https://gcc.gnu.org/bugzilla/show_bug.cgi?id=121628
Bug ID: 121628
Summary: Use-after-free in compiler-generated assignment operators
Product: gcc
Version: 15.2.1
Status: UNCONFIRMED
Severity: normal
Priority: P3
Component: fortran
Assignee: unassigned at gcc dot gnu.org
Reporter: albert at tugraz dot at
Target Milestone: ---

Created attachment 62168 --> https://gcc.gnu.org/bugzilla/attachment.cgi?id=62168&action=edit
Minimal reproducible example

Subject: Use-after-free in compiler-generated assignment operators for self-referential derived types with allocatable components
Component: fortran
Version: 15.2.1
Keywords: wrong-code, accepts-invalid
Severity: normal
Priority: P3
Hardware: x86_64
OS: Linux

Description:

GCC's automatic assignment operator for self-referential derived types with allocatable components generates code that accesses freed memory, causing use-after-free errors. Intel Fortran (ifx 2025.2.0) compiles and runs the same code correctly, confirming this is a GCC-specific bug.

System Information:
- GCC Version: gcc version 15.2.1 20250813 (GCC) (also reproduces on 14.3.1)
- System: x86_64-pc-linux-gnu
- Configuration: /build/gcc/src/gcc/configure --enable-languages=ada,c,c++,d,fortran,go,lto,m2,objc,obj-c++,rust,cobol --enable-bootstrap --prefix=/usr --libdir=/usr/lib --libexecdir=/usr/lib --mandir=/usr/share/man --infodir=/usr/share/info --with-bugurl=https://gitlab.archlinux.org/archlinux/packaging/packages/gcc/-/issues --with-build-config=bootstrap-lto --with-linker-hash-style=gnu --with-system-zlib --enable-__cxa_atexit --enable-cet=auto --enable-checking=release --enable-clocale=gnu --enable-default-pie --enable-default-ssp --enable-gnu-indirect-function --enable-gnu-unique-object --enable-libstdcxx-backtrace --enable-link-serialization=1 --enable-linker-build-id --enable-lto --enable-multilib --enable-plugin --enable-shared --enable-threads=posix --disable-libssp --disable-libstdcxx-pch --disable-werror
- Command Line: gfortran -g MINIMAL_BUG.f90 -o MINIMAL_BUG
- Error: free(): invalid pointer / Segmentation fault

How to Reproduce:

Trigger Pattern:
1. Self-referential type with allocatable component: type(T), allocatable :: children(:)
2. Nested allocation (2+ levels deep)
3. Circular assignment in loop: a = b; c = a; b = c

Expected Results:
Program should execute without memory errors, as it does with Intel Fortran.

Actual Results:
Program crashes with "free(): invalid pointer" error or segmentation fault.

Additional Information:

Validation:
- Intel Fortran 2025.2.0: PASSES (all test cases work correctly)
- GCC 14.3.1 & 15.2.1: CRASHES with identical use-after-free errors
- Explicit assignment operators: WORK CORRECTLY (same logic, manual implementation)
- Logic validation with integers: WORKS CORRECTLY

Files:
- MINIMAL_BUG.f90 - 36-line minimal reproducer
- test_with_explicit_assignment.f90 - Shows explicit assignment works
- test_logic_validation.f90 - Validates logic is sound
- Makefile - Build and test with make minimal, make ifx, make gcc14

Quick Test:
  make minimal   # Build and run (crashes on iteration 2)
  make ifx       # Compare with Intel Fortran (passes)
  make gcc14     # Test with GCC 14.x (also crashes)

Minimal Reproducer (MINIMAL_BUG.f90):

  program minimal_bug
    implicit none

    type :: nested_t
      character(len=:), allocatable :: name
      type(nested_t), allocatable :: children(:)
    end type nested_t

    type(nested_t) :: a, b, c
    integer :: i

    ! Create nested structure (2+ levels deep)
    b%name = "root"
    allocate(b%children(1))
    b%children(1)%name = "child"
    allocate(b%children(1)%children(1))
    b%children(1)%children(1)%name = "grandchild"

    ! Circular assignment - crashes on iteration 2
    do i = 1, 3
      print *, "Iteration", i
      a = b   ! Compiler-generated assignment
      c = a
      b = c   ! Use-after-free occurs here
    end do

    print *, "SUCCESS"
  end program minimal_bug

Expected: Program runs successfully (as with Intel Fortran)
Actual: Crashes with free(): invalid pointer on iteration 2

Compiler Comparison:
- GCC 14.3.1: CRASHED (free(): invalid pointer)
- GCC 15.2.1: CRASHED (free(): invalid pointer)
- Intel Fortran 2025.2.0: PASSED (all patterns work)

This confirms the bug is specific to GCC's implementation of automatic assignment operators for self-referential derived types with allocatable components.
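The report notes that an explicit assignment operator with the same logic works. The following is an added illustration of that workaround, not the attached test_with_explicit_assignment.f90: the same nested type given a user-defined, recursive deep-copy assignment that builds the copy in a temporary and moves it into the left-hand side, so nothing owned by lhs is released before rhs has been fully copied. The module and procedure names are assumed.

```fortran
module nested_mod
  implicit none
  type :: nested_t
    character(len=:), allocatable :: name
    type(nested_t), allocatable :: children(:)
  contains
    procedure :: assign => nested_assign
    generic :: assignment(=) => assign
  end type nested_t
contains
  ! Deep copy: build the copy in a temporary, then move it into lhs.
  ! move_alloc releases whatever lhs previously owned, so no part of rhs is
  ! freed before it has been copied, even if rhs is a subobject of lhs.
  recursive subroutine nested_assign(lhs, rhs)
    class(nested_t), intent(inout) :: lhs
    type(nested_t), intent(in) :: rhs
    type(nested_t) :: tmp
    integer :: i
    if (allocated(rhs%name)) tmp%name = rhs%name
    if (allocated(rhs%children)) then
      allocate(tmp%children(size(rhs%children)))
      do i = 1, size(rhs%children)
        tmp%children(i) = rhs%children(i)   ! recurses through this routine
      end do
    end if
    call move_alloc(tmp%name, lhs%name)
    call move_alloc(tmp%children, lhs%children)
  end subroutine nested_assign
end module nested_mod

program explicit_assignment
  use nested_mod
  implicit none
  type(nested_t) :: a, b, c
  integer :: i
  ! Same constructed nested structure as the reproducer
  b%name = "root"
  allocate(b%children(1))
  b%children(1)%name = "child"
  allocate(b%children(1)%children(1))
  b%children(1)%children(1)%name = "grandchild"
  do i = 1, 3   ! same circular pattern as the reproducer
    a = b
    c = a
    b = c
  end do
  if (b%children(1)%children(1)%name /= "grandchild") stop 1
  print *, "SUCCESS"
end program explicit_assignment
```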