[Bug fortran/77327] New: AddressSanitizer: heap-use-after-free gcc-trunk-239276/gcc/fortran/interface.c:403 in compare_components
zeccav at gmail dot com
gcc-bugzilla@gcc.gnu.org
Mon Aug 22 20:57:00 GMT 2016
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=77327
Bug ID: 77327
Summary: AddressSanitizer: heap-use-after-free gcc-trunk-239276/gcc/fortran/interface.c:403 in compare_components
Product: gcc
Version: 7.0
Status: UNCONFIRMED
Severity: normal
Priority: P3
Component: fortran
Assignee: unassigned at gcc dot gnu.org
Reporter: zeccav at gmail dot com
Target Milestone: ---
Compiling the following:
! fixed-form source (the file was compiled as gfbug126.f)
! external procedure foo, taking a locally declared SEQUENCE type
      subroutine foo(a)
        type myT
          sequence
          character :: c
        end type myT
        type(myT) :: a
      end subroutine

! module with an explicit interface for foo built on its own myT
      module modtest
        type myT
          sequence
          character :: c
        end type myT
        interface
          subroutine foo(c)
            import :: myT
            type(myT) :: c
          end subroutine foo
        end interface
      contains
        subroutine test2()
          type(myT) :: z
          call foo(z)
        end subroutine test2
      end module modtest
with an address-sanitized build of gfortran I get the following:

$ gcc-7-address/bin/gfortran ~/f95/gfbug126.f
=================================================================
==15602==ERROR: AddressSanitizer: heap-use-after-free on address 0x60400000c462 at pc 0x00000067217d bp 0x7ffd1903f720 sp 0x7ffd1903f718
READ of size 1 at 0x60400000c462 thread T0
    #0 0x67217c in compare_components /home/vitti/1tb/vitti/test/gcc-trunk-239276/gcc/fortran/interface.c:403
    #1 0x672839 in gfc_compare_derived_types(gfc_symbol*, gfc_symbol*) /home/vitti/1tb/vitti/test/gcc-trunk-239276/gcc/fortran/interface.c:570
    #2 0x798343 in gfc_type_compatible(gfc_typespec*, gfc_typespec*) /home/vitti/1tb/vitti/test/gcc-trunk-239276/gcc/fortran/symbol.c:4869
    #3 0x671da3 in gfc_compare_types(gfc_typespec*, gfc_typespec*) /home/vitti/1tb/vitti/test/gcc-trunk-239276/gcc/fortran/interface.c:630
    #4 0x672b3f in compare_type /home/vitti/1tb/vitti/test/gcc-trunk-239276/gcc/fortran/interface.c:646
    #5 0x675600 in gfc_check_dummy_characteristics(gfc_symbol*, gfc_symbol*, bool, char*, int) /home/vitti/1tb/vitti/test/gcc-trunk-239276/gcc/fortran/interface.c:1187
    #6 0x674ebd in gfc_compare_interfaces(gfc_symbol*, gfc_symbol*, char const*, int, int, char*, int, char const*, char const*) /home/vitti/1tb/vitti/test/gcc-trunk-239276/gcc/fortran/interface.c:1644
    #7 0x73cb61 in resolve_global_procedure /home/vitti/1tb/vitti/test/gcc-trunk-239276/gcc/fortran/resolve.c:2463
    #8 0x74d055 in resolve_call /home/vitti/1tb/vitti/test/gcc-trunk-239276/gcc/fortran/resolve.c:3455
    #9 0x764d17 in gfc_resolve_code(gfc_code*, gfc_namespace*) /home/vitti/1tb/vitti/test/gcc-trunk-239276/gcc/fortran/resolve.c:10659
    #10 0x767b59 in resolve_codes /home/vitti/1tb/vitti/test/gcc-trunk-239276/gcc/fortran/resolve.c:15667
    #11 0x7679dd in resolve_codes /home/vitti/1tb/vitti/test/gcc-trunk-239276/gcc/fortran/resolve.c:15652
    #12 0x73c2b1 in gfc_resolve(gfc_namespace*) /home/vitti/1tb/vitti/test/gcc-trunk-239276/gcc/fortran/resolve.c:15701
    #13 0x711dd7 in gfc_parse_file() /home/vitti/1tb/vitti/test/gcc-trunk-239276/gcc/fortran/parse.c:6061
    #14 0x7b4d6d in gfc_be_parse_file /home/vitti/1tb/vitti/test/gcc-trunk-239276/gcc/fortran/f95-lang.c:198
    #15 0x165aada in compile_file /home/vitti/1tb/vitti/test/gcc-trunk-239276/gcc/toplev.c:465
    #16 0x165ff74 in do_compile /home/vitti/1tb/vitti/test/gcc-trunk-239276/gcc/toplev.c:1998
    #17 0x16604aa in toplev::main(int, char**) /home/vitti/1tb/vitti/test/gcc-trunk-239276/gcc/toplev.c:2132
    #18 0x2e2a5ca in main /home/vitti/1tb/vitti/test/gcc-trunk-239276/gcc/main.c:39
    #19 0x390da1ffdf in __libc_start_main (/lib64/libc.so.6+0x390da1ffdf)
    #20 0x5eafd8 (/home/vitti/1tb/vitti/local/gcc-7-address/libexec/gcc/x86_64-pc-linux-gnu/7.0.0/f951+0x5eafd8)

0x60400000c462 is located 18 bytes inside of 40-byte region [0x60400000c450,0x60400000c478)
freed by thread T0 here:
    #0 0x2b862c1d8330 in __interceptor_free ../../.././libsanitizer/asan/asan_malloc_linux.cc:45
    #1 0x2e61f00 in release<(anonymous namespace)::line_span> /home/vitti/1tb/vitti/test/gcc-trunk-239276/gcc/vec.h:307
    #2 0x2e66774 in release /home/vitti/1tb/vitti/test/gcc-trunk-239276/gcc/vec.h:1492
    #3 0x2e66774 in ~auto_vec /home/vitti/1tb/vitti/test/gcc-trunk-239276/gcc/vec.h:1286
    #4 0x2e66774 in calculate_line_spans /home/vitti/1tb/vitti/test/gcc-trunk-239276/gcc/diagnostic-show-locus.c:894
    #5 0x2e67b02 in layout /home/vitti/1tb/vitti/test/gcc-trunk-239276/gcc/diagnostic-show-locus.c:785
    #6 0x2e6802e in diagnostic_show_locus(diagnostic_context*, diagnostic_info const*) /home/vitti/1tb/vitti/test/gcc-trunk-239276/gcc/diagnostic-show-locus.c:1302
    #7 0x6572e4 in gfc_diagnostic_starter /home/vitti/1tb/vitti/test/gcc-trunk-239276/gcc/fortran/error.c:1096
    #8 0x2e5c244 in diagnostic_report_diagnostic(diagnostic_context*, diagnostic_info*) /home/vitti/1tb/vitti/test/gcc-trunk-239276/gcc/diagnostic.c:935
    #9 0x656009 in gfc_error /home/vitti/1tb/vitti/test/gcc-trunk-239276/gcc/fortran/error.c:1277
    #10 0x658644 in gfc_error(char const*, ...) /home/vitti/1tb/vitti/test/gcc-trunk-239276/gcc/fortran/error.c:1296
    #11 0x720a04 in gfc_match_rvalue(gfc_expr**) /home/vitti/1tb/vitti/test/gcc-trunk-239276/gcc/fortran/primary.c:3021
    #12 0x6c97ed in match_primary /home/vitti/1tb/vitti/test/gcc-trunk-239276/gcc/fortran/matchexp.c:157
    #13 0x6c99c6 in match_level_1 /home/vitti/1tb/vitti/test/gcc-trunk-239276/gcc/fortran/matchexp.c:211
    #14 0x6c9ba5 in match_mult_operand /home/vitti/1tb/vitti/test/gcc-trunk-239276/gcc/fortran/matchexp.c:267
    #15 0x6ca031 in match_add_operand /home/vitti/1tb/vitti/test/gcc-trunk-239276/gcc/fortran/matchexp.c:356
    #16 0x6ca5ae in match_level_2 /home/vitti/1tb/vitti/test/gcc-trunk-239276/gcc/fortran/matchexp.c:480
    #17 0x6ca8bb in match_level_3 /home/vitti/1tb/vitti/test/gcc-trunk-239276/gcc/fortran/matchexp.c:551
    #18 0x6cab2e in match_level_4 /home/vitti/1tb/vitti/test/gcc-trunk-239276/gcc/fortran/matchexp.c:599
    #19 0x6caf06 in match_and_operand /home/vitti/1tb/vitti/test/gcc-trunk-239276/gcc/fortran/matchexp.c:693
    #20 0x6cb0b7 in match_or_operand /home/vitti/1tb/vitti/test/gcc-trunk-239276/gcc/fortran/matchexp.c:722
    #21 0x6cb326 in match_equiv_operand /home/vitti/1tb/vitti/test/gcc-trunk-239276/gcc/fortran/matchexp.c:765
    #22 0x6cb595 in match_level_5 /home/vitti/1tb/vitti/test/gcc-trunk-239276/gcc/fortran/matchexp.c:811
    #23 0x6c9502 in gfc_match_expr(gfc_expr**) /home/vitti/1tb/vitti/test/gcc-trunk-239276/gcc/fortran/matchexp.c:870
    #24 0x6b9a0d in gfc_match(char const*, ...) /home/vitti/1tb/vitti/test/gcc-trunk-239276/gcc/fortran/match.c:1143
    #25 0x6c737b in gfc_match_ptr_fcn_assign() /home/vitti/1tb/vitti/test/gcc-trunk-239276/gcc/fortran/match.c:5301
    #26 0x705064 in match_word /home/vitti/1tb/vitti/test/gcc-trunk-239276/gcc/fortran/parse.c:65
    #27 0x70a660 in decode_statement /home/vitti/1tb/vitti/test/gcc-trunk-239276/gcc/fortran/parse.c:370
    #28 0x70be5b in next_fixed /home/vitti/1tb/vitti/test/gcc-trunk-239276/gcc/fortran/parse.c:1332
    #29 0x70c673 in next_statement /home/vitti/1tb/vitti/test/gcc-trunk-239276/gcc/fortran/parse.c:1382
    #30 0x70d9b4 in parse_derived /home/vitti/1tb/vitti/test/gcc-trunk-239276/gcc/fortran/parse.c:3130
    #31 0x70edee in parse_spec /home/vitti/1tb/vitti/test/gcc-trunk-239276/gcc/fortran/parse.c:3669

previously allocated by thread T0 here:
    #0 0x2b862c1d8648 in __interceptor_malloc ../../.././libsanitizer/asan/asan_malloc_linux.cc:62
    #1 0x2f5b515 in xrealloc /home/vitti/1tb/vitti/test/gcc-trunk-239276/libiberty/xmalloc.c:178
    #2 0x2e64a30 in reserve<(anonymous namespace)::line_span> /home/vitti/1tb/vitti/test/gcc-trunk-239276/gcc/vec.h:288
    #3 0x2e64a30 in reserve /home/vitti/1tb/vitti/test/gcc-trunk-239276/gcc/vec.h:1438
    #4 0x2e64a30 in reserve_exact /home/vitti/1tb/vitti/test/gcc-trunk-239276/gcc/vec.h:1458
    #5 0x2e64a30 in create /home/vitti/1tb/vitti/test/gcc-trunk-239276/gcc/vec.h:1473
    #6 0x2e64a30 in auto_vec /home/vitti/1tb/vitti/test/gcc-trunk-239276/gcc/vec.h:1285
    #7 0x2e64a30 in calculate_line_spans /home/vitti/1tb/vitti/test/gcc-trunk-239276/gcc/diagnostic-show-locus.c:894
    #8 0x2e67b02 in layout /home/vitti/1tb/vitti/test/gcc-trunk-239276/gcc/diagnostic-show-locus.c:785
    #9 0x2e6802e in diagnostic_show_locus(diagnostic_context*, diagnostic_info const*) /home/vitti/1tb/vitti/test/gcc-trunk-239276/gcc/diagnostic-show-locus.c:1302
    #10 0x6572e4 in gfc_diagnostic_starter /home/vitti/1tb/vitti/test/gcc-trunk-239276/gcc/fortran/error.c:1096
    #11 0x2e5c244 in diagnostic_report_diagnostic(diagnostic_context*, diagnostic_info*) /home/vitti/1tb/vitti/test/gcc-trunk-239276/gcc/diagnostic.c:935
    #12 0x656009 in gfc_error /home/vitti/1tb/vitti/test/gcc-trunk-239276/gcc/fortran/error.c:1277
    #13 0x658644 in gfc_error(char const*, ...) /home/vitti/1tb/vitti/test/gcc-trunk-239276/gcc/fortran/error.c:1296
    #14 0x720a04 in gfc_match_rvalue(gfc_expr**) /home/vitti/1tb/vitti/test/gcc-trunk-239276/gcc/fortran/primary.c:3021
    #15 0x6c97ed in match_primary /home/vitti/1tb/vitti/test/gcc-trunk-239276/gcc/fortran/matchexp.c:157
    #16 0x6c99c6 in match_level_1 /home/vitti/1tb/vitti/test/gcc-trunk-239276/gcc/fortran/matchexp.c:211
    #17 0x6c9ba5 in match_mult_operand /home/vitti/1tb/vitti/test/gcc-trunk-239276/gcc/fortran/matchexp.c:267
    #18 0x6ca031 in match_add_operand /home/vitti/1tb/vitti/test/gcc-trunk-239276/gcc/fortran/matchexp.c:356
    #19 0x6ca5ae in match_level_2 /home/vitti/1tb/vitti/test/gcc-trunk-239276/gcc/fortran/matchexp.c:480
    #20 0x6ca8bb in match_level_3 /home/vitti/1tb/vitti/test/gcc-trunk-239276/gcc/fortran/matchexp.c:551
    #21 0x6cab2e in match_level_4 /home/vitti/1tb/vitti/test/gcc-trunk-239276/gcc/fortran/matchexp.c:599
    #22 0x6caf06 in match_and_operand /home/vitti/1tb/vitti/test/gcc-trunk-239276/gcc/fortran/matchexp.c:693
    #23 0x6cb0b7 in match_or_operand /home/vitti/1tb/vitti/test/gcc-trunk-239276/gcc/fortran/matchexp.c:722
    #24 0x6cb326 in match_equiv_operand /home/vitti/1tb/vitti/test/gcc-trunk-239276/gcc/fortran/matchexp.c:765
    #25 0x6cb595 in match_level_5 /home/vitti/1tb/vitti/test/gcc-trunk-239276/gcc/fortran/matchexp.c:811
    #26 0x6c9502 in gfc_match_expr(gfc_expr**) /home/vitti/1tb/vitti/test/gcc-trunk-239276/gcc/fortran/matchexp.c:870
    #27 0x6b9a0d in gfc_match(char const*, ...) /home/vitti/1tb/vitti/test/gcc-trunk-239276/gcc/fortran/match.c:1143
    #28 0x6c737b in gfc_match_ptr_fcn_assign() /home/vitti/1tb/vitti/test/gcc-trunk-239276/gcc/fortran/match.c:5301
    #29 0x705064 in match_word /home/vitti/1tb/vitti/test/gcc-trunk-239276/gcc/fortran/parse.c:65
    #30 0x70a660 in decode_statement /home/vitti/1tb/vitti/test/gcc-trunk-239276/gcc/fortran/parse.c:370
    #31 0x70be5b in next_fixed /home/vitti/1tb/vitti/test/gcc-trunk-239276/gcc/fortran/parse.c:1332
    #32 0x70c673 in next_statement /home/vitti/1tb/vitti/test/gcc-trunk-239276/gcc/fortran/parse.c:1382
    #33 0x70d9b4 in parse_derived /home/vitti/1tb/vitti/test/gcc-trunk-239276/gcc/fortran/parse.c:3130
    #34 0x70edee in parse_spec /home/vitti/1tb/vitti/test/gcc-trunk-239276/gcc/fortran/parse.c:3669

SUMMARY: AddressSanitizer: heap-use-after-free /home/vitti/1tb/vitti/test/gcc-trunk-239276/gcc/fortran/interface.c:403 in compare_components
Shadow bytes around the buggy address:
0x0c087fff9830: fa fa fd fd fd fd fd fd fa fa fd fd fd fd fd fd
0x0c087fff9840: fa fa fd fd fd fd fd fd fa fa fd fd fd fd fd fd
0x0c087fff9850: fa fa fd fd fd fd fd fa fa fa fd fd fd fd fd fa
0x0c087fff9860: fa fa fd fd fd fd fd fd fa fa fd fd fd fd fd fd
0x0c087fff9870: fa fa fd fd fd fd fd fd fa fa fd fd fd fd fd fd
=>0x0c087fff9880: fa fa 00 00 00 00 00 00 fa fa fd fd[fd]fd fd fa
0x0c087fff9890: fa fa fd fd fd fd fd fa fa fa fd fd fd fd fd fd
0x0c087fff98a0: fa fa fd fd fd fd fd fd fa fa fd fd fd fd fd fd
0x0c087fff98b0: fa fa fd fd fd fd fd fd fa fa fd fd fd fd fd fd
0x0c087fff98c0: fa fa fd fd fd fd fd fa fa fa fd fd fd fd fd fa
0x0c087fff98d0: fa fa fd fd fd fd fd fd fa fa fd fd fd fd fd fd
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Heap right redzone: fb
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack partial redzone: f4
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
==15602==ABORTING
interface.c:403 is

      if ( (d1 && (d1->attr.flavor == FL_STRUCT || d1->attr.flavor == FL_UNION)

and I believe d1->attr.flavor is the item used after being freed.
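The report above has the defining shape of this bug class: a pointer to a front-end object outlives the object, and the free/allocation stacks ASan prints describe whoever last owned that heap chunk (here a diagnostics line_span auto_vec), not necessarily the code that released the object the dangling pointer was meant for. The C program below is an added illustration and is not gfortran's code: the struct layouts and every name in it (symbol, typespec, ns, ns_add, compare_derived, ns_free_unsafe, ns_tracked, ts_borrow, ns_free_safe, demo_safe, demo_borrow_limit) are invented for the example. It models a typespec keeping a borrowed pointer to a derived-type symbol, frees the symbol table while that borrow is still live, and then shows one fix: register borrowers and clear them before the memory goes away.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Toy model of a front-end symbol table.  Names and layouts are invented
   for this example; they are NOT gfortran's real structures. */
enum flavor { FL_UNKNOWN = 0, FL_DERIVED, FL_STRUCT, FL_UNION };

struct symbol {
    char name[16];
    struct { enum flavor flavor; } attr;  /* the field read at interface.c:403 */
    struct symbol *next;                  /* intrusive namespace list */
};

struct typespec {
    struct symbol *u_derived;  /* borrowed pointer into some namespace */
};

struct ns {
    struct symbol *syms;
};

/* Allocate a symbol and link it into the namespace. */
struct symbol *ns_add(struct ns *ns, const char *name, enum flavor fl)
{
    struct symbol *s = calloc(1, sizeof *s);
    if (!s)
        abort();
    strncpy(s->name, name, sizeof s->name - 1);
    s->attr.flavor = fl;
    s->next = ns->syms;
    ns->syms = s;
    return s;
}

/* In the spirit of compare_components: dereferences the derived-type
   symbols both typespecs point at.  Returns 1 when they match. */
int compare_derived(const struct typespec *a, const struct typespec *b)
{
    const struct symbol *d1 = a->u_derived, *d2 = b->u_derived;
    if (!d1 || !d2)
        return 0;
    return d1->attr.flavor == d2->attr.flavor && strcmp(d1->name, d2->name) == 0;
}

/* BUGGY: releases the namespace (think: cleanup after a parse error) while
   typespecs elsewhere still hold pointers into it.  Any later
   compare_derived() on those typespecs is a heap-use-after-free. */
void ns_free_unsafe(struct ns *ns)
{
    struct symbol *s = ns->syms;
    while (s) {
        struct symbol *n = s->next;
        free(s);
        s = n;
    }
    ns->syms = NULL;
}

/* FIX: track every typespec that borrows a symbol from this namespace and
   clear those borrowers before freeing, so a stale reference reads as
   "no type" instead of as freed memory. */
#define MAX_BORROWERS 16
struct ns_tracked {
    struct ns base;
    struct typespec *borrowers[MAX_BORROWERS];
    int nborrowers;
};

/* Point ts at sym and remember ts as a borrower.  Returns -1 when the
   borrower table is full, in which case ts is left untouched. */
int ts_borrow(struct ns_tracked *ns, struct typespec *ts, struct symbol *sym)
{
    if (ns->nborrowers >= MAX_BORROWERS)
        return -1;
    ts->u_derived = sym;
    ns->borrowers[ns->nborrowers++] = ts;
    return 0;
}

void ns_free_safe(struct ns_tracked *ns)
{
    for (int i = 0; i < ns->nborrowers; i++)
        ns->borrowers[i]->u_derived = NULL;
    ns->nborrowers = 0;
    ns_free_unsafe(&ns->base);  /* nothing points into the list any more */
}

/* Exercise the fixed path; returns 1 if the compare after the free was
   answered without touching freed memory. */
int demo_safe(void)
{
    struct ns_tracked ns = { .base = { NULL }, .nborrowers = 0 };
    struct typespec dummy = { NULL }, actual = { NULL };
    struct symbol *t = ns_add(&ns.base, "myT", FL_DERIVED);
    ts_borrow(&ns, &dummy, t);
    ts_borrow(&ns, &actual, t);
    int before = compare_derived(&dummy, &actual);  /* 1: same live symbol */
    ns_free_safe(&ns);
    int after = compare_derived(&dummy, &actual);   /* 0: borrowers cleared */
    return before == 1 && after == 0 && dummy.u_derived == NULL;
}

/* Returns the ts_borrow() result when the borrower table is already full. */
int demo_borrow_limit(void)
{
    struct ns_tracked ns = { .base = { NULL }, .nborrowers = MAX_BORROWERS };
    struct typespec ts = { NULL };
    return ts_borrow(&ns, &ts, NULL);
}

int main(void)
{
    /* Buggy path: build with -fsanitize=address -g to get a
       heap-use-after-free report whose READ is inside compare_derived(). */
    struct ns ns = { NULL };
    struct typespec dummy, actual;
    dummy.u_derived = actual.u_derived = ns_add(&ns, "myT", FL_DERIVED);
    ns_free_unsafe(&ns);
    printf("unsafe compare (use-after-free): %d\n", compare_derived(&dummy, &actual));
    printf("safe path ok: %d\n", demo_safe());
    return 0;
}
```

Build the unsafe path with `gcc -g -fsanitize=address` and the report lands on the `d1->attr.flavor` read, matching the shape of the trace above; the fixed path keeps the same comparison code and only changes who is responsible for invalidating borrowed pointers before their target is freed.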