[Bug fortran/50409] New: SIGSEGV in gfc_simplify_expr

[Bug fortran/50409] New: SIGSEGV in gfc_simplify_expr

[zeccav at gmail dot com]

http://gcc.gnu.org/bugzilla/show_bug.cgi?id=50409

             Bug #: 50409
           Summary: SIGSEGV in gfc_simplify_expr
    Classification: Unclassified
           Product: gcc
           Version: 4.7.0
            Status: UNCONFIRMED
          Severity: normal
          Priority: P3
         Component: fortran
        AssignedTo: unassigned@gcc.gnu.org
        ReportedBy: zeccav@gmail.com


Created attachment 25285
  --> http://gcc.gnu.org/bugzilla/attachment.cgi?id=25285
just compile it

SIGSEGV in gfc_simplify_expr

[Bug fortran/50409] SIGSEGV in gfc_simplify_expr

[dominiq at lps dot ens.fr]

http://gcc.gnu.org/bugzilla/show_bug.cgi?id=50409

Dominique d'Humieres <dominiq at lps dot ens.fr> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|UNCONFIRMED                 |NEW
   Last reconfirmed|                            |2011-09-15
     Ever Confirmed|0                           |1

--- Comment #1 from Dominique d'Humieres <dominiq at lps dot ens.fr> 2011-09-15 11:04:05 UTC ---
On x86_64-apple-darwin10 from gfortran 4.4 to 4.7 I had to interrupt the
compilation after several minutes. Sampling the compilation yielded:

Sampling process 55479 for 3 seconds with 1 millisecond of run time between
samples
Sampling completed, processing symbols...
Analysis of sampling f951 (pid 55479) every 1 millisecond
Process:         f951 [55479]
Path:           
/opt/gcc/gcc4.7w/libexec/gcc/x86_64-apple-darwin10.8.0/4.7.0/f951
Load Address:    0x100000000
Identifier:      f951
Version:         ??? (???)
Code Type:       X86-64 (Native)
Parent Process:  gfortran [55477]

Date/Time:       2011-09-15 11:05:43.420 +0200
OS Version:      Mac OS X 10.6.8 (10K549)
Report Version:  6

Call graph:
    2366 Thread_2859011   DispatchQueue_1: com.apple.main-thread  (serial)
      2366 gfc_simplify_expr(gfc_expr*, int)
        2366 __memcpy
          2366 _sigtramp
            2366 crash_signal(int)
              2366 internal_error(char const*, ...)
                2366 diagnostic_set_info(diagnostic_info*, char const*,
__va_list_tag (*) [1], unsigned int, diagnostic_t)
                  2366 libintl_dcigettext
                    2366 strcmp

Total number in stack (recursive counted multiple, when >=5):

Sort by top of stack, same collapsed (when >= 5):
        strcmp        2366

Binary Images:
       0x100000000 -        0x100d5bfef +f951 ??? (???)
<69BA1A11-FFE8-2BE9-0157-915E87E95F7C>
/opt/gcc/gcc4.7w/libexec/gcc/x86_64-apple-darwin10.8.0/4.7.0/f951
       0x14145b000 -        0x141462fff +libintl.8.dylib 9.2.0 (compatibility
9.0.0) <77764503-B558-C86F-5C9D-0896504B2BA5> /sw64/lib/libintl.8.dylib
       0x141467000 -        0x141562fe7 +libiconv.2.dylib 7.0.0 (compatibility
7.0.0) <2F723465-84E7-77FB-F9FD-572D6A0DBBCC> /sw64/lib/libiconv.2.dylib
       0x14157e000 -        0x14159aff7 +libcloog-isl.2.dylib 3.0.0
(compatibility 3.0.0) <E60A7BC6-03C5-DD6E-A6EF-27B85411B2A4>
/opt/sw64/lib/libcloog-isl.2.dylib
       0x1415a5000 -        0x141646ff7 +libisl.7.dylib 8.0.0 (compatibility
8.0.0) <B502B39E-85E7-4346-20F6-AE72BC5E44D9> /opt/sw64/lib/libisl.7.dylib
       0x141668000 -        0x141ac1ff7 +libppl_c.4.dylib 5.0.0 (compatibility
5.0.0) <E05D2529-6FEB-6511-7B01-474FF91FD359> /opt/sw64/lib/libppl_c.4.dylib
       0x141c45000 -        0x141d1fff7 +libppl.9.dylib 10.0.0 (compatibility
10.0.0) <A5F94C60-C0C2-B343-F8C3-5C04EA05A356> /opt/sw64/lib/libppl.9.dylib
       0x141d92000 -        0x141d94fff +libgmpxx.4.dylib 7.2.0 (compatibility
7.0.0) <0AAF15CD-F0FC-E622-38E0-06C422E3ED95> /opt/sw64/lib/libgmpxx.4.dylib
       0x141d98000 -        0x141da8fff +libmpc.2.dylib 3.0.0 (compatibility
3.0.0) <306CC750-3595-7C0D-5FAE-286A1A7BA40E> /opt/sw64/lib/libmpc.2.dylib
       0x141dad000 -        0x141df9ff7 +libmpfr.4.dylib 5.1.0 (compatibility
5.0.0) <99C678CB-35EA-1551-2921-8FAA54300718> /opt/sw64/lib/libmpfr.4.dylib
       0x141e04000 -        0x141e62ff7 +libgmp.10.dylib 11.2.0 (compatibility
11.0.0) <B66ADC3C-CB23-AA46-1E5D-38009780079D> /opt/sw64/lib/libgmp.10.dylib
       0x141e73000 -        0x141e74fff +libpwl.5.dylib 6.0.0 (compatibility
6.0.0) <6A4D7AF5-89E9-6E5E-1062-2DDA1628C121> /opt/sw64/lib/libpwl.5.dylib
    0x7fff5fc00000 -     0x7fff5fc3bdef  dyld 132.1 (???)
<B536F2F1-9DF1-3B6C-1C2C-9075EA219A06> /usr/lib/dyld
    0x7fff802f4000 -     0x7fff802f8ff7  libmathCommon.A.dylib 315.0.0
(compatibility 1.0.0) <95718673-FEEE-B6ED-B127-BCDBDB60D4E5>
/usr/lib/system/libmathCommon.A.dylib
    0x7fff82201000 -     0x7fff8224dfff  libauto.dylib ??? (???)
<F7221B46-DC4F-3153-CE61-7F52C8C293CF> /usr/lib/libauto.dylib
    0x7fff83667000 -     0x7fff83828fef  libSystem.B.dylib 125.2.11
(compatibility 1.0.0) <9AB4F1D1-89DC-0E8A-DC8E-A4FE4D69DB69>
/usr/lib/libSystem.B.dylib
    0x7fff8387e000 -     0x7fff83934ff7  libobjc.A.dylib 227.0.0 (compatibility
1.0.0) <03140531-3B2D-1EBA-DA7F-E12CC8F63969> /usr/lib/libobjc.A.dylib
    0x7fff85fd5000 -     0x7fff86052fef  libstdc++.6.dylib 7.9.0 (compatibility
7.0.0) <35ECA411-2C08-FD7D-11B1-1B7A04921A5C> /usr/lib/libstdc++.6.dylib
    0x7fff87636000 -     0x7fff877adfe7  com.apple.CoreFoundation 6.6.5
(550.43) <31A1C118-AD96-0A11-8BDF-BD55B9940EDC>
/System/Library/Frameworks/CoreFoundation.framework/Versions/A/CoreFoundation
    0x7fff87c6f000 -     0x7fff87e2dfff  libicucore.A.dylib 40.0.0
(compatibility 1.0.0) <4274FC73-A257-3A56-4293-5968F3428854>
/usr/lib/libicucore.A.dylib
    0x7fff899ad000 -     0x7fff899beff7  libz.1.dylib 1.2.3 (compatibility
1.0.0) <FB5EE53A-0534-0FFA-B2ED-486609433717> /usr/lib/libz.1.dylib
    0x7fffffe00000 -     0x7fffffe01fff  libSystem.B.dylib ??? (???)
<9AB4F1D1-89DC-0E8A-DC8E-A4FE4D69DB69> /usr/lib/libSystem.B.dylib
Sample analysis of process 55479 written to file /dev/stdout

[Bug fortran/50409] SIGSEGV in gfc_simplify_expr

[kargl at gcc dot gnu.org]

http://gcc.gnu.org/bugzilla/show_bug.cgi?id=50409

kargl at gcc dot gnu.org changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |kargl at gcc dot gnu.org

--- Comment #2 from kargl at gcc dot gnu.org 2011-09-15 18:05:11 UTC ---
I suspect that this chunk of code in gfc_simplify_expr
stating at line 1859 needs to special case zero-sized
strings:

      s = gfc_get_wide_string (end - start + 2);
      memcpy (s, p->value.character.string + start,
          (end - start) * sizeof (gfc_char_t));
      s[end - start + 1] = '\0';  /* TODO: C-style string.  */
      free (p->value.character.string);
      p->value.character.string = s;
      p->value.character.length = end - start;
      p->ts.u.cl = gfc_new_charlen (gfc_current_ns, NULL);
      p->ts.u.cl->length = gfc_get_int_expr (gfc_default_integer_kind,
                         NULL,
                         p->value.character.length);

[Bug fortran/50409] SIGSEGV in gfc_simplify_expr

[fxcoudert at gcc dot gnu.org]

http://gcc.gnu.org/bugzilla/show_bug.cgi?id=50409

Francois-Xavier Coudert <fxcoudert at gcc dot gnu.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
           Keywords|                            |ice-on-valid-code, patch
             Status|NEW                         |ASSIGNED
                 CC|                            |fxcoudert at gcc dot
                   |                            |gnu.org

--- Comment #3 from Francois-Xavier Coudert <fxcoudert at gcc dot gnu.org> 2011-11-08 22:31:36 UTC ---
This is actually the same bug as PR48876, but the original fix was not enough.
The following fixes it for good (fingers crosser, obviously!):

Index: expr.c
===================================================================
--- expr.c    (revision 181149)
+++ expr.c    (working copy)
@@ -1853,8 +1853,8 @@ gfc_simplify_expr (gfc_expr *p, int type
       if (p->ref && p->ref->u.ss.end)
         gfc_extract_int (p->ref->u.ss.end, &end);

-      if (end < 0)
-        end = 0;
+      if (end < start)
+        end = start;

       s = gfc_get_wide_string (end - start + 2);
       memcpy (s, p->value.character.string + start,

[Bug fortran/50409] SIGSEGV in gfc_simplify_expr

[fxcoudert at gcc dot gnu.org]

http://gcc.gnu.org/bugzilla/show_bug.cgi?id=50409

--- Comment #4 from Francois-Xavier Coudert <fxcoudert at gcc dot gnu.org> 2011-11-08 23:15:16 UTC ---
Author: fxcoudert
Date: Tue Nov  8 23:15:11 2011
New Revision: 181181

URL: http://gcc.gnu.org/viewcvs?root=gcc&view=rev&rev=181181
Log:
    PR fortran/50409
    * expr.c (gfc_simplify_expr): Substrings can't have negative
    length.
    * gcc/testsuite/gfortran.dg/string_5.f90: Improve testcase.

Modified:
    trunk/gcc/fortran/ChangeLog
    trunk/gcc/fortran/expr.c
    trunk/gcc/testsuite/ChangeLog
    trunk/gcc/testsuite/gfortran.dg/string_5.f90

[Bug fortran/50409] SIGSEGV in gfc_simplify_expr

[fxcoudert at gcc dot gnu.org]

http://gcc.gnu.org/bugzilla/show_bug.cgi?id=50409

Francois-Xavier Coudert <fxcoudert at gcc dot gnu.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|ASSIGNED                    |RESOLVED
         Resolution|                            |FIXED

--- Comment #5 from Francois-Xavier Coudert <fxcoudert at gcc dot gnu.org> 2011-11-08 23:15:46 UTC ---
Fixed on trunk.