From mboxrd@z Thu Jan 1 00:00:00 1970
Return-Path:
Received: (qmail 105273 invoked by alias); 18 Jun 2015 14:32:45 -0000
Mailing-List: contact gcc-bugs-help@gcc.gnu.org; run by ezmlm
Precedence: bulk
List-Id:
List-Archive:
List-Post:
List-Help:
Sender: gcc-bugs-owner@gcc.gnu.org
Received: (qmail 105241 invoked by uid 48); 18 Jun 2015 14:32:40 -0000
From: "vehre at gcc dot gnu.org"
To: gcc-bugs@gcc.gnu.org
Subject: [Bug fortran/66578] [F2008] Invalid free on allocate(...,source=a(:)) in block
Date: Thu, 18 Jun 2015 14:32:00 -0000
X-Bugzilla-Reason: CC
X-Bugzilla-Type: changed
X-Bugzilla-Watch-Reason: None
X-Bugzilla-Product: gcc
X-Bugzilla-Component: fortran
X-Bugzilla-Version: 6.0
X-Bugzilla-Keywords: wrong-code
X-Bugzilla-Severity: normal
X-Bugzilla-Who: vehre at gcc dot gnu.org
X-Bugzilla-Status: ASSIGNED
X-Bugzilla-Resolution:
X-Bugzilla-Priority: P3
X-Bugzilla-Assigned-To: vehre at gcc dot gnu.org
X-Bugzilla-Target-Milestone: ---
X-Bugzilla-Flags:
X-Bugzilla-Changed-Fields:
Message-ID:
In-Reply-To:
References:
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: 7bit
X-Bugzilla-URL: http://gcc.gnu.org/bugzilla/
Auto-Submitted: auto-generated
MIME-Version: 1.0
X-SW-Source: 2015-06/txt/msg01649.txt.bz2

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=66578

--- Comment #4 from vehre at gcc dot gnu.org ---
Further analysis showed that while the offset of source's temporary descriptor
parm.3 is not as expected:

// allocate(c, source=a(:))
// lb, ub, , offset, data
parm.3 = {1, ub(a)+1, 0, &a[0]} // offset should be -1, when lb is set to 1.

c is initialized like this:

c = { parm.3.lb, parm.3.ub, -parm.3.lb,
      malloc( ((parm.3.ub - parm.3.lb) + 1) * sizeof(int)) }

the loop to copy the data from "a", aka "parm.3.data", is this (simplified to
show the mistake more clearly):

for (i= 0; i <= c.ub; ++i)
  c.data[i + c.lb + c.offset] = parm.3.data[i + parm.3.offset]

The issue is that the loop is iterating over c.ub + 1 elements.
It should either be starting at 1 or stop at i < c.ub. Unfortunately this is
computed by the scalarizer, which I just don't understand. I assume that having
the offset of parm.3 set correctly and the from setting of the loop to be 1
should resolve the issue reliably. Any thoughts?
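
Added illustration, not part of the original comment and not GCC source: a small C model of the simplified descriptors and copy loop quoted above. It counts the iterations whose index leaves the malloc'ed block, without dereferencing anything, for the `i <= c.ub` bound and for the `i < c.ub` bound. The `desc` layout, the helper names and the 4-element array are assumptions made for the example.

```c
#include <stdio.h>
#include <stdlib.h>

/* Hypothetical descriptor mirroring the {lb, ub, offset, data} tuple above. */
typedef struct { long lb, ub, offset; int *data; } desc;

/* Elements allocated for c: (ub - lb) + 1, as in the malloc() call above. */
static long extent(const desc *d) { return d->ub - d->lb + 1; }

/* Count iterations i = first..last whose destination or source index falls
   outside [0, extent(c)) or [0, n). Nothing is dereferenced here. */
static long audit_copy(const desc *c, const desc *src, long n,
                       long first, long last)
{
    long bad = 0;
    for (long i = first; i <= last; ++i) {
        long di = i + c->lb + c->offset;   /* index into c.data */
        long si = i + src->offset;         /* index into parm.3.data */
        if (di < 0 || di >= extent(c) || si < 0 || si >= n)
            ++bad;
    }
    return bad;
}

/* Copy only if every index is in bounds; 0 on success, -1 if refused. */
static int checked_copy(desc *c, const desc *src, long n, long first, long last)
{
    if (audit_copy(c, src, n, first, last) != 0)
        return -1;
    for (long i = first; i <= last; ++i)
        c->data[i + c->lb + c->offset] = src->data[i + src->offset];
    return 0;
}

int main(void)
{
    int a[4] = {10, 20, 30, 40};            /* constructed sample data */
    desc parm3 = {1, 4, 0, a};              /* constructed: lb 1, ub 4, offset 0 */
    desc c = {parm3.lb, parm3.ub, -parm3.lb, NULL};
    c.data = malloc((size_t)extent(&c) * sizeof(int));
    if (!c.data) return 1;
    printf("i <= c.ub: %ld bad\n", audit_copy(&c, &parm3, 4, 0, c.ub));
    printf("i <  c.ub: %ld bad\n", audit_copy(&c, &parm3, 4, 0, c.ub - 1));
    printf("checked copy: %d\n", checked_copy(&c, &parm3, 4, 0, c.ub - 1));
    free(c.data);
    return 0;
}
```

In this model the `i <= c.ub` bound touches index 4 of a 4-element block, a one-element write past the end of the heap allocation, which is the kind of corruption that later surfaces as an invalid free.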