Bug 94048 - ICE and other problems using rank intrinsic to set array size
Summary: ICE and other problems using rank intrinsic to set array size
Status: RESOLVED FIXED
Alias: None
Product: gcc
Classification: Unclassified
Component: fortran (show other bugs)
Version: 10.0
: P3 normal
Target Milestone: ---
Assignee: Not yet assigned to anyone
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2020-03-05 12:56 UTC by José Rui Faustino de Sousa
Modified: 2021-06-16 12:42 UTC (History)
0 users

See Also:
Host:
Target:
Build:
Known to work:
Known to fail:
Last reconfirmed: 2020-07-23 00:00:00

Attachments
Code demonstrating problems. (269 bytes, text/x-matlab)
2020-03-05 12:56 UTC, José Rui Faustino de Sousa 		Details
The cleaned-up version with pointer and bind(c) tests (593 bytes, text/x-matlab)
2020-04-14 19:41 UTC, José Rui Faustino de Sousa 		Details
View All Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description José Rui Faustino de Sousa 2020-03-05 12:56:09 UTC 
Created attachment 47978 [details]
Code demonstrating problems.

Hi all!

ICE using rank to set the size of an array.

Both in:

GNU Fortran (GCC) 9.2.1 20200303

and

GNU Fortran (GCC) 10.0.1 20200303 (experimental)

The ICE is easy to fix:

diff --git a/gcc/fortran/expr.c b/gcc/fortran/expr.c
index 79e00b4..a5993ea 100644
--- a/gcc/fortran/expr.c
+++ b/gcc/fortran/expr.c
@@ -3253,7 +3253,7 @@ check_references (gfc_ref* ref, bool (*checker) (gfc_expr*))
   switch (ref->type)
     {
     case REF_ARRAY:
-      for (dim = 0; dim != ref->u.ar.dimen; ++dim)
+      for (dim = 0; dim < ref->u.ar.dimen; ++dim)
        {
          if (!checker (ref->u.ar.start[dim]))
            return false;

On x86_64-pc-linux-gnu it tests OK.

The real problems start after that... :-)

Using the module generates:

f951: Fatal Error: Reading module ‘ice2_m.mod’ at line 23 column 6: Bad name
compilation terminated.

Using the function by itself returns a malformed array, compiling with -fbounds-check generates the error:

At line 11 of file ./ice2.f90
Fortran runtime error: Dimension 1 of array 'bar' has extent 1 instead of -1

I belive that the error is at the interface and the ifm.n artificial variable is not properly generated.

Thank you very much.

Best regards,
José Rui
Comment 1 José Rui Faustino de Sousa 2020-04-14 19:41:14 UTC 
Created attachment 48273 [details]
The cleaned-up version with pointer and bind(c) tests
Comment 2 José Rui Faustino de Sousa 2020-04-14 19:45:03 UTC 
Please ignore the last attachment I mixed up the bug report...
Comment 3 Dominique d'Humieres 2020-07-23 16:33:46 UTC 
Confirmed since at least GCC7. My instrumented compiler gives

../../work/gcc/fortran/expr.c:3278:37: runtime error: index 15 out of bounds for type 'gfc_expr *[15]'
../../work/gcc/fortran/expr.c:3280:35: runtime error: index 15 out of bounds for type 'gfc_expr *[15]'
../../work/gcc/fortran/expr.c:3282:38: runtime error: index 15 out of bounds for type 'gfc_expr *[15]'
=================================================================
==16543==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x617000004260 at pc 0x000100140461 bp 0x7ffeefbfe570 sp 0x7ffeefbfe568
READ of size 8 at 0x617000004260 thread T0
    #0 0x100140460 in check_references(gfc_ref*, bool (*)(gfc_expr*)) expr.c:3282
    #1 0x100160c06 in check_restricted(gfc_expr*) expr.c:3394
    #2 0x10016fc77 in restricted_args(gfc_actual_arglist*) expr.c:3157
    #3 0x10016fd1c in restricted_intrinsic(gfc_expr*) expr.c:3245
    #4 0x100160923 in check_restricted(gfc_expr*) expr.c:3356
    #5 0x100160067 in gfc_specification_expr(gfc_expr*) expr.c:3497
    #6 0x100017254 in resolve_array_bound(gfc_expr*, int) array.c:379
    #7 0x10001e426 in gfc_resolve_array_spec(gfc_array_spec*, int) array.c:422
    #8 0x10040013c in resolve_symbol(gfc_symbol*) resolve.c:15922
    #9 0x1003f8ccd in resolve_symbol(gfc_symbol*) resolve.c:15334
    #10 0x1004f2aa6 in do_traverse_symtree(gfc_symtree*, void (*)(gfc_symtree*), void (*)(gfc_symbol*)) symbol.c:4170
    #11 0x100511004 in gfc_traverse_ns(gfc_namespace*, void (*)(gfc_symbol*)) symbol.c:4195
    #12 0x100454636 in resolve_types(gfc_namespace*) resolve.c:17211
    #13 0x1003f3e32 in gfc_resolve(gfc_namespace*) resolve.c:17326
    #14 0x100375344 in gfc_parse_file() parse.c:6448
    #15 0x10055baf3 in gfc_be_parse_file() f95-lang.c:212
    #16 0x106bdcb9c in compile_file() toplev.c:458
    #17 0x106bebc34 in do_compile() toplev.c:2307
    #18 0x10a663058 in toplev::main(int, char**) toplev.c:2446
    #19 0x10ac0eea4 in main main.c:39
    #20 0x7fff6e3decc8 in start+0x0 (libdyld.dylib:x86_64+0x1acc8)

0x617000004260 is located 0 bytes to the right of 736-byte region [0x617000003f80,0x617000004260)
allocated by thread T0 here:
    #0 0x15bc6200f in wrap_calloc sanitizer_flags.h:38
    #1 0x1098e04ca in xcalloc xmalloc.c:162
    #2 0x100436be1 in resolve_actual_arglist(gfc_actual_arglist*, procedure_type, bool) resolve.c:2069
    #3 0x100413232 in resolve_function(gfc_expr*) resolve.c:3208
    #4 0x100416423 in gfc_resolve_expr(gfc_expr*) resolve.c:7056
    #5 0x100017234 in resolve_array_bound(gfc_expr*, int) array.c:378
    #6 0x10001e426 in gfc_resolve_array_spec(gfc_array_spec*, int) array.c:422
    #7 0x10040013c in resolve_symbol(gfc_symbol*) resolve.c:15922
    #8 0x1003f8ccd in resolve_symbol(gfc_symbol*) resolve.c:15334
    #9 0x1004f2aa6 in do_traverse_symtree(gfc_symtree*, void (*)(gfc_symtree*), void (*)(gfc_symbol*)) symbol.c:4170
    #10 0x100511004 in gfc_traverse_ns(gfc_namespace*, void (*)(gfc_symbol*)) symbol.c:4195
    #11 0x100454636 in resolve_types(gfc_namespace*) resolve.c:17211
    #12 0x1003f3e32 in gfc_resolve(gfc_namespace*) resolve.c:17326
    #13 0x100375344 in gfc_parse_file() parse.c:6448
    #14 0x10055baf3 in gfc_be_parse_file() f95-lang.c:212
    #15 0x106bdcb9c in compile_file() toplev.c:458
    #16 0x106bebc34 in do_compile() toplev.c:2307
    #17 0x10a663058 in toplev::main(int, char**) toplev.c:2446
    #18 0x10ac0eea4 in main main.c:39
    #19 0x7fff6e3decc8 in start+0x0 (libdyld.dylib:x86_64+0x1acc8)

SUMMARY: AddressSanitizer: heap-buffer-overflow expr.c:3282 in check_references(gfc_ref*, bool (*)(gfc_expr*))
Shadow bytes around the buggy address:
  0x1c2e000007f0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x1c2e00000800: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x1c2e00000810: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x1c2e00000820: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x1c2e00000830: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x1c2e00000840: 00 00 00 00 00 00 00 00 00 00 00 00[fa]fa fa fa
  0x1c2e00000850: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x1c2e00000860: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x1c2e00000870: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x1c2e00000880: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x1c2e00000890: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
  Shadow gap:              cc
==16543==ABORTING
f951: internal compiler error: Abort trap: 6
Comment 4 José Rui Faustino de Sousa 2021-06-16 12:42:05 UTC 
Fixed by PR96726