public inbox for gcc-bugs@sourceware.org help / color / mirror / Atom feed
From: "jakub at gcc dot gnu.org" <gcc-bugzilla@gcc.gnu.org> To: gcc-bugs@gcc.gnu.org Subject: [Bug ipa/111960] [14 Regression] ICE: during GIMPLE pass: rebuild_frequencies: SIGSEGV (Invalid read of size 4) with -fdump-tree-rebuild_frequencies-all Date: Wed, 21 Feb 2024 20:21:02 +0000 [thread overview] Message-ID: <bug-111960-4-6KCwpqxSUf@http.gcc.gnu.org/bugzilla/> (raw) In-Reply-To: <bug-111960-4@http.gcc.gnu.org/bugzilla/> https://gcc.gnu.org/bugzilla/show_bug.cgi?id=111960 --- Comment #10 from Jakub Jelinek <jakub at gcc dot gnu.org> --- So, I believe the really problematic change was r14-2389-g3cce8d98f270f48f which introduced at least in theory the buffer overflow, before that the maximum string length no matter what m_val was was 62 chars. Now, I wonder what is the reason to have methods dump it into a buffer and then dump the buffer to FILE *, when the former method is only used in the latter method and nowhere else. 2024-02-21 Jakub Jelinek <jakub@redhat.com> PR ipa/111960 * profile-count.h (profile_count::dump): Remove overload with char * first argument. * profile-count.cc (profile_count::dump): Change overload with char * first argument which uses sprintf into the overfload with FILE * first argument and use fprintf instead. Remove overload which wrapped it. --- gcc/profile-count.h.jj 2024-01-03 11:51:30.309748150 +0100 +++ gcc/profile-count.h 2024-02-21 21:04:22.338905728 +0100 @@ -1299,9 +1299,6 @@ public: /* Output THIS to F. */ void dump (FILE *f, struct function *fun = NULL) const; - /* Output THIS to BUFFER. */ - void dump (char *buffer, struct function *fun = NULL) const; - /* Print THIS to stderr. */ void debug () const; --- gcc/profile-count.cc.jj 2024-01-03 11:51:40.782602796 +0100 +++ gcc/profile-count.cc 2024-02-21 21:05:28.521994913 +0100 @@ -84,34 +84,24 @@ const char *profile_quality_display_name "precise" }; -/* Dump THIS to BUFFER. */ +/* Dump THIS to F. */ void -profile_count::dump (char *buffer, struct function *fun) const +profile_count::dump (FILE *f, struct function *fun) const { if (!initialized_p ()) - sprintf (buffer, "uninitialized"); + fprintf (f, "uninitialized"); else if (fun && initialized_p () && fun->cfg && ENTRY_BLOCK_PTR_FOR_FN (fun)->count.initialized_p ()) - sprintf (buffer, "%" PRId64 " (%s, freq %.4f)", m_val, + fprintf (f, "%" PRId64 " (%s, freq %.4f)", m_val, profile_quality_display_names[m_quality], to_sreal_scale (ENTRY_BLOCK_PTR_FOR_FN (fun)->count).to_double ()); else - sprintf (buffer, "%" PRId64 " (%s)", m_val, + fprintf (f, "%" PRId64 " (%s)", m_val, profile_quality_display_names[m_quality]); } -/* Dump THIS to F. */ - -void -profile_count::dump (FILE *f, struct function *fun) const -{ - char buffer[64]; - dump (buffer, fun); - fputs (buffer, f); -} - /* Dump THIS to stderr. */ void patch certainly fixes the buffer overflow... Or of course just enlarge the buffer. But, I don't really see anything that would bound sreal values to be within some small double range, the range of m_exp is range of int, so in theory the ldexp can always overflow to infinity or result in close to maximum finite representable doubles.
next prev parent reply other threads:[~2024-02-21 20:21 UTC|newest] Thread overview: 15+ messages / expand[flat|nested] mbox.gz Atom feed top 2023-10-24 16:32 [Bug tree-optimization/111960] New: " zsojka at seznam dot cz 2023-10-27 7:19 ` [Bug tree-optimization/111960] [14 Regression] " pinskia at gcc dot gnu.org 2023-10-27 7:23 ` [Bug ipa/111960] " pinskia at gcc dot gnu.org 2023-10-31 12:02 ` sjames at gcc dot gnu.org 2023-10-31 15:05 ` zsojka at seznam dot cz 2024-01-10 10:36 ` rguenth at gcc dot gnu.org 2024-02-16 16:25 ` hubicka at gcc dot gnu.org 2024-02-21 16:32 ` jakub at gcc dot gnu.org 2024-02-21 16:35 ` pinskia at gcc dot gnu.org 2024-02-21 16:35 ` jakub at gcc dot gnu.org 2024-02-21 19:59 ` jakub at gcc dot gnu.org 2024-02-21 20:21 ` jakub at gcc dot gnu.org [this message] 2024-02-22 12:08 ` cvs-commit at gcc dot gnu.org 2024-02-22 12:20 ` jakub at gcc dot gnu.org 2024-02-22 12:58 ` hubicka at ucw dot cz
Reply instructions: You may reply publicly to this message via plain-text email using any one of the following methods: * Save the following mbox file, import it into your mail client, and reply-to-all from there: mbox Avoid top-posting and favor interleaved quoting: https://en.wikipedia.org/wiki/Posting_style#Interleaved_style * Reply using the --to, --cc, and --in-reply-to switches of git-send-email(1): git send-email \ --in-reply-to=bug-111960-4-6KCwpqxSUf@http.gcc.gnu.org/bugzilla/ \ --to=gcc-bugzilla@gcc.gnu.org \ --cc=gcc-bugs@gcc.gnu.org \ /path/to/YOUR_REPLY https://kernel.org/pub/software/scm/git/docs/git-send-email.html * If your mail client supports setting the In-Reply-To header via mailto: links, try the mailto: linkBe sure your reply has a Subject: header at the top and a blank line before the message body.
This is a public inbox, see mirroring instructions for how to clone and mirror all data and code used for this inbox; as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).