From: Tobias Burnus
To: fortran, gcc-patches
Cc: Harald Anlauf
Subject: [Patch] Fortran: Avoid double-free with parse error (PR96041, PR93423)
Date: Sat, 12 Sep 2020 23:00:12 +0200
Message-ID: <299a6530-8c18-52a9-e622-e8d1d1234665@net-b.de>

The testcase for PR93423 did a double free, which caused an ICE. That's reported in PR96041.

Slightly frustrated by the FAIL in the testsuite, I decided to debug and, hopefully, fix this.

The problem is related to putting the symtree into a sub namespace of the symbol's ns. That's fixed up by copying things around – except in the error case where all those fixups are undone. Thus, when the symbol tree is deleted, the parent's sym->formal->sym is also deleted, causing an ICE in resolve_formal_arguments.

Hopefully, I got this all right...

I still see one memory leak for a symbol in module.c according to valgrind, but I don't know whether it is related to those symbols.
(There are a lot of other leaks, mostly related to polymorphism (vtab etc.).)

OK for the trunk?

Tobias

Fortran: Avoid double-free with parse error (PR96041, PR93423)

gcc/fortran/
	PR fortran/96041
	PR fortran/93423
	* decl.c (gfc_match_submod_proc): Avoid later double-free in the error case.

 gcc/fortran/decl.c | 9 +++++++++
 1 file changed, 9 insertions(+)

diff --git a/gcc/fortran/decl.c b/gcc/fortran/decl.c index c612b492f3e..326e6f5db7a 100644 --- a/gcc/fortran/decl.c +++ b/gcc/fortran/decl.c @@ -9819,6 +9819,15 @@ gfc_match_submod_proc (void) if (gfc_match_eos () != MATCH_YES) { + /* Unset st->n.sym. Note: in reject_statement (), the symbol changes are + undone, such that the st->n.sym->formal points to the original symbol; + if now this namespace is finalized, the formal namespace is freed, + but it might be still needed in the parent namespace. */ + gfc_symtree *st = gfc_find_symtree (gfc_current_ns->sym_root, sym->name); + st->n.sym = NULL; + gfc_free_symbol (sym->tlink); + sym->tlink = NULL; + sym->refs--; gfc_syntax_error (ST_MODULE_PROC); return MATCH_ERROR; }
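
Review bot: in the added block of gfc_match_submod_proc, the result of gfc_find_symtree (gfc_current_ns->sym_root, sym->name) is dereferenced by st->n.sym = NULL with no check, so if the lookup can come back NULL on this error path the double-free fix becomes a NULL dereference. Guard it with if (st), or add gcc_assert (st) so the assumption that the symtree always exists here is explicit. The new comment explains why st->n.sym is unset but not which reference the manual sym->refs-- after gfc_free_symbol (sym->tlink) is dropping; one more sentence there would make the ownership easier to audit. The diffstat lists only decl.c, so no testsuite change accompanies the fix; if the existing PR93423 testcase is the intended coverage, stating that in the ChangeLog would help.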