[flang] heap-use-after-free in Fortran::semantics::CheckIfArgIsDoVar #121999

Open
yype opened this issue Jan 7, 2025 · 1 comment · May be fixed by #122394
Labels: crash (Prefer [crash-on-valid] or [crash-on-invalid]), flang:frontend, generated by fuzzer

Comments


yype commented Jan 7, 2025

Hi there, flang crashes from a heap-use-after-free on the following test case:

```fortran
real, intent(in), pointer :: a(:)
SUM([1]) = a(nn(x):command_argument_count()) + a(i)
end
```

Tested version(s): 19.1.0, trunk (ASAN build)

A Compiler Explorer demo is not available, as this crash requires an ASAN build of flang to reproduce, which is not available on Compiler Explorer yet.

Partial stack dump:

=================================================================
==587111==ERROR: AddressSanitizer: heap-use-after-free on address 0x607000015f2c at pc 0x55c044b0d98a bp 0x7ffeeb78c7f0 sp 0x7ffeeb78c7e8
READ of size 4 at 0x607000015f2c thread T0

0x607000015f2c is located 44 bytes inside of 80-byte region [0x607000015f00,0x607000015f50)

SUMMARY: AddressSanitizer: heap-use-after-free (<path>/bin/flang-20+0x7f0e989) (BuildId: b0badf8d95053aba610642d45dedc2818ec6eece) 
==587111==ABORTING
PLEASE submit a bug report to https://github.com/llvm/llvm-project/issues/ and include the crash backtrace.
Stack dump:
0.	Program arguments: <path>/bin/flang -fc1 -triple x86_64-unknown-linux-gnu -emit-obj -mrelocation-model pic -pic-level 2 -pic-is-pie -target-cpu x86-64 -resource-dir <path>/lib/clang/20 -mframe-pointer=all -o /tmp/asan_crash-a4e139.o -x f95-cpp-input /tmp/asan_crash.f90
 #0 0x000055c03fa6784b backtrace (<path>/bin/flang+0x2e6884b)
 #1 0x000055c040c1791d llvm::sys::PrintStackTrace(llvm::raw_ostream&, int) /repo/llvm-project-250107-trunk/llvm/lib/Support/Unix/Signals.inc:727:8
 #2 0x000055c040c0fe37 llvm::sys::RunSignalHandlers() /repo/llvm-project-250107-trunk/llvm/lib/Support/Signals.cpp:0:5
 #3 0x000055c040c195e4 SignalHandler(int) /repo/llvm-project-250107-trunk/llvm/lib/Support/Unix/Signals.inc:0:3
 #4 0x00007f4bbd6d2520 (/lib/x86_64-linux-gnu/libc.so.6+0x42520)
 #5 0x00007f4bbd7269fc __pthread_kill_implementation ./nptl/pthread_kill.c:44:76
 #6 0x00007f4bbd7269fc __pthread_kill_internal ./nptl/pthread_kill.c:78:10
 #7 0x00007f4bbd7269fc pthread_kill ./nptl/pthread_kill.c:89:10
 #8 0x00007f4bbd6d2476 gsignal ./signal/../sysdeps/posix/raise.c:27:6
 #9 0x00007f4bbd6b87f3 abort ./stdlib/abort.c:81:7
#10 0x000055c03facb947 (<path>/bin/flang+0x2ecc947)
#11 0x000055c03faca2a1 (<path>/bin/flang+0x2ecb2a1)
#12 0x000055c03fab2f67 (<path>/bin/flang+0x2eb3f67)
#13 0x000055c03fab5bdf __asan::ReportGenericError(unsigned long, unsigned long, unsigned long, unsigned long, bool, unsigned long, unsigned int, bool) (<path>/bin/flang+0x2eb6bdf)
#14 0x000055c03fab67d8 __asan_report_load4 (<path>/bin/flang+0x2eb77d8)
#15 0x000055c044b0d98a index /usr/bin/../lib/gcc/x86_64-linux-gnu/11/../../../../include/c++/11/variant:1626:45
#16 0x000055c044b0d98a get_if<0UL, Fortran::common::Indirection<Fortran::evaluate::Expr<Fortran::evaluate::SomeType>, true>, Fortran::evaluate::ActualArgument::AssumedType, unsigned long> /usr/bin/../lib/gcc/x86_64-linux-gnu/11/../../../../include/c++/11/variant:1193:27
#17 0x000055c044b0d98a get_if<Fortran::common::Indirection<Fortran::evaluate::Expr<Fortran::evaluate::SomeType>, true>, Fortran::common::Indirection<Fortran::evaluate::Expr<Fortran::evaluate::SomeType>, true>, Fortran::evaluate::ActualArgument::AssumedType, unsigned long> /usr/bin/../lib/gcc/x86_64-linux-gnu/11/../../../../include/c++/11/variant:1216:14
#18 0x000055c044b0d98a UnwrapExpr /repo/llvm-project-250107-trunk/flang/include/flang/Evaluate/call.h:94:13
#19 0x000055c044b0d98a Fortran::semantics::CheckIfArgIsDoVar(Fortran::evaluate::ActualArgument const&, Fortran::parser::CharBlock, Fortran::semantics::SemanticsContext&) /repo/llvm-project-250107-trunk/flang/lib/Semantics/check-do-forall.cpp:1080:38
#20 0x000055c044b0ddcf operator++ /usr/bin/../lib/gcc/x86_64-linux-gnu/11/../../../../include/c++/11/bits/stl_tree.h:368:12
#21 0x000055c044b0ddcf Fortran::semantics::DoForallChecker::Leave(Fortran::parser::Expr const&) /repo/llvm-project-250107-trunk/flang/lib/Semantics/check-do-forall.cpp:1158:54
#22 0x000055c04436e452 Post<Fortran::parser::Expr> /repo/llvm-project-250107-trunk/flang/lib/Semantics/semantics.cpp:0:5
#23 0x000055c04436e452 void Fortran::parser::detail::ParseTreeVisitorLookupScope::IterativeWalk<Fortran::parser::Expr const, Fortran::semantics::SemanticsVisitor<Fortran::semantics::AllocateChecker, Fortran::semantics::ArithmeticIfStmtChecker, Fortran::semantics::AssignmentChecker, Fortran::semantics::CaseChecker, Fortran::semantics::CoarrayChecker, Fortran::semantics::DataChecker, Fortran::semantics::DeallocateChecker, Fortran::semantics::DoForallChecker, Fortran::semantics::IfStmtChecker, Fortran::semantics::IoChecker, Fortran::semantics::MiscChecker, Fortran::semantics::NamelistChecker, Fortran::semantics::NullifyChecker, Fortran::semantics::PurityChecker, Fortran::semantics::ReturnStmtChecker, Fortran::semantics::SelectRankConstructChecker, Fortran::semantics::SelectTypeChecker, Fortran::semantics::StopChecker>, Fortran::parser::Expr::IntrinsicUnary const, Fortran::parser::Expr::IntrinsicBinary const>(Fortran::parser::Expr const&, Fortran::semantics::SemanticsVisitor<Fortran::semantics::AllocateChecker, Fortran::semantics::ArithmeticIfStmtChecker, Fortran::semantics::AssignmentChecker, Fortran::semantics::CaseChecker, Fortran::semantics::CoarrayChecker, Fortran::semantics::DataChecker, Fortran::semantics::DeallocateChecker, Fortran::semantics::DoForallChecker, Fortran::semantics::IfStmtChecker, Fortran::semantics::IoChecker, Fortran::semantics::MiscChecker, Fortran::semantics::NamelistChecker, Fortran::semantics::NullifyChecker, Fortran::semantics::PurityChecker, Fortran::semantics::ReturnStmtChecker, Fortran::semantics::SelectRankConstructChecker, Fortran::semantics::SelectTypeChecker, Fortran::semantics::StopChecker>&) /repo/llvm-project-250107-trunk/flang/include/flang/Parser/parse-tree-visitor.h:527:17
#24 0x000055c044392a0d Post<Fortran::parser::AssignmentStmt> /repo/llvm-project-250107-trunk/flang/lib/Semantics/semantics.cpp:92:5
... manually truncated
#60 0x000055c044360cf0 Walk /repo/llvm-project-250107-trunk/flang/lib/Semantics/semantics.cpp:118:5
#61 0x000055c044360cf0 PerformStatementSemantics /repo/llvm-project-250107-trunk/flang/lib/Semantics/semantics.cpp:214:9
#62 0x000055c044360cf0 Fortran::semantics::Semantics::Perform() /repo/llvm-project-250107-trunk/flang/lib/Semantics/semantics.cpp:648:7
#63 0x000055c040cbcf0b Fortran::frontend::FrontendAction::runSemanticChecks() /repo/llvm-project-250107-trunk/flang/lib/Frontend/FrontendAction.cpp:0:13
#64 0x000055c042277185 Fortran::frontend::CodeGenAction::beginSourceFileAction() /repo/llvm-project-250107-trunk/flang/lib/Frontend/FrontendActions.cpp:287:34
#65 0x000055c040cbb21c Fortran::frontend::FrontendAction::beginSourceFile(Fortran::frontend::CompilerInstance&, Fortran::frontend::FrontendInputFile const&) /repo/llvm-project-250107-trunk/flang/lib/Frontend/FrontendAction.cpp:0:8
#66 0x000055c040c6c5df Fortran::frontend::CompilerInstance::executeAction(Fortran::frontend::FrontendAction&) /repo/llvm-project-250107-trunk/flang/lib/Frontend/CompilerInstance.cpp:172:9
#67 0x000055c040cc77b7 Fortran::frontend::executeCompilerInvocation(Fortran::frontend::CompilerInstance*) /repo/llvm-project-250107-trunk/flang/lib/FrontendTool/ExecuteCompilerInvocation.cpp:222:25
#68 0x000055c03fae79ed fc1_main(llvm::ArrayRef<char const*>, char const*) /repo/llvm-project-250107-trunk/flang/tools/flang-driver/fc1_main.cpp:91:13
#69 0x000055c03fae2dc2 executeFC1Tool /repo/llvm-project-250107-trunk/flang/tools/flang-driver/driver.cpp:66:12
#70 0x000055c03fae2dc2 main /repo/llvm-project-250107-trunk/flang/tools/flang-driver/driver.cpp:110:14
#71 0x00007f4bbd6b9d90 __libc_start_call_main ./csu/../sysdeps/nptl/libc_start_call_main.h:58:16
#72 0x00007f4bbd6b9e40 call_init ./csu/../csu/libc-start.c:128:20
#73 0x00007f4bbd6b9e40 __libc_start_main ./csu/../csu/libc-start.c:379:5
#74 0x000055c03fa2d945 _start (<path>/bin/flang+0x2e2e945)
flang-20: error: unable to execute command: Aborted
flang-20: error: flang frontend command failed due to signal (use -v to see invocation)
flang version 20.0.0git (https://github.com/llvm/llvm-project.git ac604b2fa6ff0344a555954069721c0db7b874f9)
Target: x86_64-unknown-linux-gnu
Thread model: posix
InstalledDir: <path>/bin
Build config: +assertions, +asan

The test case was generated by a fuzzer.
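Added triage helper (not code from this issue or from flang): it reads the ASan header for what went wrong and the symbolized LLVM "Stack dump" for where, and builds a deduplication key from the innermost in-project frames, so repeated fuzzer hits on this bug can be recognised even though heap addresses differ between runs. The embedded report is a constructed excerpt of the one pasted above, and the "/flang/" path marker for project frames is an assumption.

```python
import re
from dataclasses import dataclass, field
from pathlib import PurePosixPath
from typing import List, Optional

# Constructed excerpt of the report pasted in the issue: the ASan header and the
# symbolized "Stack dump" (unsymbolized frames, shadow bytes and some template
# noise dropped; "..." marks where text was cut).
SAMPLE_REPORT = """\
==587111==ERROR: AddressSanitizer: heap-use-after-free on address 0x607000015f2c at pc 0x55c044b0d98a bp 0x7ffeeb78c7f0 sp 0x7ffeeb78c7e8
READ of size 4 at 0x607000015f2c thread T0
    #0 0x55c044b0d989  (<path>/bin/flang-20+0x7f0e989) (BuildId: b0badf8d95053aba610642d45dedc2818ec6eece)

0x607000015f2c is located 44 bytes inside of 80-byte region [0x607000015f00,0x607000015f50)
freed by thread T0 here:
    #0 0x55c03fae041d  (<path>/bin/flang-20+0x2ee141d) (BuildId: b0badf8d95053aba610642d45dedc2818ec6eece)

SUMMARY: AddressSanitizer: heap-use-after-free (<path>/bin/flang-20+0x7f0e989) (BuildId: b0badf8d95053aba610642d45dedc2818ec6eece)
==587111==ABORTING
Stack dump:
0.\tProgram arguments: <path>/bin/flang -fc1 -triple x86_64-unknown-linux-gnu -emit-obj ... /tmp/asan_crash.f90
#14 0x000055c03fab67d8 __asan_report_load4 (<path>/bin/flang+0x2eb77d8)
#15 0x000055c044b0d98a index /usr/bin/../lib/gcc/x86_64-linux-gnu/11/../../../../include/c++/11/variant:1626:45
#18 0x000055c044b0d98a UnwrapExpr /repo/llvm-project-250107-trunk/flang/include/flang/Evaluate/call.h:94:13
#19 0x000055c044b0d98a Fortran::semantics::CheckIfArgIsDoVar(Fortran::evaluate::ActualArgument const&, Fortran::parser::CharBlock, Fortran::semantics::SemanticsContext&) /repo/llvm-project-250107-trunk/flang/lib/Semantics/check-do-forall.cpp:1080:38
#20 0x000055c044b0ddcf operator++ /usr/bin/../lib/gcc/x86_64-linux-gnu/11/../../../../include/c++/11/bits/stl_tree.h:368:12
#21 0x000055c044b0ddcf Fortran::semantics::DoForallChecker::Leave(Fortran::parser::Expr const&) /repo/llvm-project-250107-trunk/flang/lib/Semantics/check-do-forall.cpp:1158:54
"""

PROJECT_MARKER = "/flang/"  # assumption: frames under this path belong to the project under test
ERROR_RE = re.compile(r"ERROR: AddressSanitizer: (?P<kind>[\w-]+) on address (?P<addr>0x[0-9a-f]+)")
ACCESS_RE = re.compile(r"^(?P<op>READ|WRITE) of size (?P<size>\d+)", re.M)
REGION_RE = re.compile(r"located (?P<off>\d+) bytes (?:inside|to the left|to the right) of (?P<rsize>\d+)-byte region")
# "#N 0xADDR <function> [<file>:<line>:<col>]"; the demangled function may contain spaces.
FRAME_RE = re.compile(r"^[ \t]*#(?P<n>\d+)\s+0x[0-9a-f]+\s+(?P<func>.*?)(?:\s+(?P<file>\S+):(?P<line>\d+):\d+)?[ \t]*$", re.M)

@dataclass
class Frame:
    depth: int
    func: str                 # demangled name with the parameter list stripped
    file: Optional[str]       # None when the symbolizer gave no source location
    line: Optional[int]

    @property
    def in_project(self) -> bool:
        return self.file is not None and PROJECT_MARKER in self.file

@dataclass
class CrashSignature:
    kind: str                 # e.g. "heap-use-after-free"
    address: str
    op: str                   # READ or WRITE
    size: int                 # bytes accessed
    region_size: Optional[int]
    offset: Optional[int]     # offset of the bad access inside the heap region
    frames: List[Frame] = field(default_factory=list)

    def project_frames(self, top: int = 3) -> List[Frame]:
        # innermost frames in the project's own sources (skips libstdc++, libc and ASan runtime)
        return [f for f in self.frames if f.in_project][:top]

    def key(self) -> str:
        # addresses differ between runs; bug kind, access and project frames do not
        parts = [self.kind, f"{self.op}{self.size}"]
        for f in self.project_frames():
            parts.append(f"{f.func}@{PurePosixPath(f.file).name}:{f.line}")
        return "|".join(parts)

def parse_frames(stack_dump: str) -> List[Frame]:
    frames = []
    for m in FRAME_RE.finditer(stack_dump):
        func = m.group("func").split("(", 1)[0].strip()
        line = int(m.group("line")) if m.group("line") else None
        frames.append(Frame(int(m.group("n")), func, m.group("file"), line))
    return frames

def triage(report: str) -> CrashSignature:
    # the ASan header says what went wrong; the LLVM "Stack dump:" section says where
    head, _, dump = report.partition("Stack dump:")
    err = ERROR_RE.search(head)
    if err is None:
        raise ValueError("no AddressSanitizer error header in report")
    acc = ACCESS_RE.search(head)
    reg = REGION_RE.search(head)
    return CrashSignature(
        kind=err.group("kind"),
        address=err.group("addr"),
        op=acc.group("op") if acc else "?",
        size=int(acc.group("size")) if acc else 0,
        region_size=int(reg.group("rsize")) if reg else None,
        offset=int(reg.group("off")) if reg else None,
        frames=parse_frames(dump),
    )

if __name__ == "__main__":
    sig = triage(SAMPLE_REPORT)
    print(f"{sig.kind}: {sig.op} of {sig.size} bytes, {sig.offset} bytes into a freed {sig.region_size}-byte object")
    for f in sig.project_frames():
        print(f"  {f.func}  ({PurePosixPath(f.file).name}:{f.line})")
    print("dedup key:", sig.key())
```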

@llvmbot llvmbot added the flang (Flang issues not falling into any other category) label Jan 7, 2025
@EugeneZelenko EugeneZelenko added the flang:frontend, crash (Prefer [crash-on-valid] or [crash-on-invalid]) and generated by fuzzer labels and removed the flang (Flang issues not falling into any other category) label Jan 7, 2025

llvmbot commented Jan 7, 2025

@llvm/issue-subscribers-flang-frontend

Author: yype (yype)

Hi there, flang crashes from a heap-use-after-free on the following test case:
real, intent(in), pointer :: a(:)
SUM([1]) = a(nn(x):command_argument_count()) + a(i)
end

Tested version(s): 19.1.0, trunk (ASAN build)

A Compiler Explorer demo is not available, as this crash requires an ASAN build of flang to reproduce, which is not available on Compiler Explorer yet.

Partial stack dump:

<details>
<summary>Click me</summary>

=================================================================
==587111==ERROR: AddressSanitizer: heap-use-after-free on address 0x607000015f2c at pc 0x55c044b0d98a bp 0x7ffeeb78c7f0 sp 0x7ffeeb78c7e8
READ of size 4 at 0x607000015f2c thread T0
    #<!-- -->0 0x55c044b0d989  (&lt;path&gt;/bin/flang-20+0x7f0e989) (BuildId: b0badf8d95053aba610642d45dedc2818ec6eece)
    #<!-- -->1 0x55c044b0ddce  (&lt;path&gt;/bin/flang-20+0x7f0edce) (BuildId: b0badf8d95053aba610642d45dedc2818ec6eece)
    #<!-- -->2 0x55c04436e451  (&lt;path&gt;/bin/flang-20+0x776f451) (BuildId: b0badf8d95053aba610642d45dedc2818ec6eece)
    #<!-- -->3 0x55c044392a0c  (&lt;path&gt;/bin/flang-20+0x7793a0c) (BuildId: b0badf8d95053aba610642d45dedc2818ec6eece)
    #<!-- -->4 0x55c04438f473  (&lt;path&gt;/bin/flang-20+0x7790473) (BuildId: b0badf8d95053aba610642d45dedc2818ec6eece)
    #<!-- -->5 0x55c04438e859  (&lt;path&gt;/bin/flang-20+0x778f859) (BuildId: b0badf8d95053aba610642d45dedc2818ec6eece)
    #<!-- -->6 0x55c0443abb27  (&lt;path&gt;/bin/flang-20+0x77acb27) (BuildId: b0badf8d95053aba610642d45dedc2818ec6eece)
    #<!-- -->7 0x55c04436c738  (&lt;path&gt;/bin/flang-20+0x776d738) (BuildId: b0badf8d95053aba610642d45dedc2818ec6eece)
    #<!-- -->8 0x55c044360cef  (&lt;path&gt;/bin/flang-20+0x7761cef) (BuildId: b0badf8d95053aba610642d45dedc2818ec6eece)
    #<!-- -->9 0x55c040cbcf0a  (&lt;path&gt;/bin/flang-20+0x40bdf0a) (BuildId: b0badf8d95053aba610642d45dedc2818ec6eece)
    #<!-- -->10 0x55c042277184  (&lt;path&gt;/bin/flang-20+0x5678184) (BuildId: b0badf8d95053aba610642d45dedc2818ec6eece)
    #<!-- -->11 0x55c040cbb21b  (&lt;path&gt;/bin/flang-20+0x40bc21b) (BuildId: b0badf8d95053aba610642d45dedc2818ec6eece)
    #<!-- -->12 0x55c040c6c5de  (&lt;path&gt;/bin/flang-20+0x406d5de) (BuildId: b0badf8d95053aba610642d45dedc2818ec6eece)
    #<!-- -->13 0x55c040cc77b6  (&lt;path&gt;/bin/flang-20+0x40c87b6) (BuildId: b0badf8d95053aba610642d45dedc2818ec6eece)
    #<!-- -->14 0x55c03fae79ec  (&lt;path&gt;/bin/flang-20+0x2ee89ec) (BuildId: b0badf8d95053aba610642d45dedc2818ec6eece)
    #<!-- -->15 0x55c03fae2dc1  (&lt;path&gt;/bin/flang-20+0x2ee3dc1) (BuildId: b0badf8d95053aba610642d45dedc2818ec6eece)
    #<!-- -->16 0x7f4bbd6b9d8f  (/lib/x86_64-linux-gnu/libc.so.6+0x29d8f) (BuildId: 490fef8403240c91833978d494d39e537409b92e)
    #<!-- -->17 0x7f4bbd6b9e3f  (/lib/x86_64-linux-gnu/libc.so.6+0x29e3f) (BuildId: 490fef8403240c91833978d494d39e537409b92e)
    #<!-- -->18 0x55c03fa2d944  (&lt;path&gt;/bin/flang-20+0x2e2e944) (BuildId: b0badf8d95053aba610642d45dedc2818ec6eece)

0x607000015f2c is located 44 bytes inside of 80-byte region [0x607000015f00,0x607000015f50)
freed by thread T0 here:
    #<!-- -->0 0x55c03fae041d  (&lt;path&gt;/bin/flang-20+0x2ee141d) (BuildId: b0badf8d95053aba610642d45dedc2818ec6eece)
    #<!-- -->1 0x55c04551f20a  (&lt;path&gt;/bin/flang-20+0x892020a) (BuildId: b0badf8d95053aba610642d45dedc2818ec6eece)
    #<!-- -->2 0x55c0427ec1dd  (&lt;path&gt;/bin/flang-20+0x5bed1dd) (BuildId: b0badf8d95053aba610642d45dedc2818ec6eece)
    #<!-- -->3 0x55c0427fa224  (&lt;path&gt;/bin/flang-20+0x5bfb224) (BuildId: b0badf8d95053aba610642d45dedc2818ec6eece)
    #<!-- -->4 0x55c044bbc6b6  (&lt;path&gt;/bin/flang-20+0x7fbd6b6) (BuildId: b0badf8d95053aba610642d45dedc2818ec6eece)
    #<!-- -->5 0x55c044bbb523  (&lt;path&gt;/bin/flang-20+0x7fbc523) (BuildId: b0badf8d95053aba610642d45dedc2818ec6eece)
    #<!-- -->6 0x55c044bba4b9  (&lt;path&gt;/bin/flang-20+0x7fbb4b9) (BuildId: b0badf8d95053aba610642d45dedc2818ec6eece)
    #<!-- -->7 0x55c044be8496  (&lt;path&gt;/bin/flang-20+0x7fe9496) (BuildId: b0badf8d95053aba610642d45dedc2818ec6eece)
    #<!-- -->8 0x55c044bce2f2  (&lt;path&gt;/bin/flang-20+0x7fcf2f2) (BuildId: b0badf8d95053aba610642d45dedc2818ec6eece)
    #<!-- -->9 0x55c044bcd7b8  (&lt;path&gt;/bin/flang-20+0x7fce7b8) (BuildId: b0badf8d95053aba610642d45dedc2818ec6eece)
    #<!-- -->10 0x55c044bce8b0  (&lt;path&gt;/bin/flang-20+0x7fcf8b0) (BuildId: b0badf8d95053aba610642d45dedc2818ec6eece)
    #<!-- -->11 0x55c044bc32ea  (&lt;path&gt;/bin/flang-20+0x7fc42ea) (BuildId: b0badf8d95053aba610642d45dedc2818ec6eece)
    #<!-- -->12 0x55c044bb70c9  (&lt;path&gt;/bin/flang-20+0x7fb80c9) (BuildId: b0badf8d95053aba610642d45dedc2818ec6eece)
    #<!-- -->13 0x55c044b0dceb  (&lt;path&gt;/bin/flang-20+0x7f0eceb) (BuildId: b0badf8d95053aba610642d45dedc2818ec6eece)
    #<!-- -->14 0x55c04436e451  (&lt;path&gt;/bin/flang-20+0x776f451) (BuildId: b0badf8d95053aba610642d45dedc2818ec6eece)
    #<!-- -->15 0x55c044392a0c  (&lt;path&gt;/bin/flang-20+0x7793a0c) (BuildId: b0badf8d95053aba610642d45dedc2818ec6eece)
    #<!-- -->16 0x55c04438f473  (&lt;path&gt;/bin/flang-20+0x7790473) (BuildId: b0badf8d95053aba610642d45dedc2818ec6eece)
    #<!-- -->17 0x55c04438e859  (&lt;path&gt;/bin/flang-20+0x778f859) (BuildId: b0badf8d95053aba610642d45dedc2818ec6eece)
    #<!-- -->18 0x55c0443abb27  (&lt;path&gt;/bin/flang-20+0x77acb27) (BuildId: b0badf8d95053aba610642d45dedc2818ec6eece)
    #<!-- -->19 0x55c04436c738  (&lt;path&gt;/bin/flang-20+0x776d738) (BuildId: b0badf8d95053aba610642d45dedc2818ec6eece)
    #<!-- -->20 0x55c044360cef  (&lt;path&gt;/bin/flang-20+0x7761cef) (BuildId: b0badf8d95053aba610642d45dedc2818ec6eece)
    #<!-- -->21 0x55c040cbcf0a  (&lt;path&gt;/bin/flang-20+0x40bdf0a) (BuildId: b0badf8d95053aba610642d45dedc2818ec6eece)
    #<!-- -->22 0x55c042277184  (&lt;path&gt;/bin/flang-20+0x5678184) (BuildId: b0badf8d95053aba610642d45dedc2818ec6eece)
    #<!-- -->23 0x55c040cbb21b  (&lt;path&gt;/bin/flang-20+0x40bc21b) (BuildId: b0badf8d95053aba610642d45dedc2818ec6eece)
    #<!-- -->24 0x55c040c6c5de  (&lt;path&gt;/bin/flang-20+0x406d5de) (BuildId: b0badf8d95053aba610642d45dedc2818ec6eece)
    #<!-- -->25 0x55c040cc77b6  (&lt;path&gt;/bin/flang-20+0x40c87b6) (BuildId: b0badf8d95053aba610642d45dedc2818ec6eece)
    #<!-- -->26 0x55c03fae79ec  (&lt;path&gt;/bin/flang-20+0x2ee89ec) (BuildId: b0badf8d95053aba610642d45dedc2818ec6eece)
    #<!-- -->27 0x55c03fae2dc1  (&lt;path&gt;/bin/flang-20+0x2ee3dc1) (BuildId: b0badf8d95053aba610642d45dedc2818ec6eece)
    #<!-- -->28 0x7f4bbd6b9d8f  (/lib/x86_64-linux-gnu/libc.so.6+0x29d8f) (BuildId: 490fef8403240c91833978d494d39e537409b92e)

previously allocated by thread T0 here:
    #<!-- -->0 0x55c03fadfbbd  (&lt;path&gt;/bin/flang-20+0x2ee0bbd) (BuildId: b0badf8d95053aba610642d45dedc2818ec6eece)
    #<!-- -->1 0x55c0428d6563  (&lt;path&gt;/bin/flang-20+0x5cd7563) (BuildId: b0badf8d95053aba610642d45dedc2818ec6eece)
    #<!-- -->2 0x55c0428c49bf  (&lt;path&gt;/bin/flang-20+0x5cc59bf) (BuildId: b0badf8d95053aba610642d45dedc2818ec6eece)
    #<!-- -->3 0x55c0428c2e17  (&lt;path&gt;/bin/flang-20+0x5cc3e17) (BuildId: b0badf8d95053aba610642d45dedc2818ec6eece)
    #<!-- -->4 0x55c0479195f2  (&lt;path&gt;/bin/flang-20+0xad1a5f2) (BuildId: b0badf8d95053aba610642d45dedc2818ec6eece)
    #<!-- -->5 0x55c044bbc148  (&lt;path&gt;/bin/flang-20+0x7fbd148) (BuildId: b0badf8d95053aba610642d45dedc2818ec6eece)
    #<!-- -->6 0x55c044bbb523  (&lt;path&gt;/bin/flang-20+0x7fbc523) (BuildId: b0badf8d95053aba610642d45dedc2818ec6eece)
    #<!-- -->7 0x55c044bba4b9  (&lt;path&gt;/bin/flang-20+0x7fbb4b9) (BuildId: b0badf8d95053aba610642d45dedc2818ec6eece)
    #<!-- -->8 0x55c044be8496  (&lt;path&gt;/bin/flang-20+0x7fe9496) (BuildId: b0badf8d95053aba610642d45dedc2818ec6eece)
    #<!-- -->9 0x55c044bce2f2  (&lt;path&gt;/bin/flang-20+0x7fcf2f2) (BuildId: b0badf8d95053aba610642d45dedc2818ec6eece)
    #<!-- -->10 0x55c044bcd7b8  (&lt;path&gt;/bin/flang-20+0x7fce7b8) (BuildId: b0badf8d95053aba610642d45dedc2818ec6eece)
    #<!-- -->11 0x55c044bce8b0  (&lt;path&gt;/bin/flang-20+0x7fcf8b0) (BuildId: b0badf8d95053aba610642d45dedc2818ec6eece)
    #<!-- -->12 0x55c044bc32ea  (&lt;path&gt;/bin/flang-20+0x7fc42ea) (BuildId: b0badf8d95053aba610642d45dedc2818ec6eece)
    #<!-- -->13 0x55c044bb70c9  (&lt;path&gt;/bin/flang-20+0x7fb80c9) (BuildId: b0badf8d95053aba610642d45dedc2818ec6eece)
    #<!-- -->14 0x55c044b0dceb  (&lt;path&gt;/bin/flang-20+0x7f0eceb) (BuildId: b0badf8d95053aba610642d45dedc2818ec6eece)
    #<!-- -->15 0x55c04436e451  (&lt;path&gt;/bin/flang-20+0x776f451) (BuildId: b0badf8d95053aba610642d45dedc2818ec6eece)
    #<!-- -->16 0x55c044392a0c  (&lt;path&gt;/bin/flang-20+0x7793a0c) (BuildId: b0badf8d95053aba610642d45dedc2818ec6eece)
    #<!-- -->17 0x55c04438f473  (&lt;path&gt;/bin/flang-20+0x7790473) (BuildId: b0badf8d95053aba610642d45dedc2818ec6eece)
    #<!-- -->18 0x55c04438e859  (&lt;path&gt;/bin/flang-20+0x778f859) (BuildId: b0badf8d95053aba610642d45dedc2818ec6eece)
    #<!-- -->19 0x55c0443abb27  (&lt;path&gt;/bin/flang-20+0x77acb27) (BuildId: b0badf8d95053aba610642d45dedc2818ec6eece)
    #<!-- -->20 0x55c04436c738  (&lt;path&gt;/bin/flang-20+0x776d738) (BuildId: b0badf8d95053aba610642d45dedc2818ec6eece)
    #<!-- -->21 0x55c044360cef  (&lt;path&gt;/bin/flang-20+0x7761cef) (BuildId: b0badf8d95053aba610642d45dedc2818ec6eece)
    #<!-- -->22 0x55c040cbcf0a  (&lt;path&gt;/bin/flang-20+0x40bdf0a) (BuildId: b0badf8d95053aba610642d45dedc2818ec6eece)
    #<!-- -->23 0x55c042277184  (&lt;path&gt;/bin/flang-20+0x5678184) (BuildId: b0badf8d95053aba610642d45dedc2818ec6eece)
    #<!-- -->24 0x55c040cbb21b  (&lt;path&gt;/bin/flang-20+0x40bc21b) (BuildId: b0badf8d95053aba610642d45dedc2818ec6eece)
    #<!-- -->25 0x55c040c6c5de  (&lt;path&gt;/bin/flang-20+0x406d5de) (BuildId: b0badf8d95053aba610642d45dedc2818ec6eece)
    #<!-- -->26 0x55c040cc77b6  (&lt;path&gt;/bin/flang-20+0x40c87b6) (BuildId: b0badf8d95053aba610642d45dedc2818ec6eece)
    #<!-- -->27 0x55c03fae79ec  (&lt;path&gt;/bin/flang-20+0x2ee89ec) (BuildId: b0badf8d95053aba610642d45dedc2818ec6eece)
    #<!-- -->28 0x55c03fae2dc1  (&lt;path&gt;/bin/flang-20+0x2ee3dc1) (BuildId: b0badf8d95053aba610642d45dedc2818ec6eece)
    #<!-- -->29 0x7f4bbd6b9d8f  (/lib/x86_64-linux-gnu/libc.so.6+0x29d8f) (BuildId: 490fef8403240c91833978d494d39e537409b92e)

SUMMARY: AddressSanitizer: heap-use-after-free (&lt;path&gt;/bin/flang-20+0x7f0e989) (BuildId: b0badf8d95053aba610642d45dedc2818ec6eece) 
Shadow bytes around the buggy address:
  0x0c0e7fffab90: fd fd fd fd fd fd fa fa fa fa fd fd fd fd fd fd
  0x0c0e7fffaba0: fd fd fd fd fa fa fa fa fd fd fd fd fd fd fd fd
  0x0c0e7fffabb0: fd fd fa fa fa fa 00 00 00 00 00 00 00 00 00 00
  0x0c0e7fffabc0: fa fa fa fa fd fd fd fd fd fd fd fd fd fd fa fa
  0x0c0e7fffabd0: fa fa fd fd fd fd fd fd fd fd fd fd fa fa fa fa
=&gt;0x0c0e7fffabe0: fd fd fd fd fd[fd]fd fd fd fd fa fa fa fa fa fa
  0x0c0e7fffabf0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c0e7fffac00: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c0e7fffac10: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c0e7fffac20: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c0e7fffac30: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==587111==ABORTING
PLEASE submit a bug report to https://github.com/llvm/llvm-project/issues/ and include the crash backtrace.
Stack dump:
0.	Program arguments: <path>/bin/flang -fc1 -triple x86_64-unknown-linux-gnu -emit-obj -mrelocation-model pic -pic-level 2 -pic-is-pie -target-cpu x86-64 -resource-dir <path>/lib/clang/20 -mframe-pointer=all -o /tmp/asan_crash-a4e139.o -x f95-cpp-input /tmp/asan_crash.f90
 #0 0x000055c03fa6784b backtrace (<path>/bin/flang+0x2e6884b)
 #1 0x000055c040c1791d llvm::sys::PrintStackTrace(llvm::raw_ostream&, int) /repo/llvm-project-250107-trunk/llvm/lib/Support/Unix/Signals.inc:727:8
 #2 0x000055c040c0fe37 llvm::sys::RunSignalHandlers() /repo/llvm-project-250107-trunk/llvm/lib/Support/Signals.cpp:0:5
 #3 0x000055c040c195e4 SignalHandler(int) /repo/llvm-project-250107-trunk/llvm/lib/Support/Unix/Signals.inc:0:3
 #4 0x00007f4bbd6d2520 (/lib/x86_64-linux-gnu/libc.so.6+0x42520)
 #5 0x00007f4bbd7269fc __pthread_kill_implementation ./nptl/pthread_kill.c:44:76
 #6 0x00007f4bbd7269fc __pthread_kill_internal ./nptl/pthread_kill.c:78:10
 #7 0x00007f4bbd7269fc pthread_kill ./nptl/pthread_kill.c:89:10
 #8 0x00007f4bbd6d2476 gsignal ./signal/../sysdeps/posix/raise.c:27:6
 #9 0x00007f4bbd6b87f3 abort ./stdlib/abort.c:81:7
#10 0x000055c03facb947 (<path>/bin/flang+0x2ecc947)
#11 0x000055c03faca2a1 (<path>/bin/flang+0x2ecb2a1)
#12 0x000055c03fab2f67 (<path>/bin/flang+0x2eb3f67)
#13 0x000055c03fab5bdf __asan::ReportGenericError(unsigned long, unsigned long, unsigned long, unsigned long, bool, unsigned long, unsigned int, bool) (<path>/bin/flang+0x2eb6bdf)
#14 0x000055c03fab67d8 __asan_report_load4 (<path>/bin/flang+0x2eb77d8)
#15 0x000055c044b0d98a index /usr/bin/../lib/gcc/x86_64-linux-gnu/11/../../../../include/c++/11/variant:1626:45
#16 0x000055c044b0d98a get_if<0UL, Fortran::common::Indirection<Fortran::evaluate::Expr<Fortran::evaluate::SomeType>, true>, Fortran::evaluate::ActualArgument::AssumedType, unsigned long> /usr/bin/../lib/gcc/x86_64-linux-gnu/11/../../../../include/c++/11/variant:1193:27
#17 0x000055c044b0d98a get_if<Fortran::common::Indirection<Fortran::evaluate::Expr<Fortran::evaluate::SomeType>, true>, Fortran::common::Indirection<Fortran::evaluate::Expr<Fortran::evaluate::SomeType>, true>, Fortran::evaluate::ActualArgument::AssumedType, unsigned long> /usr/bin/../lib/gcc/x86_64-linux-gnu/11/../../../../include/c++/11/variant:1216:14
#18 0x000055c044b0d98a UnwrapExpr /repo/llvm-project-250107-trunk/flang/include/flang/Evaluate/call.h:94:13
#19 0x000055c044b0d98a Fortran::semantics::CheckIfArgIsDoVar(Fortran::evaluate::ActualArgument const&, Fortran::parser::CharBlock, Fortran::semantics::SemanticsContext&) /repo/llvm-project-250107-trunk/flang/lib/Semantics/check-do-forall.cpp:1080:38
#20 0x000055c044b0ddcf operator++ /usr/bin/../lib/gcc/x86_64-linux-gnu/11/../../../../include/c++/11/bits/stl_tree.h:368:12
#21 0x000055c044b0ddcf Fortran::semantics::DoForallChecker::Leave(Fortran::parser::Expr const&) /repo/llvm-project-250107-trunk/flang/lib/Semantics/check-do-forall.cpp:1158:54
#22 0x000055c04436e452 Post<Fortran::parser::Expr> /repo/llvm-project-250107-trunk/flang/lib/Semantics/semantics.cpp:0:5
#23 0x000055c04436e452 void Fortran::parser::detail::ParseTreeVisitorLookupScope::IterativeWalk<Fortran::parser::Expr const, Fortran::semantics::SemanticsVisitor<Fortran::semantics::AllocateChecker, Fortran::semantics::ArithmeticIfStmtChecker, Fortran::semantics::AssignmentChecker, Fortran::semantics::CaseChecker, Fortran::semantics::CoarrayChecker, Fortran::semantics::DataChecker, Fortran::semantics::DeallocateChecker, Fortran::semantics::DoForallChecker, Fortran::semantics::IfStmtChecker, Fortran::semantics::IoChecker, Fortran::semantics::MiscChecker, Fortran::semantics::NamelistChecker, Fortran::semantics::NullifyChecker, Fortran::semantics::PurityChecker, Fortran::semantics::ReturnStmtChecker, Fortran::semantics::SelectRankConstructChecker, Fortran::semantics::SelectTypeChecker, Fortran::semantics::StopChecker>, Fortran::parser::Expr::IntrinsicUnary const, Fortran::parser::Expr::IntrinsicBinary const>(Fortran::parser::Expr const&, Fortran::semantics::SemanticsVisitor<Fortran::semantics::AllocateChecker, Fortran::semantics::ArithmeticIfStmtChecker, Fortran::semantics::AssignmentChecker, Fortran::semantics::CaseChecker, Fortran::semantics::CoarrayChecker, Fortran::semantics::DataChecker, Fortran::semantics::DeallocateChecker, Fortran::semantics::DoForallChecker, Fortran::semantics::IfStmtChecker, Fortran::semantics::IoChecker, Fortran::semantics::MiscChecker, Fortran::semantics::NamelistChecker, Fortran::semantics::NullifyChecker, Fortran::semantics::PurityChecker, Fortran::semantics::ReturnStmtChecker, Fortran::semantics::SelectRankConstructChecker, Fortran::semantics::SelectTypeChecker, Fortran::semantics::StopChecker>&) /repo/llvm-project-250107-trunk/flang/include/flang/Parser/parse-tree-visitor.h:527:17
#24 0x000055c044392a0d Post<Fortran::parser::AssignmentStmt> /repo/llvm-project-250107-trunk/flang/lib/Semantics/semantics.cpp:92:5
... manually truncated
#60 0x000055c044360cf0 Walk /repo/llvm-project-250107-trunk/flang/lib/Semantics/semantics.cpp:118:5
#61 0x000055c044360cf0 PerformStatementSemantics /repo/llvm-project-250107-trunk/flang/lib/Semantics/semantics.cpp:214:9
#62 0x000055c044360cf0 Fortran::semantics::Semantics::Perform() /repo/llvm-project-250107-trunk/flang/lib/Semantics/semantics.cpp:648:7
#63 0x000055c040cbcf0b Fortran::frontend::FrontendAction::runSemanticChecks() /repo/llvm-project-250107-trunk/flang/lib/Frontend/FrontendAction.cpp:0:13
#64 0x000055c042277185 Fortran::frontend::CodeGenAction::beginSourceFileAction() /repo/llvm-project-250107-trunk/flang/lib/Frontend/FrontendActions.cpp:287:34
#65 0x000055c040cbb21c Fortran::frontend::FrontendAction::beginSourceFile(Fortran::frontend::CompilerInstance&, Fortran::frontend::FrontendInputFile const&) /repo/llvm-project-250107-trunk/flang/lib/Frontend/FrontendAction.cpp:0:8
#66 0x000055c040c6c5df Fortran::frontend::CompilerInstance::executeAction(Fortran::frontend::FrontendAction&) /repo/llvm-project-250107-trunk/flang/lib/Frontend/CompilerInstance.cpp:172:9
#67 0x000055c040cc77b7 Fortran::frontend::executeCompilerInvocation(Fortran::frontend::CompilerInstance*) /repo/llvm-project-250107-trunk/flang/lib/FrontendTool/ExecuteCompilerInvocation.cpp:222:25
#68 0x000055c03fae79ed fc1_main(llvm::ArrayRef<char const*>, char const*) /repo/llvm-project-250107-trunk/flang/tools/flang-driver/fc1_main.cpp:91:13
#69 0x000055c03fae2dc2 executeFC1Tool /repo/llvm-project-250107-trunk/flang/tools/flang-driver/driver.cpp:66:12
#70 0x000055c03fae2dc2 main /repo/llvm-project-250107-trunk/flang/tools/flang-driver/driver.cpp:110:14
#71 0x00007f4bbd6b9d90 __libc_start_call_main ./csu/../sysdeps/nptl/libc_start_call_main.h:58:16
#72 0x00007f4bbd6b9e40 call_init ./csu/../csu/libc-start.c:128:20
#73 0x00007f4bbd6b9e40 __libc_start_main ./csu/../csu/libc-start.c:379:5
#74 0x000055c03fa2d945 _start (<path>/bin/flang+0x2e2e945)
flang-20: error: unable to execute command: Aborted
flang-20: error: flang frontend command failed due to signal (use -v to see invocation)
flang version 20.0.0git (https://github.com/llvm/llvm-project.git ac604b2fa6ff0344a555954069721c0db7b874f9)
Target: x86_64-unknown-linux-gnu
Thread model: posix
InstalledDir: &lt;path&gt;/bin
Build config: +assertions, +asan

</details>

The test case was generated by a fuzzer.

klausler added a commit to klausler/llvm-project that referenced this issue Jan 10, 2025
The expression traversal library needs to use interfaces into
triplets (and substrings) that return pointers to nested
expressions, rather than optional copies of them, since at
least one semantic analysis collects a set of references to
some subexpression representation class instances, and those
references obviously can't point to local copies of objects.

Fixes llvm#121999.
@klausler klausler self-assigned this Jan 10, 2025
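The failure mode described in that commit message (an analysis that records references during a tree walk and inspects them later, fed by an accessor that returns an optional copy of the subexpression instead of a pointer into the owning node) can be reduced to a few lines of standalone C++. The following is an added illustration, not flang code: the `Expr` and `Triplet` types, the accessors `LowerByValue`/`LowerByPointer`, and the `CollectLowerBounds`/`CountPointingIntoTree` helpers are all hypothetical stand-ins for the real evaluate types and the DoForallChecker's gather-on-walk, check-on-Leave pattern. The two constructed triplets mirror the `nn(x):command_argument_count()` section from the reproducer.

```cpp
// Added example: why "collect pointers now, check them later" needs accessors
// that point into the tree rather than return copies. Hypothetical types only.
#include <cstddef>
#include <iostream>
#include <optional>
#include <set>
#include <string>
#include <vector>

// Toy stand-in for an expression node (not flang's evaluate::Expr).
struct Expr {
  std::string text;
};

// Toy subscript triplet lower:upper:stride; each bound may be absent.
struct Triplet {
  std::optional<Expr> lower, upper, stride;
};

// (1) The shape of interface the commit message calls out: the caller gets a
// temporary copy, so any pointer taken into it dangles once the full
// expression that produced it ends.
std::optional<Expr> LowerByValue(const Triplet &t) { return t.lower; }

// (2) The fixed shape: a pointer into the object that owns the bound, valid
// for as long as the tree itself is alive.
const Expr *LowerByPointer(const Triplet &t) {
  return t.lower ? &*t.lower : nullptr;
}

// Normalise either accessor result to a raw pointer. For the optional case the
// pointer addresses a temporary that dies at the end of the caller's full
// expression; storing that pointer value is what the buggy checker did.
const Expr *ToPointer(const Expr *p) { return p; }
const Expr *ToPointer(const std::optional<Expr> &o) {
  return o ? &*o : nullptr;
}

// Walk phase: gather one pointer per triplet, deferring any checks.
template <typename Accessor>
std::vector<const Expr *> CollectLowerBounds(
    const std::vector<Triplet> &triplets, Accessor get) {
  std::vector<const Expr *> collected;
  for (const Triplet &t : triplets) {
    if (const Expr *p = ToPointer(get(t))) {
      collected.push_back(p);  // with LowerByValue this is already dangling
    }
  }
  return collected;
}

// Leave phase: how many gathered pointers still address a node the tree owns?
// Only pointer values are compared here; nothing is dereferenced, so the
// dangling case is observed without triggering the use-after-free itself.
std::size_t CountPointingIntoTree(const std::vector<Triplet> &triplets,
                                  const std::vector<const Expr *> &collected) {
  std::set<const Expr *> owned;
  for (const Triplet &t : triplets) {
    if (t.lower) owned.insert(&*t.lower);
  }
  std::size_t live = 0;
  for (const Expr *p : collected) {
    if (owned.count(p)) ++live;
  }
  return live;
}

// Constructed input: two sections, the first modelled on the reproducer.
std::vector<Triplet> ExampleTree() {
  return {
      Triplet{Expr{"nn(x)"}, Expr{"command_argument_count()"}, std::nullopt},
      Triplet{Expr{"1"}, Expr{"n"}, Expr{"2"}},
  };
}

std::size_t LiveWithCopies() {
  std::vector<Triplet> tree = ExampleTree();
  return CountPointingIntoTree(tree, CollectLowerBounds(tree, LowerByValue));
}

std::size_t LiveWithPointers() {
  std::vector<Triplet> tree = ExampleTree();
  return CountPointingIntoTree(tree, CollectLowerBounds(tree, LowerByPointer));
}

int main() {
  std::cout << "copy-returning accessor: " << LiveWithCopies()
            << " of 2 collected pointers address tree nodes\n";
  std::cout << "pointer-returning accessor: " << LiveWithPointers()
            << " of 2 collected pointers address tree nodes\n";
  return 0;
}
```

With the copy-returning accessor none of the gathered pointers address anything the tree owns, which is exactly the situation ASan reported above once `CheckIfArgIsDoVar` dereferenced one of them in `Leave`; with the pointer-returning accessor every gathered pointer is still valid. Had the collector dereferenced the copy-derived pointers, building with `-fsanitize=address` would report a stack-use-after-scope or heap-use-after-free at that point.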