probably my memory saving patch.

I'll investigate.

[Bug libfortran/85253] [8 Regression] asan detects heap-buffer-overflow in matmul_r4.c

2018-04-06 Thread dominiq at lps dot ens.fr
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=85253

Dominique d'Humieres  changed:

           What    |Removed                                          |Added
--------------------------------------------------------------------------------------------------------------------
           Priority|P3                                               |P4
             Status|UNCONFIRMED                                      |NEW
   Last reconfirmed|                                                 |2018-04-06
                 CC|                                                 |jvdelisle at gcc dot gnu.org,
                   |                                                 |tkoenig at gcc dot gnu.org
      Known to work|                                                 |7.0.1
   Target Milestone|---                                              |8.0
            Summary|asan detects heap-buffer-overflow in matmul_r4.c |[8 Regression] asan detects heap-buffer-overflow in matmul_r4.c
     Ever confirmed|0                                                |1
      Known to fail|                                                 |8.0.1

--- Comment #1 from Dominique d'Humieres  ---
It looks to be a gcc8 regression that occurred between revision r245276 (7.0.1)
and r254086 (8.0).

I see

==28006==ERROR: AddressSanitizer: heap-buffer-overflow on address
0x61900984 at pc 0x000105e887a3 bp 0x7ffeea337be0 sp 0x7ffeea337bd8
WRITE of size 4 at 0x61900984 thread T0
#0 0x105e887a2 in matmul_r4_avx matmul_r4.c:365
...