[Bug fortran/66528] [6 Regression] unbalanced IF/ENDIF with -fmax-errors=1 causes invalid free

manu at gcc dot gnu.org gcc-bugzilla@gcc.gnu.org
Sun Jun 14 16:25:00 GMT 2015


https://gcc.gnu.org/bugzilla/show_bug.cgi?id=66528

--- Comment #4 from Manuel López-Ibáñez <manu at gcc dot gnu.org> ---
(In reply to Thomas Koenig from comment #3)
> (In reply to Dominique d'Humieres from comment #2)
> 
> > Usual suspect r223677 (pr66082).
> 
> I don't believe that a change to trans-array.c can cause
> a parsing failure.  I would rather suspect r223614.

Yes, this is my fault. diagnostic_finish tries to free the output_buffer, but
the error_buffer is statically allocated. I think this should be enough:

--- error.c     (revision 223651)
+++ error.c     (working copy)
@@ -1379,12 +1379,12 @@ gfc_error_check (void)
       output_buffer *tmp_buffer = pp->buffer;
       pp->buffer = pp_error_buffer;
       pp_really_flush (pp);
       ++errorcount;
       gcc_assert (gfc_output_buffer_empty_p (pp_error_buffer));
-      diagnostic_action_after_output (global_dc, DK_ERROR);
       pp->buffer = tmp_buffer;
+      diagnostic_action_after_output (global_dc, DK_ERROR);
       return true;
     }

   return false;
 }
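Review bot: the reorder makes the fix depend purely on call ordering: it works because `pp->buffer = tmp_buffer;` now runs before `diagnostic_action_after_output (global_dc, DK_ERROR);`, so when -fmax-errors makes diagnostic_finish free `pp->buffer`, it sees the heap buffer rather than the static pp_error_buffer. Nothing in the hunk documents that constraint, so a later edit could silently swap the two lines back; a one-line comment above the restore, e.g. `/* Restore pp->buffer before diagnostic_finish may free it.  */`, would pin it down. The comment text already names the more robust alternative (heap-allocating error_buffer like warning_buffer) and the missing regression test; one of the two should land alongside this hunk.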

However, a better fix may be to make the error_buffer also dynamically
allocated like the warning_buffer. Not sure why I did the change.

(It would be nice to have a testcase testing this in the regression testsuite.)


> Here is the first error reported by valgrind:
> 
> ==1154== Invalid free() / delete / delete[] / realloc()
> ==1154==    at 0x4C28ADC: free (in /usr/lib64/valgrind/vgpreload_memcheck-amd64-linux.so)
> ==1154==    by 0x126B11B: diagnostic_finish(diagnostic_context*) (diagnostic.c:230)
> ==1154==    by 0x126BF11: diagnostic_action_after_output(diagnostic_context*, diagnostic_t) (diagnostic.c:566)
> ==1154==    by 0x63FB0B: gfc_error_check() (error.c:1384)
> ==1154==    by 0x687E47: decode_statement() (parse.c:554)
> ==1154==    by 0x689740: next_statement() (parse.c:1048)
> ==1154==    by 0x68BA0C: parse_executable(gfc_statement) (parse.c:4593)
> ==1154==    by 0x68C430: parse_executable(gfc_statement) (parse.c:3519)
> ==1154==    by 0x68CA06: parse_progunit(gfc_statement) (parse.c:4976)
> ==1154==    by 0x68E167: gfc_parse_file() (parse.c:5424)
> ==1154==    by 0x6CE642: gfc_be_parse_file() (f95-lang.c:215)
> ==1154==    by 0xBCA44E: compile_file() (toplev.c:560)
> ==1154==  Address 0x1cfefa8 is 8 bytes inside data symbol "_ZL12error_buffer"

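The hazard described in the comment, as an added, constructed model that is not GCC code: a pretty-printer whose `buffer` pointer is temporarily swapped to a statically allocated error buffer, and a stand-in for diagnostic_finish that releases whatever buffer the printer currently points at. The real diagnostic_finish simply calls free(), which on static storage is undefined behaviour (the invalid free valgrind reported); the model instead tags buffers with a `heap_allocated` flag and returns -1 where free() would have been handed static memory. `model_diagnostic_finish`, `flush_error_then_finish`, `run_buggy_order` and `run_fixed_order` are hypothetical names chosen for this example. The buggy ordering is the pre-patch code; the fixed ordering restores `pp->buffer` before the finish call, as the hunk in the comment does.

```c
#include <stdlib.h>
#include <string.h>

/* Constructed model of the pretty-printer / output-buffer relationship.
   The names resemble GCC's, but none of this is GCC code. */
typedef struct output_buffer {
  char text[64];
  int heap_allocated;   /* 1: obtained from malloc(); 0: static storage */
} output_buffer;

typedef struct pretty_printer {
  output_buffer *buffer;
} pretty_printer;

/* Static buffer, standing in for gfortran's statically allocated
   error_buffer at the time of the report. */
static output_buffer error_buffer = { "", 0 };

static output_buffer *new_heap_buffer(void)
{
  output_buffer *b = calloc(1, sizeof *b);
  if (b)
    b->heap_allocated = 1;
  return b;
}

/* Stand-in for diagnostic_finish: releases the buffer pp points at.
   Returns 0 on a proper release and -1 where the real function would
   free() static storage, i.e. the invalid free in the valgrind trace. */
static int model_diagnostic_finish(pretty_printer *pp)
{
  if (pp->buffer == NULL || !pp->buffer->heap_allocated)
    return -1;
  free(pp->buffer);
  pp->buffer = NULL;
  return 0;
}

/* Stand-in for the gfc_error_check path under -fmax-errors: the error
   text is flushed through the static buffer, then compilation is ended
   via the finish routine. Only the ordering of the two steps differs. */
static int flush_error_then_finish(pretty_printer *pp, int restore_before_finish)
{
  output_buffer *tmp_buffer = pp->buffer;
  int rc;

  pp->buffer = &error_buffer;        /* swap in the static buffer */
  error_buffer.text[0] = '\0';       /* "flush": the queued text is emitted */

  if (restore_before_finish) {
    pp->buffer = tmp_buffer;         /* fixed order: restore, then finish */
    rc = model_diagnostic_finish(pp);
  } else {
    rc = model_diagnostic_finish(pp);/* buggy order: finish sees the static buffer */
    pp->buffer = tmp_buffer;
  }
  return rc;
}

/* Pre-patch ordering: the finish routine is handed static storage. */
int run_buggy_order(void)
{
  pretty_printer pp = { new_heap_buffer() };
  int rc = flush_error_then_finish(&pp, 0);
  free(pp.buffer);   /* finish never released the heap buffer */
  return rc;         /* -1: would have been an invalid free() */
}

/* Post-patch ordering: pp->buffer is restored before finish runs. */
int run_fixed_order(void)
{
  pretty_printer pp = { new_heap_buffer() };
  return flush_error_then_finish(&pp, 1);   /* 0: heap buffer freed, nothing leaks */
}
```

The reorder is correct but fragile: it holds only as long as every caller that might reach the finish routine restores the pointer first. The alternative the comment mentions, allocating error_buffer on the heap like warning_buffer, removes the hazard itself rather than one path to it, which in this model amounts to every buffer carrying `heap_allocated == 1`.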