Subject: Re: [PATCH] PR fortrsn/101564 - ICE in resolve_allocate_deallocate, at fortran/resolve.c:8169
To: Harald Anlauf, fortran, gcc-patches
From: Tobias Burnus
Message-ID: <9b6187f0-d3dd-bb2d-d6f3-ada831cdecf0@codesourcery.com>
Date: Thu, 22 Jul 2021 19:55:29 +0200

On 21.07.21 22:36, Harald Anlauf via Gcc-patches wrote:
> Anyway, here's a straightforward fix for a NULL pointer dereference for
> an invalid argument to STAT. For an alternative patch by Steve see PR.
>
> Regtested on x86_64-pc-linux-gnu. OK for mainline / 11-branch when it
> reopens?

..

> Fortran: ICE in resolve_allocate_deallocate for invalid STAT argument
>
> gcc/fortran/ChangeLog:
>
> PR fortran/101564
> * resolve.c (resolve_allocate_deallocate): Avoid NULL pointer
> dereference and shortcut for bad STAT argument to (DE)ALLOCATE.
>
> gcc/testsuite/ChangeLog:
>
> PR fortran/101564
> * gfortran.dg/pr101564.f90: New test.
>
> diff --git a/gcc/fortran/resolve.c b/gcc/fortran/resolve.c > index 45c3ad387ac..51d312116eb 100644 > --- a/gcc/fortran/resolve.c > +++ b/gcc/fortran/resolve.c
> @@ -8165,6 +8165,9 @@ resolve_allocate_deallocate (gfc_code *code, const = char *fcn) > gfc_error ("Stat-variable at %L must be a scalar INTEGER " > "variable", &stat->where); > > + if (stat->expr_type =3D=3D EXPR_CONSTANT || stat->symtree =3D=3D N= ULL) > + goto done_stat; > +

I wonder whether this will catch all cases, e.g. stat->symtree != NULL
but using something else than '->n.sym'. I currently cannot spot
whether a user operator or a type-bound procedure is possible in this
case, but if so, n.sym->something is not well defined.

Additionally, I wonder whether that will work with:

   integer, pointer :: ptr
   integer function f()
     pointer :: f
     f = ptr
   end
   allocate(A, stat=f())

The f() is a variable and definable – but I am currently not sure it
sets stat->symtree and not only stat->value.function.esym, but I have
not tested it. (Answer: it does set it - at least there is an assert in
gfc_check_vardef_context that symtree != NULL for EXPR_FUNCTION.)

Can't we just add a 'if (!' + ') goto done_stat;' around:

   gfc_check_vardef_context (stat, false, false, false,
                             _("STAT variable"));

Additionally, I have to admit that I do not understand the following
existing condition, which you did not touch:

   if ((stat->ts.type != BT_INTEGER
        && !(stat->ref && (stat->ref->type == REF_ARRAY
                           || stat->ref->type == REF_COMPONENT)))
       || stat->rank > 0)
     gfc_error ("Stat-variable at %L must be a scalar INTEGER "
                "variable", &stat->where);

I mean the ts.type != BT_INTEGER and stat->rank != 0 is clear, but
what's the reason for the refs? My impression is that it is supposed to
handle REF_INQUIRY such as x%kind – but that does not seem to handle
x%y%kind.

It looks as if gfc_check_vardef_context needs an additional check for
REF_INQUIRY – and then the check above can be simplified to the obvious
version.

Can you check?
That's
* use if (!gfc_check_vardef_context ()) goto done_stat;
* Add REF_INQUIRY check to gfc_check_vardef_context
* Simplify the check to !BT_INTEGER || rank != 0

And possibly add a testcase for stat=f() [valid] and stat=x%y%kind
[invalid] as well?

Thanks,

Tobias

> for (p =3D code->ext.alloc.list; p; p =3D p->next) > if (p->expr->symtree->n.sym->name =3D=3D stat->symtree->n.sym->name= ) > { > @@ -8192,6 +8195,8 @@ resolve_allocate_deallocate (gfc_code *code, const = char *fcn) > } > } > > +done_stat: > + > /* Check the errmsg variable. */ > if (errmsg) > { > diff --git a/gcc/testsuite/gfortran.dg/pr101564.f90 b/gcc/testsuite/gfort= ran.dg/pr101564.f90 > new file mode 100644 > index 00000000000..1e7c9911ce6 > --- /dev/null > +++ b/gcc/testsuite/gfortran.dg/pr101564.f90 > @@ -0,0 +1,9 @@ > +! { dg-do compile } > +! PR fortran/101564 - ICE in resolve_allocate_deallocate > + > +program p > + integer, allocatable :: x(:) > + integer :: stat > + allocate (x(2), stat=3Dstat) > + deallocate (x, stat=3Dstat%kind) ! { dg-error "(STAT variable)" } > +end

-----------------
Siemens Electronic Design Automation GmbH; Address: Arnulfstraße 201, 80634 München; limited liability company (Gesellschaft mit beschränkter Haftung); Managing Directors: Thomas Heurung, Frank Thürauf; Registered office: München; Commercial register: München, HRB 106955
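
Review bot: In the resolve.c hunk at -8165, the new guard protects only the stat side of the comparison that follows it; the loop's p->expr->symtree->n.sym->name is still dereferenced with no NULL check on p->expr->symtree. If an allocate-object can reach this loop without a symtree, the same kind of NULL dereference remains, so either skip list entries whose p->expr->symtree is NULL or add a comment stating where that is guaranteed non-NULL. A one-line comment above the guard naming the invalid STAT forms it is meant to skip would also help, since the two conditions (expr_type == EXPR_CONSTANT, symtree == NULL) are not self-explanatory.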
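
Review bot: The new test pr101564.f90 covers only one invalid form, stat=stat%kind on DEALLOCATE, while the guard in resolve.c has two conditions (expr_type == EXPR_CONSTANT and symtree == NULL) and the ChangeLog entry names (DE)ALLOCATE. Add an ALLOCATE statement with the same invalid argument and a case aimed at the other branch of the guard, each with its own dg-error, so that a regression in either path is caught. The only valid use in the test is the plain stat=stat on ALLOCATE; a second valid STAT form would show that the new early exit does not skip checks for accepted arguments.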