This is the mail archive of the
gcc-bugs@gcc.gnu.org
mailing list for the GCC project.
[Bug fortran/77327] AddressSanitizer: heap-use-after-free gcc-trunk-239276/gcc/fortran/interface.c:403 in compare_components
- From: "fritzoreese at gmail dot com" <gcc-bugzilla at gcc dot gnu dot org>
- To: gcc-bugs at gcc dot gnu dot org
- Date: Wed, 24 Aug 2016 21:23:29 +0000
- Subject: [Bug fortran/77327] AddressSanitizer: heap-use-after-free gcc-trunk-239276/gcc/fortran/interface.c:403 in compare_components
- Auto-submitted: auto-generated
- References: <bug-77327-4@http.gcc.gnu.org/bugzilla/>
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=77327
--- Comment #3 from Fritz Reese <fritzoreese at gmail dot com> ---
> interface.c:403 is
> if ( (d1 && (d1->attr.flavor == FL_STRUCT || d1->attr.flavor == FL_UNION)
>
> and I believe d->attr.flavor is the item used after freed.
This is correct, and the reason is clear when you look up a few lines and
realize I did not check the type of cmp1 or cmp2 before jumping straight to
checking properties about their derived type declarations (in
cmp->ts.u.derived). Unless cmp->ts.type == BT_DERIVED or cmp->ts.type ==
BT_UNION, the cmp->ts.u.derived pointer is garbage.
I have a patch which implements that part of code in a different way - also
correctly and more reliably. It fixes this PR and I hope to commit it over the
weekend:
https://gcc.gnu.org/ml/fortran/2016-08/msg00144.html
However I am not sure how one would observe that no invalid memory references
occur for your code via a DejaGNU testcase. I would appreciate ideas for a
testcase I can commit with the aforementioned patch to ensure this PR isn't
regressed.