From: Harald Anlauf
To: Fritz Reese, fortran
Cc: gcc-patches
Date: Wed, 20 Apr 2022 22:27:29 +0200
Subject: Re: [PATCH] PR fortran/105310 - ICE when UNION is after the 8th field in a DEC STRUCTURE with -finit-derived -finit-local-zero

Hi Fritz,

On 20.04.22 at 20:03, Fritz Reese via Fortran wrote:
> See the bug report at gcc dot gnu dot org/bugzilla/show_bug.cgi?id=105310 .
>
> This code was originally authored by me and the fix is trivial, so I
> intend to commit the attached patch in the next few days if there is
> no dissent.

OK if you add a/the testcase.

> The bug is caused by gfc_conv_union_initializer in
> gcc/fortran/trans-expr.cc, which accepts a pointer to a vector of
> constructor trees (vec*) as an argument, then
> appends one or two field constructors to the vector. The problem is
> the use of CONSTRUCTOR_APPEND_ELT(v, ...) within
> gfc_conv_union_initializer, which modifies the vector pointer v when a
> reallocation of the vector occurs, but the pointer is passed by value.
> Therefore, when a vector reallocation occurs, the caller's
> (gfc_conv_structure) vector pointer is not updated and subsequently
> points to freed memory. Chaos ensues.
>
> The bug only occurs when gfc_conv_union_initializer itself triggers
> the reallocation, which is whenever the vector is "full"
> (v->m_vecpfx.m_alloc == v->m_vecpfx.m_num). Since the vector defaults
> to allocating 8 elements and doubles in size for every reallocation,
> the bug only occurs when there are 8, 16, 32, etc... fields with
> initializers prior to the union, causing the vector of constructors to
> be resized when entering gfc_conv_union_initializer. The
> -finit-derived and -finit-local-zero options together ensure each
> field has an initializer, triggering the bug.
>
> The patch fixes the bug by passing the vector pointer to
> gfc_conv_union_initializer by reference, matching the signature of
> vec_safe_push from within the CONSTRUCTOR_APPEND_ELT macro.
>
> --
> Fritz Reese

As this affects all branches, you may backport the patch as far as
you feel reasonable. (No, I do not use DEC extensions personally.)

Thanks for the patch!

Harald
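The dangling-pointer pattern Fritz describes, reduced to a stand-alone C++ model. This is an added example, not code from GCC or from this thread: toy_vec, toy_safe_push, append_field_by_value and append_field_by_reference are simplified stand-ins for GCC's vec<>, vec_safe_push and the pre-/post-fix shapes of gfc_conv_union_initializer. The 8-slot initial allocation, the doubling growth and the "full" test (m_alloc == m_num) follow the description in the mail; everything else is assumed for illustration.

```cpp
#include <cstddef>
#include <cstdio>
#include <cstdlib>
#include <cstring>

// Toy stand-in for GCC's growable vec<> (assumption: simplified model, not
// the real type).  As with the real one, the header lives on the heap and
// the pointer to it changes whenever the vector has to grow.
struct toy_vec {
  size_t alloc;  // capacity, analogue of v->m_vecpfx.m_alloc
  size_t num;    // length,   analogue of v->m_vecpfx.m_num
  int *data;     // element storage (ints stand in for constructor_elt)
};

static toy_vec *toy_vec_alloc(size_t cap) {
  toy_vec *v = static_cast<toy_vec *>(std::malloc(sizeof(toy_vec)));
  v->alloc = cap;
  v->num = 0;
  v->data = static_cast<int *>(std::malloc(cap * sizeof(int)));
  return v;
}

static void toy_vec_free(toy_vec *v) {
  if (v) { std::free(v->data); std::free(v); }
}

// The "full" condition from the mail: m_alloc == m_num.
static bool toy_vec_full(const toy_vec *v) { return v && v->num == v->alloc; }

// Analogue of vec_safe_push: the pointer is taken BY REFERENCE so that a
// reallocation updates the caller's variable.  Starts with 8 slots and
// doubles, as the mail describes.
static void toy_safe_push(toy_vec *&v, int elt) {
  if (v == nullptr) {
    v = toy_vec_alloc(8);
  } else if (toy_vec_full(v)) {
    toy_vec *grown = toy_vec_alloc(v->alloc * 2);
    grown->num = v->num;
    std::memcpy(grown->data, v->data, v->num * sizeof(int));
    toy_vec_free(v);   // old block is gone; any other copy of v now dangles
    v = grown;
  }
  v->data[v->num++] = elt;
}

// Pre-fix shape: the vec pointer arrives by value.  If the push reallocates,
// only this local copy learns the new address.  The live pointer is returned
// purely so the demo below can observe the divergence without touching freed
// memory; the real function returned nothing, which is exactly the problem.
static toy_vec *append_field_by_value(toy_vec *v) {
  toy_safe_push(v, 100);
  return v;
}

// Post-fix shape: pass the pointer by reference, matching vec_safe_push, so a
// reallocation propagates back to the caller.
static void append_field_by_reference(toy_vec *&v) {
  toy_safe_push(v, 100);
}

// Build a vector holding `nfields` initialised fields "before the union".
static toy_vec *make_fields(size_t nfields) {
  toy_vec *v = nullptr;
  for (size_t i = 0; i < nfields; ++i)
    toy_safe_push(v, static_cast<int>(i));
  return v;
}

// True when, after the by-value call, the caller's pointer no longer names
// the live vector (it points at freed memory).  This happens exactly when the
// vector was full on entry: 8, 16, 32, ... fields.
static bool caller_pointer_went_stale(size_t nfields) {
  toy_vec *caller_v = make_fields(nfields);
  toy_vec *live = append_field_by_value(caller_v);
  bool stale = (live != caller_v);  // compare addresses only, never deref caller_v
  toy_vec_free(live);
  return stale;
}

// With the by-reference version the caller's pointer is always current and
// the appended element lands where it should.
static bool caller_pointer_stays_valid(size_t nfields) {
  toy_vec *caller_v = make_fields(nfields);
  append_field_by_reference(caller_v);
  bool ok = caller_v->num == nfields + 1 && caller_v->data[nfields] == 100;
  toy_vec_free(caller_v);
  return ok;
}

int main() {
  const size_t counts[] = {5, 7, 8, 9, 16, 17};
  for (size_t n : counts)
    std::printf("%2zu fields: by-value stale=%d, by-reference ok=%d\n", n,
                caller_pointer_went_stale(n), caller_pointer_stays_valid(n));
  return 0;
}
```

Running it shows the caller's pointer going stale only for 8 and 16 fields, the counts at which the vector is exactly full when the append happens, which is why the ICE needed the 8th-field layout plus -finit-derived -finit-local-zero to make every preceding field carry an initializer. A testcase that exercises several of these boundary counts (7, 8, 9, 16) catches this class of regression, since an off-by-one in either direction slips past a single fixed count.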