Dangling pointer in ICF from c_str method.

Dangling pointer in ICF from c_str method.

[Sriraman Tallam]

[-- Attachment #1: Type: text/plain, Size: 683 bytes --]

Hi,

   Doug Kwan found a bug in ICF caused by a dangling pointer from
using c_str on a temporary string object. I have attached a patch to
fix it. I suspect this as the cause of bug  reported in :
http://sourceware.org/bugzilla/show_bug.cgi?id=12388. Richard, could
you please see if this patch fixes the bug as I am unable to reproduce
it.

2011-02-02  Sriraman Tallam  <tmsriram@google.com>

	* icf.h (is_section_foldable_candidate): Change type of parameter
        to std::string.
	* icf.cc (Icf::find_identical_sections): Change type of local variable
        section_name to be std::string.
	(is_function_ctor_or_dtor): Change type of parameter to std::string.

Thanks,
-Sri.

[-- Attachment #2: gold_patch.txt --]
[-- Type: text/plain, Size: 3380 bytes --]

Index: icf.cc
===================================================================
RCS file: /cvs/src/src/gold/icf.cc,v
retrieving revision 1.18
diff -u -u -p -r1.18 icf.cc
--- icf.cc	25 Jan 2011 17:14:59 -0000	1.18
+++ icf.cc	2 Feb 2011 19:58:33 -0000
@@ -652,16 +652,17 @@ match_sections(unsigned int iteration_nu
 }
 
 // During safe icf (--icf=safe), only fold functions that are ctors or dtors.
-// This function returns true if the mangled function name is a ctor or a
-// dtor.
+// This function returns true if the section name is that of a ctor or a dtor.
 
 static bool
-is_function_ctor_or_dtor(const char* mangled_func_name)
+is_function_ctor_or_dtor(const std::string& section_name)
 {
-  if ((is_prefix_of("_ZN", mangled_func_name)
-       || is_prefix_of("_ZZ", mangled_func_name))
-      && (is_gnu_v3_mangled_ctor(mangled_func_name)
-          || is_gnu_v3_mangled_dtor(mangled_func_name)))
+  const char* mangled_func_name = strrchr(section_name.c_str(), '.');
+  gold_assert (mangled_func_name != NULL);
+  if ((is_prefix_of("._ZN", mangled_func_name)
+       || is_prefix_of("._ZZ", mangled_func_name))
+      && (is_gnu_v3_mangled_ctor(mangled_func_name + 1)
+          || is_gnu_v3_mangled_dtor(mangled_func_name + 1)))
     {
       return true;
     }
@@ -696,7 +697,7 @@ Icf::find_identical_sections(const Input
 
       for (unsigned int i = 0;i < (*p)->shnum(); ++i)
         {
-	  const char* section_name = (*p)->section_name(i).c_str();
+	  const std::string& section_name = (*p)->section_name(i);
           if (!is_section_foldable_candidate(section_name))
             continue;
           if (!(*p)->is_section_included(i))
@@ -704,13 +705,11 @@ Icf::find_identical_sections(const Input
           if (parameters->options().gc_sections()
               && symtab->gc()->is_section_garbage(*p, i))
               continue;
-	  const char* mangled_func_name = strrchr(section_name, '.');
-	  gold_assert(mangled_func_name != NULL);
 	  // With --icf=safe, check if the mangled function name is a ctor
 	  // or a dtor.  The mangled function name can be obtained from the
 	  // section name by stripping the section prefix.
 	  if (parameters->options().icf_safe_folding()
-              && !is_function_ctor_or_dtor(mangled_func_name + 1)
+              && !is_function_ctor_or_dtor(section_name)
 	      && (!target.can_check_for_function_pointers()
                   || section_has_function_pointers(*p, i)))
             {
Index: icf.h
===================================================================
RCS file: /cvs/src/src/gold/icf.h,v
retrieving revision 1.10
diff -u -u -p -r1.10 icf.h
--- icf.h	25 Aug 2010 08:36:54 -0000	1.10
+++ icf.h	2 Feb 2011 19:58:33 -0000
@@ -168,10 +168,11 @@ class Icf
 // earlier gcc versions, like 4.0.3, put constructors and destructors in
 // .gnu.linkonce.t sections and hence should be included too.
 inline bool
-is_section_foldable_candidate(const char* section_name)
+is_section_foldable_candidate(const std::string& section_name)
 {
-  return (is_prefix_of(".text", section_name)
-          || is_prefix_of(".gnu.linkonce.t", section_name));
+  const char* section_name_cstr = section_name.c_str();
+  return (is_prefix_of(".text", section_name_cstr)
+          || is_prefix_of(".gnu.linkonce.t", section_name_cstr));
 }
 
 } // End of namespace gold.
cvs diff: Diffing po
cvs diff: Diffing testsuite

Re: Dangling pointer in ICF from c_str method.

[Ian Lance Taylor]

Sriraman Tallam <tmsriram@google.com> writes:

> 2011-02-02  Sriraman Tallam  <tmsriram@google.com>
>
> 	* icf.h (is_section_foldable_candidate): Change type of parameter
>         to std::string.
> 	* icf.cc (Icf::find_identical_sections): Change type of local variable
>         section_name to be std::string.
> 	(is_function_ctor_or_dtor): Change type of parameter to std::string.

>  static bool
> -is_function_ctor_or_dtor(const char* mangled_func_name)
> +is_function_ctor_or_dtor(const std::string& section_name)
>  {
> -  if ((is_prefix_of("_ZN", mangled_func_name)
> -       || is_prefix_of("_ZZ", mangled_func_name))
> -      && (is_gnu_v3_mangled_ctor(mangled_func_name)
> -          || is_gnu_v3_mangled_dtor(mangled_func_name)))
> +  const char* mangled_func_name = strrchr(section_name.c_str(), '.');
> +  gold_assert (mangled_func_name != NULL);

No space before parenthesis.

> @@ -696,7 +697,7 @@ Icf::find_identical_sections(const Input
>  
>        for (unsigned int i = 0;i < (*p)->shnum(); ++i)
>          {
> -	  const char* section_name = (*p)->section_name(i).c_str();
> +	  const std::string& section_name = (*p)->section_name(i);

Make this a normal variable rather than a reference.  That is, drop the
'&'.  I think your code is correct but there is no need for a reference
here; RVO should apply, I think.

This is OK with those changes.

Thanks.

Ian

Re: Dangling pointer in ICF from c_str method.

[Sriraman Tallam]

[-- Attachment #1: Type: text/plain, Size: 1629 bytes --]

Made the changes and committed the patch.

Thanks,
-Sri.

On Wed, Feb 2, 2011 at 1:48 PM, Ian Lance Taylor <iant@google.com> wrote:
> Sriraman Tallam <tmsriram@google.com> writes:
>
>> 2011-02-02  Sriraman Tallam  <tmsriram@google.com>
>>
>>       * icf.h (is_section_foldable_candidate): Change type of parameter
>>         to std::string.
>>       * icf.cc (Icf::find_identical_sections): Change type of local variable
>>         section_name to be std::string.
>>       (is_function_ctor_or_dtor): Change type of parameter to std::string.
>
>>  static bool
>> -is_function_ctor_or_dtor(const char* mangled_func_name)
>> +is_function_ctor_or_dtor(const std::string& section_name)
>>  {
>> -  if ((is_prefix_of("_ZN", mangled_func_name)
>> -       || is_prefix_of("_ZZ", mangled_func_name))
>> -      && (is_gnu_v3_mangled_ctor(mangled_func_name)
>> -          || is_gnu_v3_mangled_dtor(mangled_func_name)))
>> +  const char* mangled_func_name = strrchr(section_name.c_str(), '.');
>> +  gold_assert (mangled_func_name != NULL);
>
> No space before parenthesis.
>
>> @@ -696,7 +697,7 @@ Icf::find_identical_sections(const Input
>>
>>        for (unsigned int i = 0;i < (*p)->shnum(); ++i)
>>          {
>> -       const char* section_name = (*p)->section_name(i).c_str();
>> +       const std::string& section_name = (*p)->section_name(i);
>
> Make this a normal variable rather than a reference.  That is, drop the
> '&'.  I think your code is correct but there is no need for a reference
> here; RVO should apply, I think.
>
> This is OK with those changes.
>
> Thanks.
>
> Ian
>

[-- Attachment #2: gold_patch.txt --]
[-- Type: text/plain, Size: 3378 bytes --]

Index: icf.cc
===================================================================
RCS file: /cvs/src/src/gold/icf.cc,v
retrieving revision 1.18
diff -u -u -p -r1.18 icf.cc
--- icf.cc	25 Jan 2011 17:14:59 -0000	1.18
+++ icf.cc	2 Feb 2011 21:53:56 -0000
@@ -652,16 +652,17 @@ match_sections(unsigned int iteration_nu
 }
 
 // During safe icf (--icf=safe), only fold functions that are ctors or dtors.
-// This function returns true if the mangled function name is a ctor or a
-// dtor.
+// This function returns true if the section name is that of a ctor or a dtor.
 
 static bool
-is_function_ctor_or_dtor(const char* mangled_func_name)
+is_function_ctor_or_dtor(const std::string& section_name)
 {
-  if ((is_prefix_of("_ZN", mangled_func_name)
-       || is_prefix_of("_ZZ", mangled_func_name))
-      && (is_gnu_v3_mangled_ctor(mangled_func_name)
-          || is_gnu_v3_mangled_dtor(mangled_func_name)))
+  const char* mangled_func_name = strrchr(section_name.c_str(), '.');
+  gold_assert(mangled_func_name != NULL);
+  if ((is_prefix_of("._ZN", mangled_func_name)
+       || is_prefix_of("._ZZ", mangled_func_name))
+      && (is_gnu_v3_mangled_ctor(mangled_func_name + 1)
+          || is_gnu_v3_mangled_dtor(mangled_func_name + 1)))
     {
       return true;
     }
@@ -696,7 +697,7 @@ Icf::find_identical_sections(const Input
 
       for (unsigned int i = 0;i < (*p)->shnum(); ++i)
         {
-	  const char* section_name = (*p)->section_name(i).c_str();
+	  const std::string section_name = (*p)->section_name(i);
           if (!is_section_foldable_candidate(section_name))
             continue;
           if (!(*p)->is_section_included(i))
@@ -704,13 +705,11 @@ Icf::find_identical_sections(const Input
           if (parameters->options().gc_sections()
               && symtab->gc()->is_section_garbage(*p, i))
               continue;
-	  const char* mangled_func_name = strrchr(section_name, '.');
-	  gold_assert(mangled_func_name != NULL);
 	  // With --icf=safe, check if the mangled function name is a ctor
 	  // or a dtor.  The mangled function name can be obtained from the
 	  // section name by stripping the section prefix.
 	  if (parameters->options().icf_safe_folding()
-              && !is_function_ctor_or_dtor(mangled_func_name + 1)
+              && !is_function_ctor_or_dtor(section_name)
 	      && (!target.can_check_for_function_pointers()
                   || section_has_function_pointers(*p, i)))
             {
Index: icf.h
===================================================================
RCS file: /cvs/src/src/gold/icf.h,v
retrieving revision 1.10
diff -u -u -p -r1.10 icf.h
--- icf.h	25 Aug 2010 08:36:54 -0000	1.10
+++ icf.h	2 Feb 2011 21:53:56 -0000
@@ -168,10 +168,11 @@ class Icf
 // earlier gcc versions, like 4.0.3, put constructors and destructors in
 // .gnu.linkonce.t sections and hence should be included too.
 inline bool
-is_section_foldable_candidate(const char* section_name)
+is_section_foldable_candidate(const std::string& section_name)
 {
-  return (is_prefix_of(".text", section_name)
-          || is_prefix_of(".gnu.linkonce.t", section_name));
+  const char* section_name_cstr = section_name.c_str();
+  return (is_prefix_of(".text", section_name_cstr)
+          || is_prefix_of(".gnu.linkonce.t", section_name_cstr));
 }
 
 } // End of namespace gold.
cvs diff: Diffing po
cvs diff: Diffing testsuite

Re: Dangling pointer in ICF from c_str method.

[Richard Guenther]

On Wed, 2 Feb 2011, Sriraman Tallam wrote:

> Hi,
> 
>    Doug Kwan found a bug in ICF caused by a dangling pointer from
> using c_str on a temporary string object. I have attached a patch to
> fix it. I suspect this as the cause of bug  reported in :
> http://sourceware.org/bugzilla/show_bug.cgi?id=12388. Richard, could
> you please see if this patch fixes the bug as I am unable to reproduce
> it.

It doesn't apply to the 2.21 release for me.  I'll pick it up when
2.21.1 is released.

Richard.

Re: Dangling pointer in ICF from c_str method.

[Ian Lance Taylor]

Richard Guenther <rguenther@suse.de> writes:

> On Wed, 2 Feb 2011, Sriraman Tallam wrote:
>
>> Hi,
>> 
>>    Doug Kwan found a bug in ICF caused by a dangling pointer from
>> using c_str on a temporary string object. I have attached a patch to
>> fix it. I suspect this as the cause of bug  reported in :
>> http://sourceware.org/bugzilla/show_bug.cgi?id=12388. Richard, could
>> you please see if this patch fixes the bug as I am unable to reproduce
>> it.
>
> It doesn't apply to the 2.21 release for me.  I'll pick it up when
> 2.21.1 is released.

I applied Sri's patch to binutils 2.21 branch.

Ian