https://gcc.gnu.org/bugzilla/show_bug.cgi?id=111837

Bug ID: 111837
Summary: [8,9,10,11,12,13 Regression] Out of bounds access with optimization inside io-implied-do-control
Product: gcc
Version: 13.1.1
Status: UNCONFIRMED
Severity: normal
Priority: P3
Component: fortran
Assignee: unassigned at gcc dot gnu.org
Reporter: vladimir.fuka at gmail dot com
Target Milestone: ---

The following code causes an out-of-bounds access in array ni(1) when optimized
with -O1 or higher with GCC 8 and higher.

Based on
https://stackoverflow.com/questions/77300746/how-does-gfortran-with-optimization-flags-interpret-nested-implied-do-loops


program implied_do_bug
   implicit none
   integer :: i,j,k
   real :: arr(1,1,1)
   integer, dimension(:) :: ni(1)

   ni(1) = 1
   arr = 1

   write(*,*) (((arr(i,j,k), i=1,ni(k)), j=1,1), k=1,1)
end program


With error checker:

> gfortran-13 -O1 q77300746.f90 -fcheck=all -g
> ./a.out
At line 10 of file q77300746.f90
Fortran runtime error: Index '0' of dimension 1 of array 'ni' below lower bound of 1

Error termination. Backtrace:
#0  0x4006e6 in implied_do_bug
        at /home/lada/f/testy/stackoverflow//q77300746.f90:10
#1  0x400717 in main
        at /home/lada/f/testy/stackoverflow//q77300746.f90:11


With address sanitization:

> gfortran-13 -O1 q77300746.f90 -fsanitize=address,undefined
> ./a.out
=================================================================
==30012==ERROR: AddressSanitizer: stack-buffer-underflow on address 0x7fdf3930002c at pc 0x00000040128b bp 0x7ffe56f222b0 sp 0x7ffe56f222a8
READ of size 4 at 0x7fdf3930002c thread T0
    #0 0x40128a in MAIN__ (/home/lada/f/testy/stackoverflow/a.out+0x40128a) (BuildId: 4f112b517d93d007bc1b001caf3ac9b317046f1c)
    #1 0x401358 in main (/home/lada/f/testy/stackoverflow/a.out+0x401358) (BuildId: 4f112b517d93d007bc1b001caf3ac9b317046f1c)
    #2 0x7fdf3b76e24c in __libc_start_main (/lib64/libc.so.6+0x3524c) (BuildId: 171a59c1c43a8f7b93c3dff765aae0b675fe10f6)
    #3 0x400b59 in _start ../sysdeps/x86_64/start.S:120

Address 0x7fdf3930002c is located in stack of thread T0 at offset 44 in frame
    #0 0x400c15 in MAIN__ (/home/lada/f/testy/stackoverflow/a.out+0x400c15) (BuildId: 4f112b517d93d007bc1b001caf3ac9b317046f1c)

  This frame has 4 object(s):
    [48, 52) 'ni' (line 5) <== Memory access at offset 44 underflows this variable
    [64, 96) 'arr' (line 4)
    [128, 240) 'parm.4' (line 10)
    [272, 800) 'dt_parm.3' (line 10)
HINT: this may be a false positive if your program uses some custom stack unwind mechanism, swapcontext or vfork
      (longjmp and C++ exceptions *are* supported)
SUMMARY: AddressSanitizer: stack-buffer-underflow (/home/lada/f/testy/stackoverflow/a.out+0x40128a) (BuildId: 4f112b517d93d007bc1b001caf3ac9b317046f1c) in MAIN__
Shadow bytes around the buggy address:
  0x7fdf392ffd80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x7fdf392ffe00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x7fdf392ffe80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x7fdf392fff00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x7fdf392fff80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x7fdf39300000: f1 f1 f1 f1 f1[f1]04 f2 00 00 00 00 f2 f2 f2 f2
  0x7fdf39300080: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f2 f2
  0x7fdf39300100: f2 f2 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x7fdf39300180: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x7fdf39300200: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x7fdf39300280: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==30012==ABORTING
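
Added example (not part of the original report, and not GCC or sanitizer code): a small Python triage helper that parses the frame-layout lines of the AddressSanitizer report above and maps the faulting stack offset to an element index of the nearest object, so the ASan finding can be cross-checked against the -fcheck=all message. The function names, the 4-byte element size and the lower bound of 1 are assumptions chosen to match a default integer and the declaration ni(1).

```python
import re

# Constructed sample: the frame-layout lines copied from the ASan report above.
SAMPLE = """\
Address 0x7fdf3930002c is located in stack of thread T0 at offset 44 in frame
  This frame has 4 object(s):
    [48, 52) 'ni' (line 5) <== Memory access at offset 44 underflows this variable
    [64, 96) 'arr' (line 4)
    [128, 240) 'parm.4' (line 10)
    [272, 800) 'dt_parm.3' (line 10)
"""

OFFSET_RE = re.compile(r"at offset (\d+) in frame")
OBJECT_RE = re.compile(r"\[(\d+), (\d+)\) '([^']+)' \(line (\d+)\)")


def parse_frame(report):
    """Return (faulting_offset, [(start, end, name, line), ...])."""
    m = OFFSET_RE.search(report)
    objects = [(int(s), int(e), n, int(ln))
               for s, e, n, ln in OBJECT_RE.findall(report)]
    if m is None or not objects:
        raise ValueError("not an ASan stack frame description")
    return int(m.group(1)), objects


def locate(report, elem_size=4, lower_bound=1):
    """Map the faulting offset to the nearest frame object and element index.

    elem_size and lower_bound are assumptions (default INTEGER, ni(1));
    the index is only meaningful for a rank-1 array.
    """
    offset, objects = parse_frame(report)

    def gap(obj):  # bytes between the access and the object, 0 if inside
        start, end = obj[0], obj[1]
        return max(start - offset, offset - (end - 1), 0)

    start, end, name, line = min(objects, key=gap)
    kind = ("underflow" if offset < start
            else "overflow" if offset >= end else "in-bounds")
    # Floor division keeps negative offsets correct: (44 - 48) // 4 == -1.
    index = (offset - start) // elem_size + lower_bound
    return {"object": name, "line": line, "kind": kind, "index": index}


if __name__ == "__main__":
    print(locate(SAMPLE))
```

For the report above this yields index 0 of 'ni', the same element the -fcheck=all run names in "Index '0' of dimension 1 of array 'ni' below lower bound of 1".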