public inbox for gcc-bugs@sourceware.org help / color / mirror / Atom feed
* [Bug libfortran/62188] New: Array bounds overrun in bessel_yn_r4/8/16 and other functions
@ 2014-08-19 13:48 vogt at linux dot vnet.ibm.com
2014-08-19 16:54 ` [Bug libfortran/62188] " kargl at gcc dot gnu.org
` (9 more replies)
0 siblings, 10 replies; 11+ messages in thread
From: vogt at linux dot vnet.ibm.com @ 2014-08-19 13:48 UTC (permalink / raw)
To: gcc-bugs
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=62188
Bug ID: 62188
Summary: Array bounds overrun in bessel_yn_r4/8/16 and other
functions
Product: gcc
Version: 5.0
Status: UNCONFIRMED
Severity: normal
Priority: P3
Component: libfortran
Assignee: unassigned at gcc dot gnu.org
Reporter: vogt at linux dot vnet.ibm.com
There's an array bounds overrun in
gfortran/generated/bessel_r4.c:bessel_yn_r4(). The function is passed the
arguments n1 and n2 (n1 <= n2) and allocates memory for (n2 - n1 + 1) result
values:
size_t size = n2 < n1 ? 0 : n2-n1+1;
...
ret->base_addr = xmallocarray (size, sizeof (GFC_REAL_4));
But later on it writes from index 0 to n1 + n2:
for (...; i <= n1+n2; ...)
... ^^^^^
ret->base_addr[i*stride] = ...;
The loop should be
for (i = 2; i < n2-n1; i++)
instead. The same bug exists in bessel_r8.c and bessel_r16.c and has been
present since at least gcc-4.8. The existing test cases (bessel_<n>.f90) all
use 0 or low values > 0, so they have not caught this bug yet.
^ permalink raw reply [flat|nested] 11+ messages in thread* [Bug libfortran/62188] Array bounds overrun in bessel_yn_r4/8/16 and other functions 2014-08-19 13:48 [Bug libfortran/62188] New: Array bounds overrun in bessel_yn_r4/8/16 and other functions vogt at linux dot vnet.ibm.com @ 2014-08-19 16:54 ` kargl at gcc dot gnu.org 2014-08-20 7:03 ` vogt at linux dot vnet.ibm.com ` (8 subsequent siblings) 9 siblings, 0 replies; 11+ messages in thread From: kargl at gcc dot gnu.org @ 2014-08-19 16:54 UTC (permalink / raw) To: gcc-bugs https://gcc.gnu.org/bugzilla/show_bug.cgi?id=62188 kargl at gcc dot gnu.org changed: What |Removed |Added ---------------------------------------------------------------------------- Status|UNCONFIRMED |NEW Last reconfirmed| |2014-08-19 CC| |kargl at gcc dot gnu.org Ever confirmed|0 |1 --- Comment #1 from kargl at gcc dot gnu.org --- Confirmed. I assume you found this by using a libc with a malloc that has buffer overflow detection. The obvious patch is Index: m4/bessel.m4 =================================================================== --- m4/bessel.m4 (revision 213593) +++ m4/bessel.m4 (working copy) @@ -163,7 +163,7 @@ bessel_yn_r'rtype_kind` ('rtype` * const x2rev = GFC_REAL_'rtype_kind`_LITERAL(2.)/x; - for (i = 2; i <= n1+n2; i++) + for (i = 2; i <= n2 - n1; i++) { #if defined('rtype_name`_INFINITY) if (unlikely (last2 == -'rtype_name`_INFINITY)) I'll commit this later. ^ permalink raw reply [flat|nested] 11+ messages in thread
* [Bug libfortran/62188] Array bounds overrun in bessel_yn_r4/8/16 and other functions 2014-08-19 13:48 [Bug libfortran/62188] New: Array bounds overrun in bessel_yn_r4/8/16 and other functions vogt at linux dot vnet.ibm.com 2014-08-19 16:54 ` [Bug libfortran/62188] " kargl at gcc dot gnu.org @ 2014-08-20 7:03 ` vogt at linux dot vnet.ibm.com 2014-08-20 16:19 ` kargl at gcc dot gnu.org ` (7 subsequent siblings) 9 siblings, 0 replies; 11+ messages in thread From: vogt at linux dot vnet.ibm.com @ 2014-08-20 7:03 UTC (permalink / raw) To: gcc-bugs https://gcc.gnu.org/bugzilla/show_bug.cgi?id=62188 --- Comment #3 from Dominik Vogt <vogt at linux dot vnet.ibm.com> --- (In reply to kargl from comment #1) > I assume you found this by using a libc with > a malloc that has buffer overflow detection. Actually, no. We inspected the function manually looking for the cause of a test FAIL of bessel_7.f90 and just stumbled across it. > I'll commit this later. Great. ^ permalink raw reply [flat|nested] 11+ messages in thread
* [Bug libfortran/62188] Array bounds overrun in bessel_yn_r4/8/16 and other functions 2014-08-19 13:48 [Bug libfortran/62188] New: Array bounds overrun in bessel_yn_r4/8/16 and other functions vogt at linux dot vnet.ibm.com 2014-08-19 16:54 ` [Bug libfortran/62188] " kargl at gcc dot gnu.org 2014-08-20 7:03 ` vogt at linux dot vnet.ibm.com @ 2014-08-20 16:19 ` kargl at gcc dot gnu.org 2014-08-20 16:22 ` kargl at gcc dot gnu.org ` (6 subsequent siblings) 9 siblings, 0 replies; 11+ messages in thread From: kargl at gcc dot gnu.org @ 2014-08-20 16:19 UTC (permalink / raw) To: gcc-bugs https://gcc.gnu.org/bugzilla/show_bug.cgi?id=62188 --- Comment #4 from kargl at gcc dot gnu.org --- Author: kargl Date: Wed Aug 20 16:18:27 2014 New Revision: 214229 URL: https://gcc.gnu.org/viewcvs?rev=214229&root=gcc&view=rev Log: 2014-08-20 Steven G. Kargl <kargl@gcc.gnu.org> PR libgfortran/62188 * m4/bessel.m4: Avoid indexing off the end of an array. * generated/bessel_r10.c: Regenerated. * generated/bessel_r16.c: Ditto. * generated/bessel_r4.c: Ditto. * generated/bessel_r8.c: Ditto. Modified: trunk/libgfortran/ChangeLog trunk/libgfortran/generated/bessel_r10.c trunk/libgfortran/generated/bessel_r16.c trunk/libgfortran/generated/bessel_r4.c trunk/libgfortran/generated/bessel_r8.c trunk/libgfortran/m4/bessel.m4 ^ permalink raw reply [flat|nested] 11+ messages in thread
* [Bug libfortran/62188] Array bounds overrun in bessel_yn_r4/8/16 and other functions 2014-08-19 13:48 [Bug libfortran/62188] New: Array bounds overrun in bessel_yn_r4/8/16 and other functions vogt at linux dot vnet.ibm.com ` (2 preceding siblings ...) 2014-08-20 16:19 ` kargl at gcc dot gnu.org @ 2014-08-20 16:22 ` kargl at gcc dot gnu.org 2014-08-20 16:24 ` kargl at gcc dot gnu.org ` (5 subsequent siblings) 9 siblings, 0 replies; 11+ messages in thread From: kargl at gcc dot gnu.org @ 2014-08-20 16:22 UTC (permalink / raw) To: gcc-bugs https://gcc.gnu.org/bugzilla/show_bug.cgi?id=62188 --- Comment #5 from kargl at gcc dot gnu.org --- Author: kargl Date: Wed Aug 20 16:22:20 2014 New Revision: 214230 URL: https://gcc.gnu.org/viewcvs?rev=214230&root=gcc&view=rev Log: 2014-08-20 Steven G. Kargl <kargl@gcc.gnu.org> PR libgfortran/62188 * m4/bessel.m4: Avoid indexing off the end of an array. * generated/bessel_r10.c: Regenerated. * generated/bessel_r16.c: Ditto. * generated/bessel_r4.c: Ditto. * generated/bessel_r8.c: Ditto. Modified: branches/gcc-4_9-branch/libgfortran/ChangeLog branches/gcc-4_9-branch/libgfortran/generated/bessel_r10.c branches/gcc-4_9-branch/libgfortran/generated/bessel_r16.c branches/gcc-4_9-branch/libgfortran/generated/bessel_r4.c branches/gcc-4_9-branch/libgfortran/generated/bessel_r8.c branches/gcc-4_9-branch/libgfortran/m4/bessel.m4 ^ permalink raw reply [flat|nested] 11+ messages in thread
* [Bug libfortran/62188] Array bounds overrun in bessel_yn_r4/8/16 and other functions 2014-08-19 13:48 [Bug libfortran/62188] New: Array bounds overrun in bessel_yn_r4/8/16 and other functions vogt at linux dot vnet.ibm.com ` (3 preceding siblings ...) 2014-08-20 16:22 ` kargl at gcc dot gnu.org @ 2014-08-20 16:24 ` kargl at gcc dot gnu.org 2014-08-20 16:30 ` kargl at gcc dot gnu.org ` (4 subsequent siblings) 9 siblings, 0 replies; 11+ messages in thread From: kargl at gcc dot gnu.org @ 2014-08-20 16:24 UTC (permalink / raw) To: gcc-bugs https://gcc.gnu.org/bugzilla/show_bug.cgi?id=62188 --- Comment #6 from kargl at gcc dot gnu.org --- Author: kargl Date: Wed Aug 20 16:23:55 2014 New Revision: 214231 URL: https://gcc.gnu.org/viewcvs?rev=214231&root=gcc&view=rev Log: 2014-08-20 Steven G. Kargl <kargl@gcc.gnu.org> PR libgfortran/62188 * m4/bessel.m4: Avoid indexing off the end of an array. * generated/bessel_r10.c: Regenerated. * generated/bessel_r16.c: Ditto. * generated/bessel_r4.c: Ditto. * generated/bessel_r8.c: Ditto. Modified: branches/gcc-4_8-branch/libgfortran/ChangeLog branches/gcc-4_8-branch/libgfortran/generated/bessel_r10.c branches/gcc-4_8-branch/libgfortran/generated/bessel_r16.c branches/gcc-4_8-branch/libgfortran/generated/bessel_r4.c branches/gcc-4_8-branch/libgfortran/generated/bessel_r8.c branches/gcc-4_8-branch/libgfortran/m4/bessel.m4 ^ permalink raw reply [flat|nested] 11+ messages in thread
* [Bug libfortran/62188] Array bounds overrun in bessel_yn_r4/8/16 and other functions 2014-08-19 13:48 [Bug libfortran/62188] New: Array bounds overrun in bessel_yn_r4/8/16 and other functions vogt at linux dot vnet.ibm.com ` (4 preceding siblings ...) 2014-08-20 16:24 ` kargl at gcc dot gnu.org @ 2014-08-20 16:30 ` kargl at gcc dot gnu.org 2014-08-26 13:08 ` burnus at gcc dot gnu.org ` (3 subsequent siblings) 9 siblings, 0 replies; 11+ messages in thread From: kargl at gcc dot gnu.org @ 2014-08-20 16:30 UTC (permalink / raw) To: gcc-bugs https://gcc.gnu.org/bugzilla/show_bug.cgi?id=62188 kargl at gcc dot gnu.org changed: What |Removed |Added ---------------------------------------------------------------------------- Status|NEW |RESOLVED Resolution|--- |FIXED --- Comment #7 from kargl at gcc dot gnu.org --- (In reply to Dominik Vogt from comment #3) > (In reply to kargl from comment #1) > > I assume you found this by using a libc with > > a malloc that has buffer overflow detection. > > Actually, no. We inspected the function manually looking for the > cause of a test FAIL of bessel_7.f90 and just stumbled across it. Ah, bessel_7.f90. This test has some tolerances that are at the very edge of numerical accuracy. If your underlying libm implementation of yn is poor, you'll get FAIL[ures]. > > I'll commit this later. > > Great. Committed to trunk and all open branches. Thanks for the bug report. ^ permalink raw reply [flat|nested] 11+ messages in thread
* [Bug libfortran/62188] Array bounds overrun in bessel_yn_r4/8/16 and other functions 2014-08-19 13:48 [Bug libfortran/62188] New: Array bounds overrun in bessel_yn_r4/8/16 and other functions vogt at linux dot vnet.ibm.com ` (5 preceding siblings ...) 2014-08-20 16:30 ` kargl at gcc dot gnu.org @ 2014-08-26 13:08 ` burnus at gcc dot gnu.org 2014-08-26 14:52 ` sgk at troutmask dot apl.washington.edu ` (2 subsequent siblings) 9 siblings, 0 replies; 11+ messages in thread From: burnus at gcc dot gnu.org @ 2014-08-26 13:08 UTC (permalink / raw) To: gcc-bugs https://gcc.gnu.org/bugzilla/show_bug.cgi?id=62188 Tobias Burnus <burnus at gcc dot gnu.org> changed: What |Removed |Added ---------------------------------------------------------------------------- CC| |burnus at gcc dot gnu.org --- Comment #8 from Tobias Burnus <burnus at gcc dot gnu.org> --- (In reply to kargl from comment #7) > > Actually, no. We inspected the function manually looking for the > > cause of a test FAIL of bessel_7.f90 and just stumbled across it. Which would be: https://gcc.gnu.org/ml/gcc-patches/2014-08/msg02311.html > Committed to trunk and all open branches. Steve, should we also add a test case for the "n1 < 0"? ^ permalink raw reply [flat|nested] 11+ messages in thread
* [Bug libfortran/62188] Array bounds overrun in bessel_yn_r4/8/16 and other functions 2014-08-19 13:48 [Bug libfortran/62188] New: Array bounds overrun in bessel_yn_r4/8/16 and other functions vogt at linux dot vnet.ibm.com ` (6 preceding siblings ...) 2014-08-26 13:08 ` burnus at gcc dot gnu.org @ 2014-08-26 14:52 ` sgk at troutmask dot apl.washington.edu 2014-08-26 17:54 ` sgk at troutmask dot apl.washington.edu 2014-08-26 18:14 ` sgk at troutmask dot apl.washington.edu 9 siblings, 0 replies; 11+ messages in thread From: sgk at troutmask dot apl.washington.edu @ 2014-08-26 14:52 UTC (permalink / raw) To: gcc-bugs https://gcc.gnu.org/bugzilla/show_bug.cgi?id=62188 --- Comment #9 from Steve Kargl <sgk at troutmask dot apl.washington.edu> --- On Tue, Aug 26, 2014 at 01:08:22PM +0000, burnus at gcc dot gnu.org wrote: > https://gcc.gnu.org/bugzilla/show_bug.cgi?id=62188 > > Tobias Burnus <burnus at gcc dot gnu.org> changed: > > What |Removed |Added > ---------------------------------------------------------------------------- > CC| |burnus at gcc dot gnu.org > > --- Comment #8 from Tobias Burnus <burnus at gcc dot gnu.org> --- > (In reply to kargl from comment #7) > > > Actually, no. We inspected the function manually looking for the > > > cause of a test FAIL of bessel_7.f90 and just stumbled across it. > > Which would be: > https://gcc.gnu.org/ml/gcc-patches/2014-08/msg02311.html > > > Committed to trunk and all open branches. > > Steve, should we also add a test case for the "n1 < 0"? > I only looked at the specific issue raised by OP. If calling bessel_yn() with n1 < 0 violates requirements of the standard, then yes we should probably check for that situation. I'll cast an eye over this later today. ^ permalink raw reply [flat|nested] 11+ messages in thread
* [Bug libfortran/62188] Array bounds overrun in bessel_yn_r4/8/16 and other functions 2014-08-19 13:48 [Bug libfortran/62188] New: Array bounds overrun in bessel_yn_r4/8/16 and other functions vogt at linux dot vnet.ibm.com ` (7 preceding siblings ...) 2014-08-26 14:52 ` sgk at troutmask dot apl.washington.edu @ 2014-08-26 17:54 ` sgk at troutmask dot apl.washington.edu 2014-08-26 18:14 ` sgk at troutmask dot apl.washington.edu 9 siblings, 0 replies; 11+ messages in thread From: sgk at troutmask dot apl.washington.edu @ 2014-08-26 17:54 UTC (permalink / raw) To: gcc-bugs https://gcc.gnu.org/bugzilla/show_bug.cgi?id=62188 --- Comment #10 from Steve Kargl <sgk at troutmask dot apl.washington.edu> --- On Tue, Aug 26, 2014 at 07:51:45AM -0700, Steve Kargl wrote: > On Tue, Aug 26, 2014 at 01:08:22PM +0000, burnus at gcc dot gnu.org wrote: > > > > Steve, should we also add a test case for the "n1 < 0"? > > > Checking in general looks broken for bessel_yn and probably _jn. program neumann_test implicit none integer n1, n2 real x, b(10) x = 42. b = bessel_yn(-5, x) n1 = -5 n2 = 5 b = bessel_yn(n1, n2, x) ! b = bessel_yn(-5, n2, x) end program neumann_test troutmask:sgk[223] gfc5x -o z bes.f90 troutmask:sgk[224] gfc5x -o z -std=f2008 bes.f90 bes.f90:8.17: b = bessel_yn(-5, x) 1 Error: GNU Extension: Negative argument N at (1) First, this GNU Extension should not exists as bessel_[jy]n are new in F2008 and I think we should adhere to the standard. Second, umcommenting he last line in the program yields bes.f90:12.7: b = bessel_yn(-5, n2, x) 1 Error: Too many arguments in call to 'bessel_yn' at (1) So, it appears the wrong checking function is getting called. It may take me a day or 2 to unravel the issue. ^ permalink raw reply [flat|nested] 11+ messages in thread
* [Bug libfortran/62188] Array bounds overrun in bessel_yn_r4/8/16 and other functions 2014-08-19 13:48 [Bug libfortran/62188] New: Array bounds overrun in bessel_yn_r4/8/16 and other functions vogt at linux dot vnet.ibm.com ` (8 preceding siblings ...) 2014-08-26 17:54 ` sgk at troutmask dot apl.washington.edu @ 2014-08-26 18:14 ` sgk at troutmask dot apl.washington.edu 9 siblings, 0 replies; 11+ messages in thread From: sgk at troutmask dot apl.washington.edu @ 2014-08-26 18:14 UTC (permalink / raw) To: gcc-bugs https://gcc.gnu.org/bugzilla/show_bug.cgi?id=62188 --- Comment #11 from Steve Kargl <sgk at troutmask dot apl.washington.edu> --- On Tue, Aug 26, 2014 at 10:53:58AM -0700, Steve Kargl wrote: > On Tue, Aug 26, 2014 at 07:51:45AM -0700, Steve Kargl wrote: > > On Tue, Aug 26, 2014 at 01:08:22PM +0000, burnus at gcc dot gnu.org wrote: > > > > > > Steve, should we also add a test case for the "n1 < 0"? > > > > > > > Checking in general looks broken for bessel_yn and probably _jn. > I'm going to have to re-learn the internals of the intrinsics stuff. >From intrinsic.c, we have add_sym_2 ("besjn", GFC_ISYM_JN, CLASS_ELEMENTAL, ACTUAL_NO, BT_REAL, dr, GFC_STD_GNU, gfc_check_besn, gfc_simplify_bessel_jn, gfc_resolve_besn, n, BT_INTEGER, di, REQUIRED, x, BT_REAL, dr, REQUIRED); make_alias ("bessel_jn", GFC_STD_F2008); add_sym_2 ("dbesjn", GFC_ISYM_JN, CLASS_ELEMENTAL, ACTUAL_NO, BT_REAL, dd, GFC_STD_GNU, gfc_check_besn, gfc_simplify_bessel_jn, gfc_resolve_besn, n, BT_INTEGER, di, REQUIRED, x, BT_REAL, dd, REQUIRED); add_sym_3 ("bessel_jn", GFC_ISYM_JN2, CLASS_TRANSFORMATIONAL, ACTUAL_NO, BT_REAL, dr, GFC_STD_F2008, gfc_check_bessel_n2, gfc_simplify_bessel_jn2, gfc_resolve_bessel_n2, "n1", BT_INTEGER, di, REQUIRED,"n2", BT_INTEGER, di, REQUIRED, x, BT_REAL, dr, REQUIRED); set_attr_value (3, true, true, true); make_generic ("bessel_jn", GFC_ISYM_JN, GFC_STD_F2008); I don't see how bessel_jn can be made an alias to besjn (an entity with 2 args), and then a few lines later it is defined with 3 args and made generic? I think besjn and bessel_jn need to be dealt with separately with "n2" in bessel_jn set as OPTIONAL. ^ permalink raw reply [flat|nested] 11+ messages in thread
end of thread, other threads:[~2014-08-26 18:14 UTC | newest] Thread overview: 11+ messages (download: mbox.gz / follow: Atom feed) -- links below jump to the message on this page -- 2014-08-19 13:48 [Bug libfortran/62188] New: Array bounds overrun in bessel_yn_r4/8/16 and other functions vogt at linux dot vnet.ibm.com 2014-08-19 16:54 ` [Bug libfortran/62188] " kargl at gcc dot gnu.org 2014-08-20 7:03 ` vogt at linux dot vnet.ibm.com 2014-08-20 16:19 ` kargl at gcc dot gnu.org 2014-08-20 16:22 ` kargl at gcc dot gnu.org 2014-08-20 16:24 ` kargl at gcc dot gnu.org 2014-08-20 16:30 ` kargl at gcc dot gnu.org 2014-08-26 13:08 ` burnus at gcc dot gnu.org 2014-08-26 14:52 ` sgk at troutmask dot apl.washington.edu 2014-08-26 17:54 ` sgk at troutmask dot apl.washington.edu 2014-08-26 18:14 ` sgk at troutmask dot apl.washington.edu
This is a public inbox, see mirroring instructions for how to clone and mirror all data and code used for this inbox; as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).