From: Harald Anlauf
To: fortran@gcc.gnu.org
Cc: gcc-patches@gcc.gnu.org
Subject: Re: [PATCH] PR fortran/105310 - ICE when UNION is after the 8th field in a DEC STRUCTURE with -finit-derived -finit-local-zero
Date: Wed, 20 Apr 2022 22:27:29 +0200

Hi Fritz,

On 20.04.22 at 20:03, Fritz Reese via Fortran wrote:
> See the bug report at gcc dot gnu dot org/bugzilla/show_bug.cgi?id=105310 .
>
> This code was originally authored by me and the fix is trivial, so I
> intend to commit the attached patch in the next few days if there is
> no dissent.

OK if you add a/the testcase.

> The bug is caused by gfc_conv_union_initializer in
> gcc/fortran/trans-expr.cc, which accepts a pointer to a vector of
> constructor trees (vec*) as an argument, then
> appends one or two field constructors to the vector. The problem is
> the use of CONSTRUCTOR_APPEND_ELT(v, ...) within
> gfc_conv_union_initializer, which modifies the vector pointer v when a
> reallocation of the vector occurs, but the pointer is passed by value.
> Therefore, when a vector reallocation occurs, the caller's
> (gfc_conv_structure) vector pointer is not updated and subsequently
> points to freed memory. Chaos ensues.
>
> The bug only occurs when gfc_conv_union_initializer itself triggers
> the reallocation, which is whenever the vector is "full"
> (v->m_vecpfx.m_alloc == v->m_vecpfx.m_num). Since the vector defaults
> to allocating 8 elements and doubles in size for every reallocation,
> the bug only occurs when there are 8, 16, 32, etc... fields with
> initializers prior to the union, causing the vector of constructors to
> be resized when entering gfc_conv_union_initializer. The
> -finit-derived and -finit-local-zero options together ensure each
> field has an initializer, triggering the bug.
>
> The patch fixes the bug by passing the vector pointer to
> gfc_conv_union_initializer by reference, matching the signature of
> vec_safe_push from within the CONSTRUCTOR_APPEND_ELT macro.
>
> --
> Fritz Reese

As this affects all branches, you may backport the patch as far as you
feel reasonable. (No, I do not use DEC extensions personally.)

Thanks for the patch!

Harald
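The reallocation hazard described in the quoted report, as an added C example that is not code from this thread or from gcc: a constructed stand-in for gcc's vec (the struct, vec_push, append_by_value, append_by_ref and caller_dangles are this example's own names, not gcc's) whose push starts at 8 slots and doubles when full, an append through a by-value pointer in the shape of the buggy gfc_conv_union_initializer, and the by-reference fix. caller_dangles reports whether the caller is left pointing at the freed block, which happens exactly when the vector held 8, 16, 32, ... entries before the call.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Constructed stand-in for gcc's vec (not gcc's real type): a growable block
   whose header mirrors m_alloc/m_num. */
struct vec { unsigned alloc; unsigned num; int elts[]; };
/* Address of the block freed by the most recent reallocation, recorded so a
   caller can tell whether a pointer it kept now dangles, without reading it. */
static uintptr_t last_freed;

/* Like vec_safe_push: 8 slots initially, doubles when full, and stores the new
   block through *vp, so only a caller that passed by reference sees the move. */
static void vec_push(struct vec **vp, int x) {
    struct vec *v = *vp;
    if (v == NULL || v->num == v->alloc) {
        unsigned n = v ? 2 * v->alloc : 8;
        struct vec *nv = malloc(sizeof *nv + n * sizeof nv->elts[0]);
        nv->alloc = n; nv->num = v ? v->num : 0;
        if (v) {
            memcpy(nv->elts, v->elts, v->num * sizeof v->elts[0]);
            last_freed = (uintptr_t)v;
            free(v);
        }
        *vp = v = nv;
    }
    v->elts[v->num++] = x;
}

/* Buggy shape of gfc_conv_union_initializer: pointer by value, so a
   reallocation updates this local copy only. */
static void append_by_value(struct vec *v) { vec_push(&v, 42); }
/* Fixed shape: pointer by reference, so the caller's pointer follows the move. */
static void append_by_ref(struct vec **v) { vec_push(v, 42); }

/* Fill a vector with `nfields` initializers, append one more through the chosen
   convention, and return 1 if the caller is left pointing at the freed block. */
int caller_dangles(unsigned nfields, int by_ref) {
    struct vec *v = NULL;
    for (unsigned i = 0; i < nfields; i++) vec_push(&v, (int)i);
    uintptr_t before = (uintptr_t)v;  /* taken while v is certainly valid */
    last_freed = 0;
    if (by_ref) append_by_ref(&v); else append_by_value(v);
    /* By value the callee cannot change v, so its address is still `before`;
       this avoids reading a pointer whose target may already be freed. */
    uintptr_t now = by_ref ? (uintptr_t)v : before;
    int dangling = last_freed != 0 && now == last_freed;
    if (!dangling) free(v);  /* if dangling, only the callee knew the new block */
    return dangling;
}
```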