104999 – [12 Regression] runtime error: pointer index expression with base 0x00000cf67720 overflowed to 0xffffffffea627728

Bug 104999 - [12 Regression] runtime error: pointer index expression with base 0x00000cf67720 overflowed to 0xffffffffea627728

Summary: [12 Regression] runtime error: pointer index expression with base 0x00000cf67...

Status:	RESOLVED FIXED

Alias:	None

Product:	gcc
Classification:	Unclassified
Component:	fortran (show other bugs)
Version:	12.0

Importance:	P4 normal
Target Milestone:	12.0
Assignee:	Not yet assigned to anyone

URL:
Keywords:	needs-bisection

Depends on:
Blocks:	ubsan
	Show dependency tree / graph

Reported:	2022-03-21 14:14 UTC by Martin Liška
Modified:	2022-03-23 18:13 UTC (History)
CC List:	1 user (show)

See Also:
Host:
Target:
Build:
Known to work:
Known to fail:
Last reconfirmed:	2022-03-22 00:00:00

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Martin Liška 2022-03-21 14:14:22 UTC

Happens for gfortran.dg/simplify_cshift_1.f90 test-case:

Reduced to:

$  cat c.f90
program foo
   type t
   end type t
   integer, parameter :: a(5) = [1, 2, 3, 4, 5]
   integer i, b(5), c(5), v(5)
   if (any(b /= v)) STOP 1
   b = cshift(a, 2)
end program foo

$ ./xgcc -B. c.f90 -c
/home/marxin/BIG/buildbot/buildworker/marxinbox-gcc-ubsan/build/gcc/fortran/simplify.cc:2239:12: runtime error: pointer index expression with base 0x00000cf01270 overflowed to 0xffffffffea5c1278
    #0 0xd4c8cd in gfc_simplify_cshift(gfc_expr*, gfc_expr*, gfc_expr*) /home/marxin/BIG/buildbot/buildworker/marxinbox-gcc-ubsan/build/gcc/fortran/simplify.cc:2239
    #1 0xb41c2d in do_simplify /home/marxin/BIG/buildbot/buildworker/marxinbox-gcc-ubsan/build/gcc/fortran/intrinsic.cc:4676
    #2 0xb5513e in gfc_intrinsic_func_interface(gfc_expr*, int) /home/marxin/BIG/buildbot/buildworker/marxinbox-gcc-ubsan/build/gcc/fortran/intrinsic.cc:5055
    #3 0xcd35fa in resolve_unknown_f /home/marxin/BIG/buildbot/buildworker/marxinbox-gcc-ubsan/build/gcc/fortran/resolve.cc:2978
    #4 0xcd35fa in resolve_function /home/marxin/BIG/buildbot/buildworker/marxinbox-gcc-ubsan/build/gcc/fortran/resolve.cc:3335
    #5 0xcd35fa in gfc_resolve_expr(gfc_expr*) /home/marxin/BIG/buildbot/buildworker/marxinbox-gcc-ubsan/build/gcc/fortran/resolve.cc:7175
    #6 0xcd35fa in gfc_resolve_expr(gfc_expr*) /home/marxin/BIG/buildbot/buildworker/marxinbox-gcc-ubsan/build/gcc/fortran/resolve.cc:7137
    #7 0xd05c2d in gfc_resolve_code(gfc_code*, gfc_namespace*) /home/marxin/BIG/buildbot/buildworker/marxinbox-gcc-ubsan/build/gcc/fortran/resolve.cc:11937
    #8 0xd1d868 in resolve_codes /home/marxin/BIG/buildbot/buildworker/marxinbox-gcc-ubsan/build/gcc/fortran/resolve.cc:17551
    #9 0xca8648 in gfc_resolve(gfc_namespace*) /home/marxin/BIG/buildbot/buildworker/marxinbox-gcc-ubsan/build/gcc/fortran/resolve.cc:17586
    #10 0xca8648 in gfc_resolve(gfc_namespace*) /home/marxin/BIG/buildbot/buildworker/marxinbox-gcc-ubsan/build/gcc/fortran/resolve.cc:17565
    #11 0xc60014 in resolve_all_program_units /home/marxin/BIG/buildbot/buildworker/marxinbox-gcc-ubsan/build/gcc/fortran/parse.cc:6586
    #12 0xc60014 in gfc_parse_file() /home/marxin/BIG/buildbot/buildworker/marxinbox-gcc-ubsan/build/gcc/fortran/parse.cc:6842
    #13 0xe0406e in gfc_be_parse_file /home/marxin/BIG/buildbot/buildworker/marxinbox-gcc-ubsan/build/gcc/fortran/f95-lang.cc:216
    #14 0x2b5d560 in compile_file /home/marxin/BIG/buildbot/buildworker/marxinbox-gcc-ubsan/build/gcc/toplev.cc:452
    #15 0x9d8419 in do_compile /home/marxin/BIG/buildbot/buildworker/marxinbox-gcc-ubsan/build/gcc/toplev.cc:2168
    #16 0x9d8419 in toplev::main(int, char**) /home/marxin/BIG/buildbot/buildworker/marxinbox-gcc-ubsan/build/gcc/toplev.cc:2320
    #17 0x9dda41 in main /home/marxin/BIG/buildbot/buildworker/marxinbox-gcc-ubsan/build/gcc/main.cc:39
    #18 0x7ffff78a362f in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58
    #19 0x7ffff78a36ef in __libc_start_main_impl ../csu/libc-start.c:392
    #20 0x9ddca4 in _start (/home/marxin/BIG/buildbot/buildworker/marxinbox-gcc-ubsan/objdir/gcc/f951+0x9ddca4)

Comment 1 anlauf 2022-03-21 19:36:04 UTC

sstride[0] is likely used uninitialized in gfc_simplify_cshift.

The corresponding runtime version in libgfortran/intrinsics/cshift0.c
initializes this to 0, so the following patch might help here:

diff --git a/gcc/fortran/simplify.cc b/gcc/fortran/simplify.cc
index 0c15bcb2b0a..233cc42137f 100644
--- a/gcc/fortran/simplify.cc
+++ b/gcc/fortran/simplify.cc
@@ -2134,6 +2134,7 @@ gfc_simplify_cshift (gfc_expr *array, gfc_expr *shift, gfc_expr *dim)
 
   resultvec = XCNEWVEC (gfc_expr *, arraysize);
 
+  sstride[0] = 0;
   extent[0] = 1;
   count[0] = 0;

Comment 2 Martin Liška 2022-03-22 08:09:34 UTC

I can confirm the patch candidate fixes the problem. Can you please install it?

Comment 3 GCC Commits 2022-03-22 19:54:44 UTC

The master branch has been updated by Harald Anlauf <anlauf@gcc.gnu.org>:

https://gcc.gnu.org/g:774ab2edcb5f3a24ed3a5cffd1143bd49a69f1ee

commit r12-7771-g774ab2edcb5f3a24ed3a5cffd1143bd49a69f1ee
Author: Harald Anlauf <anlauf@gmx.de>
Date:   Tue Mar 22 20:54:18 2022 +0100

    Fortran: ensure intialization of stride array
    
    gcc/fortran/ChangeLog:
    
            PR fortran/104999
            * simplify.cc (gfc_simplify_cshift): Ensure temporary holding
            source array stride is initialized.

Comment 4 anlauf 2022-03-23 18:13:07 UTC

Should be FIXED.