This is the mail archive of the gcc-bugs@gcc.gnu.org mailing list for the GCC project.



[Bug fortran/87994] ICE in match_data_constant, at fortran/decl.c:399


https://gcc.gnu.org/bugzilla/show_bug.cgi?id=87994

--- Comment #8 from Dominique d'Humieres <dominiq at lps dot ens.fr> ---
I have instrumented gfortran with the patch in comment 5 and all the tests fail
as with pr87881:

=================================================================
==67715==ERROR: AddressSanitizer: heap-use-after-free on address 0x6170000045d8
at pc 0x0001001565a9 bp 0x7ffeefbfdd30 sp 0x7ffeefbfdd28
READ of size 8 at 0x6170000045d8 thread T0
    #0 0x1001565a8 in simplify_ref_chain(gfc_ref*, int, gfc_expr**) expr.c:1943
    #1 0x10015438e in gfc_simplify_expr(gfc_expr*, int) expr.c:2164
    #2 0x100369eaf in gfc_match_varspec(gfc_expr*, int, bool, bool) primary.c:2287
    #3 0x1003798ba in gfc_match_rvalue(gfc_expr**) primary.c:3670
    #4 0x1000c2f63 in match_data_constant(gfc_expr**) decl.c:379
    #5 0x1000c4291 in top_val_list(gfc_data*) decl.c:478
    #6 0x1000c4905 in gfc_match_data() decl.c:624
    #7 0x10032fbc7 in match_word(char const*, match (*)(), locus*) parse.c:65
    #8 0x10033d154 in decode_statement() parse.c:468
    #9 0x10033ee0d in next_free() parse.c:1234
    #10 0x10033f7d2 in next_statement() parse.c:1466
    #11 0x100345d67 in parse_spec(gfc_statement) parse.c:3858
    #12 0x10034c892 in parse_progunit(gfc_statement) parse.c:5671
    #13 0x10034ec10 in gfc_parse_file() parse.c:6211
    #14 0x100525304 in gfc_be_parse_file() f95-lang.c:204
    #15 0x1062941c8 in compile_file() toplev.c:455
    #16 0x10629f87c in do_compile() toplev.c:2172
    #17 0x109388807 in toplev::main(int, char**) toplev.c:2307
    #18 0x1097eaf4c in main main.c:39
    #19 0x7fff703f908c in start (libdyld.dylib:x86_64+0x1708c)

0x6170000045d8 is located 728 bytes inside of 736-byte region
[0x617000004300,0x6170000045e0)
freed by thread T0 here:
    #0 0x15948a8e0 in wrap_free.part.0 sanitizer_malloc_mac.inc:121
    #1 0x10012e8e5 in gfc_free_ref_list(gfc_ref*) expr.c:599
    #2 0x10012efdd in free_expr0(gfc_expr*) expr.c:505
    #3 0x10012f3be in gfc_replace_expr(gfc_expr*, gfc_expr*) expr.c:616
    #4 0x1001563b7 in simplify_ref_chain(gfc_ref*, int, gfc_expr**) expr.c:1970
    #5 0x10015438e in gfc_simplify_expr(gfc_expr*, int) expr.c:2164
    #6 0x100369eaf in gfc_match_varspec(gfc_expr*, int, bool, bool) primary.c:2287
    #7 0x1003798ba in gfc_match_rvalue(gfc_expr**) primary.c:3670
    #8 0x1000c2f63 in match_data_constant(gfc_expr**) decl.c:379
    #9 0x1000c4291 in top_val_list(gfc_data*) decl.c:478
    #10 0x1000c4905 in gfc_match_data() decl.c:624
    #11 0x10032fbc7 in match_word(char const*, match (*)(), locus*) parse.c:65
    #12 0x10033d154 in decode_statement() parse.c:468
    #13 0x10033ee0d in next_free() parse.c:1234
    #14 0x10033f7d2 in next_statement() parse.c:1466
    #15 0x100345d67 in parse_spec(gfc_statement) parse.c:3858
    #16 0x10034c892 in parse_progunit(gfc_statement) parse.c:5671
    #17 0x10034ec10 in gfc_parse_file() parse.c:6211
    #18 0x100525304 in gfc_be_parse_file() f95-lang.c:204
    #19 0x1062941c8 in compile_file() toplev.c:455
    #20 0x10629f87c in do_compile() toplev.c:2172
    #21 0x109388807 in toplev::main(int, char**) toplev.c:2307
    #22 0x1097eaf4c in main main.c:39
    #23 0x7fff703f908c in start (libdyld.dylib:x86_64+0x1708c)

previously allocated by thread T0 here:
    #0 0x159489db3 in wrap_calloc sanitizer_malloc_mac.inc:132
    #1 0x1088a10de in xcalloc xmalloc.c:162
    #2 0x10035b5ae in is_inquiry_ref(char const*, gfc_ref**) primary.c:1964
    #3 0x100368721 in gfc_match_varspec(gfc_expr*, int, bool, bool) primary.c:2199
    #4 0x1003798ba in gfc_match_rvalue(gfc_expr**) primary.c:3670
    #5 0x1000c2f63 in match_data_constant(gfc_expr**) decl.c:379
    #6 0x1000c4291 in top_val_list(gfc_data*) decl.c:478
    #7 0x1000c4905 in gfc_match_data() decl.c:624
    #8 0x10032fbc7 in match_word(char const*, match (*)(), locus*) parse.c:65
    #9 0x10033d154 in decode_statement() parse.c:468
    #10 0x10033ee0d in next_free() parse.c:1234
    #11 0x10033f7d2 in next_statement() parse.c:1466
    #12 0x100345d67 in parse_spec(gfc_statement) parse.c:3858
    #13 0x10034c892 in parse_progunit(gfc_statement) parse.c:5671
    #14 0x10034ec10 in gfc_parse_file() parse.c:6211
    #15 0x100525304 in gfc_be_parse_file() f95-lang.c:204
    #16 0x1062941c8 in compile_file() toplev.c:455
    #17 0x10629f87c in do_compile() toplev.c:2172
    #18 0x109388807 in toplev::main(int, char**) toplev.c:2307
    #19 0x1097eaf4c in main main.c:39
    #20 0x7fff703f908c in start (libdyld.dylib:x86_64+0x1708c)

SUMMARY: AddressSanitizer: heap-use-after-free expr.c:1943 in simplify_ref_chain(gfc_ref*, int, gfc_expr**)
Shadow bytes around the buggy address:
==67715==ABORTING
f951: internal compiler error: Abort trap: 6
