[Bug fortran/100551] New: [11/12 Regression] Passing return value of intrinsic to class(*) dummy argument can cause segfaults

[Bug fortran/100551] New: [11/12 Regression] Passing return value of intrinsic to class(*) dummy argument can cause segfaults

[bugs at colin dot moe]

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=100551

            Bug ID: 100551
           Summary: [11/12 Regression] Passing return value of intrinsic
                    to class(*) dummy argument can cause segfaults
           Product: gcc
           Version: 11.1.0
            Status: UNCONFIRMED
          Severity: normal
          Priority: P3
         Component: fortran
          Assignee: unassigned at gcc dot gnu.org
          Reporter: bugs at colin dot moe
  Target Milestone: ---

Created attachment 50794
  --> https://gcc.gnu.org/bugzilla/attachment.cgi?id=50794&action=edit
Minimum working example that induces the error.

When passing the return value of an intrinsic function (and possibly other
temporaries) into a function with a class(*) dummy argument, the resulting code
will generate a segfault in GCC 11.1 and newer.  10.2 and earlier (as early as
4.8.5 tested) worked correctly.

Minimum working example attached.

GCC Version (latest tested):

Target: x86_64-pc-linux-gnu
Configured with: ../configure --disable-multilib
--enable-languages=c,c++,fortran --with-system-zlib --prefix=[]/gcc-12.0
gcc version 12.0.0 20210511 (experimental) (GCC) 

Command line:
gfortran -Wall -Wextra mwe.f90
./a.out

Output:
Compiler builds with no issues.  In GCC 4.8.5, 9.3.0, 10.2.0, the program
output is:
15

In 11.1.0 and 12.0 (tested against master branch for 12.0):
Program received signal SIGSEGV: Segmentation fault - invalid memory reference.

Backtrace for this error:
#0  0x7f6e7a218f7f in ???
#1  0x401323 in __testmod_MOD_test
        at []/mwe.f90:15
#2  0x4015b2 in testprogram
        at []/mwe.f90:26
#3  0x40165b in main
        at []/mwe.f90:18
[1]    626265 segmentation fault (core dumped)  ./a.out

Output with -fsanitize=undefined:
mwe.f90:15:10: runtime error: member access within misaligned address
0x7ffc6198b024 for type 'struct __class__STAR_t', which requires 8 byte
alignment
0x7ffc6198b024: note: pointer points here
  60 49 30 ef 0f 00 00 00  00 00 00 00 00 00 00 00  01 00 00 00 02 00 00 00  03
00 00 00 04 00 00 00
              ^

[Bug fortran/100551] [11/12 Regression] Passing return value of intrinsic to class(*) dummy argument can cause segfaults

[rguenth at gcc dot gnu.org]

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=100551

Richard Biener <rguenth at gcc dot gnu.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
   Target Milestone|---                         |11.2
           Priority|P3                          |P4

[Bug fortran/100551] [11/12 Regression] Passing return value of intrinsic to class(*) dummy argument can cause segfaults

[marxin at gcc dot gnu.org]

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=100551

Martin Liška <marxin at gcc dot gnu.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
   Last reconfirmed|                            |2021-05-12
             Status|UNCONFIRMED                 |NEW
                 CC|                            |marxin at gcc dot gnu.org,
                   |                            |pault at gcc dot gnu.org
     Ever confirmed|0                           |1

--- Comment #1 from Martin Liška <marxin at gcc dot gnu.org> ---
Started with r11-6928-g4225af228b5d52e8.

[Bug fortran/100551] [11/12 Regression] Passing return value of intrinsic to class(*) dummy argument can cause segfaults

[anlauf at gcc dot gnu.org]

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=100551

anlauf at gcc dot gnu.org changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
           Keywords|                            |wrong-code
                 CC|                            |anlauf at gcc dot gnu.org

--- Comment #2 from anlauf at gcc dot gnu.org ---
(In reply to Martin Liška from comment #1)
> Started with r11-6928-g4225af228b5d52e8.

The partial revert:

diff --git a/gcc/fortran/trans-expr.c b/gcc/fortran/trans-expr.c
index cce18d094a6..91efb67ac87 100644
--- a/gcc/fortran/trans-expr.c
+++ b/gcc/fortran/trans-expr.c
@@ -5826,7 +5826,8 @@ gfc_conv_procedure_call (gfc_se * se, gfc_symbol * sym,
                                     &derived_array);
        }
       else if (UNLIMITED_POLY (fsym) && e->ts.type != BT_CLASS
-              && gfc_expr_attr (e).flavor != FL_PROCEDURE)
+//            && gfc_expr_attr (e).flavor != FL_PROCEDURE)
+              )
        {
          /* The intrinsic type needs to be converted to a temporary
             CLASS object for the unlimited polymorphic formal.  */

fixes this issue but breaks testcase proc_ptr_52.f90.

Further reduced testcase for this PR:

program p
  implicit none
  integer :: result
  result = 1
! result = test (    (result)) ! works
  result = test (int (result)) ! fails
  write(*,*) result
contains
  integer function test(x)
    class(*), intent(in) :: x
    select type (x)
    type is (integer)
       test = x
    class default
       test = -1
    end select
  end function test
end program

[Bug fortran/100551] [11/12 Regression] Passing return value of intrinsic to class(*) dummy argument can cause segfaults

[anlauf at gcc dot gnu.org]

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=100551

--- Comment #3 from anlauf at gcc dot gnu.org ---
Below fixes this PR and does not break the other testcase:

diff --git a/gcc/fortran/trans-expr.c b/gcc/fortran/trans-expr.c
index cce18d094a6..ebc9ea42beb 100644
--- a/gcc/fortran/trans-expr.c
+++ b/gcc/fortran/trans-expr.c
@@ -5826,7 +5826,8 @@ gfc_conv_procedure_call (gfc_se * se, gfc_symbol * sym,
                                     &derived_array);
        }
       else if (UNLIMITED_POLY (fsym) && e->ts.type != BT_CLASS
-              && gfc_expr_attr (e).flavor != FL_PROCEDURE)
+              && (gfc_expr_attr (e).flavor != FL_PROCEDURE
+                  || gfc_expr_attr (e).proc == PROC_INTRINSIC))
        {
          /* The intrinsic type needs to be converted to a temporary
             CLASS object for the unlimited polymorphic formal.  */

I would hope that Paul can explain why this works, or if this is the right
thing.

[Bug fortran/100551] [11/12 Regression] Passing return value of intrinsic to class(*) dummy argument can cause segfaults

[anlauf at gcc dot gnu.org]

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=100551

--- Comment #4 from anlauf at gcc dot gnu.org ---
Playing with the testcase show that the patch in comment#3 is incomplete.
Next try:

diff --git a/gcc/fortran/trans-expr.c b/gcc/fortran/trans-expr.c
index cce18d094a6..3de53009970 100644
--- a/gcc/fortran/trans-expr.c
+++ b/gcc/fortran/trans-expr.c
@@ -5826,7 +5826,9 @@ gfc_conv_procedure_call (gfc_se * se, gfc_symbol * sym,
                                     &derived_array);
        }
       else if (UNLIMITED_POLY (fsym) && e->ts.type != BT_CLASS
-              && gfc_expr_attr (e).flavor != FL_PROCEDURE)
+              && e->ts.type != BT_PROCEDURE
+              && (gfc_expr_attr (e).flavor != FL_PROCEDURE
+                  || (gfc_expr_attr (e).proc != PROC_UNKNOWN)))
        {
          /* The intrinsic type needs to be converted to a temporary
             CLASS object for the unlimited polymorphic formal.  */

This makes the following case work again:

program p
  implicit none
  integer :: result
  result = 1
  result = test (    (result)) ! works
  if (result /= 1) stop 1
  result = test (int (result)) ! issue 1
  write(*,*) result
  result = test (f   (result)) ! issue 2
  write(*,*) result
contains
  integer function test(x)
    class(*), intent(in) :: x
    select type (x)
    type is (integer)
       test = x
    class default
       test = -1
    end select
  end function test
  integer function f(x)
    integer, intent(in) :: x
    f = 2*x
  end function f
end program

[Bug fortran/100551] [11/12 Regression] Passing return value of intrinsic to class(*) dummy argument can cause segfaults

[anlauf at gcc dot gnu.org]

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=100551

anlauf at gcc dot gnu.org changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |ASSIGNED
           Assignee|unassigned at gcc dot gnu.org      |anlauf at gcc dot gnu.org

--- Comment #5 from anlauf at gcc dot gnu.org ---
Patch: https://gcc.gnu.org/pipermail/fortran/2021-May/056071.html

[Bug fortran/100551] [11/12 Regression] Passing return value of intrinsic to class(*) dummy argument can cause segfaults

[cvs-commit at gcc dot gnu.org]

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=100551

--- Comment #6 from CVS Commits <cvs-commit at gcc dot gnu.org> ---
The master branch has been updated by Harald Anlauf <anlauf@gcc.gnu.org>:

https://gcc.gnu.org/g:fe03f4fc9548b3fdbff3c8284a994feaa7d6307d

commit r12-1005-gfe03f4fc9548b3fdbff3c8284a994feaa7d6307d
Author: Harald Anlauf <anlauf@gmx.de>
Date:   Sun May 23 20:51:14 2021 +0200

    Fortran: fix passing return value to class(*) dummy argument

    gcc/fortran/ChangeLog:

            PR fortran/100551
            * trans-expr.c (gfc_conv_procedure_call): Adjust check for
            implicit conversion of actual argument to an unlimited polymorphic
            procedure argument.

    gcc/testsuite/ChangeLog:

            PR fortran/100551
            * gfortran.dg/pr100551.f90: New test.

[Bug fortran/100551] [11/12 Regression] Passing return value of intrinsic to class(*) dummy argument can cause segfaults

[cvs-commit at gcc dot gnu.org]

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=100551

--- Comment #7 from CVS Commits <cvs-commit at gcc dot gnu.org> ---
The releases/gcc-11 branch has been updated by Harald Anlauf
<anlauf@gcc.gnu.org>:

https://gcc.gnu.org/g:de55a48960d2f08266cba1222e233507015dd620

commit r11-8469-gde55a48960d2f08266cba1222e233507015dd620
Author: Harald Anlauf <anlauf@gmx.de>
Date:   Sun May 23 20:51:14 2021 +0200

    Fortran: fix passing return value to class(*) dummy argument

    gcc/fortran/ChangeLog:

            PR fortran/100551
            * trans-expr.c (gfc_conv_procedure_call): Adjust check for
            implicit conversion of actual argument to an unlimited polymorphic
            procedure argument.

    gcc/testsuite/ChangeLog:

            PR fortran/100551
            * gfortran.dg/pr100551.f90: New test.

    (cherry picked from commit fe03f4fc9548b3fdbff3c8284a994feaa7d6307d)

[Bug fortran/100551] [11/12 Regression] Passing return value of intrinsic to class(*) dummy argument can cause segfaults

[anlauf at gcc dot gnu.org]

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=100551

anlauf at gcc dot gnu.org changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|ASSIGNED                    |RESOLVED
         Resolution|---                         |FIXED

--- Comment #8 from anlauf at gcc dot gnu.org ---
Fixed on mainline for gcc-12 and on 11-branch.  Closing.

Thanks for the report!

[Bug fortran/100551] [11/12 Regression] Passing return value of intrinsic to class(*) dummy argument can cause segfaults

[cvs-commit at gcc dot gnu.org]

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=100551

--- Comment #9 from CVS Commits <cvs-commit at gcc dot gnu.org> ---
The releases/gcc-10 branch has been updated by Harald Anlauf
<anlauf@gcc.gnu.org>:

https://gcc.gnu.org/g:6a3018a4064b39a418d95c32e45fe7d6ad17ebf3

commit r10-10384-g6a3018a4064b39a418d95c32e45fe7d6ad17ebf3
Author: Harald Anlauf <anlauf@gmx.de>
Date:   Sun May 23 20:51:14 2021 +0200

    Fortran: fix passing return value to class(*) dummy argument

    gcc/fortran/ChangeLog:

            PR fortran/100551
            * trans-expr.c (gfc_conv_procedure_call): Adjust check for
            implicit conversion of actual argument to an unlimited polymorphic
            procedure argument.

    gcc/testsuite/ChangeLog:

            PR fortran/100551
            * gfortran.dg/pr100551.f90: New test.

    (cherry picked from commit fe03f4fc9548b3fdbff3c8284a994feaa7d6307d)