This is the mail archive of the gcc-patches@gcc.gnu.org mailing list for the GCC project.

Index Nav:	[Date Index] [Subject Index] [Author Index] [Thread Index]
Message Nav:	[Date Prev] [Date Next]	[Thread Prev] [Thread Next]
Other format:	[Raw text]

Re: [PATCH] Fix up trans_array_constructor UB (PR fortran/67496)

From: Mikael Morin <morin-mikael at orange dot fr>
To: Jakub Jelinek <jakub at redhat dot com>, fortran at gcc dot gnu dot org
Cc: gcc-patches at gcc dot gnu dot org
Date: Wed, 17 Aug 2016 21:03:55 +0200
Subject: Re: [PATCH] Fix up trans_array_constructor UB (PR fortran/67496)
Authentication-results: sourceware.org; auth=none
References: <20160817185648.GK14857@tucnak.redhat.com>

Le 17/08/2016 à 20:56, Jakub Jelinek a écrit :

Hi!

The bug here is that it dereferences expr->ts.u.cl if non-NULL
unconditionally, no matter what expr->ts.type is.
But, ts.u is an union, where ts.u.cl is only valid for BT_CHARACTER,
ts.u.derived for BT_DERIVED etc. ts.u.pad (an int rather than pointer)
for BT_HOLLERITH? and unused in others.
So, as on the testcase, where expr->ts.type == BT_DERIVED,
expr->ts.u.derived points to a gfc_symbol structure and thus dereferencing
ts.u.cl means reading gfc_symbol bytes as if it is gfc_charlen.
length_from_typespec is a bool, which can be only false or true, but
on the testcase happens to point to a byte in gfc_symbol that has some other
value (60 in my case), so the read is undefined behavior.

Fixed by doing it only when ts.u.cl is valid.  Bootstrapped/regtested on
x86_64-linux and i686-linux, ok for trunk?

Sure, it could go in as obvious actually.

Mikael

References:
- [PATCH] Fix up trans_array_constructor UB (PR fortran/67496)
  - From: Jakub Jelinek

Index Nav:	[Date Index] [Subject Index] [Author Index] [Thread Index]
Message Nav:	[Date Prev] [Date Next]	[Thread Prev] [Thread Next]