https://gcc.gnu.org/bugzilla/show_bug.cgi?id=84245

Dominique d'Humieres <dominiq at lps dot ens.fr> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
           Keywords|                            |ice-on-invalid-code
           Priority|P3                          |P4
             Status|UNCONFIRMED                 |NEW
   Last reconfirmed|                            |2018-02-07
      Known to work|                            |6.4.0
     Ever confirmed|0                           |1
      Known to fail|                            |7.3.0, 8.0

--- Comment #1 from Dominique d'Humieres <dominiq at lps dot ens.fr> ---
On darwin the ICE is of the kind

f951(92596,0x7fffa8e43340) malloc: *** error for object 0x1422089d0: pointer
being freed was not allocated
*** set a breakpoint in malloc_error_break to debug
f951: internal compiler error: Abort trap: 6

An instrumented compiler gives

==94172==ERROR: AddressSanitizer: heap-use-after-free on address 0x613000002640
at pc 0x0001004ce8b6 bp 0x7ffeefbfe550 sp 0x7ffeefbfe548
READ of size 8 at 0x613000002640 thread T0
    #0 0x1004ce8b5 in gfc_restore_last_undo_checkpoint() symbol.c:3647
    #1 0x1004cfcfa in gfc_undo_symbols() symbol.c:3727
    #2 0x100326d45 in reject_statement() parse.c:2565
    #3 0x100326e8d in match_word(char const*, match (*)(), locus*) parse.c:70
    #4 0x100333bea in decode_statement() parse.c:428
    #5 0x100335ef0 in next_free() parse.c:1230
    #6 0x1003368bd in next_statement() parse.c:1462
    #7 0x10033c8e7 in parse_spec(gfc_statement) parse.c:3670
    #8 0x100343892 in parse_progunit(gfc_statement) parse.c:5667
    #9 0x100345b5f in gfc_parse_file() parse.c:6207
    #10 0x1005093fe in gfc_be_parse_file() f95-lang.c:204
    #11 0x105bd31dc in compile_file() toplev.c:455
    #12 0x105bddb20 in do_compile() toplev.c:2081
    #13 0x108127e99 in toplev::main(int, char**) toplev.c:2216
    #14 0x10812d37f in main main.c:39
    #15 0x7fff7011c114 in start (libdyld.dylib:x86_64+0x1114)

0x613000002640 is located 320 bytes inside of 336-byte region
[0x613000002500,0x613000002650)
freed by thread T0 here:
    #0 0x156c50350 in wrap_free.part.0 (libasan.5.dylib:x86_64+0x6d350)
    #1 0x1004bedad in gfc_free_symbol(gfc_symbol*) symbol.c:3061
    #2 0x1004bf0f9 in gfc_release_symbol(gfc_symbol*) symbol.c:3088
    #3 0x1004bf578 in free_sym_tree(gfc_symtree*) symbol.c:3890
    #4 0x1004be32d in gfc_free_namespace(gfc_namespace*) symbol.c:4045
    #5 0x10024a208 in gfc_match_select_type() match.c:6170
    #6 0x100326e0b in match_word(char const*, match (*)(), locus*) parse.c:65
    #7 0x100333bea in decode_statement() parse.c:428
    #8 0x100335ef0 in next_free() parse.c:1230
    #9 0x1003368bd in next_statement() parse.c:1462
    #10 0x10033c8e7 in parse_spec(gfc_statement) parse.c:3670
    #11 0x100343892 in parse_progunit(gfc_statement) parse.c:5667
    #12 0x100345b5f in gfc_parse_file() parse.c:6207
    #13 0x1005093fe in gfc_be_parse_file() f95-lang.c:204
    #14 0x105bd31dc in compile_file() toplev.c:455
    #15 0x105bddb20 in do_compile() toplev.c:2081
    #16 0x108127e99 in toplev::main(int, char**) toplev.c:2216
    #17 0x10812d37f in main main.c:39
    #18 0x7fff7011c114 in start (libdyld.dylib:x86_64+0x1114)

previously allocated by thread T0 here:
    #0 0x156c4f9c0 in wrap_calloc (libasan.5.dylib:x86_64+0x6c9c0)
    #1 0x107fce284 in xcalloc xmalloc.c:162
    #2 0x1004b6183 in gfc_new_symbol(char const*, gfc_namespace*) symbol.c:3099
    #3 0x1004b8692 in gfc_get_sym_tree(char const*, gfc_namespace*,
gfc_symtree**, bool) symbol.c:3348
    #4 0x1004c53fa in gfc_get_ha_sym_tree(char const*, gfc_symtree**)
symbol.c:3441
    #5 0x100369ede in gfc_match_rvalue(gfc_expr**) primary.c:3142
    #6 0x10024e365 in match_primary(gfc_expr**) matchexp.c:157
    #7 0x10024e5f4 in match_level_1(gfc_expr**) matchexp.c:211
    #8 0x10024e969 in match_mult_operand(gfc_expr**) matchexp.c:267
    #9 0x10024f173 in match_add_operand(gfc_expr**) matchexp.c:356
    #10 0x10024fb60 in match_level_2(gfc_expr**) matchexp.c:480
    #11 0x100250070 in match_level_3(gfc_expr**) matchexp.c:551
    #12 0x1002504e9 in match_level_4(gfc_expr**) matchexp.c:599
    #13 0x10025131d in match_and_operand(gfc_expr**) matchexp.c:693
    #14 0x1002515ec in match_or_operand(gfc_expr**) matchexp.c:722
    #15 0x100251a51 in match_equiv_operand(gfc_expr**) matchexp.c:765
    #16 0x100251ec0 in match_level_5(gfc_expr**) matchexp.c:811
    #17 0x10024de89 in gfc_match_expr(gfc_expr**) matchexp.c:870
    #18 0x10022c4b2 in gfc_match(char const*, ...) match.c:1153
    #19 0x1002498a2 in gfc_match_select_type() match.c:6166
    #20 0x100326e0b in match_word(char const*, match (*)(), locus*) parse.c:65
    #21 0x100333bea in decode_statement() parse.c:428
    #22 0x100335ef0 in next_free() parse.c:1230
    #23 0x1003368bd in next_statement() parse.c:1462
    #24 0x10033c8e7 in parse_spec(gfc_statement) parse.c:3670
    #25 0x100343892 in parse_progunit(gfc_statement) parse.c:5667
    #26 0x100345b5f in gfc_parse_file() parse.c:6207
    #27 0x1005093fe in gfc_be_parse_file() f95-lang.c:204
    #28 0x105bd31dc in compile_file() toplev.c:455
    #29 0x105bddb20 in do_compile() toplev.c:2081

SUMMARY: AddressSanitizer: heap-use-after-free symbol.c:3647 in
gfc_restore_last_undo_checkpoint()
Shadow bytes around the buggy address:
  0x1c2600000470: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x1c2600000480: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x1c2600000490: fd fd fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x1c26000004a0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x1c26000004b0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
=>0x1c26000004c0: fd fd fd fd fd fd fd fd[fd]fd fa fa fa fa fa fa
  0x1c26000004d0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x1c26000004e0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x1c26000004f0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x1c2600000500: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x1c2600000510: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
