This is the mail archive of the gcc-bugs@gcc.gnu.org mailing list for the GCC project.
[Bug fortran/83866] [8 Regression] ICE in gfc_release_symbol, at fortran/symbol.c:3087
- From: "dominiq at lps dot ens.fr" <gcc-bugzilla at gcc dot gnu dot org>
- To: gcc-bugs at gcc dot gnu dot org
- Date: Thu, 18 Jan 2018 11:06:19 +0000
- Subject: [Bug fortran/83866] [8 Regression] ICE in gfc_release_symbol, at fortran/symbol.c:3087
- Auto-submitted: auto-generated
- References: <bug-83866-4@http.gcc.gnu.org/bugzilla/>
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=83866
Dominique d'Humieres <dominiq at lps dot ens.fr> changed:
What             |Removed     |Added
----------------------------------------------------------------------------
Status           |UNCONFIRMED |NEW
Last reconfirmed |            |2018-01-18
Ever confirmed   |0           |1
--- Comment #1 from Dominique d'Humieres <dominiq at lps dot ens.fr> ---
Likely revision r251925. My instrumented compiler gives
==95172==ERROR: AddressSanitizer: heap-use-after-free on address 0x613000004780
at pc 0x0001004c0a3f bp 0x7ffeefbfe5d0 sp 0x7ffeefbfe5c8
READ of size 8 at 0x613000004780 thread T0
#0 0x1004c0a3e in gfc_restore_last_undo_checkpoint() symbol.c:3647
#1 0x1004c1a6f in gfc_undo_symbols() symbol.c:3727
#2 0x10032047c in reject_statement() parse.c:2547
#3 0x1003205c4 in match_word(char const*, match (*)(), locus*) parse.c:70
#4 0x10032e2a0 in decode_statement() parse.c:565
#5 0x10032f54e in next_free() parse.c:1226
#6 0x10032ff13 in next_statement() parse.c:1458
#7 0x100336433 in parse_spec(gfc_statement) parse.c:3836
#8 0x10033cea2 in parse_progunit(gfc_statement) parse.c:5649
#9 0x10033f1ea in gfc_parse_file() parse.c:6189
#10 0x1004faacc in gfc_be_parse_file() f95-lang.c:204
#11 0x10587f0d0 in compile_file() toplev.c:455
#12 0x105889962 in do_compile() toplev.c:2076
#13 0x107bd1f47 in toplev::main(int, char**) toplev.c:2211
#14 0x107bd73cc in main main.c:39
#15 0x7fff5c0dd114 in start (libdyld.dylib:x86_64+0x1114)
0x613000004780 is located 320 bytes inside of 336-byte region [0x613000004640,0x613000004790)
freed by thread T0 here:
#0 0x156081020 in wrap_free.part.0 sanitizer_malloc_mac.inc:142
#1 0x1004b0aff in gfc_free_symbol(gfc_symbol*) symbol.c:3061
#2 0x1004b0e4b in gfc_release_symbol(gfc_symbol*) symbol.c:3088
#3 0x1004b12ca in free_sym_tree(gfc_symtree*) symbol.c:3890
#4 0x1004b007f in gfc_free_namespace(gfc_namespace*) symbol.c:4045
#5 0x1004b0a90 in gfc_free_symbol(gfc_symbol*) symbol.c:3054
#6 0x1004b0e4b in gfc_release_symbol(gfc_symbol*) symbol.c:3088
#7 0x1004c162f in gfc_restore_last_undo_checkpoint() symbol.c:3696
#8 0x1004c1a6f in gfc_undo_symbols() symbol.c:3727
#9 0x10032047c in reject_statement() parse.c:2547
#10 0x1003205c4 in match_word(char const*, match (*)(), locus*) parse.c:70
#11 0x10032e2a0 in decode_statement() parse.c:565
#12 0x10032f54e in next_free() parse.c:1226
#13 0x10032ff13 in next_statement() parse.c:1458
#14 0x100336433 in parse_spec(gfc_statement) parse.c:3836
#15 0x10033cea2 in parse_progunit(gfc_statement) parse.c:5649
#16 0x10033f1ea in gfc_parse_file() parse.c:6189
#17 0x1004faacc in gfc_be_parse_file() f95-lang.c:204
#18 0x10587f0d0 in compile_file() toplev.c:455
#19 0x105889962 in do_compile() toplev.c:2076
#20 0x107bd1f47 in toplev::main(int, char**) toplev.c:2211
#21 0x107bd73cc in main main.c:39
#22 0x7fff5c0dd114 in start (libdyld.dylib:x86_64+0x1114)
previously allocated by thread T0 here:
#0 0x156080690 in wrap_calloc sanitizer_malloc_mac.inc:153
#1 0x107b7ee6e in xcalloc xmalloc.c:162
#2 0x1004a7f55 in gfc_new_symbol(char const*, gfc_namespace*) symbol.c:3097
#3 0x1004aa45a in gfc_get_sym_tree(char const*, gfc_namespace*, gfc_symtree**, bool) symbol.c:3348
#4 0x1004aba88 in gfc_get_symbol(char const*, gfc_namespace*, gfc_symbol**) symbol.c:3398
#5 0x1000cfe68 in gfc_match_formal_arglist(gfc_symbol*, int, int, bool) decl.c:5978
#6 0x1000eb9ad in gfc_match_derived_decl() decl.c:9848
#7 0x100320542 in match_word(char const*, match (*)(), locus*) parse.c:65
#8 0x10032e2a0 in decode_statement() parse.c:565
#9 0x10032f54e in next_free() parse.c:1226
#10 0x10032ff13 in next_statement() parse.c:1458
#11 0x100336433 in parse_spec(gfc_statement) parse.c:3836
#12 0x10033cea2 in parse_progunit(gfc_statement) parse.c:5649
#13 0x10033f1ea in gfc_parse_file() parse.c:6189
#14 0x1004faacc in gfc_be_parse_file() f95-lang.c:204
#15 0x10587f0d0 in compile_file() toplev.c:455
#16 0x105889962 in do_compile() toplev.c:2076
#17 0x107bd1f47 in toplev::main(int, char**) toplev.c:2211
#18 0x107bd73cc in main main.c:39
#19 0x7fff5c0dd114 in start (libdyld.dylib:x86_64+0x1114)
SUMMARY: AddressSanitizer: heap-use-after-free symbol.c:3647 in gfc_restore_last_undo_checkpoint()
Shadow bytes around the buggy address:
0x1c26000008a0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x1c26000008b0: fd fd fd fd fd fd fd fd fd fd fa fa fa fa fa fa
0x1c26000008c0: fa fa fa fa fa fa fa fa fd fd fd fd fd fd fd fd
0x1c26000008d0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x1c26000008e0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
=>0x1c26000008f0:[fd]fd fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x1c2600000900: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x1c2600000910: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x1c2600000920: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x1c2600000930: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x1c2600000940: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
==95172==ABORTING