Skip to content

[flang] stack-overflow in Fortran::evaluate::GetShapeHelper::CreateShape #122002

New issue
New issue
Closed
Bug
#122364
Closed
[flang] stack-overflow in Fortran::evaluate::GetShapeHelper::CreateShape#122002
Bug
#122364
Assignees
klausler
Labels
crashPrefer [crash-on-valid] or [crash-on-invalid]flang:frontendgenerated by fuzzer
@yype

Description

@yype
yype
opened on Jan 7, 2025

Hi there, flang crashes from a stack-overflow on the following test case:

complex, parameter :: n(n)
end

Tested version(s): 19.1.0, trunk (ASAN build)

This test case can crash flang without the presence of ASAN: https://godbolt.org/z/GMz8xbf39

Partial ASAN dump:

Click me 
PLEASE submit a bug report to https://github.com/llvm/llvm-project/issues/ and include the crash backtrace.
Stack dump:
0.	Program arguments: <path>/bin/flang -fc1 -triple x86_64-unknown-linux-gnu -emit-obj -mrelocation-model pic -pic-level 2 -pic-is-pie -target-cpu x86-64 -resource-dir <path>/lib/clang/20 -mframe-pointer=all -o /tmp/asan_crash2-188458.o -x f95-cpp-input /tmp/asan_crash2.f90
  #0 0x000055ef32c6c84b backtrace (<path>/bin/flang+0x2e6884b)
  #1 0x000055ef33e1c91d llvm::sys::PrintStackTrace(llvm::raw_ostream&, int) /repo/llvm-project-250107-trunk/llvm/lib/Support/Unix/Signals.inc:727:8
  #2 0x000055ef33e14e37 llvm::sys::RunSignalHandlers() /repo/llvm-project-250107-trunk/llvm/lib/Support/Signals.cpp:0:5
  #3 0x000055ef33e1e5e4 SignalHandler(int) /repo/llvm-project-250107-trunk/llvm/lib/Support/Unix/Signals.inc:0:3
  #4 0x00007f3113df5520 (/lib/x86_64-linux-gnu/libc.so.6+0x42520)
  #5 0x000055ef32cb315b __asan_memset (<path>/bin/flang+0x2eaf15b)
  #6 0x000055ef3a56265f Fortran::evaluate::GetShapeHelper::CreateShape(int, Fortran::evaluate::NamedEntity&) const /repo/llvm-project-250107-trunk/flang/lib/Evaluate/shape.cpp:81:36
  ... manually truncated
#873 0x000055ef38d950c1 std::optional<std::vector<std::optional<Fortran::evaluate::Expr<Fortran::evaluate::Type<(Fortran::common::TypeCategory)0, 8>>>, std::allocator<std::optional<Fortran::evaluate::Expr<Fortran::evaluate::Type<(Fortran::common::TypeCategory)0, 8>>>>>> Fortran::evaluate::GetShape<Fortran::evaluate::Expr<Fortran::evaluate::SomeKind<(Fortran::common::TypeCategory)0>>>(Fortran::evaluate::FoldingContext&, Fortran::evaluate::Expr<Fortran::evaluate::SomeKind<(Fortran::common::TypeCategory)0>> const&, bool) /repo/llvm-project-250107-trunk/flang/include/flang/Evaluate/shape.h:250:12
#874 0x000055ef39596d47 std::optional<Fortran::evaluate::Expr<Fortran::evaluate::Type<(Fortran::common::TypeCategory)0, 8>>> Fortran::evaluate::ApplyElementwise<Fortran::evaluate::Convert<Fortran::evaluate::Type<(Fortran::common::TypeCategory)0, 8>, (Fortran::common::TypeCategory)0>, Fortran::evaluate::Type<(Fortran::common::TypeCategory)0, 8>, Fortran::evaluate::SomeKind<(Fortran::common::TypeCategory)0>>(Fortran::evaluate::FoldingContext&, Fortran::evaluate::Operation<Fortran::evaluate::Convert<Fortran::evaluate::Type<(Fortran::common::TypeCategory)0, 8>, (Fortran::common::TypeCategory)0>, Fortran::evaluate::Type<(Fortran::common::TypeCategory)0, 8>, Fortran::evaluate::SomeKind<(Fortran::common::TypeCategory)0>>&, std::function<Fortran::evaluate::Expr<Fortran::evaluate::Type<(Fortran::common::TypeCategory)0, 8>> (Fortran::evaluate::Expr<Fortran::evaluate::SomeKind<(Fortran::common::TypeCategory)0>>&&)>&&) /repo/llvm-project-250107-trunk/flang/lib/Evaluate/fold-implementation.h:0:36
#875 0x000055ef3959660e ~_Function_base /usr/bin/../lib/gcc/x86_64-linux-gnu/11/../../../../include/c++/11/bits/std_function.h:243:11
#876 0x000055ef3959660e ApplyElementwise<Fortran::evaluate::Convert<Fortran::evaluate::Type<Fortran::common::TypeCategory::Integer, 8>, Fortran::common::TypeCategory::Integer>, Fortran::evaluate::Type<Fortran::common::TypeCategory::Integer, 8>, Fortran::evaluate::SomeKind<Fortran::common::TypeCategory::Integer> > /repo/llvm-project-250107-trunk/flang/lib/Evaluate/fold-implementation.h:1632:3
#877 0x000055ef3959660e Fortran::evaluate::Expr<Fortran::evaluate::Type<(Fortran::common::TypeCategory)0, 8>> Fortran::evaluate::FoldOperation<Fortran::evaluate::Type<(Fortran::common::TypeCategory)0, 8>, (Fortran::common::TypeCategory)0>(Fortran::evaluate::FoldingContext&, Fortran::evaluate::Convert<Fortran::evaluate::Type<(Fortran::common::TypeCategory)0, 8>, (Fortran::common::TypeCategory)0>&&) /repo/llvm-project-250107-trunk/flang/lib/Evaluate/fold-implementation.h:1721:18
#878 0x000055ef3957b73c operator()<Fortran::evaluate::Convert<Fortran::evaluate::Type<Fortran::common::TypeCategory::Integer, 8>, Fortran::common::TypeCategory::Integer> > /repo/llvm-project-250107-trunk/flang/lib/Evaluate/fold-implementation.h:0:18
#879 0x000055ef3957b73c Fortran::evaluate::Expr<Fortran::evaluate::Type<(Fortran::common::TypeCategory)0, 8>> Fortran::common::log2visit::Log2VisitHelper<5ul, 8ul, Fortran::evaluate::Expr<Fortran::evaluate::Type<(Fortran::common::TypeCategory)0, 8>>, Fortran::evaluate::ExpressionBase<Fortran::evaluate::Type<(Fortran::common::TypeCategory)0, 8>>::Rewrite(Fortran::evaluate::FoldingContext&, Fortran::evaluate::Expr<Fortran::evaluate::Type<(Fortran::common::TypeCategory)0, 8>>&&)::'lambda'(auto&&), std::variant<Fortran::evaluate::Parentheses<Fortran::evaluate::Type<(Fortran::common::TypeCategory)0, 8>>, Fortran::evaluate::Negate<Fortran::evaluate::Type<(Fortran::common::TypeCategory)0, 8>>, Fortran::evaluate::Add<Fortran::evaluate::Type<(Fortran::common::TypeCategory)0, 8>>, Fortran::evaluate::Subtract<Fortran::evaluate::Type<(Fortran::common::TypeCategory)0, 8>>, Fortran::evaluate::Multiply<Fortran::evaluate::Type<(Fortran::common::TypeCategory)0, 8>>, Fortran::evaluate::Divide<Fortran::evaluate::Type<(Fortran::common::TypeCategory)0, 8>>, Fortran::evaluate::Power<Fortran::evaluate::Type<(Fortran::common::TypeCategory)0, 8>>, Fortran::evaluate::Extremum<Fortran::evaluate::Type<(Fortran::common::TypeCategory)0, 8>>, Fortran::evaluate::Convert<Fortran::evaluate::Type<(Fortran::common::TypeCategory)0, 8>, (Fortran::common::TypeCategory)0>, Fortran::evaluate::Convert<Fortran::evaluate::Type<(Fortran::common::TypeCategory)0, 8>, (Fortran::common::TypeCategory)2>, Fortran::evaluate::Convert<Fortran::evaluate::Type<(Fortran::common::TypeCategory)0, 8>, (Fortran::common::TypeCategory)1>, Fortran::evaluate::ImpliedDoIndex, Fortran::evaluate::TypeParamInquiry, Fortran::evaluate::DescriptorInquiry, Fortran::evaluate::Constant<Fortran::evaluate::Type<(Fortran::common::TypeCategory)0, 8>>, Fortran::evaluate::ArrayConstructor<Fortran::evaluate::Type<(Fortran::common::TypeCategory)0, 8>>, Fortran::evaluate::Designator<Fortran::evaluate::Type<(Fortran::common::TypeCategory)0, 8>>, Fortran::evaluate::FunctionRef<Fortran::evaluate::Type<(Fortran::common::TypeCategory)0, 8>>>>(Fortran::evaluate::ExpressionBase<Fortran::evaluate::Type<(Fortran::common::TypeCategory)0, 8>>::Rewrite(Fortran::evaluate::FoldingContext&, Fortran::evaluate::Expr<Fortran::evaluate::Type<(Fortran::common::TypeCategory)0, 8>>&&)::'lambda'(auto&&)&&, unsigned long, std::variant<Fortran::evaluate::Parentheses<Fortran::evaluate::Type<(Fortran::common::TypeCategory)0, 8>>, Fortran::evaluate::Negate<Fortran::evaluate::Type<(Fortran::common::TypeCategory)0, 8>>, Fortran::evaluate::Add<Fortran::evaluate::Type<(Fortran::common::TypeCategory)0, 8>>, Fortran::evaluate::Subtract<Fortran::evaluate::Type<(Fortran::common::TypeCategory)0, 8>>, Fortran::evaluate::Multiply<Fortran::evaluate::Type<(Fortran::common::TypeCategory)0, 8>>, Fortran::evaluate::Divide<Fortran::evaluate::Type<(Fortran::common::TypeCategory)0, 8>>, Fortran::evaluate::Power<Fortran::evaluate::Type<(Fortran::common::TypeCategory)0, 8>>, Fortran::evaluate::Extremum<Fortran::evaluate::Type<(Fortran::common::TypeCategory)0, 8>>, Fortran::evaluate::Convert<Fortran::evaluate::Type<(Fortran::common::TypeCategory)0, 8>, (Fortran::common::TypeCategory)0>, Fortran::evaluate::Convert<Fortran::evaluate::Type<(Fortran::common::TypeCategory)0, 8>, (Fortran::common::TypeCategory)2>, Fortran::evaluate::Convert<Fortran::evaluate::Type<(Fortran::common::TypeCategory)0, 8>, (Fortran::common::TypeCategory)1>, Fortran::evaluate::ImpliedDoIndex, Fortran::evaluate::TypeParamInquiry, Fortran::evaluate::DescriptorInquiry, Fortran::evaluate::Constant<Fortran::evaluate::Type<(Fortran::common::TypeCategory)0, 8>>, Fortran::evaluate::ArrayConstructor<Fortran::evaluate::Type<(Fortran::common::TypeCategory)0, 8>>, Fortran::evaluate::Designator<Fortran::evaluate::Type<(Fortran::common::TypeCategory)0, 8>>, Fortran::evaluate::FunctionRef<Fortran::evaluate::Type<(Fortran::common::TypeCategory)0, 8>>>&&) /repo/llvm-project-250107-trunk/flang/include/flang/Common/visit.h:46:7
AddressSanitizer:DEADLYSIGNAL
=================================================================
==592121==ERROR: AddressSanitizer: stack-overflow on address 0x7ffe133f3b18 (pc 0x55ef32cb315b bp 0x7ffe133f4350 sp 0x7ffe133f3b20 T0)
    #0 0x55ef32cb315b  (<path>/bin/flang-20+0x2eaf15b) (BuildId: b0badf8d95053aba610642d45dedc2818ec6eece)
    ... manually truncated

SUMMARY: AddressSanitizer: stack-overflow (<path>/bin/flang-20+0x2eaf15b) (BuildId: b0badf8d95053aba610642d45dedc2818ec6eece) 
==592121==ABORTING
flang-20: error: unable to execute command: Aborted
flang-20: error: flang frontend command failed due to signal (use -v to see invocation)
flang version 20.0.0git (https://github.com/llvm/llvm-project.git ac604b2fa6ff0344a555954069721c0db7b874f9)
Target: x86_64-unknown-linux-gnu
Thread model: posix
InstalledDir: <path>/bin
Build config: +assertions, +asan
flang-20: note: diagnostic msg: 
********************

PLEASE ATTACH THE FOLLOWING FILES TO THE BUG REPORT:
Preprocessed source(s) and associated run script(s) are located at:
flang-20: note: diagnostic msg: /tmp/asan_crash2-82ca71
flang-20: note: diagnostic msg: /tmp/asan_crash2-82ca71.sh
flang-20: note: diagnostic msg: 

********************

The test case was generated by a fuzzer.

Metadata

Metadata

Assignees

Labels

crashPrefer [crash-on-valid] or [crash-on-invalid]flang:frontendgenerated by fuzzer

Type

Bug

Projects

No projects

Milestone

No milestone

Relationships

None yet

Development

No branches or pull requests

Issue actions