This is the mail archive of the gcc-bugs@gcc.gnu.org mailing list for the GCC project.

Index Nav:	[Date Index] [Subject Index] [Author Index] [Thread Index]
Message Nav:	[Date Prev] [Date Next]	[Thread Prev] [Thread Next]
Other format:	[Raw text]

[Bug fortran/83866] [8 Regression] ICE in gfc_release_symbol, at fortran/symbol.c:3087

From: "dominiq at lps dot ens.fr" <gcc-bugzilla at gcc dot gnu dot org>
To: gcc-bugs at gcc dot gnu dot org
Date: Thu, 18 Jan 2018 11:06:19 +0000
Subject: [Bug fortran/83866] [8 Regression] ICE in gfc_release_symbol, at fortran/symbol.c:3087
Auto-submitted: auto-generated
References: <bug-83866-4@http.gcc.gnu.org/bugzilla/>

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=83866

Dominique d'Humieres <dominiq at lps dot ens.fr> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|UNCONFIRMED                 |NEW
   Last reconfirmed|                            |2018-01-18
     Ever confirmed|0                           |1

--- Comment #1 from Dominique d'Humieres <dominiq at lps dot ens.fr> ---
Likely revision r251925. My instrumented compiler gives

==95172==ERROR: AddressSanitizer: heap-use-after-free on address 0x613000004780
at pc 0x0001004c0a3f bp 0x7ffeefbfe5d0 sp 0x7ffeefbfe5c8
READ of size 8 at 0x613000004780 thread T0
    #0 0x1004c0a3e in gfc_restore_last_undo_checkpoint() symbol.c:3647
    #1 0x1004c1a6f in gfc_undo_symbols() symbol.c:3727
    #2 0x10032047c in reject_statement() parse.c:2547
    #3 0x1003205c4 in match_word(char const*, match (*)(), locus*) parse.c:70
    #4 0x10032e2a0 in decode_statement() parse.c:565
    #5 0x10032f54e in next_free() parse.c:1226
    #6 0x10032ff13 in next_statement() parse.c:1458
    #7 0x100336433 in parse_spec(gfc_statement) parse.c:3836
    #8 0x10033cea2 in parse_progunit(gfc_statement) parse.c:5649
    #9 0x10033f1ea in gfc_parse_file() parse.c:6189
    #10 0x1004faacc in gfc_be_parse_file() f95-lang.c:204
    #11 0x10587f0d0 in compile_file() toplev.c:455
    #12 0x105889962 in do_compile() toplev.c:2076
    #13 0x107bd1f47 in toplev::main(int, char**) toplev.c:2211
    #14 0x107bd73cc in main main.c:39
    #15 0x7fff5c0dd114 in start (libdyld.dylib:x86_64+0x1114)

0x613000004780 is located 320 bytes inside of 336-byte region
[0x613000004640,0x613000004790)
freed by thread T0 here:
    #0 0x156081020 in wrap_free.part.0 sanitizer_malloc_mac.inc:142
    #1 0x1004b0aff in gfc_free_symbol(gfc_symbol*) symbol.c:3061
    #2 0x1004b0e4b in gfc_release_symbol(gfc_symbol*) symbol.c:3088
    #3 0x1004b12ca in free_sym_tree(gfc_symtree*) symbol.c:3890
    #4 0x1004b007f in gfc_free_namespace(gfc_namespace*) symbol.c:4045
    #5 0x1004b0a90 in gfc_free_symbol(gfc_symbol*) symbol.c:3054
    #6 0x1004b0e4b in gfc_release_symbol(gfc_symbol*) symbol.c:3088
    #7 0x1004c162f in gfc_restore_last_undo_checkpoint() symbol.c:3696
    #8 0x1004c1a6f in gfc_undo_symbols() symbol.c:3727
    #9 0x10032047c in reject_statement() parse.c:2547
    #10 0x1003205c4 in match_word(char const*, match (*)(), locus*) parse.c:70
    #11 0x10032e2a0 in decode_statement() parse.c:565
    #12 0x10032f54e in next_free() parse.c:1226
    #13 0x10032ff13 in next_statement() parse.c:1458
    #14 0x100336433 in parse_spec(gfc_statement) parse.c:3836
    #15 0x10033cea2 in parse_progunit(gfc_statement) parse.c:5649
    #16 0x10033f1ea in gfc_parse_file() parse.c:6189
    #17 0x1004faacc in gfc_be_parse_file() f95-lang.c:204
    #18 0x10587f0d0 in compile_file() toplev.c:455
    #19 0x105889962 in do_compile() toplev.c:2076
    #20 0x107bd1f47 in toplev::main(int, char**) toplev.c:2211
    #21 0x107bd73cc in main main.c:39
    #22 0x7fff5c0dd114 in start (libdyld.dylib:x86_64+0x1114)

previously allocated by thread T0 here:
    #0 0x156080690 in wrap_calloc sanitizer_malloc_mac.inc:153
    #1 0x107b7ee6e in xcalloc xmalloc.c:162
    #2 0x1004a7f55 in gfc_new_symbol(char const*, gfc_namespace*) symbol.c:3097
    #3 0x1004aa45a in gfc_get_sym_tree(char const*, gfc_namespace*,
gfc_symtree**, bool) symbol.c:3348
    #4 0x1004aba88 in gfc_get_symbol(char const*, gfc_namespace*, gfc_symbol**)
symbol.c:3398
    #5 0x1000cfe68 in gfc_match_formal_arglist(gfc_symbol*, int, int, bool)
decl.c:5978
    #6 0x1000eb9ad in gfc_match_derived_decl() decl.c:9848
    #7 0x100320542 in match_word(char const*, match (*)(), locus*) parse.c:65
    #8 0x10032e2a0 in decode_statement() parse.c:565
    #9 0x10032f54e in next_free() parse.c:1226
    #10 0x10032ff13 in next_statement() parse.c:1458
    #11 0x100336433 in parse_spec(gfc_statement) parse.c:3836
    #12 0x10033cea2 in parse_progunit(gfc_statement) parse.c:5649
    #13 0x10033f1ea in gfc_parse_file() parse.c:6189
    #14 0x1004faacc in gfc_be_parse_file() f95-lang.c:204
    #15 0x10587f0d0 in compile_file() toplev.c:455
    #16 0x105889962 in do_compile() toplev.c:2076
    #17 0x107bd1f47 in toplev::main(int, char**) toplev.c:2211
    #18 0x107bd73cc in main main.c:39
    #19 0x7fff5c0dd114 in start (libdyld.dylib:x86_64+0x1114)

SUMMARY: AddressSanitizer: heap-use-after-free symbol.c:3647 in
gfc_restore_last_undo_checkpoint()
Shadow bytes around the buggy address:
  0x1c26000008a0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x1c26000008b0: fd fd fd fd fd fd fd fd fd fd fa fa fa fa fa fa
  0x1c26000008c0: fa fa fa fa fa fa fa fa fd fd fd fd fd fd fd fd
  0x1c26000008d0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x1c26000008e0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
=>0x1c26000008f0:[fd]fd fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x1c2600000900: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x1c2600000910: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x1c2600000920: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x1c2600000930: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x1c2600000940: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==95172==ABORTING

References:
- [Bug fortran/83866] New: [8 Regression] ICE in gfc_release_symbol, at fortran/symbol.c:3087
  - From: gscfq at t-online dot de

Index Nav:	[Date Index] [Subject Index] [Author Index] [Thread Index]
Message Nav:	[Date Prev] [Date Next]	[Thread Prev] [Thread Next]