https://gcc.gnu.org/bugzilla/show_bug.cgi?id=120196
--- Comment #2 from anlauf at gcc dot gnu.org ---
(In reply to anlauf from comment #1)
> Here's a testcase that fails under valgrind:
>
> program p
>   implicit none
>   character(:), allocatable :: a(:), s
>   allocate (character(16) :: a(10), s)
>   a(:)(:) = ""
>   s(:)    = "*"
>   print *, findloc (a, s, dim=1, back=.true.)
>   deallocate (a, s)
> end program p
It also fails with -fsanitize=address here:
=================================================================
==25625==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x7c4060ae0030 at pc 0x7f6061ee5e13 bp 0x7fff5db66110 sp 0x7fff5db658d0
READ of size 16 at 0x7c4060ae0030 thread T0
    #0 0x7f6061ee5e12 in MemcmpInterceptorCommon(void*, int (*)(void const*, void const*, unsigned long), void const*, void const*, unsigned long) ../../../../gcc-trunk/libsanitizer/sanitizer_common/sanitizer_common_interceptors.inc:847
    #1 0x7f6061ee62c1 in memcmp ../../../../gcc-trunk/libsanitizer/sanitizer_common/sanitizer_common_interceptors.inc:879
    #2 0x7f6061ee62c1 in memcmp ../../../../gcc-trunk/libsanitizer/sanitizer_common/sanitizer_common_interceptors.inc:874
    #3 0x0000004179fa in _gfortrani_compare_string ../../../gcc-trunk/libgfortran/intrinsics/string_intrinsics_inc.c:98
    #4 0x000000404922 in _gfortran_findloc2_s1 ../../../gcc-trunk/libgfortran/generated/findloc2_s1.c:54
    #5 0x000000403069 in MAIN__ (/home/anlauf/gcc-bugs/a.out+0x403069)
    #6 0x00000040322d in main (/home/anlauf/gcc-bugs/a.out+0x40322d)
    #7 0x7f6061a40e6b in __libc_start_call_main (/lib64/libc.so.6+0x40e6b) (BuildId: 3c23d9be9ad37c86aafb5d405431f5f140ab0d8e)
    #8 0x7f6061a40f34 in __libc_start_main_alias_1 (/lib64/libc.so.6+0x40f34) (BuildId: 3c23d9be9ad37c86aafb5d405431f5f140ab0d8e)
    #9 0x000000402c20 in _start ../sysdeps/x86_64/start.S:115

0x7c4060ae0030 is located 16 bytes before 160-byte region [0x7c4060ae0040,0x7c4060ae00e0)
allocated by thread T0 here:
    #0 0x7f6061f1ff7b in malloc ../../../../gcc-trunk/libsanitizer/asan/asan_malloc_linux.cpp:67
    #1 0x000000402da7 in MAIN__ (/home/anlauf/gcc-bugs/a.out+0x402da7)

SUMMARY: AddressSanitizer: heap-buffer-overflow ../../../gcc-trunk/libgfortran/intrinsics/string_intrinsics_inc.c:98 in _gfortrani_compare_string
==25625==ABORTING
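
Added example, not part of the bug comment or of libgfortran: a small triage script that reads the key lines of the report above and relates the faulting address to elements of the array `a`. The function name `triage` and the 16-byte element size (character(16), one byte per character, inferred from the testcase and the `_s1` routine name) are assumptions.

```python
import re

# Constructed input: key lines of the AddressSanitizer report quoted above,
# with the e-mail line wrapping undone and frames #0 and #2 left out.
REPORT = """\
==25625==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x7c4060ae0030 at pc 0x7f6061ee5e13 bp 0x7fff5db66110 sp 0x7fff5db658d0
READ of size 16 at 0x7c4060ae0030 thread T0
    #1 0x7f6061ee62c1 in memcmp ../../../../gcc-trunk/libsanitizer/sanitizer_common/sanitizer_common_interceptors.inc:879
    #3 0x0000004179fa in _gfortrani_compare_string ../../../gcc-trunk/libgfortran/intrinsics/string_intrinsics_inc.c:98
    #4 0x000000404922 in _gfortran_findloc2_s1 ../../../gcc-trunk/libgfortran/generated/findloc2_s1.c:54
0x7c4060ae0030 is located 16 bytes before 160-byte region [0x7c4060ae0040,0x7c4060ae00e0)
"""

def triage(report, elem_size):
    """Relate the faulting access to array elements of elem_size bytes."""
    kind = re.search(r"AddressSanitizer: (\S+) on address", report).group(1)
    acc = re.search(r"^(READ|WRITE) of size (\d+) at (0x[0-9a-f]+)", report, re.M)
    reg = re.search(r"region \[(0x[0-9a-f]+),(0x[0-9a-f]+)\)", report)
    op, size, addr = acc.group(1), int(acc.group(2)), int(acc.group(3), 16)
    lo, hi = int(reg.group(1), 16), int(reg.group(2), 16)
    # Bytes of the access that fall inside the allocation [lo, hi).
    inside = max(0, min(addr + size, hi) - max(addr, lo))
    # Frames as (function, source location); sanitizer interceptors are skipped.
    frames = re.findall(r"^\s*#\d+ 0x[0-9a-f]+ in (\S+) (\S+)$", report, re.M)
    own = [f for f in frames if "libsanitizer" not in f[1]]
    return {
        "kind": kind, "op": op, "size": size,
        "elements": (hi - lo) // elem_size,
        # Floor division keeps the sign, so an access below the region gives
        # an index below the Fortran lower bound of 1.
        "index": (addr - lo) // elem_size + 1,
        "element_aligned": (addr - lo) % elem_size == 0,
        "bytes_outside": size - inside,
        "faulting_frame": own[0], "caller": own[1],
    }

if __name__ == "__main__":
    # 16 = bytes per element of character(16) with one byte per character
    # (assumption taken from the testcase and the _s1 routine in the trace).
    for key, value in triage(REPORT, 16).items():
        print(f"{key}: {value}")
```

For this report the script gives a 10-element region and an element-aligned read at index 0, that is, one whole 16-byte element before a(1).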