https://gcc.gnu.org/bugzilla/show_bug.cgi?id=86657

            Bug ID: 86657
           Summary: ASAN error: heap-use-after-free
                    gcc/fortran/symbol.c:1762 in gfc_add_flavor
           Product: gcc
           Version: 9.0
            Status: UNCONFIRMED
          Severity: normal
          Priority: P3
         Component: fortran
          Assignee: unassigned at gcc dot gnu.org
          Reporter: marxin at gcc dot gnu.org
            Blocks: 86656
  Target Milestone: ---

The following test-case triggers that:

$ ./xgcc -B.
/home/marxin/Programming/gcc/gcc/testsuite/gfortran.dg/dec_type_print_2.f03 -c
-fdec
=================================================================
==20454==ERROR: AddressSanitizer: heap-use-after-free on address 0x613000004918
at pc 0x000000b59be3 bp 0x7fffffffcb70 sp 0x7fffffffcb68
READ of size 1 at 0x613000004918 thread T0
    #0 0xb59be2 in gfc_add_flavor(symbol_attribute*, sym_flavor, char const*,
locus*) /home/marxin/Programming/gcc2/gcc/fortran/symbol.c:1762
    #1 0xb59672 in gfc_add_generic(symbol_attribute*, char const*, locus*)
/home/marxin/Programming/gcc2/gcc/fortran/symbol.c:1697
    #2 0x9025e2 in gfc_match_derived_decl()
/home/marxin/Programming/gcc2/gcc/fortran/decl.c:10009
    #3 0x901d17 in gfc_match_type(gfc_statement*)
/home/marxin/Programming/gcc2/gcc/fortran/decl.c:9900
    #4 0xa5bcdb in decode_statement
/home/marxin/Programming/gcc2/gcc/fortran/parse.c:418
    #5 0xa6242f in next_free
/home/marxin/Programming/gcc2/gcc/fortran/parse.c:1234
    #6 0xa63365 in next_statement
/home/marxin/Programming/gcc2/gcc/fortran/parse.c:1466
    #7 0xa6b82b in parse_spec
/home/marxin/Programming/gcc2/gcc/fortran/parse.c:3858
    #8 0xa73eeb in parse_progunit
/home/marxin/Programming/gcc2/gcc/fortran/parse.c:5671
    #9 0xa770f0 in gfc_parse_file()
/home/marxin/Programming/gcc2/gcc/fortran/parse.c:6211
    #10 0xb86eb6 in gfc_be_parse_file
/home/marxin/Programming/gcc2/gcc/fortran/f95-lang.c:204
    #11 0x2255717 in compile_file
/home/marxin/Programming/gcc2/gcc/toplev.c:455
    #12 0x225d323 in do_compile /home/marxin/Programming/gcc2/gcc/toplev.c:2161
    #13 0x225dba2 in toplev::main(int, char**)
/home/marxin/Programming/gcc2/gcc/toplev.c:2296
    #14 0x49a800e in main /home/marxin/Programming/gcc2/gcc/main.c:39
    #15 0x7ffff59fcfea in __libc_start_main ../csu/libc-start.c:308
    #16 0x866759 in _start
(/home/marxin/Programming/gcc2/objdir/gcc/f951+0x866759)

0x613000004918 is located 280 bytes inside of 344-byte region
[0x613000004800,0x613000004958)
freed by thread T0 here:
    #0 0x7ffff6efc2f0 in __interceptor_free (/usr/lib64/libasan.so.5+0xeb2f0)
    #1 0xb6148f in gfc_free_symbol(gfc_symbol*)
/home/marxin/Programming/gcc2/gcc/fortran/symbol.c:3081
    #2 0xb61718 in gfc_release_symbol(gfc_symbol*)
/home/marxin/Programming/gcc2/gcc/fortran/symbol.c:3108
    #3 0xb65882 in gfc_restore_last_undo_checkpoint()
/home/marxin/Programming/gcc2/gcc/fortran/symbol.c:3701
    #4 0xb659fd in gfc_undo_symbols()
/home/marxin/Programming/gcc2/gcc/fortran/symbol.c:3732
    #5 0xa5bc74 in decode_statement
/home/marxin/Programming/gcc2/gcc/fortran/parse.c:414
    #6 0xa6242f in next_free
/home/marxin/Programming/gcc2/gcc/fortran/parse.c:1234
    #7 0xa63365 in next_statement
/home/marxin/Programming/gcc2/gcc/fortran/parse.c:1466
    #8 0xa6b82b in parse_spec
/home/marxin/Programming/gcc2/gcc/fortran/parse.c:3858
    #9 0xa73eeb in parse_progunit
/home/marxin/Programming/gcc2/gcc/fortran/parse.c:5671
    #10 0xa770f0 in gfc_parse_file()
/home/marxin/Programming/gcc2/gcc/fortran/parse.c:6211
    #11 0xb86eb6 in gfc_be_parse_file
/home/marxin/Programming/gcc2/gcc/fortran/f95-lang.c:204
    #12 0x2255717 in compile_file
/home/marxin/Programming/gcc2/gcc/toplev.c:455
    #13 0x225d323 in do_compile /home/marxin/Programming/gcc2/gcc/toplev.c:2161
    #14 0x225dba2 in toplev::main(int, char**)
/home/marxin/Programming/gcc2/gcc/toplev.c:2296
    #15 0x49a800e in main /home/marxin/Programming/gcc2/gcc/main.c:39
    #16 0x7ffff59fcfea in __libc_start_main ../csu/libc-start.c:308

previously allocated by thread T0 here:
    #0 0x7ffff6efc858 in calloc (/usr/lib64/libasan.so.5+0xeb858)
    #1 0x4bda37e in xcalloc
/home/marxin/Programming/gcc2/libiberty/xmalloc.c:162
    #2 0xb6173f in gfc_new_symbol(char const*, gfc_namespace*)
/home/marxin/Programming/gcc2/gcc/fortran/symbol.c:3119
    #3 0xb62e24 in gfc_get_sym_tree(char const*, gfc_namespace*, gfc_symtree**,
bool) /home/marxin/Programming/gcc2/gcc/fortran/symbol.c:3369
    #4 0xb63582 in gfc_get_symbol(char const*, gfc_namespace*, gfc_symbol**)
/home/marxin/Programming/gcc2/gcc/fortran/symbol.c:3422
    #5 0x9c7782 in gfc_match_label()
/home/marxin/Programming/gcc2/gcc/fortran/match.c:617
    #6 0x9d0a6c in gfc_match_forall(gfc_statement*)
/home/marxin/Programming/gcc2/gcc/fortran/match.c:2489
    #7 0xa5bc2e in decode_statement
/home/marxin/Programming/gcc2/gcc/fortran/parse.c:412
    #8 0xa6242f in next_free
/home/marxin/Programming/gcc2/gcc/fortran/parse.c:1234
    #9 0xa63365 in next_statement
/home/marxin/Programming/gcc2/gcc/fortran/parse.c:1466
    #10 0xa6b82b in parse_spec
/home/marxin/Programming/gcc2/gcc/fortran/parse.c:3858
    #11 0xa73eeb in parse_progunit
/home/marxin/Programming/gcc2/gcc/fortran/parse.c:5671
    #12 0xa770f0 in gfc_parse_file()
/home/marxin/Programming/gcc2/gcc/fortran/parse.c:6211
    #13 0xb86eb6 in gfc_be_parse_file
/home/marxin/Programming/gcc2/gcc/fortran/f95-lang.c:204
    #14 0x2255717 in compile_file
/home/marxin/Programming/gcc2/gcc/toplev.c:455
    #15 0x225d323 in do_compile /home/marxin/Programming/gcc2/gcc/toplev.c:2161
    #16 0x225dba2 in toplev::main(int, char**)
/home/marxin/Programming/gcc2/gcc/toplev.c:2296
    #17 0x49a800e in main /home/marxin/Programming/gcc2/gcc/main.c:39
    #18 0x7ffff59fcfea in __libc_start_main ../csu/libc-start.c:308

SUMMARY: AddressSanitizer: heap-use-after-free
/home/marxin/Programming/gcc2/gcc/fortran/symbol.c:1762 in
gfc_add_flavor(symbol_attribute*, sym_flavor, char const*, locus*)
Shadow bytes around the buggy address:
  0x0c267fff88d0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c267fff88e0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c267fff88f0: fd fd fd fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c267fff8900: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c267fff8910: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
=>0x0c267fff8920: fd fd fd[fd]fd fd fd fd fd fd fd fa fa fa fa fa
  0x0c267fff8930: fa fa fa fa fa fa fa fa 00 00 00 00 00 00 00 00
  0x0c267fff8940: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c267fff8950: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c267fff8960: 00 00 00 fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c267fff8970: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==20454==ABORTING


Referenced Bugs:

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=86656
[Bug 86656] Issues found with -fsanitize=address
