From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: by sourceware.org (Postfix, from userid 1666) id 4036B385840E; Thu, 27 Apr 2023 13:00:44 +0000 (GMT) DKIM-Filter: OpenDKIM Filter v2.11.0 sourceware.org 4036B385840E DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gcc.gnu.org; s=default; t=1682600444; bh=ik/NKihdi/wJoORSl+ZED0u3266P35Kj4YxD18yt1wU=; h=From:To:Subject:Date:From; b=e+mIWu5/0v/E6iBRPh8h1h4LwGE52Xh/0gW0+PTZQraTbAIzqYdzXyZcTZ6+bSnkv gRJ5UNCw+0Y9CBLuxEb5KKpLn+NtYS+rGA4s9fQKNb+neCkR758EqM2F4MxDvnnAfT qmUTtbgqX7W+NZfqUcoowKI/PKPKoVl1HWg+uZ0s= MIME-Version: 1.0 Content-Transfer-Encoding: 7bit Content-Type: text/plain; charset="utf-8" From: Richard Biener To: gcc-cvs@gcc.gnu.org Subject: [gcc r14-300] tree-optimization/109170 - bogus use-after-free with __builtin_expect X-Act-Checkin: gcc X-Git-Author: Richard Biener X-Git-Refname: refs/heads/master X-Git-Oldrev: b5f04a4db59f61f416f23801902cbf4d0f50dc15 X-Git-Newrev: 65369ab62cee68eb7f6ef65e3d12d1969a9e20ee Message-Id: <20230427130044.4036B385840E@sourceware.org> Date: Thu, 27 Apr 2023 13:00:44 +0000 (GMT) List-Id: https://gcc.gnu.org/g:65369ab62cee68eb7f6ef65e3d12d1969a9e20ee commit r14-300-g65369ab62cee68eb7f6ef65e3d12d1969a9e20ee Author: Richard Biener Date: Fri Mar 17 13:14:49 2023 +0100 tree-optimization/109170 - bogus use-after-free with __builtin_expect The following generalizes the range-op for __builtin_expect by using the fnspec machinery. PR tree-optimization/109170 * gimple-range-op.cc (gimple_range_op_handler::maybe_builtin_call): Handle __builtin_expect and similar via cfn_pass_through_arg1 and inspecting the calls fnspec. * builtins.cc (builtin_fnspec): Handle BUILT_IN_EXPECT and BUILT_IN_EXPECT_WITH_PROBABILITY. Diff: --- gcc/builtins.cc | 2 ++ gcc/gimple-range-op.cc | 19 +++++++++++-------- 2 files changed, 13 insertions(+), 8 deletions(-)
diff --git a/gcc/builtins.cc b/gcc/builtins.cc
index 878596c240a..bd07873a80e 100644
--- a/gcc/builtins.cc
+++ b/gcc/builtins.cc
@@ -11718,6 +11718,8 @@ builtin_fnspec (tree callee)
     case BUILT_IN_RETURN_ADDRESS:
       return ".c";
     case BUILT_IN_ASSUME_ALIGNED:
+    case BUILT_IN_EXPECT:
+    case BUILT_IN_EXPECT_WITH_PROBABILITY:
       return "1cX ";
       /* But posix_memalign stores a pointer into the memory pointed to
          by its first argument. */
diff --git a/gcc/gimple-range-op.cc b/gcc/gimple-range-op.cc
index f7409e35a99..04e27d6aa05 100644
--- a/gcc/gimple-range-op.cc
+++ b/gcc/gimple-range-op.cc
@@ -43,6 +43,7 @@ along with GCC; see the file COPYING3. If not see
 #include "range.h"
 #include "value-query.h"
 #include "gimple-range.h"
+#include "attr-fnspec.h"
 
 // Given stmt S, fill VEC, up to VEC_SIZE elements, with relevant ssa-names
 // on the statement. For efficiency, it is an error to not pass in enough
@@ -984,14 +985,16 @@ gimple_range_op_handler::maybe_builtin_call ()
       m_int = &op_cfn_parity;
       break;
 
-    case CFN_BUILT_IN_EXPECT:
-    case CFN_BUILT_IN_EXPECT_WITH_PROBABILITY:
-      m_valid = true;
-      m_op1 = gimple_call_arg (call, 0);
-      m_int = &op_cfn_pass_through_arg1;
-      break;
-
     default:
-      break;
+      {
+        unsigned arg;
+        if (gimple_call_fnspec (call).returns_arg (&arg) && arg == 0)
+          {
+            m_valid = true;
+            m_op1 = gimple_call_arg (call, 0);
+            m_int = &op_cfn_pass_through_arg1;
+          }
+        break;
+      }
     }
 }
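Review bot: The new default branch in maybe_builtin_call accepts a fnspec only when the returned argument is index 0 (`returns_arg (&arg) && arg == 0`) and then hard-codes `gimple_call_arg (call, 0)`; since `returns_arg` already hands back the index, `m_op1 = gimple_call_arg (call, arg);` with the `arg == 0` test dropped would also cover specs that pass through a later argument, unless op_cfn_pass_through_arg1 needs the first operand specifically, which the hunk does not show. A second thing to weigh is that, as far as I recall, gimple_call_fnspec also honours the `fn spec` attribute on ordinary declarations, so this path now trusts user-supplied specs rather than only the table in builtins.cc; if such a spec claims a pass-through whose argument type does not match the call's lhs, the argument's range is copied onto a value of another type, and a types_compatible_p check between the lhs type (when the call has an lhs) and the chosen argument's type would keep the fold conservative — I cannot tell from here whether the handler's caller already rejects that case. A short comment above the block, `// Any call whose fnspec says it returns its first argument is a pass-through.`, would record why the builtins no longer need to be listed one by one. maybe_builtin_call begins before this hunk.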