https://gcc.gnu.org/bugzilla/show_bug.cgi?id=78746

Dominique d'Humieres <dominiq at lps dot ens.fr> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Target|arm aarch64                 |
             Status|UNCONFIRMED                 |NEW
   Last reconfirmed|                            |2016-12-09
     Ever confirmed|0                           |1

--- Comment #2 from Dominique d'Humieres <dominiq at lps dot ens.fr> ---
Confirmed on x86 as well: see
https://gcc.gnu.org/ml/gcc-testresults/2016-12/msg01049.html. They are all
heap-use-after-free:

[Book15] f90/bug% gfcg /opt/gcc/work/gcc/testsuite/gfortran.dg/charlen_15.f90
=================================================================
==52586==ERROR: AddressSanitizer: heap-use-after-free on address 0x604000001110
at pc 0x0001001ea062 bp 0x7fff5fbfe5b0 sp 0x7fff5fbfe5a8
READ of size 8 at 0x604000001110 thread T0
    #0 0x1001ea061 in mio_expr(gfc_expr**)
(/opt/gcc/gcc7g/libexec/gcc/x86_64-apple-darwin16.1.0/7.0.0/f951+0x1001ea061)
    #1 0x1001eb55a in mio_charlen(gfc_charlen**)
(/opt/gcc/gcc7g/libexec/gcc/x86_64-apple-darwin16.1.0/7.0.0/f951+0x1001eb55a)
    #2 0x1001ebb2b in mio_typespec(gfc_typespec*)
(/opt/gcc/gcc7g/libexec/gcc/x86_64-apple-darwin16.1.0/7.0.0/f951+0x1001ebb2b)
    #3 0x1001e9f6e in mio_expr(gfc_expr**)
(/opt/gcc/gcc7g/libexec/gcc/x86_64-apple-darwin16.1.0/7.0.0/f951+0x1001e9f6e)
    #4 0x1001edb45 in mio_component(gfc_component*, int)
(/opt/gcc/gcc7g/libexec/gcc/x86_64-apple-darwin16.1.0/7.0.0/f951+0x1001edb45)
    #5 0x1001ede9e in mio_component_list(gfc_component**, int)
(/opt/gcc/gcc7g/libexec/gcc/x86_64-apple-darwin16.1.0/7.0.0/f951+0x1001ede9e)
    #6 0x1001f2045 in mio_symbol(gfc_symbol*)
(/opt/gcc/gcc7g/libexec/gcc/x86_64-apple-darwin16.1.0/7.0.0/f951+0x1001f2045)
    #7 0x1001f2c7c in write_symbol(int, gfc_symbol*)
(/opt/gcc/gcc7g/libexec/gcc/x86_64-apple-darwin16.1.0/7.0.0/f951+0x1001f2c7c)
    #8 0x1001fbc3c in write_symbol0(gfc_symtree*)
(/opt/gcc/gcc7g/libexec/gcc/x86_64-apple-darwin16.1.0/7.0.0/f951+0x1001fbc3c)
    #9 0x1001fb8d4 in write_symbol0(gfc_symtree*)
(/opt/gcc/gcc7g/libexec/gcc/x86_64-apple-darwin16.1.0/7.0.0/f951+0x1001fb8d4)
    #10 0x1001fc21d in write_module()
(/opt/gcc/gcc7g/libexec/gcc/x86_64-apple-darwin16.1.0/7.0.0/f951+0x1001fc21d)
    #11 0x1001fc697 in dump_module(char const*, int)
(/opt/gcc/gcc7g/libexec/gcc/x86_64-apple-darwin16.1.0/7.0.0/f951+0x1001fc697)
    #12 0x1001fcdd4 in gfc_dump_module(char const*, int)
(/opt/gcc/gcc7g/libexec/gcc/x86_64-apple-darwin16.1.0/7.0.0/f951+0x1001fcdd4)
    #13 0x1002a824f in gfc_parse_file()
(/opt/gcc/gcc7g/libexec/gcc/x86_64-apple-darwin16.1.0/7.0.0/f951+0x1002a824f)
    #14 0x100405ab7 in gfc_be_parse_file()
(/opt/gcc/gcc7g/libexec/gcc/x86_64-apple-darwin16.1.0/7.0.0/f951+0x100405ab7)
    #15 0x104b3dc50 in compile_file()
(/opt/gcc/gcc7g/libexec/gcc/x86_64-apple-darwin16.1.0/7.0.0/f951+0x104b3dc50)
    #16 0x104b466e9 in do_compile()
(/opt/gcc/gcc7g/libexec/gcc/x86_64-apple-darwin16.1.0/7.0.0/f951+0x104b466e9)
    #17 0x106c28c4e in toplev::main(int, char**)
(/opt/gcc/gcc7g/libexec/gcc/x86_64-apple-darwin16.1.0/7.0.0/f951+0x106c28c4e)
    #18 0x106c2df67 in main
(/opt/gcc/gcc7g/libexec/gcc/x86_64-apple-darwin16.1.0/7.0.0/f951+0x106c2df67)
    #19 0x7fffe8d83254 in start (/usr/lib/system/libdyld.dylib+0x5254)

0x604000001110 is located 0 bytes inside of 48-byte region
[0x604000001110,0x604000001140)
freed by thread T0 here:
    #0 0x152bf48b0 in wrap_free.part.0
(/opt/gcc/gcc7a/lib/libasan.4.dylib+0x638b0)
    #1 0x10031c473 in resolve_structure_cons(gfc_expr*, int)
(/opt/gcc/gcc7g/libexec/gcc/x86_64-apple-darwin16.1.0/7.0.0/f951+0x10031c473)
    #2 0x10035169b in resolve_values(gfc_symbol*)
(/opt/gcc/gcc7g/libexec/gcc/x86_64-apple-darwin16.1.0/7.0.0/f951+0x10035169b)
    #3 0x1003ad64e in do_traverse_symtree(gfc_symtree*, void (*)(gfc_symtree*),
void (*)(gfc_symbol*))
(/opt/gcc/gcc7g/libexec/gcc/x86_64-apple-darwin16.1.0/7.0.0/f951+0x1003ad64e)
    #4 0x1003c60c3 in gfc_traverse_ns(gfc_namespace*, void (*)(gfc_symbol*))
(/opt/gcc/gcc7g/libexec/gcc/x86_64-apple-darwin16.1.0/7.0.0/f951+0x1003c60c3)
    #5 0x1003567a1 in resolve_types(gfc_namespace*)
(/opt/gcc/gcc7g/libexec/gcc/x86_64-apple-darwin16.1.0/7.0.0/f951+0x1003567a1)
    #6 0x1003052d7 in gfc_resolve(gfc_namespace*)
(/opt/gcc/gcc7g/libexec/gcc/x86_64-apple-darwin16.1.0/7.0.0/f951+0x1003052d7)
    #7 0x1002a7e8d in gfc_parse_file()
(/opt/gcc/gcc7g/libexec/gcc/x86_64-apple-darwin16.1.0/7.0.0/f951+0x1002a7e8d)
    #8 0x100405ab7 in gfc_be_parse_file()
(/opt/gcc/gcc7g/libexec/gcc/x86_64-apple-darwin16.1.0/7.0.0/f951+0x100405ab7)
    #9 0x104b3dc50 in compile_file()
(/opt/gcc/gcc7g/libexec/gcc/x86_64-apple-darwin16.1.0/7.0.0/f951+0x104b3dc50)
    #10 0x104b466e9 in do_compile()
(/opt/gcc/gcc7g/libexec/gcc/x86_64-apple-darwin16.1.0/7.0.0/f951+0x104b466e9)
    #11 0x106c28c4e in toplev::main(int, char**)
(/opt/gcc/gcc7g/libexec/gcc/x86_64-apple-darwin16.1.0/7.0.0/f951+0x106c28c4e)
    #12 0x106c2df67 in main
(/opt/gcc/gcc7g/libexec/gcc/x86_64-apple-darwin16.1.0/7.0.0/f951+0x106c2df67)
    #13 0x7fffe8d83254 in start (/usr/lib/system/libdyld.dylib+0x5254)

previously allocated by thread T0 here:
    #0 0x152bf3f30 in wrap_calloc (/opt/gcc/gcc7a/lib/libasan.4.dylib+0x62f30)
    #1 0x1069e7b07 in xcalloc
(/opt/gcc/gcc7g/libexec/gcc/x86_64-apple-darwin16.1.0/7.0.0/f951+0x1069e7b07)
    #2 0x1003c32dd in gfc_new_charlen(gfc_namespace*, gfc_charlen*)
(/opt/gcc/gcc7g/libexec/gcc/x86_64-apple-darwin16.1.0/7.0.0/f951+0x1003c32dd)
    #3 0x100086558 in gfc_match_char_spec(gfc_typespec*)
(/opt/gcc/gcc7g/libexec/gcc/x86_64-apple-darwin16.1.0/7.0.0/f951+0x100086558)
    #4 0x1001b3da7 in gfc_match_type_spec(gfc_typespec*)
(/opt/gcc/gcc7g/libexec/gcc/x86_64-apple-darwin16.1.0/7.0.0/f951+0x1001b3da7)
    #5 0x100019611 
(/opt/gcc/gcc7g/libexec/gcc/x86_64-apple-darwin16.1.0/7.0.0/f951+0x100019611)
    #6 0x1001c923a in match_primary(gfc_expr**)
(/opt/gcc/gcc7g/libexec/gcc/x86_64-apple-darwin16.1.0/7.0.0/f951+0x1001c923a)
    #7 0x1001c952b in match_level_1(gfc_expr**)
(/opt/gcc/gcc7g/libexec/gcc/x86_64-apple-darwin16.1.0/7.0.0/f951+0x1001c952b)
    #8 0x1001c9904 in match_mult_operand(gfc_expr**)
(/opt/gcc/gcc7g/libexec/gcc/x86_64-apple-darwin16.1.0/7.0.0/f951+0x1001c9904)
    #9 0x1001ca1e0 in match_add_operand(gfc_expr**)
(/opt/gcc/gcc7g/libexec/gcc/x86_64-apple-darwin16.1.0/7.0.0/f951+0x1001ca1e0)
    #10 0x1001cac48 in match_level_2(gfc_expr**)
(/opt/gcc/gcc7g/libexec/gcc/x86_64-apple-darwin16.1.0/7.0.0/f951+0x1001cac48)
    #11 0x1001cb1bc in match_level_3(gfc_expr**)
(/opt/gcc/gcc7g/libexec/gcc/x86_64-apple-darwin16.1.0/7.0.0/f951+0x1001cb1bc)
    #12 0x1001cb6a4 in match_level_4(gfc_expr**)
(/opt/gcc/gcc7g/libexec/gcc/x86_64-apple-darwin16.1.0/7.0.0/f951+0x1001cb6a4)
    #13 0x1001cc6b9 in match_and_operand(gfc_expr**)
(/opt/gcc/gcc7g/libexec/gcc/x86_64-apple-darwin16.1.0/7.0.0/f951+0x1001cc6b9)
    #14 0x1001cc9b3 in match_or_operand(gfc_expr**)
(/opt/gcc/gcc7g/libexec/gcc/x86_64-apple-darwin16.1.0/7.0.0/f951+0x1001cc9b3)
    #15 0x1001cce6a in match_equiv_operand(gfc_expr**)
(/opt/gcc/gcc7g/libexec/gcc/x86_64-apple-darwin16.1.0/7.0.0/f951+0x1001cce6a)
    #16 0x1001cd327 in match_level_5(gfc_expr**)
(/opt/gcc/gcc7g/libexec/gcc/x86_64-apple-darwin16.1.0/7.0.0/f951+0x1001cd327)
    #17 0x1001c8d10 in gfc_match_expr(gfc_expr**)
(/opt/gcc/gcc7g/libexec/gcc/x86_64-apple-darwin16.1.0/7.0.0/f951+0x1001c8d10)
    #18 0x1000f1600 in gfc_match_init_expr(gfc_expr**)
(/opt/gcc/gcc7g/libexec/gcc/x86_64-apple-darwin16.1.0/7.0.0/f951+0x1000f1600)
    #19 0x1000a71a3 in variable_decl(int)
(/opt/gcc/gcc7g/libexec/gcc/x86_64-apple-darwin16.1.0/7.0.0/f951+0x1000a71a3)
    #20 0x1000a7bd3 in gfc_match_data_decl()
(/opt/gcc/gcc7g/libexec/gcc/x86_64-apple-darwin16.1.0/7.0.0/f951+0x1000a7bd3)
    #21 0x10028bdb8 in match_word(char const*, match (*)(), locus*)
(/opt/gcc/gcc7g/libexec/gcc/x86_64-apple-darwin16.1.0/7.0.0/f951+0x10028bdb8)
    #22 0x10029728e in decode_statement()
(/opt/gcc/gcc7g/libexec/gcc/x86_64-apple-darwin16.1.0/7.0.0/f951+0x10029728e)
    #23 0x100299861 in next_free()
(/opt/gcc/gcc7g/libexec/gcc/x86_64-apple-darwin16.1.0/7.0.0/f951+0x100299861)
    #27 0x1002a70ba in parse_module()
(/opt/gcc/gcc7g/libexec/gcc/x86_64-apple-darwin16.1.0/7.0.0/f951+0x1002a70ba)
    #28 0x1002a806c in gfc_parse_file()
(/opt/gcc/gcc7g/libexec/gcc/x86_64-apple-darwin16.1.0/7.0.0/f951+0x1002a806c)
    #29 0x100405ab7 in gfc_be_parse_file()
(/opt/gcc/gcc7g/libexec/gcc/x86_64-apple-darwin16.1.0/7.0.0/f951+0x100405ab7)

SUMMARY: AddressSanitizer: heap-use-after-free
(/opt/gcc/gcc7g/libexec/gcc/x86_64-apple-darwin16.1.0/7.0.0/f951+0x1001ea061)
in mio_expr(gfc_expr**)
Shadow bytes around the buggy address:
  0x1c08000001d0: fa fa 00 00 00 00 00 00 fa fa 00 00 00 00 00 00
  0x1c08000001e0: fa fa fd fd fd fd fd fd fa fa fd fd fd fd fd fd
  0x1c08000001f0: fa fa fd fd fd fd fd fd fa fa fd fd fd fd fd fa
  0x1c0800000200: fa fa fd fd fd fd fd fd fa fa fd fd fd fd fd fa
  0x1c0800000210: fa fa fd fd fd fd fd fa fa fa 00 00 00 00 00 00
=>0x1c0800000220: fa fa[fd]fd fd fd fd fd fa fa 00 00 00 00 00 00
  0x1c0800000230: fa fa fd fd fd fd fd fd fa fa fd fd fd fd fd fd
  0x1c0800000240: fa fa fd fd fd fd fd fd fa fa fd fd fd fd fd fd
  0x1c0800000250: fa fa fd fd fd fd fd fa fa fa fd fd fd fd fd fd
  0x1c0800000260: fa fa fd fd fd fd fd fd fa fa fd fd fd fd fd fd
  0x1c0800000270: fa fa fd fd fd fd fd fd fa fa fd fd fd fd fd fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==52586==ABORTING
f951: internal compiler error: Abort trap: 6
gfcg: internal compiler error: Abort trap: 6 (program f951)
Please submit a full bug report,
with preprocessed source if appropriate.
See <http://gcc.gnu.org/bugs.html> for instructions.
