public inbox for gcc-bugs@sourceware.org
* [Bug fortran/111837] New: [8,9,10,11,12,13 Regression] Out of bounds access with optimization inside io-implied-do-control
@ 2023-10-16 15:12 vladimir.fuka at gmail dot com
  2023-10-16 16:57 ` [Bug fortran/111837] [8/9/10/11/12/13/14 " anlauf at gcc dot gnu.org
                   ` (8 more replies)
  0 siblings, 9 replies; 10+ messages in thread
From: vladimir.fuka at gmail dot com @ 2023-10-16 15:12 UTC (permalink / raw)
  To: gcc-bugs

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=111837

            Bug ID: 111837
           Summary: [8,9,10,11,12,13 Regression] Out of bounds access with
                    optimization inside io-implied-do-control
           Product: gcc
           Version: 13.1.1
            Status: UNCONFIRMED
          Severity: normal
          Priority: P3
         Component: fortran
          Assignee: unassigned at gcc dot gnu.org
          Reporter: vladimir.fuka at gmail dot com
  Target Milestone: ---

The following code causes an out-of-bounds access in array ni(1) when optimized
with -O1 or higher with GCC 8 and higher. Based on
https://stackoverflow.com/questions/77300746/how-does-gfortran-with-optimization-flags-interpret-nested-implied-do-loops

program implied_do_bug
implicit none
integer :: i,j,k
real :: arr(1,1,1)
integer, dimension(:) :: ni(1)

ni(1) = 1
arr = 1

write(*,*) (((arr(i,j,k), i=1,ni(k)), j=1,1), k=1,1)
end program

With the error checker:

> gfortran-13 -O1 q77300746.f90 -fcheck=all -g
> ./a.out 
At line 10 of file q77300746.f90
Fortran runtime error: Index '0' of dimension 1 of array 'ni' below lower bound of 1

Error termination. Backtrace:
#0  0x4006e6 in implied_do_bug
        at /home/lada/f/testy/stackoverflow//q77300746.f90:10
#1  0x400717 in main
        at /home/lada/f/testy/stackoverflow//q77300746.f90:11

With address sanitization:

> gfortran-13 -O1 q77300746.f90 -fsanitize=address,undefined
> ./a.out 
=================================================================
==30012==ERROR: AddressSanitizer: stack-buffer-underflow on address 0x7fdf3930002c at pc 0x00000040128b bp 0x7ffe56f222b0 sp 0x7ffe56f222a8
READ of size 4 at 0x7fdf3930002c thread T0
    #0 0x40128a in MAIN__ (/home/lada/f/testy/stackoverflow/a.out+0x40128a) (BuildId: 4f112b517d93d007bc1b001caf3ac9b317046f1c)
    #1 0x401358 in main (/home/lada/f/testy/stackoverflow/a.out+0x401358) (BuildId: 4f112b517d93d007bc1b001caf3ac9b317046f1c)
    #2 0x7fdf3b76e24c in __libc_start_main (/lib64/libc.so.6+0x3524c) (BuildId: 171a59c1c43a8f7b93c3dff765aae0b675fe10f6)
    #3 0x400b59 in _start ../sysdeps/x86_64/start.S:120

Address 0x7fdf3930002c is located in stack of thread T0 at offset 44 in frame
    #0 0x400c15 in MAIN__ (/home/lada/f/testy/stackoverflow/a.out+0x400c15) (BuildId: 4f112b517d93d007bc1b001caf3ac9b317046f1c)

  This frame has 4 object(s):
    [48, 52) 'ni' (line 5) <== Memory access at offset 44 underflows this variable
    [64, 96) 'arr' (line 4)
    [128, 240) 'parm.4' (line 10)
    [272, 800) 'dt_parm.3' (line 10)
HINT: this may be a false positive if your program uses some custom stack unwind mechanism, swapcontext or vfork
      (longjmp and C++ exceptions *are* supported)
SUMMARY: AddressSanitizer: stack-buffer-underflow (/home/lada/f/testy/stackoverflow/a.out+0x40128a) (BuildId: 4f112b517d93d007bc1b001caf3ac9b317046f1c) in MAIN__
Shadow bytes around the buggy address:
  0x7fdf392ffd80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x7fdf392ffe00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x7fdf392ffe80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x7fdf392fff00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x7fdf392fff80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x7fdf39300000: f1 f1 f1 f1 f1[f1]04 f2 00 00 00 00 f2 f2 f2 f2
  0x7fdf39300080: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f2 f2
  0x7fdf39300100: f2 f2 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x7fdf39300180: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x7fdf39300200: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x7fdf39300280: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==30012==ABORTING
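The two diagnostics above agree once the ASan frame layout is read against the access offset: the 4-byte READ lands at frame offset 44, and 'ni' occupies [48, 52), so the read is exactly one integer element before ni(1), the ni(0) that -fcheck=all reports. The following script, an added example that is not part of the bug report or of gfortran, automates that triage step: it parses the access line, the frame offset and the "This frame has N object(s)" table from an ASan report and states which stack variable was missed, on which side, and by how many bytes. The embedded input is the sanitizer excerpt quoted above with the mail client's line wrapping left in; the object and function names are the example's own.

```python
"""Triage helper for AddressSanitizer stack-buffer reports (added example).

Given the text of an ASan report, it pulls out the faulting access, the
frame-relative offset and the 'This frame has N object(s)' layout, then
says which stack variable the access missed and by how many bytes.
"""
import re
from dataclasses import dataclass
from typing import List

# Excerpt of the sanitizer output quoted in the bug report above; the mail
# client's line wrapping is kept on purpose so the parser has to cope with it.
ASAN_REPORT = """\
==30012==ERROR: AddressSanitizer: stack-buffer-underflow on address
0x7fdf3930002c at pc 0x00000040128b bp 0x7ffe56f222b0 sp 0x7ffe56f222a8
READ of size 4 at 0x7fdf3930002c thread T0
Address 0x7fdf3930002c is located in stack of thread T0 at offset 44 in frame
    #0 0x400c15 in MAIN__ (/home/lada/f/testy/stackoverflow/a.out+0x400c15)

  This frame has 4 object(s):
    [48, 52) 'ni' (line 5) <== Memory access at offset 44 underflows this
variable
    [64, 96) 'arr' (line 4)
    [128, 240) 'parm.4' (line 10)
    [272, 800) 'dt_parm.3' (line 10)
"""

OBJECT_RE = re.compile(r"\[(\d+), (\d+)\) '([^']+)' \(line (\d+)\)")
ACCESS_RE = re.compile(r"\b(READ|WRITE) of size (\d+) at 0x[0-9a-fA-F]+")
OFFSET_RE = re.compile(r"at offset (\d+) in frame")


@dataclass
class FrameObject:
    start: int   # first byte of the variable, relative to the frame base
    end: int     # one past its last byte (ASan prints half-open ranges)
    name: str
    line: int    # source line of the declaration, as reported by ASan


def parse_frame_objects(report: str) -> List[FrameObject]:
    """Return the stack objects listed under 'This frame has N object(s)'."""
    text = " ".join(report.split())          # undo line wrapping
    return [FrameObject(int(s), int(e), name, int(line))
            for s, e, name, line in OBJECT_RE.findall(text)]


def analyze_frame(report: str) -> dict:
    """Locate the faulting access relative to the frame's variables."""
    text = " ".join(report.split())
    access = ACCESS_RE.search(text)
    offset = OFFSET_RE.search(text)
    objects = parse_frame_objects(text)
    if not (access and offset and objects):
        raise ValueError("not a recognisable ASan stack-buffer report")
    kind, size = access.group(1), int(access.group(2))
    lo = int(offset.group(1))
    hi = lo + size                            # half-open byte range of the access

    # Fully inside a variable: ASan would not have flagged it, but say so anyway.
    for obj in objects:
        if obj.start <= lo and hi <= obj.end:
            return {"verdict": "in-bounds", "object": obj.name, "line": obj.line,
                    "access": kind, "size": size, "bytes_outside": 0}

    # Otherwise pick the variable whose byte range is closest to the access.
    def gap(obj: FrameObject) -> int:
        if hi <= obj.start:
            return obj.start - hi
        if lo >= obj.end:
            return lo - obj.end
        return 0                              # access straddles the boundary

    nearest = min(objects, key=gap)
    if lo < nearest.start:
        verdict, bytes_outside = "underflow", nearest.start - lo
    else:
        verdict, bytes_outside = "overflow", hi - nearest.end
    return {"verdict": verdict, "object": nearest.name, "line": nearest.line,
            "access": kind, "size": size, "bytes_outside": bytes_outside}


if __name__ == "__main__":
    result = analyze_frame(ASAN_REPORT)
    print(f"{result['access']} of {result['size']} bytes is a {result['verdict']} "
          f"of '{result['object']}' (declared on line {result['line']}), "
          f"{result['bytes_outside']} byte(s) outside it")
```

Run on the excerpt it reports a 4-byte READ underflowing 'ni' (line 5) by 4 bytes, which is the same element ni(0) that the -fcheck=all run names. The script normalises whitespace before matching, so it works on reports pasted from mail or bug trackers where long lines have been wrapped.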


Thread overview: 10+ messages
2023-10-16 15:12 [Bug fortran/111837] New: [8,9,10,11,12,13 Regression] Out of bounds access with optimization inside io-implied-do-control vladimir.fuka at gmail dot com
2023-10-16 16:57 ` [Bug fortran/111837] [8/9/10/11/12/13/14 " anlauf at gcc dot gnu.org
2023-10-16 18:03 ` anlauf at gcc dot gnu.org
2023-10-16 19:12 ` anlauf at gcc dot gnu.org
2023-10-17 17:06 ` [Bug fortran/111837] [11/12/13/14 " cvs-commit at gcc dot gnu.org
2023-10-21 19:51 ` cvs-commit at gcc dot gnu.org
2023-10-21 20:06 ` cvs-commit at gcc dot gnu.org
2023-10-21 20:22 ` cvs-commit at gcc dot gnu.org
2023-10-21 20:23 ` anlauf at gcc dot gnu.org
2023-12-24 22:23 ` pinskia at gcc dot gnu.org
