From mboxrd@z Thu Jan 1 00:00:00 1970
Return-Path:
Received: (qmail 59685 invoked by alias); 8 Apr 2015 13:42:14 -0000
Mailing-List: contact gcc-bugs-help@gcc.gnu.org; run by ezmlm
Precedence: bulk
List-Id:
List-Archive:
List-Post:
List-Help:
Sender: gcc-bugs-owner@gcc.gnu.org
Received: (qmail 59600 invoked by uid 48); 8 Apr 2015 13:42:11 -0000
From: "jakub at gcc dot gnu.org"
To: gcc-bugs@gcc.gnu.org
Subject: [Bug fortran/65089] FAIL: gfortran.dg/io_real_boz(2|_[45]).f90 when tested with -fsanitize=address
Date: Wed, 08 Apr 2015 13:42:00 -0000
X-Bugzilla-Reason: CC
X-Bugzilla-Type: changed
X-Bugzilla-Watch-Reason: None
X-Bugzilla-Product: gcc
X-Bugzilla-Component: fortran
X-Bugzilla-Version: 5.0
X-Bugzilla-Keywords:
X-Bugzilla-Severity: normal
X-Bugzilla-Who: jakub at gcc dot gnu.org
X-Bugzilla-Status: NEW
X-Bugzilla-Priority: P3
X-Bugzilla-Assigned-To: unassigned at gcc dot gnu.org
X-Bugzilla-Target-Milestone: ---
X-Bugzilla-Flags:
X-Bugzilla-Changed-Fields:
Message-ID:
In-Reply-To:
References:
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: 7bit
X-Bugzilla-URL: http://gcc.gnu.org/bugzilla/
Auto-Submitted: auto-generated
MIME-Version: 1.0
X-SW-Source: 2015-04/txt/msg00562.txt.bz2

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=65089

--- Comment #7 from Jakub Jelinek ---
Sounds like either a libgfortran bug or a Fortran FE bug.
What asan_finish_file sees for .LC3 is:

        unit size align 8 symtab -244602288 alias set -1 canonical type 0x7ffff15083f0
        precision 8 min max
        pointer_to_this >
    string-flag SI size unit size align 8 symtab 0 alias set -1 canonical type 0x7ffff16c7d20
    domain SI size unit size align 32 symtab 0 alias set -1 canonical type 0x7ffff16c7c78
        precision 32 min max >>
    constant asm_written "(z0)">

i.e. a 4-byte-long string literal, which is not NUL terminated.
If you compile without -fsanitize=address, you can see that (z0) is directly followed by unrelated strings:

0000 696f5f72 65616c5f 626f7a5f 352e6639 io_real_boz_5.f9
0010 3000287a 30295800 00000000 00000000 0.(z0)X.........
0020 02010000 9b010000 00000000 00000000 ................
0030 01000000 01000000 00000000 00000000 ................
0040 1f000000 0000803f .......?

so calling strlen on this is obviously undefined behavior.
Doesn't the FE pass format_len, which tells you how long the string is? It really doesn't seem to be NUL terminated unless by accident.
Isn't:

character(len=32) :: str1
character(len=4) :: str2
str2 = '(z0)'
x = 1.0_16 + 2.0_16**(-105)
write (str1,str2) 'X'
end

equivalent to that (again, with no NUL termination)?
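An added illustration of the over-read described in the comment above; it is written for this page and is not code from the bug report or from libgfortran. It models the two ways a runtime can measure a Fortran format string: trusting strlen() to find a terminator the front end never emits, or honouring the explicit length the caller passes (libgfortran's format_len). The byte image is constructed from the objdump quoted in the comment (offsets 0x00 to 0x17); the names rodata_image, fmt_ptr, fmt_len_strlen and fmt_scan_bounded are this example's own, not libgfortran's.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed copy of the .rodata bytes quoted in the comment (offsets 0x00
 * to 0x17).  The 4-byte literal "(z0)" starts at 0x12 and has no NUL of its
 * own: the 'X' of the next literal follows it directly, and the only NUL
 * nearby is the one behind that 'X'.  Everything is one array here, so a
 * plain build just over-reads quietly; with -fsanitize=address each literal
 * sits in its own redzone and the same read is reported as a
 * global-buffer-overflow, which is what the failing tests show. */
static const unsigned char rodata_image[] = {
    'i','o','_','r','e','a','l','_','b','o','z','_','5','.','f','9',
    '0','\0','(','z','0',')','X','\0',
};

#define FMT_OFFSET 0x12u  /* where "(z0)" lives in the image */
#define FMT_LEN    4u     /* what the front end knows: character(len=4) */

/* The pointer the compiled WRITE statement hands to the runtime. */
const char *fmt_ptr(void) {
    return (const char *)rodata_image + FMT_OFFSET;
}

/* Buggy measurement: assume a terminator exists.  Fortran CHARACTER data is
 * length-counted, so this reads past the literal until it happens to meet a
 * NUL; on this image that is 5 bytes, "(z0)X", one more than the literal has
 * (and one byte into a neighbouring object). */
size_t fmt_len_strlen(const char *fmt) {
    return strlen(fmt);
}

/* Bounded scan of a parenthesised format: returns the number of bytes the
 * format occupies, or 0 if no balanced ')' is found within format_len.  Every
 * access is guarded by format_len, so the missing NUL is irrelevant and a
 * truncated format is rejected instead of walking off the end. */
size_t fmt_scan_bounded(const char *fmt, size_t format_len) {
    size_t i = 0;
    int depth = 0;

    while (i < format_len && fmt[i] == ' ')   /* leading blanks are allowed */
        i++;
    if (i >= format_len || fmt[i] != '(')
        return 0;
    for (; i < format_len; i++) {
        if (fmt[i] == '(')
            depth++;
        else if (fmt[i] == ')' && --depth == 0)
            return i + 1;
    }
    return 0;  /* ran out of counted bytes before the format closed */
}

int main(void) {
    const char *fmt = fmt_ptr();
    printf("strlen() measures %zu bytes, front end said %u\n",
           fmt_len_strlen(fmt), FMT_LEN);
    printf("bounded scan consumes %zu bytes\n",
           fmt_scan_bounded(fmt, FMT_LEN));
    return 0;
}
```

On the constructed image the strlen() path reports 5 bytes against the 4 the front end declared, which is exactly the kind of off-the-end read ASan flags once the literals are separated by redzones; the bounded scan stays inside the counted range and also refuses a format such as "(z0" that never closes, instead of searching memory beyond it.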