public inbox for gcc-bugs@sourceware.org
* [Bug fortran/95998] New: gfc_typename use of static memory
@ 2020-07-08 12:17 dominiq at lps dot ens.fr
  2020-07-11 17:47 ` [Bug fortran/95998] " tkoenig at gcc dot gnu.org
                   ` (2 more replies)
  0 siblings, 3 replies; 4+ messages in thread
From: dominiq at lps dot ens.fr @ 2020-07-08 12:17 UTC (permalink / raw)
  To: gcc-bugs

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=95998

            Bug ID: 95998
           Summary: gfc_typename use of static memory
           Product: gcc
           Version: unknown
            Status: WAITING
          Severity: normal
          Priority: P3
         Component: fortran
          Assignee: unassigned at gcc dot gnu.org
          Reporter: tkoenig at gcc dot gnu.org
  Target Milestone: ---
            Status: WAITING
  Last reconfirmed: 2020-07-08
    Ever confirmed: 1

The comment in misc.c says it all...

/* Return a string describing the type and kind of a typespec.  Because
   we return alternating buffers, this subroutine can appear twice in
   the argument list of a single statement.  */

Did we really audit our code to make sure we keep to this restriction? :-|

--- Comment #1 from Dominique d'Humieres <dominiq at lps dot ens.fr> ---
Is static in C/C++ equivalent of SAVE in fortran (at least in the context of
gfc_typename)?

If yes, AFAIU the code, the odd accesses to gfc_typename use buffer2, while even
ones use buffer1? Wouldn't it be simple (safer?) to use only buffer1?

  static char buffer[GFC_MAX_SYMBOL_LEN + 7];  /* 7 for "TYPE()" + '\0'.  */
  gfc_typespec *ts1;
  gfc_charlen_t length = 0;

Same thing for gfc_dummy_typename, gfc_typename, ... .


* [Bug fortran/95998] gfc_typename use of static memory
  2020-07-08 12:17 [Bug fortran/95998] New: gfc_typename use of static memory dominiq at lps dot ens.fr
@ 2020-07-11 17:47 ` tkoenig at gcc dot gnu.org
  2020-07-12  8:46 ` dominiq at lps dot ens.fr
  2021-03-28 12:33 ` dominiq at lps dot ens.fr
  2 siblings, 0 replies; 4+ messages in thread
From: tkoenig at gcc dot gnu.org @ 2020-07-11 17:47 UTC (permalink / raw)
  To: gcc-bugs

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=95998

--- Comment #2 from Thomas Koenig <tkoenig at gcc dot gnu.org> ---
(In reply to Dominique d'Humieres from comment #1)
> Is static in C/C++ equivalent of SAVE in fortran (at least in the context of
> gfc_typename)?

Yes.

> If yes, AFAIU the code the odd access to gfc_typename use buffer2, while
> even ones
> use buffer1? Wouldn't it be simple (safer?) to use only buffer1?
> 
>   static char buffer[GFC_MAX_SYMBOL_LEN + 7];  /* 7 for "TYPE()" + '\0'.  */
>   gfc_typespec *ts1;
>   gfc_charlen_t length = 0;
> 
> Same thing for gfc_dummy_typename, gfc_typename, ... .

If we ever have three occurrences of gfc_typename in a function list,
like

   foo (gfc_typename(a), gfc_typename(b), gfc_typename(c));

we will get the wrong result for the third one.  We will also get
a wrong result for

   pa = gfc_typename(a);
   pb = gfc_typename(b);
   pc = gfc_typename(c);

because then pa will point to the same memory as pc.

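Added example, not part of the thread and not the code from misc.c: a small C model of the alternating static buffers discussed in comment #2, showing the third result overwriting the first, next to a variant where the caller owns the storage. The names type_name_static and type_name_into, the 32-byte buffers and the "TYPE(%s)" format are assumptions made for the illustration.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical model of the pattern discussed above, not the code from
   misc.c: two static buffers handed out alternately.  */
static const char *type_name_static(const char *name)
{
    static char buffer1[32], buffer2[32];
    static int flag = 0;
    char *buffer = flag ? buffer1 : buffer2;
    flag = !flag;
    snprintf(buffer, sizeof buffer1, "TYPE(%s)", name);
    return buffer;
}

/* Alternative with no hidden state: the caller owns the storage.  */
static const char *type_name_into(char *out, size_t outlen, const char *name)
{
    snprintf(out, outlen, "TYPE(%s)", name);
    return out;
}

/* Returns 1 when the third call has overwritten the first result.  */
static int third_call_clobbers_first(void)
{
    const char *pa = type_name_static("a");
    const char *pb = type_name_static("b");
    const char *pc = type_name_static("c");
    return pa == pc && strcmp(pa, "TYPE(c)") == 0
           && strcmp(pb, "TYPE(b)") == 0;
}

/* Returns 1 when all three results survive with caller-owned buffers.  */
static int caller_buffers_survive(void)
{
    char a[32], b[32], c[32];
    const char *pa = type_name_into(a, sizeof a, "a");
    const char *pb = type_name_into(b, sizeof b, "b");
    const char *pc = type_name_into(c, sizeof c, "c");
    return strcmp(pa, "TYPE(a)") == 0 && strcmp(pb, "TYPE(b)") == 0
           && strcmp(pc, "TYPE(c)") == 0;
}

int main(void)
{
    printf("clobbered=%d intact=%d\n",
           third_call_clobbers_first(), caller_buffers_survive());
    return 0;
}
```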

* [Bug fortran/95998] gfc_typename use of static memory
  2020-07-08 12:17 [Bug fortran/95998] New: gfc_typename use of static memory dominiq at lps dot ens.fr
  2020-07-11 17:47 ` [Bug fortran/95998] " tkoenig at gcc dot gnu.org
@ 2020-07-12  8:46 ` dominiq at lps dot ens.fr
  2021-03-28 12:33 ` dominiq at lps dot ens.fr
  2 siblings, 0 replies; 4+ messages in thread
From: dominiq at lps dot ens.fr @ 2020-07-12  8:46 UTC (permalink / raw)
  To: gcc-bugs

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=95998

--- Comment #3 from Dominique d'Humieres <dominiq at lps dot ens.fr> ---
> If we ever have three occurrences of gfc_typename in a function list,
> like
>
>   foo (gfc_typename(a), gfc_typename(b), gfc_typename(c));
>
> we will get the wrong result for the third one.  We will also get
> a wrong result for
>
>   pa = gfc_typename(a);
>   pb = gfc_typename(b);
>   pc = gfc_typename(c);
>
> because then pa will point to the same memory as pc.

OK. I think I am now starting to understand how this proc works.

I have looked at the occurrences of gfc_typename, and AFAICT they appear only
once or twice within the same gfc_error, except for (line 2303 in check.c)

     gfc_error ("The function passed as OPERATOR at %L has arguments of type "
                 "%s and %s but shall have type %s", &op->where,
                 gfc_typename (&formal->sym->ts),
                 gfc_typename (&formal->next->sym->ts), gfc_typename (a));

but 'a' is a gfc_expr, while 'formal->sym->ts', and 'formal->next->sym->ts' are
gfc_typespec, so different procs and it should be OK.

Note that presently gfc_typename is only called in error messages and potential
problems will only show as strange errors.

However, I noticed a potential buffer overflow with DEC extensions:

  static char buffer1[GFC_MAX_SYMBOL_LEN + 7];  /* 7 for "TYPE()" + '\0'.  */
  static char buffer2[GFC_MAX_SYMBOL_LEN + 7];

should be

  static char buffer1[GFC_MAX_SYMBOL_LEN + 8];  /* 8 for "UNION()" + '\0'.  */
  static char buffer2[GFC_MAX_SYMBOL_LEN + 8];

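Added example, not part of the thread and not the code from misc.c: the size arithmetic behind the off-by-one in comment #3, checked with a bounded formatter. It assumes the name is rendered as KEYWORD(name), as the "TYPE()" and "UNION()" comments suggest; MAX_SYMBOL_LEN, its value and the helper names are stand-ins chosen for the illustration.

```c
#include <stdio.h>
#include <string.h>

#define MAX_SYMBOL_LEN 63   /* assumed symbol-length limit for this example */

/* Bytes needed for "<keyword>(<name>)" including the terminating NUL.  */
static size_t bytes_needed(const char *keyword, size_t name_len)
{
    return strlen(keyword) + 1 /* '(' */ + name_len + 1 /* ')' */ + 1 /* NUL */;
}

/* Bounded formatting: returns 0 on success, -1 if the result would have
   been truncated (an unbounded write would overflow in that case).  */
static int format_typename(char *out, size_t outlen,
                           const char *keyword, const char *name)
{
    int n = snprintf(out, outlen, "%s(%s)", keyword, name);
    return (n < 0 || (size_t) n >= outlen) ? -1 : 0;
}

/* Returns 1 if a maximum-length name with this keyword fits in buflen bytes.  */
static int max_name_fits(const char *keyword, size_t buflen)
{
    char name[MAX_SYMBOL_LEN + 1];
    char out[MAX_SYMBOL_LEN + 16];   /* larger than any buflen tested here */

    if (buflen > sizeof out)
        return 0;
    memset(name, 'x', MAX_SYMBOL_LEN);   /* constructed worst-case name */
    name[MAX_SYMBOL_LEN] = '\0';
    return format_typename(out, buflen, keyword, name) == 0;
}

int main(void)
{
    printf("TYPE  in +7: %d\n", max_name_fits("TYPE", MAX_SYMBOL_LEN + 7));
    printf("UNION in +7: %d\n", max_name_fits("UNION", MAX_SYMBOL_LEN + 7));
    printf("UNION in +8: %d\n", max_name_fits("UNION", MAX_SYMBOL_LEN + 8));
    return 0;
}
```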

* [Bug fortran/95998] gfc_typename use of static memory
  2020-07-08 12:17 [Bug fortran/95998] New: gfc_typename use of static memory dominiq at lps dot ens.fr
  2020-07-11 17:47 ` [Bug fortran/95998] " tkoenig at gcc dot gnu.org
  2020-07-12  8:46 ` dominiq at lps dot ens.fr
@ 2021-03-28 12:33 ` dominiq at lps dot ens.fr
  2 siblings, 0 replies; 4+ messages in thread
From: dominiq at lps dot ens.fr @ 2021-03-28 12:33 UTC (permalink / raw)
  To: gcc-bugs

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=95998

Dominique d'Humieres <dominiq at lps dot ens.fr> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
         Resolution|---                         |FIXED
             Status|WAITING                     |RESOLVED

--- Comment #4 from Dominique d'Humieres <dominiq at lps dot ens.fr> ---
The off-by-one problem has been fixed by r11-7873, closing.
