PATCH] Fortran: fix stack overflow passing assumed-rank type to, assumed-rank class [PR60576]

  Hi all,

I tried something a little different. This patch regression tested on x86_64. 
The original bug report dates from 2019.

The patch fixes the issue found with -fsanitizer=address.

OK for mainline? Looks like it ought to be backported after a brief wait.

Regards,

Jerry
---
When an assumed-rank type(T) dummy argument was passed to an assumed-rank
class(T) dummy argument, gfortran generated a GFC_MAX_DIMENSIONS static
struct copy of the array descriptor's dim[] array.  The caller only
allocates storage for dtype.rank dimensions, so the copy read past the
physical end of the descriptor causing a stack-buffer-overflow detected
by AddressSanitizer.

Fix by checking expr->rank == -1 (assumed-rank actual) at the two copy
sites and replacing the static copy with a runtime-sized __builtin_memcpy
of dtype.rank * sizeof(descriptor_dimension) bytes.

Assisted-By: Claude Sonnet 4.6

	PR fortran/60576

gcc/fortran/ChangeLog:

	PR fortran/60576
	* trans-array.cc (gfc_conv_array_parameter): For an assumed-rank
	actual argument passed to a CLASS assumed-rank formal, use a
	runtime-sized memcpy for the dim[] entries instead of a full
	GFC_MAX_DIMENSIONS static copy.
	* trans-expr.cc (gfc_conv_derived_to_class): Likewise for the
	derived_array descriptor copy.

gcc/testsuite/ChangeLog:

	PR fortran/60576
	* gfortran.dg/assumed_rank_26.f90: New test.
---
  

Hello Jerry,

Contrary to my remark on Mattermost, this looks good to me except that
I would halve the size of the patch by refactoring it as in the
attached version. It passes regression testing like the original.

OK for mainline and backporting later on.

Thanks for re-examining this Golden Oldie!

Paul

On Wed, 3 Jun 2026 at 02:32, Jerry D <jvdelisle2@gmail.com> wrote:
>
> Hi all,
>
> I tried something a little different. This patch regression tested on x86_64.
> The original bug report dates from 2019.
>
> The patch fixes the issue found with -fsanitizer=address.
>
> OK for mainline? Looks like it ought to be backported after a brief wait.
>
> Regards,
>
> Jerry
> ---
> When an assumed-rank type(T) dummy argument was passed to an assumed-rank
> class(T) dummy argument, gfortran generated a GFC_MAX_DIMENSIONS static
> struct copy of the array descriptor's dim[] array.  The caller only
> allocates storage for dtype.rank dimensions, so the copy read past the
> physical end of the descriptor causing a stack-buffer-overflow detected
> by AddressSanitizer.
>
> Fix by checking expr->rank == -1 (assumed-rank actual) at the two copy
> sites and replacing the static copy with a runtime-sized __builtin_memcpy
> of dtype.rank * sizeof(descriptor_dimension) bytes.
>
> Assisted-By: Claude Sonnet 4.6
>
>         PR fortran/60576
>
> gcc/fortran/ChangeLog:
>
>         PR fortran/60576
>         * trans-array.cc (gfc_conv_array_parameter): For an assumed-rank
>         actual argument passed to a CLASS assumed-rank formal, use a
>         runtime-sized memcpy for the dim[] entries instead of a full
>         GFC_MAX_DIMENSIONS static copy.
>         * trans-expr.cc (gfc_conv_derived_to_class): Likewise for the
>         derived_array descriptor copy.
>
> gcc/testsuite/ChangeLog:
>
>         PR fortran/60576
>         * gfortran.dg/assumed_rank_26.f90: New test.
> ---
  

On 6/3/26 11:54 PM, Paul Richard Thomas wrote:
> Hello Jerry,
> 
> Contrary to my remark on Mattermost, this looks good to me except that
> I would halve the size of the patch by refactoring it as in the
> attached version. It passes regression testing like the original.
> 
> OK for mainline and backporting later on.
> 
> Thanks for re-examining this Golden Oldie!
> 
> Paul

Paul, the diff you attached threw claude into a tizzy. I slapped it and set it 
back on track. The attached fixes the breakage in the original 
assumed_rank_7.f90 with -fsanitize=address, passes the new 
asan/assumed_rank_26.f90 and fixed a breakage in coarray/dummy_3.f90.

I have completely regression tested this one and manually tested the original 
assume_rank_7.f90 with -fsanitize=address. All pass.

I plan to commit this shortly.

Regards,

Jerry
  

The master branch has been updated by Jerry DeLisle <jvdelisle@gcc.gnu.org>:

https://gcc.gnu.org/g:eaf4292c83804bd21b920db174401ca3702601d4

commit r17-1352-geaf4292c83804bd21b920db174401ca3702601d4
Author: Jerry DeLisle <jvdelisle@gcc.gnu.org>
Date:   Thu Jun 4 12:11:37 2026 -0700

Fixed on trunk. I will let it settle a bit before trying to backport.

Thanks to Harald and Paul for reviews.

Jerry
On 6/4/26 12:52 PM, Jerry D wrote:
> On 6/3/26 11:54 PM, Paul Richard Thomas wrote:
>> Hello Jerry,
>>
>> Contrary to my remark on Mattermost, this looks good to me except that
>> I would halve the size of the patch by refactoring it as in the
>> attached version. It passes regression testing like the original.
>>
>> OK for mainline and backporting later on.
>>
>> Thanks for re-examining this Golden Oldie!
>>
>> Paul
> 
> Paul, the diff you attached threw claude into a tizzy. I slapped it and set it 
> back on track. The attached fixes the breakage in the original 
> assumed_rank_7.f90 with -fsanitize=address, passes the new asan/ 
> assumed_rank_26.f90 and fixed a breakage in coarray/dummy_3.f90.
> 
> I have completely regression tested this one and manually tested the original 
> assume_rank_7.f90 with -fsanitize=address. All pass.
> 
> I plan to commit this shortly.
> 
> Regards,
> 
> Jerry
  

Paul, take the refactor off your list of TODOs. Its done.

Regression tested before the push.

The master branch has been updated by Jerry DeLisle <jvdelisle@gcc.gnu.org>:

https://gcc.gnu.org/g:04c3c1b5b2391e33c460d45d22cfa046121c0361

commit r17-1377-g04c3c1b5b2391e33c460d45d22cfa046121c0361
Author: Jerry DeLisle <jvdelisle@gcc.gnu.org>
Date:   Fri Jun 5 09:22:55 2026 -0700

     fortran: Refactor the commit for 60576

             PR fortran/60576

     gcc/fortran/ChangeLog:

             * trans-array.cc (gfc_resize_assumed_rank_dim_field): New
             function extracted from gfc_conv_array_parameter.
             (gfc_conv_array_parameter): Use the new function.

On 6/5/26 6:49 AM, Paul Richard Thomas wrote:
> Hi Jerry,
> 
> I am not sure that I understand why my suggested patch "threw Claude
> into a tizzy", The two chunks that you pushed are identical. My
> version turned one into a function in trans-array.cc, provided a
> prototype and called it from trans-expr.cc, thereby halving the size
> of the patch.
> 
> I have learned now that you really have to take a close look at
> Claude-generated patches. They tend to code and comment bloat. Also,
> take care with respect to pointers to the standard. It seems to
> generate them at random.
> 
> Refactoring your patch is on my todo list and I will apply it after
> you backport.
> 
> Regards
> 
> Paul
> 
> On Thu, 4 Jun 2026 at 20:52, Jerry D <jvdelisle2@gmail.com> wrote:
>>
>> On 6/3/26 11:54 PM, Paul Richard Thomas wrote:
>>> Hello Jerry,
>>>
>>> Contrary to my remark on Mattermost, this looks good to me except that
>>> I would halve the size of the patch by refactoring it as in the
>>> attached version. It passes regression testing like the original.
>>>
>>> OK for mainline and backporting later on.
>>>
>>> Thanks for re-examining this Golden Oldie!
>>>
>>> Paul
>>
>> Paul, the diff you attached threw claude into a tizzy. I slapped it and set it
>> back on track. The attached fixes the breakage in the original
>> assumed_rank_7.f90 with -fsanitize=address, passes the new
>> asan/assumed_rank_26.f90 and fixed a breakage in coarray/dummy_3.f90.
>>
>> I have completely regression tested this one and manually tested the original
>> assume_rank_7.f90 with -fsanitize=address. All pass.
>>
>> I plan to commit this shortly.
>>
>> Regards,
>>
>> Jerry