public inbox for gcc-patches@gcc.gnu.org
* [COMMITTED] ada: Fix double free on finalization of Vector in array aggregate
@ 2023-05-26  7:36 Marc Poulhiès
From: Marc Poulhiès @ 2023-05-26  7:36 UTC (permalink / raw)
  To: gcc-patches; +Cc: Eric Botcazou

From: Eric Botcazou <ebotcazou@adacore.com>

The handling of finalization is delicate during the expansion of aggregates
since the generated assignments must not cause the finalization of the RHS.
That's why the No_Ctrl_Actions flag is set on them and the adjustments are
generated manually.

This was not done in the case of an array of array with controlled component
when its subaggregates are not expanded in place but instead are replaced by
temporaries, leading to double free or memory corruption.

gcc/ada/

	* exp_aggr.adb (Initialize_Array_Component): Remove obsolete code.
	(Expand_Array_Aggregate): In the case where a temporary is created
	and the parent is an assignment statement with No_Ctrl_Actions set,
	set Is_Ignored_Transient on the temporary.

Tested on x86_64-pc-linux-gnu, committed on master.

---
 gcc/ada/exp_aggr.adb | 27 +++++++++------------------
 1 file changed, 9 insertions(+), 18 deletions(-)

diff --git a/gcc/ada/exp_aggr.adb b/gcc/ada/exp_aggr.adb
index 1dcbfade86c..a6a7d810185 100644
--- a/gcc/ada/exp_aggr.adb
+++ b/gcc/ada/exp_aggr.adb
@@ -1422,24 +1422,6 @@ package body Exp_Aggr is
                 Expression => New_Copy_Tree (Init_Expr));
             Set_No_Ctrl_Actions (Init_Stmt);
 
-            --  If this is an aggregate for an array of arrays, each
-            --  subaggregate will be expanded as well, and even with
-            --  No_Ctrl_Actions the assignments of inner components will
-            --  require attachment in their assignments to temporaries. These
-            --  temporaries must be finalized for each subaggregate. Generate:
-
-            --    begin
-            --       Arr_Comp := Init_Expr;
-            --    end;
-
-            if Finalization_OK and then Is_Array_Type (Comp_Typ) then
-               Init_Stmt :=
-                 Make_Block_Statement (Loc,
-                   Handled_Statement_Sequence =>
-                     Make_Handled_Sequence_Of_Statements (Loc,
-                       Statements => New_List (Init_Stmt)));
-            end if;
-
             Append_To (Blk_Stmts, Init_Stmt);
 
             --  Adjust the tag due to a possible view conversion. Generate:
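Review bot: the deleted comment was the only place in Initialize_Array_Component that explained how subaggregate temporaries of an array of arrays get finalized, and nothing replaces it; a one-line comment after `Set_No_Ctrl_Actions (Init_Stmt);` saying that temporaries created for the subaggregates are now marked Is_Ignored_Transient (as the commit message states) would keep the rationale next to the code instead of only in the log. Also worth double-checking that removing the `Finalization_OK and then Is_Array_Type (Comp_Typ)` block wrapper drops no other effect than the finalization the commit message says is no longer wanted, since the block statement also introduced a scope around `Arr_Comp := Init_Expr;`.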
@@ -7072,6 +7054,15 @@ package body Exp_Aggr is
            and then Parent_Kind = N_Allocator
          then
             Establish_Transient_Scope (N, Manage_Sec_Stack => False);
+
+         --  If the parent is an assignment for which no controlled actions
+         --  should take place, prevent the temporary from being finalized.
+
+         elsif Parent_Kind = N_Assignment_Statement
+           and then No_Ctrl_Actions (Parent_Node)
+         then
+            Mutate_Ekind (Tmp, E_Variable);
+            Set_Is_Ignored_Transient (Tmp);
          end if;
 
          Insert_Action (N, Tmp_Decl);
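Review bot: the new comment explains why the temporary must not be finalized but not why `Mutate_Ekind (Tmp, E_Variable);` is needed before `Set_Is_Ignored_Transient (Tmp);`; a short note on that prerequisite would help the next reader. The branch is also only reached when the preceding `Parent_Kind = N_Allocator` condition fails, so the `elsif` ordering is part of the logic and deserves a mention. Finally, the diffstat shows only gcc/ada/exp_aggr.adb changed: a regression test for the array-of-arrays-with-controlled-component aggregate that produced the double free would guard this path.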
-- 
2.40.0

