From mboxrd@z Thu Jan  1 00:00:00 1970
Return-Path: <gcc-bugs-return-458014-listarch-gcc-bugs=gcc.gnu.org@gcc.gnu.org>
Received: (qmail 13569 invoked by alias); 8 Aug 2014 08:17:45 -0000
Mailing-List: contact gcc-bugs-help@gcc.gnu.org; run by ezmlm
Precedence: bulk
List-Id: <gcc-bugs.gcc.gnu.org>
List-Archive: <http://gcc.gnu.org/ml/gcc-bugs/>
List-Post: <mailto:gcc-bugs@gcc.gnu.org>
List-Help: <mailto:gcc-bugs-help@gcc.gnu.org>
Sender: gcc-bugs-owner@gcc.gnu.org
Received: (qmail 13360 invoked by uid 48); 8 Aug 2014 08:17:40 -0000
From: "rguenth at gcc dot gnu.org" <gcc-bugzilla@gcc.gnu.org>
To: gcc-bugs@gcc.gnu.org
Subject: [Bug tree-optimization/62035] [4.9/4.10 Regression] wrong code building libapache-mod-perl with -O1, works with -O1 -fno-tree-dse
Date: Fri, 08 Aug 2014 08:17:00 -0000
X-Bugzilla-Reason: CC
X-Bugzilla-Type: changed
X-Bugzilla-Watch-Reason: None
X-Bugzilla-Product: gcc
X-Bugzilla-Component: tree-optimization
X-Bugzilla-Version: 4.9.0
X-Bugzilla-Keywords: wrong-code
X-Bugzilla-Severity: normal
X-Bugzilla-Who: rguenth at gcc dot gnu.org
X-Bugzilla-Status: RESOLVED
X-Bugzilla-Priority: P3
X-Bugzilla-Assigned-To: unassigned at gcc dot gnu.org
X-Bugzilla-Target-Milestone: 4.9.2
X-Bugzilla-Flags:
X-Bugzilla-Changed-Fields: bug_status resolution
Message-ID: <bug-62035-4-kkIs6EeTVq@http.gcc.gnu.org/bugzilla/>
In-Reply-To: <bug-62035-4@http.gcc.gnu.org/bugzilla/>
References: <bug-62035-4@http.gcc.gnu.org/bugzilla/>
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: 7bit
X-Bugzilla-URL: http://gcc.gnu.org/bugzilla/
Auto-Submitted: auto-generated
MIME-Version: 1.0
X-SW-Source: 2014-08/txt/msg00511.txt.bz2

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=62035

Richard Biener <rguenth at gcc dot gnu.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|UNCONFIRMED                 |RESOLVED
         Resolution|---                         |INVALID

--- Comment #3 from Richard Biener <rguenth at gcc dot gnu.org> ---
I can reproduce the bad assembly with -O -g -fwrapv -fstack-protector -fPIC
--param ssp-buffer-size=4 --param ssp-buffer-size=4

The only dead store deleted in modperl_env_table_populate is

  Deleted dead store 'sv = sv.5_31;

and that's ok because we have a clobber of 'sv' in this path.

  <bb 7>:
  _29 = _22->val;
  sv.5_31 = Perl_newSVpv (my_perl_7(D), _29, 0);
  sv = sv.5_31;
  _33 = _22->key;
  Perl_hv_common_key_len (my_perl_7(D), hv_10, _33, klen_26, 36, sv.5_31, 0);
  _35 = _22->key;
  Perl_sv_magic (my_perl_7(D), sv.5_31, 0B, 101, _35, klen_26);
  # DEBUG svp => &sv
  sv ={v} {CLOBBER};

  <bb 8>:
  # svp_2 = PHI <&sv(7), svp_28(6)>
  # DEBUG svp => svp_2
  _41 = my_perl_7(D)->Itainting;
  if (_41 != 0)
    goto <bb 9>;
  else
    goto <bb 10>;

  <bb 9>:
  _42 = *svp_2;
  Perl_sv_magic (my_perl_7(D), _42, 0B, 116, 0B, 0);

but a use-after-free here through *svp_2.  Prettified preprocessed souce
looks like

        SV **svp = ((SV**) Perl_hv_common_key_len(my_perl,
(hv),(elts[i].key),(klen),((0)) ? (0x20 | 0x10) : 0x20,((void *)0),0));
        if (svp) { 
          Perl_sv_setpv(my_perl, *svp,elts[i].val);
        } else { 
          SV *sv = Perl_newSVpv(my_perl, elts[i].val,0);
          (void)((SV**) Perl_hv_common_key_len(my_perl,
(hv),(elts[i].key),(klen),(0x04|0x20),(sv),((0))));
          Perl_sv_magic(my_perl, sv,(SV *)((void *)0),'e',elts[i].key,klen);
          svp = &sv;
        } 
        if (0) modperl_trace(__func__, "$ENV{%s} = \"%s\";", elts[i].key,
elts[i].val);
        (void)({ 
          if(((my_perl->Itainting))){Perl_sv_magic(my_perl, (*svp),((void
*)0),'t',((void *)0),0);

so 'sv' is declared inside the 'else' but you make its address escape
through the 'svp' variable declared in the outer block.

Invalid.

A fix is to move the declaration of SV *sv up one block.