https://gcc.gnu.org/bugzilla/show_bug.cgi?id=82721

Dominique d'Humieres <dominiq at lps dot ens.fr> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
           Priority|P3                          |P4
             Status|UNCONFIRMED                 |NEW
      Known to work|                            |6.4.0
           Keywords|                            |error-recovery,
                   |                            |ice-on-invalid-code
   Last reconfirmed|                            |2017-10-25
     Ever confirmed|0                           |1
            Summary|Error message with          |[7/8 Regression] Error
                   |corrupted text, sometimes   |message with corrupted
                   |ICE                         |text, sometimes ICE
      Known to fail|                            |7.2.0, 8.0

--- Comment #2 from Dominique d'Humieres <dominiq at lps dot ens.fr> ---
Confirmed for 7.2.0 and trunk. I get an ICE if the compiler is configured with
--enable-checking=yes

    character(len(c)) :: b
                         1
Error: Symbol 'b' at (1) already has basic type of REAL
f951: internal compiler error: Illegal instruction: 4

and

    character(len(c)) :: b
                         1
Error: Symbol 'b' at (1) already has basic type of REAL
(null):0: confused by earlier errors, bailing out

if the compiler is configured with --enable-checking=release.

The change occurred between revisions r243430 (2016-12-08, OK) and r243621
(2016-12-13, bailing out).

My instrumented compiler reports

==79420==ERROR: AddressSanitizer: heap-use-after-free on address 0x604000001138
at pc 0x00010040f256 bp 0x7fff5fbfe7b0 sp 0x7fff5fbfe7a8
READ of size 8 at 0x604000001138 thread T0
    #0 0x10040f255 in check_host_association(gfc_expr*)
(/opt/gcc/gcc8g/libexec/gcc/x86_64-apple-darwin16.7.0/8.0.0/f951+0x10040f255)
    #1 0x10040a172 in gfc_resolve_expr(gfc_expr*)
(/opt/gcc/gcc8g/libexec/gcc/x86_64-apple-darwin16.7.0/8.0.0/f951+0x10040a172)
    #2 0x100424de3 in resolve_index_expr(gfc_expr*)
(/opt/gcc/gcc8g/libexec/gcc/x86_64-apple-darwin16.7.0/8.0.0/f951+0x100424de3)
    #3 0x10042b316 in resolve_charlen(gfc_charlen*)
(/opt/gcc/gcc8g/libexec/gcc/x86_64-apple-darwin16.7.0/8.0.0/f951+0x10042b316)
    #4 0x1004611dd in resolve_types(gfc_namespace*)
(/opt/gcc/gcc8g/libexec/gcc/x86_64-apple-darwin16.7.0/8.0.0/f951+0x1004611dd)
    #5 0x1003e7626 in gfc_resolve(gfc_namespace*)
(/opt/gcc/gcc8g/libexec/gcc/x86_64-apple-darwin16.7.0/8.0.0/f951+0x1003e7626)
    #6 0x100342827 in resolve_all_program_units(gfc_namespace*)
(/opt/gcc/gcc8g/libexec/gcc/x86_64-apple-darwin16.7.0/8.0.0/f951+0x100342827)
    #7 0x100363ced in gfc_parse_file()
(/opt/gcc/gcc8g/libexec/gcc/x86_64-apple-darwin16.7.0/8.0.0/f951+0x100363ced)
    #8 0x100547a22 in gfc_be_parse_file()
(/opt/gcc/gcc8g/libexec/gcc/x86_64-apple-darwin16.7.0/8.0.0/f951+0x100547a22)
    #9 0x105b4df34 in compile_file()
(/opt/gcc/gcc8g/libexec/gcc/x86_64-apple-darwin16.7.0/8.0.0/f951+0x105b4df34)
    #10 0x105b5a2c7 in do_compile()
(/opt/gcc/gcc8g/libexec/gcc/x86_64-apple-darwin16.7.0/8.0.0/f951+0x105b5a2c7)
    #11 0x1082c47cb in toplev::main(int, char**)
(/opt/gcc/gcc8g/libexec/gcc/x86_64-apple-darwin16.7.0/8.0.0/f951+0x1082c47cb)
    #12 0x1082ccd02 in main
(/opt/gcc/gcc8g/libexec/gcc/x86_64-apple-darwin16.7.0/8.0.0/f951+0x1082ccd02)
    #13 0x7fffbcb65234 in start (/usr/lib/system/libdyld.dylib+0x5234)

0x604000001138 is located 40 bytes inside of 48-byte region
[0x604000001110,0x604000001140)
freed by thread T0 here:
    #0 0x15a658160 in wrap_free.part.0
(/opt/gcc/gcc8w/lib/libasan.4.dylib+0x67160)
    #1 0x1004eb9ef in gfc_delete_symtree(gfc_symtree**, char const*)
(/opt/gcc/gcc8g/libexec/gcc/x86_64-apple-darwin16.7.0/8.0.0/f951+0x1004eb9ef)
    #2 0x100507dc2 in gfc_restore_last_undo_checkpoint()
(/opt/gcc/gcc8g/libexec/gcc/x86_64-apple-darwin16.7.0/8.0.0/f951+0x100507dc2)
    #3 0x100508042 in gfc_undo_symbols()
(/opt/gcc/gcc8g/libexec/gcc/x86_64-apple-darwin16.7.0/8.0.0/f951+0x100508042)
    #4 0x100342d3e in reject_statement()
(/opt/gcc/gcc8g/libexec/gcc/x86_64-apple-darwin16.7.0/8.0.0/f951+0x100342d3e)
    #5 0x100342eae in match_word(char const*, match (*)(), locus*)
(/opt/gcc/gcc8g/libexec/gcc/x86_64-apple-darwin16.7.0/8.0.0/f951+0x100342eae)
    #6 0x100350df7 in decode_statement()
(/opt/gcc/gcc8g/libexec/gcc/x86_64-apple-darwin16.7.0/8.0.0/f951+0x100350df7)
    #7 0x100353557 in next_free()
(/opt/gcc/gcc8g/libexec/gcc/x86_64-apple-darwin16.7.0/8.0.0/f951+0x100353557)
    #8 0x100353fe6 in next_statement()
(/opt/gcc/gcc8g/libexec/gcc/x86_64-apple-darwin16.7.0/8.0.0/f951+0x100353fe6)
    #9 0x10035a7d7 in parse_spec(gfc_statement)
(/opt/gcc/gcc8g/libexec/gcc/x86_64-apple-darwin16.7.0/8.0.0/f951+0x10035a7d7)
    #10 0x1003618e6 in parse_progunit(gfc_statement)
(/opt/gcc/gcc8g/libexec/gcc/x86_64-apple-darwin16.7.0/8.0.0/f951+0x1003618e6)
    #11 0x100363caf in gfc_parse_file()
(/opt/gcc/gcc8g/libexec/gcc/x86_64-apple-darwin16.7.0/8.0.0/f951+0x100363caf)
    #12 0x100547a22 in gfc_be_parse_file()
(/opt/gcc/gcc8g/libexec/gcc/x86_64-apple-darwin16.7.0/8.0.0/f951+0x100547a22)
    #13 0x105b4df34 in compile_file()
(/opt/gcc/gcc8g/libexec/gcc/x86_64-apple-darwin16.7.0/8.0.0/f951+0x105b4df34)
    #14 0x105b5a2c7 in do_compile()
(/opt/gcc/gcc8g/libexec/gcc/x86_64-apple-darwin16.7.0/8.0.0/f951+0x105b5a2c7)
    #15 0x1082c47cb in toplev::main(int, char**)
(/opt/gcc/gcc8g/libexec/gcc/x86_64-apple-darwin16.7.0/8.0.0/f951+0x1082c47cb)
    #16 0x1082ccd02 in main
(/opt/gcc/gcc8g/libexec/gcc/x86_64-apple-darwin16.7.0/8.0.0/f951+0x1082ccd02)
    #17 0x7fffbcb65234 in start (/usr/lib/system/libdyld.dylib+0x5234)

previously allocated by thread T0 here:
    #0 0x15a6577ac in wrap_calloc (/opt/gcc/gcc8w/lib/libasan.4.dylib+0x667ac)
    #1 0x1081075c5 in xcalloc
(/opt/gcc/gcc8g/libexec/gcc/x86_64-apple-darwin16.7.0/8.0.0/f951+0x1081075c5)
    #2 0x1004eb65d in gfc_new_symtree(gfc_symtree**, char const*)
(/opt/gcc/gcc8g/libexec/gcc/x86_64-apple-darwin16.7.0/8.0.0/f951+0x1004eb65d)
    #3 0x1004ef980 in gfc_get_sym_tree(char const*, gfc_namespace*,
gfc_symtree**, bool)
(/opt/gcc/gcc8g/libexec/gcc/x86_64-apple-darwin16.7.0/8.0.0/f951+0x1004ef980)
    #4 0x1004fc93e in gfc_get_ha_sym_tree(char const*, gfc_symtree**)
(/opt/gcc/gcc8g/libexec/gcc/x86_64-apple-darwin16.7.0/8.0.0/f951+0x1004fc93e)
    #5 0x10038ad3d in gfc_match_rvalue(gfc_expr**)
(/opt/gcc/gcc8g/libexec/gcc/x86_64-apple-darwin16.7.0/8.0.0/f951+0x10038ad3d)
    #6 0x100250d0b in match_primary(gfc_expr**)
(/opt/gcc/gcc8g/libexec/gcc/x86_64-apple-darwin16.7.0/8.0.0/f951+0x100250d0b)
    #7 0x100250fa0 in match_level_1(gfc_expr**)
(/opt/gcc/gcc8g/libexec/gcc/x86_64-apple-darwin16.7.0/8.0.0/f951+0x100250fa0)
    #8 0x100251315 in match_mult_operand(gfc_expr**)
(/opt/gcc/gcc8g/libexec/gcc/x86_64-apple-darwin16.7.0/8.0.0/f951+0x100251315)
    #9 0x100251b35 in match_add_operand(gfc_expr**)
(/opt/gcc/gcc8g/libexec/gcc/x86_64-apple-darwin16.7.0/8.0.0/f951+0x100251b35)
    #10 0x100252552 in match_level_2(gfc_expr**)
(/opt/gcc/gcc8g/libexec/gcc/x86_64-apple-darwin16.7.0/8.0.0/f951+0x100252552)
    #11 0x100252a79 in match_level_3(gfc_expr**)
(/opt/gcc/gcc8g/libexec/gcc/x86_64-apple-darwin16.7.0/8.0.0/f951+0x100252a79)
    #12 0x100252f00 in match_level_4(gfc_expr**)
(/opt/gcc/gcc8g/libexec/gcc/x86_64-apple-darwin16.7.0/8.0.0/f951+0x100252f00)
    #13 0x100253d52 in match_and_operand(gfc_expr**)
(/opt/gcc/gcc8g/libexec/gcc/x86_64-apple-darwin16.7.0/8.0.0/f951+0x100253d52)
    #14 0x100254026 in match_or_operand(gfc_expr**)
(/opt/gcc/gcc8g/libexec/gcc/x86_64-apple-darwin16.7.0/8.0.0/f951+0x100254026)
    #15 0x100254499 in match_equiv_operand(gfc_expr**)
(/opt/gcc/gcc8g/libexec/gcc/x86_64-apple-darwin16.7.0/8.0.0/f951+0x100254499)
    #16 0x100254916 in match_level_5(gfc_expr**)
(/opt/gcc/gcc8g/libexec/gcc/x86_64-apple-darwin16.7.0/8.0.0/f951+0x100254916)
    #17 0x100250828 in gfc_match_expr(gfc_expr**)
(/opt/gcc/gcc8g/libexec/gcc/x86_64-apple-darwin16.7.0/8.0.0/f951+0x100250828)
    #18 0x10009efca in char_len_param_value(gfc_expr**, bool*)
(/opt/gcc/gcc8g/libexec/gcc/x86_64-apple-darwin16.7.0/8.0.0/f951+0x10009efca)
    #19 0x1000b2813 in gfc_match_char_spec(gfc_typespec*)
(/opt/gcc/gcc8g/libexec/gcc/x86_64-apple-darwin16.7.0/8.0.0/f951+0x1000b2813)
    #20 0x1000cf7a1 in gfc_match_decl_type_spec(gfc_typespec*, int)
(/opt/gcc/gcc8g/libexec/gcc/x86_64-apple-darwin16.7.0/8.0.0/f951+0x1000cf7a1)
    #21 0x1000e1351 in gfc_match_data_decl()
(/opt/gcc/gcc8g/libexec/gcc/x86_64-apple-darwin16.7.0/8.0.0/f951+0x1000e1351)
    #22 0x100342e2c in match_word(char const*, match (*)(), locus*)
(/opt/gcc/gcc8g/libexec/gcc/x86_64-apple-darwin16.7.0/8.0.0/f951+0x100342e2c)
    #23 0x100350df7 in decode_statement()
(/opt/gcc/gcc8g/libexec/gcc/x86_64-apple-darwin16.7.0/8.0.0/f951+0x100350df7)
    #24 0x100353557 in next_free()
(/opt/gcc/gcc8g/libexec/gcc/x86_64-apple-darwin16.7.0/8.0.0/f951+0x100353557)
    #25 0x100353fe6 in next_statement()
(/opt/gcc/gcc8g/libexec/gcc/x86_64-apple-darwin16.7.0/8.0.0/f951+0x100353fe6)
    #26 0x10035a7d7 in parse_spec(gfc_statement)
(/opt/gcc/gcc8g/libexec/gcc/x86_64-apple-darwin16.7.0/8.0.0/f951+0x10035a7d7)
    #27 0x1003618e6 in parse_progunit(gfc_statement)
(/opt/gcc/gcc8g/libexec/gcc/x86_64-apple-darwin16.7.0/8.0.0/f951+0x1003618e6)
    #28 0x100363caf in gfc_parse_file()
(/opt/gcc/gcc8g/libexec/gcc/x86_64-apple-darwin16.7.0/8.0.0/f951+0x100363caf)
    #29 0x100547a22 in gfc_be_parse_file()
(/opt/gcc/gcc8g/libexec/gcc/x86_64-apple-darwin16.7.0/8.0.0/f951+0x100547a22)

SUMMARY: AddressSanitizer: heap-use-after-free
(/opt/gcc/gcc8g/libexec/gcc/x86_64-apple-darwin16.7.0/8.0.0/f951+0x10040f255)
in check_host_association(gfc_expr*)
Shadow bytes around the buggy address:
  0x1c08000001d0: fa fa fd fd fd fd fd fd fa fa fd fd fd fd fd fd
  0x1c08000001e0: fa fa fd fd fd fd fd fd fa fa fd fd fd fd fd fd
  0x1c08000001f0: fa fa fd fd fd fd fd fa fa fa fd fd fd fd fd fd
  0x1c0800000200: fa fa fd fd fd fd fd fa fa fa fd fd fd fd fd fd
  0x1c0800000210: fa fa fd fd fd fd fd fa fa fa fd fd fd fd fd fd
=>0x1c0800000220: fa fa fd fd fd fd fd[fd]fa fa 00 00 00 00 00 fa
  0x1c0800000230: fa fa fd fd fd fd fd fd fa fa 00 00 00 00 00 00
  0x1c0800000240: fa fa fd fd fd fd fd fa fa fa fd fd fd fd fd fd
  0x1c0800000250: fa fa fd fd fd fd fd fd fa fa fd fd fd fd fd fd
  0x1c0800000260: fa fa fd fd fd fd fd fd fa fa fd fd fd fd fd fa
  0x1c0800000270: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==79420==ABORTING
f951: internal compiler error: Abort trap: 6
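The ASan report above shows the shape of the defect: an expression created while matching `len(c)` keeps a raw pointer to a symtree entry, the statement is rejected and `gfc_undo_symbols` frees that entry, and `check_host_association` later reads through the stale pointer. The following C program is an added illustration, not gfortran code: it models a checkpoint/undo symbol table (the names `symtab`, `sym_ref`, `symtab_undo` and the types REAL/CHARACTER values are constructed for the example) and shows one way to make such a design fail closed, by having expressions hold an index-plus-generation handle instead of a pointer, so a reference to a rolled-back symbol resolves to NULL instead of to freed memory.

```c
/* Added example modelling the error-recovery use-after-free pattern from the
 * bug report. All names here are hypothetical; this is not gfortran's code. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MAX_SYMS 16

typedef struct symbol {
    char name[32];
    int type;              /* constructed: 0 = untyped, 1 = REAL, 2 = CHARACTER */
    unsigned generation;   /* bumped every time this slot is (re)used */
    int live;
} symbol;

typedef struct symtab {
    symbol syms[MAX_SYMS];
    int count;
    int checkpoint;        /* value of count at the last checkpoint */
} symtab;

/* What an expression stores: never a raw symbol pointer, so a rollback
 * cannot leave a dangling reference behind. */
typedef struct sym_ref {
    int index;
    unsigned generation;
} sym_ref;

void symtab_init(symtab *t) { memset(t, 0, sizeof *t); }

/* Start of a statement: remember how many symbols existed before it. */
void symtab_checkpoint(symtab *t) { t->checkpoint = t->count; }

/* Create a symbol (the analogue of gfc_get_sym_tree) and hand back a handle. */
sym_ref symtab_add(symtab *t, const char *name, int type) {
    symbol *s = &t->syms[t->count];
    snprintf(s->name, sizeof s->name, "%s", name);
    s->type = type;
    s->live = 1;
    s->generation++;                  /* slot reuse invalidates older handles */
    sym_ref r = { t->count, s->generation };
    t->count++;
    return r;
}

/* Statement rejected: drop every symbol created since the checkpoint
 * (the analogue of gfc_undo_symbols / gfc_delete_symtree). */
void symtab_undo(symtab *t) {
    for (int i = t->checkpoint; i < t->count; i++) {
        t->syms[i].live = 0;
        memset(t->syms[i].name, 0, sizeof t->syms[i].name);  /* poison stale data */
    }
    t->count = t->checkpoint;
}

/* Resolve a handle. Returns NULL if the symbol was rolled back or its slot
 * has since been reused, instead of returning a stale object. */
const symbol *symtab_resolve(const symtab *t, sym_ref r) {
    if (r.index < 0 || r.index >= t->count)
        return NULL;
    const symbol *s = &t->syms[r.index];
    if (!s->live || s->generation != r.generation)
        return NULL;
    return s;
}

/* Replays the sequence from the trace: `b` is already REAL, the declaration
 * `character(len(c)) :: b` creates `c` while matching len(c), the statement
 * is rejected and undone, and a later declaration reuses the slot. Resolving
 * the old handle must fail. Returns 1 when the stale reference is rejected. */
int replay_rejected_statement(void) {
    symtab t;
    symtab_init(&t);
    symtab_add(&t, "b", 1);               /* constructed: b already has type REAL */
    symtab_checkpoint(&t);                /* start of the CHARACTER declaration */
    sym_ref c = symtab_add(&t, "c", 0);   /* implicit symbol created for len(c) */
    symtab_undo(&t);                      /* "Symbol 'b' already has basic type" */
    symtab_add(&t, "d", 2);               /* constructed later declaration reuses slot */
    return symtab_resolve(&t, c) == NULL;
}

/* Control case: a statement that is accepted keeps its symbols resolvable. */
int replay_accepted_statement(void) {
    symtab t;
    symtab_init(&t);
    symtab_checkpoint(&t);
    sym_ref c = symtab_add(&t, "c", 0);
    const symbol *s = symtab_resolve(&t, c);
    return s != NULL && strcmp(s->name, "c") == 0 && s->type == 0;
}

int main(void) {
    printf("stale handle rejected: %d\n", replay_rejected_statement());
    printf("live handle resolved:  %d\n", replay_accepted_statement());
    return 0;
}
```

With the raw-pointer design the trace documents, the rejected-statement path would read 8 bytes at offset 40 of a freed 48-byte object, which is exactly what ASan flagged; with handles, the same sequence yields a NULL that the resolver can turn into an ordinary diagnostic rather than an ICE.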
