From: Fritz Reese
Date: Wed, 20 Apr 2022 14:03:59 -0400
Subject: [PATCH] PR fortran/105310 - ICE when UNION is after the 8th field in a DEC STRUCTURE with -finit-derived -finit-local-zero
To: fortran
Cc: gcc-patches

See the bug report at gcc dot gnu dot org/bugzilla/show_bug.cgi?id=105310 .

This code was originally authored by me and the fix is trivial, so I intend to commit the attached patch in the next few days if there is no dissent.

The bug is caused by gfc_conv_union_initializer in gcc/fortran/trans-expr.cc, which accepts a pointer to a vector of constructor trees (vec*) as an argument, then appends one or two field constructors to the vector. The problem is the use of CONSTRUCTOR_APPEND_ELT(v, ...) within gfc_conv_union_initializer, which modifies the vector pointer v when a reallocation of the vector occurs, but the pointer is passed by value. Therefore, when a vector reallocation occurs, the caller's (gfc_conv_structure) vector pointer is not updated and subsequently points to freed memory. Chaos ensues.

The bug only occurs when gfc_conv_union_initializer itself triggers the reallocation, which is whenever the vector is "full" (v->m_vecpfx.m_alloc == v->m_vecpfx.m_num). Since the vector defaults to allocating 8 elements and doubles in size for every reallocation, the bug only occurs when there are 8, 16, 32, etc. fields with initializers prior to the union, causing the vector of constructors to be resized when entering gfc_conv_union_initializer. The -finit-derived and -finit-local-zero options together ensure each field has an initializer, triggering the bug.

The patch fixes the bug by passing the vector pointer to gfc_conv_union_initializer by reference, matching the signature of vec_safe_push from within the CONSTRUCTOR_APPEND_ELT macro.
--
Fritz Reese

[Attachment: pr105310.patch (application/x-patch)]
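The failure mode described in the message above, as an added C++ illustration that is not part of the original e-mail or of GCC. It assumes a toy `vec` that starts at 8 slots and doubles when full; the names `safe_push`, `init_by_value`, `init_by_ref` and `caller_pointer_stale` are hypothetical.

```cpp
// Added illustration; toy types, not GCC source.
#include <cstdint>
#include <cstdio>
#include <cstdlib>
#include <cstring>

struct vec { unsigned alloc, num; };   // header only; the ints follow it in memory
static int *data(vec *v) { return reinterpret_cast<int *>(v + 1); }

// Grow-on-full push. Takes the pointer by reference because it may replace it.
static void safe_push(vec *&v, int x)
{
  if (!v || v->num == v->alloc) {
    unsigned cap = v ? v->alloc * 2 : 8;          // 8 slots first, then double
    vec *n = static_cast<vec *>(std::malloc(sizeof(vec) + cap * sizeof(int)));
    if (!n) std::abort();
    n->alloc = cap;
    n->num = v ? v->num : 0;
    if (v) std::memcpy(data(n), data(v), v->num * sizeof(int));
    std::free(v);                                 // old block is gone
    v = n;
  }
  data(v)[v->num++] = x;
}

// Before the fix: growth updates only this function's copy of the pointer.
// Returns the live block solely so the demo can compare and free it.
static vec *init_by_value(vec *v, int x) { safe_push(v, x); return v; }

// After the fix: the caller's pointer itself is updated.
static vec *init_by_ref(vec *&v, int x) { safe_push(v, x); return v; }

// True if, after the callee appends one element, the caller's pointer no
// longer names the live block. Addresses are compared as integers so the
// demo never dereferences the freed block.
static bool caller_pointer_stale(unsigned fields_before_union, bool by_ref)
{
  vec *v = nullptr;
  for (unsigned i = 0; i < fields_before_union; ++i) safe_push(v, (int) i);
  std::uintptr_t held = reinterpret_cast<std::uintptr_t>(v);
  vec *live = by_ref ? init_by_ref(v, -1) : init_by_value(v, -1);
  if (by_ref) held = reinterpret_cast<std::uintptr_t>(v);  // reference kept it current
  bool stale = held != reinterpret_cast<std::uintptr_t>(live);
  std::free(live);
  return stale;
}

int main()
{
  for (unsigned n = 1; n <= 40; ++n)
    if (caller_pointer_stale(n, false))
      std::printf("by value: stale pointer with %u fields before the union\n", n);
  return 0;
}
```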