From mboxrd@z Thu Jan 1 00:00:00 1970
Received: by sourceware.org (Postfix, from userid 48) id 610B73857702; Mon, 16 Oct 2023 15:12:43 +0000 (GMT)
From: "vladimir.fuka at gmail dot com"
To: gcc-bugs@gcc.gnu.org
Subject: [Bug fortran/111837] New: [8,9,10,11,12,13 Regression] Out of bounds access with optimization inside io-implied-do-control
Date: Mon, 16 Oct 2023 15:12:42 +0000
X-Bugzilla-Reason: CC
X-Bugzilla-Type: new
X-Bugzilla-Watch-Reason: None
X-Bugzilla-Product: gcc
X-Bugzilla-Component: fortran
X-Bugzilla-Version: 13.1.1
X-Bugzilla-Severity: normal
X-Bugzilla-Who: vladimir.fuka at gmail dot com
X-Bugzilla-Status: UNCONFIRMED
X-Bugzilla-Priority: P3
X-Bugzilla-Assigned-To: unassigned at gcc dot gnu.org
X-Bugzilla-Target-Milestone: ---
X-Bugzilla-Changed-Fields: bug_id short_desc product version bug_status bug_severity priority component assigned_to reporter target_milestone
Content-Type: text/plain; charset="UTF-8"
X-Bugzilla-URL: http://gcc.gnu.org/bugzilla/
Auto-Submitted: auto-generated
MIME-Version: 1.0

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=111837

            Bug ID: 111837
           Summary: [8,9,10,11,12,13 Regression] Out of bounds access with
                    optimization inside io-implied-do-control
           Product: gcc
           Version: 13.1.1
            Status: UNCONFIRMED
          Severity: normal
          Priority: P3
         Component: fortran
          Assignee: unassigned at gcc dot gnu.org
          Reporter: vladimir.fuka at gmail dot com
  Target Milestone: ---

The following code causes an out-of-bounds access in array ni(1) when optimized
with -O1 or higher with GCC 8 and higher.

Based on
https://stackoverflow.com/questions/77300746/how-does-gfortran-with-optimization-flags-interpret-nested-implied-do-loops

program implied_do_bug
    implicit none
    integer :: i,j,k
    real :: arr(1,1,1)
    integer, dimension(:) :: ni(1)

    ni(1) = 1
    arr = 1

    write(*,*) (((arr(i,j,k), i=1,ni(k)), j=1,1), k=1,1)
end program

With error checker:

> gfortran-13 -O1 q77300746.f90 -fcheck=all -g
> ./a.out
At line 10 of file q77300746.f90
Fortran runtime error: Index '0' of dimension 1 of array 'ni' below lower bound of 1

Error termination. Backtrace:
#0  0x4006e6 in implied_do_bug
        at /home/lada/f/testy/stackoverflow//q77300746.f90:10
#1  0x400717 in main
        at /home/lada/f/testy/stackoverflow//q77300746.f90:11

With address sanitization:

> gfortran-13 -O1 q77300746.f90 -fsanitize=address,undefined
> ./a.out
=================================================================
==30012==ERROR: AddressSanitizer: stack-buffer-underflow on address 0x7fdf3930002c at pc 0x00000040128b bp 0x7ffe56f222b0 sp 0x7ffe56f222a8
READ of size 4 at 0x7fdf3930002c thread T0
    #0 0x40128a in MAIN__ (/home/lada/f/testy/stackoverflow/a.out+0x40128a) (BuildId: 4f112b517d93d007bc1b001caf3ac9b317046f1c)
    #1 0x401358 in main (/home/lada/f/testy/stackoverflow/a.out+0x401358) (BuildId: 4f112b517d93d007bc1b001caf3ac9b317046f1c)
    #2 0x7fdf3b76e24c in __libc_start_main (/lib64/libc.so.6+0x3524c) (BuildId: 171a59c1c43a8f7b93c3dff765aae0b675fe10f6)
    #3 0x400b59 in _start ../sysdeps/x86_64/start.S:120

Address 0x7fdf3930002c is located in stack of thread T0 at offset 44 in frame
    #0 0x400c15 in MAIN__ (/home/lada/f/testy/stackoverflow/a.out+0x400c15) (BuildId: 4f112b517d93d007bc1b001caf3ac9b317046f1c)

  This frame has 4 object(s):
    [48, 52) 'ni' (line 5) <== Memory access at offset 44 underflows this variable
    [64, 96) 'arr' (line 4)
    [128, 240) 'parm.4' (line 10)
    [272, 800) 'dt_parm.3' (line 10)
HINT: this may be a false positive if your program uses some custom stack unwind mechanism, swapcontext or vfork
      (longjmp and C++ exceptions *are* supported)
SUMMARY: AddressSanitizer: stack-buffer-underflow (/home/lada/f/testy/stackoverflow/a.out+0x40128a) (BuildId: 4f112b517d93d007bc1b001caf3ac9b317046f1c) in MAIN__
Shadow bytes around the buggy address:
  0x7fdf392ffd80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x7fdf392ffe00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x7fdf392ffe80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x7fdf392fff00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x7fdf392fff80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x7fdf39300000: f1 f1 f1 f1 f1[f1]04 f2 00 00 00 00 f2 f2 f2 f2
  0x7fdf39300080: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f2 f2
  0x7fdf39300100: f2 f2 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x7fdf39300180: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x7fdf39300200: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x7fdf39300280: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==30012==ABORTING
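
The following triage sketch is an added example, not part of the original report or of GCC/ASan. It cross-checks the two diagnostics above: the frame listing and the marked shadow row from the AddressSanitizer run, and the index named by -fcheck=all. It assumes the shadow row label is the application address covered by the first shadow byte, which matches this report (row label + 44 = faulting address); all function names are hypothetical.

```python
import re

# Values copied from the AddressSanitizer report in the message above.
FAULT_ADDR = 0x7fdf3930002c
FAULT_OFFSET = 44  # "located in stack of thread T0 at offset 44 in frame"
ELEM_SIZE = 4      # "READ of size 4"; 'ni' occupies [48, 52), one default integer
FRAME = ("[48, 52) 'ni' (line 5) [64, 96) 'arr' (line 4) "
         "[128, 240) 'parm.4' (line 10) [272, 800) 'dt_parm.3' (line 10)")
SHADOW_ROW = "0x7fdf39300000: f1 f1 f1 f1 f1[f1]04 f2 00 00 00 00 f2 f2 f2 f2"
REDZONES = {0xF1: "stack left redzone", 0xF2: "stack mid redzone"}

def parse_objects(text):
    """Return [(start, end, name)] from the "[start, end) 'name'" frame listing."""
    found = re.findall(r"\[(\d+), (\d+)\) '([^']+)'", text)
    return [(int(s), int(e), name) for s, e, name in found]

def parse_shadow_row(row):
    """Return (address covered by the first shadow byte, shadow byte values)."""
    label, rest = row.split(":", 1)
    return int(label, 16), [int(b, 16) for b in re.findall(r"[0-9a-f]{2}", rest)]

def shadow_state(value):
    """0 = whole 8-byte granule addressable, 1..7 = only the first k bytes."""
    if value == 0:
        return "addressable"
    if 1 <= value <= 7:
        return f"first {value} of 8 bytes addressable"
    return REDZONES.get(value, "poisoned")

def classify(offset, objects):
    """Place a frame offset relative to the stack objects ASan listed."""
    for start, end, name in objects:
        if start <= offset < end:
            return f"inside '{name}'"
    start, end, name = min(objects, key=lambda o: min(abs(o[0] - offset), abs(offset - o[1])))
    if offset < start:
        return f"{start - offset} bytes before '{name}' (underflow)"
    return f"{offset - end} bytes after '{name}' (overflow)"

def triage():
    base, shadow = parse_shadow_row(SHADOW_ROW)
    if not 0 <= FAULT_ADDR - base < 8 * len(shadow):
        raise ValueError("fault address is not covered by this shadow row")
    state = shadow_state(shadow[(FAULT_ADDR - base) // 8])  # 1 shadow byte : 8 bytes
    objects = parse_objects(FRAME)
    ni_start = next(s for s, _, n in objects if n == "ni")
    # Fortran index for lower bound 1: a 4-byte step below ni(1) is ni(0).
    index = (FAULT_OFFSET - ni_start) // ELEM_SIZE + 1
    return state, classify(FAULT_OFFSET, objects), index
```

Calling triage() shows that the read lands in the left redzone one element below 'ni', i.e. both tools are reporting the same access to ni(0).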