[Bug fortran/111291] New: ASAN error: heap-use-after-free gcc/fortran/parse.cc:359 in decode_statement
fkastl at suse dot cz
gcc-bugzilla@gcc.gnu.org
Tue Sep 5 12:58:23 GMT 2023
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=111291
Bug ID: 111291
Summary: ASAN error: heap-use-after-free gcc/fortran/parse.cc:359 in decode_statement
Product: gcc
Version: 14.0
Status: UNCONFIRMED
Severity: normal
Priority: P3
Component: fortran
Assignee: unassigned at gcc dot gnu.org
Reporter: fkastl at suse dot cz
CC: mjambor at suse dot cz
Target Milestone: ---
Host: x86_64-linux
Target: x86_64-linux
With an ASAN-instrumented GCC
configure --enable-languages=default,jit,lto,go,d --enable-host-shared
--enable-checking=release --disable-multilib --with-build-config=bootstrap-asan
running
make check-fortran RUNTESTFLAGS="dg.exp=unexpected_interface.f90 -v"
produces
==6474==ERROR: AddressSanitizer: heap-use-after-free on address 0x513000002ab8
at pc 0x000000ad968d bp 0x7ffd08212000 sp 0x7ffd08211ff8
READ of size 8 at 0x513000002ab8 thread T0
#0 0xad968c in decode_statement
/home/worker/buildworker/tiber-gcc-asan/build/gcc/fortran/parse.cc:359
#1 0xae3df4 in next_free
/home/worker/buildworker/tiber-gcc-asan/build/gcc/fortran/parse.cc:1592
#2 0xae3df4 in next_statement
/home/worker/buildworker/tiber-gcc-asan/build/gcc/fortran/parse.cc:1824
#3 0xae832f in parse_interface
/home/worker/buildworker/tiber-gcc-asan/build/gcc/fortran/parse.cc:3991
#4 0xae832f in parse_spec
/home/worker/buildworker/tiber-gcc-asan/build/gcc/fortran/parse.cc:4350
#5 0xaef85c in parse_progunit
/home/worker/buildworker/tiber-gcc-asan/build/gcc/fortran/parse.cc:6576
#6 0xaf12cc in gfc_parse_file()
/home/worker/buildworker/tiber-gcc-asan/build/gcc/fortran/parse.cc:7162
#7 0xbec011 in gfc_be_parse_file
/home/worker/buildworker/tiber-gcc-asan/build/gcc/fortran/f95-lang.cc:229
#8 0x1fd637f in compile_file
/home/worker/buildworker/tiber-gcc-asan/build/gcc/toplev.cc:444
#9 0x7a7df3 in do_compile
/home/worker/buildworker/tiber-gcc-asan/build/gcc/toplev.cc:2126
#10 0x7a7df3 in toplev::main(int, char**)
/home/worker/buildworker/tiber-gcc-asan/build/gcc/toplev.cc:2282
#11 0x7b2e23 in main
/home/worker/buildworker/tiber-gcc-asan/build/gcc/main.cc:39
#12 0x7fd42da281ef in __libc_start_call_main (/lib64/libc.so.6+0x281ef)
(BuildId: 80328d345e2dd1be1b7a59ab1f54d94f4b916dac)
#13 0x7fd42da282b8 in __libc_start_main@GLIBC_2.2.5
(/lib64/libc.so.6+0x282b8) (BuildId: 80328d345e2dd1be1b7a59ab1f54d94f4b916dac)
#14 0x7b45e4 in _start ../sysdeps/x86_64/start.S:115
0x513000002ab8 is located 120 bytes inside of 336-byte region [0x513000002a40,0x513000002b90)
freed by thread T0 here:
#0 0x865ec8 in __interceptor_free
/home/worker/buildworker/tiber-gcc-asan/build/libsanitizer/asan/asan_malloc_linux.cpp:52
#1 0xbb6103 in gfc_free_symbol(gfc_symbol*&)
/home/worker/buildworker/tiber-gcc-asan/build/gcc/fortran/symbol.cc:3105
previously allocated by thread T0 here:
#0 0x866bd7 in __interceptor_calloc
/home/worker/buildworker/tiber-gcc-asan/build/libsanitizer/asan/asan_malloc_linux.cpp:77
#1 0x57ef974 in xcalloc
/home/worker/buildworker/tiber-gcc-asan/build/libiberty/xmalloc.c:164
SUMMARY: AddressSanitizer: heap-use-after-free /home/worker/buildworker/tiber-gcc-asan/build/gcc/fortran/parse.cc:359 in decode_statement
==6474==ABORTING