From: Jeff Law
To: gcc-patches
Subject: Fix a few use-after-free issues
Date: Mon, 21 Mar 2011 17:37:00 -0000
Message-ID: <4D878CCC.6090000@redhat.com>
This fixes a couple of use-after-free problems and one use-after-free
non-problem.

In cfgrtl.c, redirect_branch_edge may delete its first argument, so this
code is clearly erroneous:

    e->flags &= ~EDGE_FALLTHRU;
    redirected = redirect_branch_edge (e, dest);
    gcc_assert (redirected);
    e->flags |= EDGE_FALLTHRU;
    df_set_bb_dirty (e->src);
    return e;

The fix is obvious: use REDIRECTED rather than E after the call to
redirect_branch_edge.

Similarly for redirect_edge_succ_nodup in this fragment:

    ret = redirect_edge_succ_nodup (e, dest);
    if (dump_file)
      fprintf (dump_file, "Fallthru edge %i->%i redirected to %i\n",
               e->src->index, e->dest->index, dest->index);
  }

Luckily, in this case the use-after-free only occurs when dumping, so it
won't typically affect end users.

The non-problem is this code in cfg.c:

    if (s->probability > REG_BR_PROB_BASE)
      s->probability = REG_BR_PROB_BASE;
    s->count += e->count;
    remove_edge (e);
    redirect_edge_var_map_dup (s, e);
    e = s;

remove_edge frees E, which we then use in redirect_edge_var_map_dup.
Luckily we only care about the pointer value of E, which doesn't change.
Regardless, I fixed this to keep the static checkers quiet.

Bootstrapped and regression tested on x86_64-unknown-linux-gnu. Ok for the
trunk?
Jeff

	* cfg.c (redirect_edge_succ_nodup): Duplicate the var map before
	removing the edge.
	* cfgrtl.c (cfg_layout_redirect_edge_and_branch): Do not use E
	after it may have been freed by redirect_branch_edge or
	redirect_edge_succ_nodup.

Index: cfg.c =================================================================== *** cfg.c (revision 171074) --- cfg.c (working copy) *************** redirect_edge_succ_nodup (edge e, basic_ *** 402,409 **** if (s->probability > REG_BR_PROB_BASE) s->probability = REG_BR_PROB_BASE; s->count += e->count; - remove_edge (e); redirect_edge_var_map_dup (s, e); e = s; } else --- 402,409 ---- if (s->probability > REG_BR_PROB_BASE) s->probability = REG_BR_PROB_BASE; s->count += e->count; redirect_edge_var_map_dup (s, e); + remove_edge (e); e = s; } else Index: cfgrtl.c =================================================================== *** cfgrtl.c (revision 171074) --- cfgrtl.c (working copy) *************** cfg_layout_redirect_edge_and_branch (edg *** 2537,2545 **** e->flags &= ~EDGE_FALLTHRU; redirected = redirect_branch_edge (e, dest); gcc_assert (redirected); ! e->flags |= EDGE_FALLTHRU; ! df_set_bb_dirty (e->src); ! 
return e; } /* In case we are redirecting fallthru edge to the branch edge of conditional jump, remove it. */ --- 2537,2545 ---- e->flags &= ~EDGE_FALLTHRU; redirected = redirect_branch_edge (e, dest); gcc_assert (redirected); ! redirected->flags |= EDGE_FALLTHRU; ! df_set_bb_dirty (redirected->src); ! return redirected; } /* In case we are redirecting fallthru edge to the branch edge of conditional jump, remove it. */ *************** cfg_layout_redirect_edge_and_branch (edg *** 2556,2562 **** ret = redirect_edge_succ_nodup (e, dest); if (dump_file) fprintf (dump_file, "Fallthru edge %i->%i redirected to %i\n", ! e->src->index, e->dest->index, dest->index); } else ret = redirect_branch_edge (e, dest); --- 2556,2562 ---- ret = redirect_edge_succ_nodup (e, dest); if (dump_file) fprintf (dump_file, "Fallthru edge %i->%i redirected to %i\n", ! ret->src->index, ret->dest->index, dest->index); } else ret = redirect_branch_edge (e, dest);
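Review bot: in the cfg.c hunk (402,409) the swap of `redirect_edge_var_map_dup (s, e);` and `remove_edge (e);` is the right fix, but nothing in the code records the ordering constraint, so a later cleanup could put the free back in front of the read; a one-line comment above `redirect_edge_var_map_dup (s, e);` noting that E is freed by the remove_edge that follows would keep the constraint visible. The cover letter says only E's pointer value is consumed there, so the old order was not a functional bug, but keeping every read of E ahead of the free is also what keeps static checkers and sanitizers quiet on this path.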
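Review bot: in the first cfgrtl.c hunk (2537,2545), `e->flags &= ~EDGE_FALLTHRU;` is still applied to E before the call, which is fine because E is live there, while the updates after `gcc_assert (redirected);` correctly move to REDIRECTED; since `redirect_branch_edge (e, dest)` may free its argument and return a different edge, a comment at the assert saying that E may be dead from this point would stop a reader from folding `redirected` back into `e`. The ChangeLog entry should also say that the function now returns REDIRECTED instead of E, because the return value of cfg_layout_redirect_edge_and_branch changes on this path.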
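Review bot: in the second cfgrtl.c hunk (2556,2562), the dump line now prints `ret->dest->index` and `dest->index`, which should be the same value once `redirect_edge_succ_nodup (e, dest)` has returned the edge that ends at DEST; the old `e->dest->index` was also read after the redirect, so no information is lost by the fix, but if the message is meant to show where the fallthru edge came from, save `e->dest->index` into a local before the call and print that in the middle field instead.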
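The caller pattern the two cfgrtl.c hunks establish, as an added example that is not GCC code: a toy edge list whose `redirect_edge_succ_nodup` may free its argument and return an existing edge, so the caller snapshots what it needs from E before the call and then uses only the returned edge. All types and function bodies here are constructed stand-ins for the real cfg.c routines of the same name.

```c
#include <stdlib.h>
#include <string.h>
/* Added example, not GCC code: a toy model of the cfg.c contract the patch
   fixes.  redirect_edge_succ_nodup may free its argument and hand back a
   different edge, so callers must continue with the return value only. */
struct bb { int index; };
struct edge { struct bb *src, *dest; int count; struct edge *next; };
static struct edge *edges;  /* all edges of the toy CFG */

static struct edge *add_edge (struct bb *src, struct bb *dest, int count)
{
  struct edge *e = calloc (1, sizeof *e);
  e->src = src; e->dest = dest; e->count = count;
  e->next = edges; edges = e;
  return e;
}

/* Unlink and free E.  As with remove_edge in cfg.c, E is dead afterwards;
   poisoning the block makes a stale use fail loudly under a sanitizer. */
static void remove_edge (struct edge *e)
{
  for (struct edge **p = &edges; *p; p = &(*p)->next)
    if (*p == e) { *p = e->next; break; }
  memset (e, 0xA5, sizeof *e);
  free (e);
}

/* Redirect E to DEST.  If an edge S from E's source to DEST already exists,
   merge E's count into S, free E and return S; otherwise retarget E. */
static struct edge *redirect_edge_succ_nodup (struct edge *e, struct bb *dest)
{
  for (struct edge *s = edges; s; s = s->next)
    if (s != e && s->src == e->src && s->dest == dest)
      {
        s->count += e->count;
        remove_edge (e);   /* E must not be touched after this point */
        return s;
      }
  e->dest = dest;
  return e;
}

/* Caller pattern from the cfgrtl.c hunk, done right: read what the dump
   message needs from E before the call, then use only RET afterwards. */
static struct edge *redirect_fallthru (struct edge *e, struct bb *dest,
                                       int *old_src, int *old_dest)
{
  *old_src = e->src->index; *old_dest = e->dest->index;
  return redirect_edge_succ_nodup (e, dest);
}
```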