[Bug fortran/95537] New: [11 regression] gfortran.dg/pr95090.f90 since r11-670

[Bug fortran/95537] New: [11 regression] gfortran.dg/pr95090.f90 since r11-670

[seurer at linux dot vnet.ibm.com]

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=95537

            Bug ID: 95537
           Summary: [11 regression] gfortran.dg/pr95090.f90 since r11-670
           Product: gcc
           Version: 11.0
            Status: UNCONFIRMED
          Severity: normal
          Priority: P3
         Component: fortran
          Assignee: unassigned at gcc dot gnu.org
          Reporter: seurer at linux dot vnet.ibm.com
  Target Milestone: ---

make -k check-gcc-fortran RUNTESTFLAGS=dg.exp=gfortran.dg/pr95090.f90

FAIL: gfortran.dg/pr95090.f90   -O  (internal compiler error)
FAIL: gfortran.dg/pr95090.f90   -O  (test for excess errors)

# of unexpected failures        2

Executing on host:
/home3/seurer/gcc/git/build/gcc-test/gcc/testsuite/gfortran/../../gfortran
-B/home3/seurer/gcc/git/build/gcc-test/gcc/testsuite/gfortran/../../
-B/home3/seurer/gcc/git/build/gcc-test/powerpc64le-unknown-linux-gnu/./libgfortran/
/home/seurer/gcc/git/gcc-test/gcc/testsuite/gfortran.dg/pr95090.f90   
-fno-diagnostics-show-caret -fno-diagnostics-show-line-numbers
-fdiagnostics-color=never  -fdiagnostics-urls=never 
-fno-diagnostics-show-caret -fno-diagnostics-show-line-numbers
-fdiagnostics-color=never  -fdiagnostics-urls=never    -O  -fcoarray=lib
-fsecond-underscore -S -o pr95090.s    (timeout = 300)
spawn -ignore SIGHUP
/home3/seurer/gcc/git/build/gcc-test/gcc/testsuite/gfortran/../../gfortran
-B/home3/seurer/gcc/git/build/gcc-test/gcc/testsuite/gfortran/../../
-B/home3/seurer/gcc/git/build/gcc-test/powerpc64le-unknown-linux-gnu/./libgfortran/
/home/seurer/gcc/git/gcc-test/gcc/testsuite/gfortran.dg/pr95090.f90
-fno-diagnostics-show-caret -fno-diagnostics-show-line-numbers
-fdiagnostics-color=never -fdiagnostics-urls=never -fno-diagnostics-show-caret
-fno-diagnostics-show-line-numbers -fdiagnostics-color=never
-fdiagnostics-urls=never -O -fcoarray=lib -fsecond-underscore -S -o pr95090.s
*** buffer overflow detected ***:
/home3/seurer/gcc/git/build/gcc-test/gcc/testsuite/gfortran/../../f951
terminated
f951: internal compiler error: Aborted
0x10bdd713 crash_signal
        /home/seurer/gcc/git/gcc-test/gcc/toplev.c:328

[Bug fortran/95537] [11 regression] gfortran.dg/pr95090.f90 since r11-670

[seurer at linux dot vnet.ibm.com]

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=95537

--- Comment #1 from Bill Seurer <seurer at linux dot vnet.ibm.com> ---
Wait, perhaps this is the same as pr95530?  It started with a different
revision, though.

[Bug fortran/95537] [11 regression] gfortran.dg/pr95090.f90 since r11-670

[anlauf at gcc dot gnu.org]

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=95537

anlauf at gcc dot gnu.org changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |anlauf at gcc dot gnu.org

--- Comment #2 from anlauf at gcc dot gnu.org ---
It might be related.  This testcase and the one in PR95530 exercise
code paths with possibly latent bugs.

Nevertheless, are you able to produce a traceback?

valgrind on x86_64 unfortunately does not provide any useful hints.

[Bug fortran/95537] [11 regression] gfortran.dg/pr95090.f90 since r11-670

[seurer at linux dot vnet.ibm.com]

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=95537

--- Comment #3 from Bill Seurer <seurer at linux dot vnet.ibm.com> ---
Running f951 directly via gdb on a power 9 LE system I see:

(gdb) run /home/seurer/gcc/git/gcc-test/gcc/testsuite/gfortran.dg/pr95090.f90
-quiet -dumpbase pr95090.f90 -dumpbase-ext .f90 -mcpu=power9 -O -version
-fdiagnostics-color=never -fdiagnostics-urls=never -fno-diagnostics-show-caret
-fno-diagnostics-show-line-numbers -fdiagnostics-urls=never -fcoarray=lib
-fsecond-underscore -o pr95090.s -fintrinsic-modules-path finclude
Starting program: /home3/seurer/gcc/git/build/gcc-test/gcc/f951
/home/seurer/gcc/git/gcc-test/gcc/testsuite/gfortran.dg/pr95090.f90 -quiet
-dumpbase pr95090.f90 -dumpbase-ext .f90 -mcpu=power9 -O -version
-fdiagnostics-color=never -fdiagnostics-urls=never -fno-diagnostics-show-caret
-fno-diagnostics-show-line-numbers -fdiagnostics-urls=never -fcoarray=lib
-fsecond-underscore -o pr95090.s -fintrinsic-modules-path finclude
GNU Fortran (GCC) version 11.0.0 20200604 (experimental) [remotes/origin/HEAD
revision 0ddb93ce7:d48b471b9:7ece3bd8088983289731450826c238eb2bdd2db5]
(powerpc64le-unknown-linux-gnu)
        compiled by GNU C version 7.4.0, GMP version 6.1.0, MPFR version 3.1.4,
MPC version 1.0.3, isl version isl-0.18-GMP

GGC heuristics: --param ggc-min-expand=30 --param ggc-min-heapsize=4096
GNU Fortran2008 (GCC) version 11.0.0 20200604 (experimental)
[remotes/origin/HEAD revision
0ddb93ce7:d48b471b9:7ece3bd8088983289731450826c238eb2bdd2db5]
(powerpc64le-unknown-linux-gnu)
        compiled by GNU C version 7.4.0, GMP version 6.1.0, MPFR version 3.1.4,
MPC version 1.0.3, isl version isl-0.18-GMP

GGC heuristics: --param ggc-min-expand=30 --param ggc-min-heapsize=4096
*** buffer overflow detected ***: /home3/seurer/gcc/git/build/gcc-test/gcc/f951
terminated

Program received signal SIGABRT, Aborted.
0x00007ffff7bfe98c in __libc_signal_restore_set (set=0x7fffffffd488) at
../sysdeps/unix/sysv/linux/nptl-signals.h:80
80      ../sysdeps/unix/sysv/linux/nptl-signals.h: No such file or directory.
(gdb) where
#0  0x00007ffff7bfe98c in __libc_signal_restore_set (set=0x7fffffffd488) at
../sysdeps/unix/sysv/linux/nptl-signals.h:80
#1  __GI_raise (sig=<optimized out>) at ../sysdeps/unix/sysv/linux/raise.c:48
#2  0x00007ffff7c00be0 in __GI_abort () at abort.c:79
#3  0x00007ffff7c508fc in __libc_message (action=<optimized out>,
fmt=<optimized out>) at ../sysdeps/posix/libc_fatal.c:181
#4  0x00007ffff7d24d74 in __GI___fortify_fail_abort (need_backtrace=true,
msg=<optimized out>) at fortify_fail.c:33
#5  0x00007ffff7d24e10 in __GI___fortify_fail (msg=<optimized out>) at
fortify_fail.c:44
#6  0x00007ffff7d21680 in __GI___chk_fail () at chk_fail.c:28
#7  0x00007ffff7d203e4 in __strcpy_chk (dest=0x7fffffffda98
"t2345678901234567890123456789012345678901234567890123456789_123",
src=0x7ffff5c40360
"pdtt2345678901234567890123456789012345678901234567890123456789_123",
destlen=64)
    at strcpy_chk.c:30
#8  0x0000000010289c7c in strcpy (__src=<optimized out>, __dest=0x7fffffffda98
"t2345678901234567890123456789012345678901234567890123456789_123") at
/usr/include/powerpc64le-linux-gnu/bits/string_fortified.h:90
#9  gfc_match_decl_type_spec (ts=0x123ebdb0 <current_ts>,
implicit_flag=<optimized out>) at
/home/seurer/gcc/git/gcc-test/gcc/fortran/decl.c:4287
#10 0x000000001028b4b8 in gfc_match_data_decl () at
/home/seurer/gcc/git/gcc-test/gcc/fortran/decl.c:6119
#11 0x0000000010320974 in match_word (str=0x0, subr=<optimized out>,
old_locus=0x7fffffffde28) at
/home/seurer/gcc/git/gcc-test/gcc/fortran/parse.c:65
#12 0x0000000010324884 in decode_statement () at
/home/seurer/gcc/git/gcc-test/gcc/fortran/parse.c:376
#13 0x0000000010327368 in next_free () at
/home/seurer/gcc/git/gcc-test/gcc/fortran/parse.c:1279
#14 next_statement () at /home/seurer/gcc/git/gcc-test/gcc/fortran/parse.c:1511
#15 0x000000001032b604 in parse_spec (st=ST_NONE) at
/home/seurer/gcc/git/gcc-test/gcc/fortran/parse.c:3738
#16 0x000000001032e37c in parse_progunit (st=ST_NONE) at
/home/seurer/gcc/git/gcc-test/gcc/fortran/parse.c:5851
#17 0x000000001032e854 in parse_contained (module=1) at
/home/seurer/gcc/git/gcc-test/gcc/fortran/parse.c:5752
#18 0x000000001032ffa4 in parse_module () at
/home/seurer/gcc/git/gcc-test/gcc/fortran/parse.c:6125
#19 0x000000001033039c in gfc_parse_file () at
/home/seurer/gcc/git/gcc-test/gcc/fortran/parse.c:6428
#20 0x00000000103a4120 in gfc_be_parse_file () at
/home/seurer/gcc/git/gcc-test/gcc/fortran/f95-lang.c:212
#21 0x0000000010bdd974 in compile_file () at
/home/seurer/gcc/git/gcc-test/gcc/toplev.c:458
#22 0x0000000010249b34 in do_compile () at
/home/seurer/gcc/git/gcc-test/gcc/toplev.c:2302
#23 toplev::main (this=0x7fffffffe8a6, argc=<optimized out>, argv=<optimized
out>) at /home/seurer/gcc/git/gcc-test/gcc/toplev.c:2441
#24 0x000000001024c004 in main (argc=<optimized out>, argv=0x7fffffffecc8) at
/home/seurer/gcc/git/gcc-test/gcc/main.c:39

[Bug fortran/95537] [11 regression] gfortran.dg/pr95090.f90 since r11-670

[anlauf at gcc dot gnu.org]

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=95537

anlauf at gcc dot gnu.org changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
     Ever confirmed|0                           |1
             Status|UNCONFIRMED                 |NEW
           Priority|P3                          |P4
   Last reconfirmed|                            |2020-06-04

--- Comment #4 from anlauf at gcc dot gnu.org ---
Thanks for the backtrace.

Can you please try the following patch?

diff --git a/gcc/fortran/decl.c b/gcc/fortran/decl.c
index 3ad5559c3ec..1c1626d3fa4 100644
--- a/gcc/fortran/decl.c
+++ b/gcc/fortran/decl.c
@@ -4094,7 +4094,8 @@ match_byte_typespec (gfc_typespec *ts)
 match
 gfc_match_decl_type_spec (gfc_typespec *ts, int implicit_flag)
 {
-  char name[GFC_MAX_SYMBOL_LEN + 1];
+  /* Provide sufficient space to hold "pdtsymbol".  */
+  char name[GFC_MAX_SYMBOL_LEN + 1 + 3];
   gfc_symbol *sym, *dt_sym;
   match m;
   char c;
@@ -4284,7 +4285,11 @@ gfc_match_decl_type_spec (gfc_typespec *ts, int
implicit_flag)
            return m;
          gcc_assert (!sym->attr.pdt_template && sym->attr.pdt_type);
          ts->u.derived = sym;
-         strcpy (name, gfc_dt_lower_string (sym->name));
+         const char* lower = gfc_dt_lower_string (sym->name);
+         size_t len = strnlen (lower, sizeof (name));
+         gcc_assert (len < sizeof (name));
+         memcpy (name, lower, len);
+         name[len] = '\0';
        }

       if (sym && sym->attr.flavor == FL_STRUCT)

[Bug fortran/95537] [11 regression] gfortran.dg/pr95090.f90 since r11-670

[seurer at linux dot vnet.ibm.com]

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=95537

--- Comment #5 from Bill Seurer <seurer at linux dot vnet.ibm.com> ---
Still fails:

make -k check-gcc-fortran RUNTESTFLAGS=dg.exp=gfortran.dg/pr95090.f90

FAIL: gfortran.dg/pr95090.f90   -O  (internal compiler error)
FAIL: gfortran.dg/pr95090.f90   -O  (test for excess errors)

git diff
diff --git a/gcc/fortran/gfortran.h b/gcc/fortran/gfortran.h
index 5af44847f..0ef7b1b0e 100644
--- a/gcc/fortran/gfortran.h
+++ b/gcc/fortran/gfortran.h
@@ -1677,7 +1677,8 @@ typedef struct gfc_common_head
   char use_assoc, saved, threadprivate;
   unsigned char omp_declare_target : 1;
   unsigned char omp_declare_target_link : 1;
-  char name[GFC_MAX_SYMBOL_LEN + 1];
+  /* Provide sufficient space to hold "symbol.eq.1234567890".  */
+  char name[GFC_MAX_SYMBOL_LEN + 1 + 14];
   struct gfc_symbol *head;
   const char* binding_label;
   int is_bind_c;

[Bug fortran/95537] [11 regression] gfortran.dg/pr95090.f90 since r11-670

[anlauf at gcc dot gnu.org]

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=95537

anlauf at gcc dot gnu.org changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |ASSIGNED
           Assignee|unassigned at gcc dot gnu.org      |anlauf at gcc dot gnu.org

--- Comment #6 from anlauf at gcc dot gnu.org ---
(In reply to Bill Seurer from comment #5)
> Still fails:
> 
> make -k check-gcc-fortran RUNTESTFLAGS=dg.exp=gfortran.dg/pr95090.f90
> 
> FAIL: gfortran.dg/pr95090.f90   -O  (internal compiler error)
> FAIL: gfortran.dg/pr95090.f90   -O  (test for excess errors)

It turns out that this PR and PR95530 are unrelated issues regarding
buffer overflow in different places.

Can you add the patch in this PR, comment#4, and in PR95530 comment#6?

I've "regtested" on x86_64-pc-linux-gnu, but this might miss further
buffer overflows elsewhere.

[Bug fortran/95537] [11 regression] gfortran.dg/pr95090.f90 since r11-670

[seurer at linux dot vnet.ibm.com]

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=95537

--- Comment #7 from Bill Seurer <seurer at linux dot vnet.ibm.com> ---
I used the wrong patch file, sorry.

This patch did not apply cleanly to current trunk.

patching file gcc/fortran/decl.c
Hunk #2 FAILED at 4285.
1 out of 2 hunks FAILED -- saving rejects to file gcc/fortran/decl.c.rej

I will try those others.

[Bug fortran/95537] [11 regression] gfortran.dg/pr95090.f90 since r11-670

[seurer at linux dot vnet.ibm.com]

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=95537

--- Comment #8 from Bill Seurer <seurer at linux dot vnet.ibm.com> ---
Nope, still fails.

[Bug fortran/95537] [11 regression] gfortran.dg/pr95090.f90 since r11-670

[rguenth at gcc dot gnu.org]

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=95537

Richard Biener <rguenth at gcc dot gnu.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
   Target Milestone|---                         |11.0

[Bug fortran/95537] [11 regression] gfortran.dg/pr95090.f90 since r11-670

[cvs-commit at gcc dot gnu.org]

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=95537

--- Comment #9 from CVS Commits <cvs-commit at gcc dot gnu.org> ---
The master branch has been updated by Harald Anlauf <anlauf@gcc.gnu.org>:

https://gcc.gnu.org/g:bcd96c9cce962ca5b2c6f8459597fb759f945ccf

commit r11-1009-gbcd96c9cce962ca5b2c6f8459597fb759f945ccf
Author: Harald Anlauf <anlauf@gmx.de>
Date:   Fri Jun 5 20:30:34 2020 +0200

    PR fortran/95530, PR fortran/95537 - Buffer overflows with long symbols

    The testcases for PR95090 and PR95106 trigger buffer overflows with long
    symbols that were found with an instrumented compiler.  Enlarge the
    affected buffers, and add checks that the buffers will suffice.

    2020-06-05  Harald Anlauf  <anlauf@gmx.de>

    gcc/fortran/
            PR fortran/95530
            PR fortran/95537
            * decl.c (gfc_match_decl_type_spec): Enlarge buffer, and enhance
            string copy to detect buffer overflow.
            * gfortran.h (gfc_common_head): Enlarge buffer.
            * trans-common.c (finish_equivalences): Enhance string copy to
            detect buffer overflow.

[Bug fortran/95537] [11 regression] gfortran.dg/pr95090.f90 since r11-670

[cvs-commit at gcc dot gnu.org]

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=95537

--- Comment #10 from CVS Commits <cvs-commit at gcc dot gnu.org> ---
The releases/gcc-10 branch has been updated by Harald Anlauf
<anlauf@gcc.gnu.org>:

https://gcc.gnu.org/g:36442ee216acbe9a345ae625be53efbde8626477

commit r10-8254-g36442ee216acbe9a345ae625be53efbde8626477
Author: Harald Anlauf <anlauf@gmx.de>
Date:   Fri Jun 5 20:30:34 2020 +0200

    PR fortran/95530, PR fortran/95537 - Buffer overflows with long symbols

    The testcases for PR95090 and PR95106 trigger buffer overflows with long
    symbols that were found with an instrumented compiler.  Enlarge the
    affected buffers, and add checks that the buffers will suffice.

    2020-06-05  Harald Anlauf  <anlauf@gmx.de>

    gcc/fortran/
            PR fortran/95530
            PR fortran/95537
            * decl.c (gfc_match_decl_type_spec): Enlarge buffer, and enhance
            string copy to detect buffer overflow.
            * gfortran.h (gfc_common_head): Enlarge buffer.
            * trans-common.c (finish_equivalences): Enhance string copy to
            detect buffer overflow.

    (cherry picked from commit bcd96c9cce962ca5b2c6f8459597fb759f945ccf)

[Bug fortran/95537] [11 regression] gfortran.dg/pr95090.f90 since r11-670

[cvs-commit at gcc dot gnu.org]

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=95537

--- Comment #11 from CVS Commits <cvs-commit at gcc dot gnu.org> ---
The releases/gcc-9 branch has been updated by Harald Anlauf
<anlauf@gcc.gnu.org>:

https://gcc.gnu.org/g:075bec57a1c63a1b1de9d95909866a6548380390

commit r9-8654-g075bec57a1c63a1b1de9d95909866a6548380390
Author: Harald Anlauf <anlauf@gmx.de>
Date:   Fri Jun 5 20:30:34 2020 +0200

    PR fortran/95530, PR fortran/95537 - Buffer overflows with long symbols

    The testcases for PR95090 and PR95106 trigger buffer overflows with long
    symbols that were found with an instrumented compiler.  Enlarge the
    affected buffers, and add checks that the buffers will suffice.

    2020-06-05  Harald Anlauf  <anlauf@gmx.de>

    gcc/fortran/
            PR fortran/95530
            PR fortran/95537
            * decl.c (gfc_match_decl_type_spec): Enlarge buffer, and enhance
            string copy to detect buffer overflow.
            * gfortran.h (gfc_common_head): Enlarge buffer.
            * trans-common.c (finish_equivalences): Enhance string copy to
            detect buffer overflow.

    (cherry picked from commit bcd96c9cce962ca5b2c6f8459597fb759f945ccf)

[Bug fortran/95537] [11 regression] gfortran.dg/pr95090.f90 since r11-670

[anlauf at gcc dot gnu.org]

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=95537

anlauf at gcc dot gnu.org changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|ASSIGNED                    |RESOLVED
         Resolution|---                         |FIXED

--- Comment #12 from anlauf at gcc dot gnu.org ---
Fixed on master for GCC-11, and backported to 10-branch and 9-branch.

Thanks for the report and assistance in pinpointing the origin of the problem!