* Fix a few use-after-free issues
From: Jeff Law @ 2011-03-21 17:37 UTC
To: gcc-patches
This fixes a couple of use-after-free problems and one use-after-free
non-problem.
In cfgrtl.c, redirect_branch_edge may delete its first argument, so this
code is clearly erroneous:
  e->flags &= ~EDGE_FALLTHRU;
  redirected = redirect_branch_edge (e, dest);
  gcc_assert (redirected);
  e->flags |= EDGE_FALLTHRU;
  df_set_bb_dirty (e->src);
  return e;
The fix is obvious: use REDIRECTED rather than E after the call to
redirect_branch_edge.
Similarly for redirect_edge_succ_nodup in this fragment:
      ret = redirect_edge_succ_nodup (e, dest);
      if (dump_file)
        fprintf (dump_file, "Fallthru edge %i->%i redirected to %i\n",
                 e->src->index, e->dest->index, dest->index);
    }
Luckily in this case the use-after-free only occurs when dumping, so it
won't typically affect end users.
The non-problem is this code in cfg.c:
      if (s->probability > REG_BR_PROB_BASE)
        s->probability = REG_BR_PROB_BASE;
      s->count += e->count;
      remove_edge (e);
      redirect_edge_var_map_dup (s, e);
      e = s;
remove_edge frees E, which we then use in redirect_edge_var_map_dup.
Luckily we only care about the pointer value of E which doesn't change.
Regardless, I fixed this to keep the static checkers quiet.
Bootstrapped and regression tested on x86_64-unknown-linux-gnu. Ok for
the trunk?
Jeff
* cfg.c (redirect_edge_succ_nodup): Duplicate the var map
before removing the edge.
* cfgrtl.c (cfg_layout_redirect_edge_and_branch): Do not use
E after it may have been freed by redirect_branch_edge or
redirect_edge_succ_nodup.
Index: cfg.c
===================================================================
*** cfg.c (revision 171074)
--- cfg.c (working copy)
*************** redirect_edge_succ_nodup (edge e, basic_
*** 402,409 ****
if (s->probability > REG_BR_PROB_BASE)
s->probability = REG_BR_PROB_BASE;
s->count += e->count;
- remove_edge (e);
redirect_edge_var_map_dup (s, e);
e = s;
}
else
--- 402,409 ----
if (s->probability > REG_BR_PROB_BASE)
s->probability = REG_BR_PROB_BASE;
s->count += e->count;
redirect_edge_var_map_dup (s, e);
+ remove_edge (e);
e = s;
}
else
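Review bot: swapping `remove_edge (e);` and `redirect_edge_var_map_dup (s, e);` does more than silence a checker: E is now a live, still-connected edge when its var map is copied onto S, whereas before the copy ran on an edge remove_edge had already torn down. The cover letter argues only the pointer value of E matters, so please confirm that remove_edge does not itself clear E's var-map entries; if it does, the old order copied nothing and this hunk starts propagating mappings that were previously dropped, which the ChangeLog entry ("Duplicate the var map before removing the edge") should then say outright.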
Index: cfgrtl.c
===================================================================
*** cfgrtl.c (revision 171074)
--- cfgrtl.c (working copy)
*************** cfg_layout_redirect_edge_and_branch (edg
*** 2537,2545 ****
e->flags &= ~EDGE_FALLTHRU;
redirected = redirect_branch_edge (e, dest);
gcc_assert (redirected);
! e->flags |= EDGE_FALLTHRU;
! df_set_bb_dirty (e->src);
! return e;
}
/* In case we are redirecting fallthru edge to the branch edge
of conditional jump, remove it. */
--- 2537,2545 ----
e->flags &= ~EDGE_FALLTHRU;
redirected = redirect_branch_edge (e, dest);
gcc_assert (redirected);
! redirected->flags |= EDGE_FALLTHRU;
! df_set_bb_dirty (redirected->src);
! return redirected;
}
/* In case we are redirecting fallthru edge to the branch edge
of conditional jump, remove it. */
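Review bot: the three `!` lines now read REDIRECTED instead of E, but nothing in the code records why E must not be touched after `redirect_branch_edge (e, dest);`, and REDIRECTED and E look interchangeable to the next person who cleans this up. Suggest a one-line comment above `redirected->flags |= EDGE_FALLTHRU;` along the lines of `/* E may have been freed by redirect_branch_edge; use REDIRECTED.  */`. Note also that `df_set_bb_dirty (redirected->src);` relies on REDIRECTED leaving the same block as E did; that holds when redirect_branch_edge only retargets the destination, and is worth stating in the same comment.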
*************** cfg_layout_redirect_edge_and_branch (edg
*** 2556,2562 ****
ret = redirect_edge_succ_nodup (e, dest);
if (dump_file)
fprintf (dump_file, "Fallthru edge %i->%i redirected to %i\n",
! e->src->index, e->dest->index, dest->index);
}
else
ret = redirect_branch_edge (e, dest);
--- 2556,2562 ----
ret = redirect_edge_succ_nodup (e, dest);
if (dump_file)
fprintf (dump_file, "Fallthru edge %i->%i redirected to %i\n",
! ret->src->index, ret->dest->index, dest->index);
}
else
ret = redirect_branch_edge (e, dest);
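Review bot: the `!` line trades a use-after-free for a misleading dump: once `redirect_edge_succ_nodup (e, dest)` has returned, `ret->dest` is DEST, so "Fallthru edge %i->%i redirected to %i" prints the new destination twice and loses the block the edge used to go to. Either save `e->src->index` and `e->dest->index` in locals before the call and print those, or move the fprintf above the call.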
* Re: Fix a few use-after-free issues
From: Diego Novillo @ 2011-03-21 17:44 UTC
To: Jeff Law; +Cc: gcc-patches
On Mon, Mar 21, 2011 at 13:37, Jeff Law <law@redhat.com> wrote:
> Bootstrapped and regression tested on x86_64-unknown-linux-gnu. Ok for
> the trunk?
OK.
Diego.
* Re: Fix a few use-after-free issues
From: Jakub Jelinek @ 2011-03-21 17:50 UTC
To: Jeff Law; +Cc: gcc-patches
On Mon, Mar 21, 2011 at 11:37:16AM -0600, Jeff Law wrote:
> Similarly for redirect_edge_succ_nodup in this fragment:
>
> ret = redirect_edge_succ_nodup (e, dest);
> if (dump_file)
> fprintf (dump_file, "Fallthru edge %i->%i redirected to %i\n",
> e->src->index, e->dest->index, dest->index);
> }
> Luckily in this case the use-after-free only occurs when dumping, so it
> won't typically affect end users.
Well, the message is wrong anyway, because e->dest->index will be
dest->index (with the exception that e has been remove_edge, but then it is
the use after free). Guess the message should be printed before the
redirect_edge_succ_nodup call, or remember e->dest->index in some local
variable and print that variable after the call.
Jakub
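The two points raised in this thread, that redirect_edge_succ_nodup may free the edge it is given and hand back a different one, and that the dump line therefore has to read E's fields before the call, can be demonstrated outside GCC. The following is an added example written for this page, not code from GCC or from the patch: a minimal edge/basic-block model with the same names and the same ownership contract, whose function bodies, the `last_freed_edge` bookkeeping, the `merge_result` struct and the constructed three-block input are all my own.

```c
/* Added example, not GCC code: a minimal CFG edge model reproducing the
   ownership contract behind the patch.  redirect_edge_succ_nodup() may free
   the edge it is handed and return a different, still-live edge, so a caller
   must use the returned edge afterwards and must read anything it wants to
   log from E before the call.  Names mirror cfg.c; the bodies are mine.  */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MAX_SUCCS 4
typedef struct basic_block_def *basic_block;
typedef struct edge_def *edge;
struct edge_def { basic_block src, dest; int count; };
struct basic_block_def { int index; edge succs[MAX_SUCCS]; int nsuccs; };

/* Address (never contents) of the last edge released, so a test can prove an
   edge was freed without touching freed memory.  */
static const void *last_freed_edge;
static void free_edge (edge e) { last_freed_edge = e; free (e); }

static edge
make_edge (basic_block src, basic_block dest, int count)
{
  edge e = calloc (1, sizeof *e);
  e->src = src; e->dest = dest; e->count = count;
  src->succs[src->nsuccs++] = e;
  return e;
}

static edge
find_edge (basic_block src, basic_block dest)
{
  for (int i = 0; i < src->nsuccs; i++)
    if (src->succs[i]->dest == dest) return src->succs[i];
  return NULL;
}

/* Unlink E from its source block and free it; past here E's value is still
   comparable but its pointee is gone.  */
static void
remove_edge (edge e)
{
  basic_block src = e->src;
  for (int i = 0; i < src->nsuccs; i++)
    if (src->succs[i] == e) { src->succs[i] = src->succs[--src->nsuccs]; break; }
  free_edge (e);
}

/* Same contract as GCC's redirect_edge_succ_nodup: if E's source already has
   an edge to DEST, fold E into it, free E and return the survivor; otherwise
   retarget E in place and return E itself.  */
static edge
redirect_edge_succ_nodup (edge e, basic_block dest)
{
  edge s = find_edge (e->src, dest);
  if (s && s != e)
    { s->count += e->count; remove_edge (e); return s; }  /* E is dead now */
  e->dest = dest;
  return e;
}

/* Corrected caller shape: capture the indices while E is alive, call, then
   hand back only the edge the callee returned.  Saving the old destination
   also keeps the log line honest: after the call the returned edge's dest is
   already DEST, so printing ret->dest->index would just repeat it.  */
static edge
redirect_fallthru_logged (edge e, basic_block dest, char *buf, size_t len)
{
  int old_src = e->src->index, old_dest = e->dest->index;
  edge ret = redirect_edge_succ_nodup (e, dest);
  snprintf (buf, len, "Fallthru edge %i->%i redirected to %i",
            old_src, old_dest, dest->index);
  return ret;
}

struct merge_result { int survivor_is_existing, original_was_freed,
                          merged_count, nsuccs_left; char msg[64]; };

/* Constructed input: block 2 has a fallthru edge to block 3 and a branch edge
   to block 5; redirecting the fallthru to 5 makes the two collide.  */
static struct merge_result
run_merge_case (void)
{
  struct basic_block_def a = { .index = 2 }, b = { .index = 3 }, c = { .index = 5 };
  struct merge_result r = { 0 };
  edge fallthru = make_edge (&a, &b, 10), branch = make_edge (&a, &c, 7);
  const void *passed_in = fallthru;
  edge ret = redirect_fallthru_logged (fallthru, &c, r.msg, sizeof r.msg);
  r.survivor_is_existing = (ret == branch);
  r.original_was_freed = (last_freed_edge == passed_in);
  r.merged_count = ret->count;
  r.nsuccs_left = a.nsuccs;
  while (a.nsuccs > 0)          /* plain free() so last_freed_edge stays put */
    free (a.succs[--a.nsuccs]);
  return r;
}

int
main (void)
{
  struct merge_result r = run_merge_case ();
  printf ("%s (count %d, %d succ left, freed=%d)\n", r.msg, r.merged_count,
          r.nsuccs_left, r.original_was_freed);
  return 0;
}
```

The model keeps the bug class observable without executing it: `last_freed_edge` records only the address of the released edge, so the test can confirm that the pointer passed in is exactly the one that died while the survivor is the pre-existing edge, and the buggy variant (reading `e->src` or `e->dest` after the call) is deliberately absent because it is undefined behaviour rather than something to assert on. Building the original caller shape with `-fsanitize=address` is the practical way to catch it in a real tree.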
From: Jeff Law @ 2011-03-23 14:26 UTC
To: Jakub Jelinek; +Cc: gcc-patches
On 03/21/11 11:50, Jakub Jelinek wrote:
> On Mon, Mar 21, 2011 at 11:37:16AM -0600, Jeff Law wrote:
>> Similarly for redirect_edge_succ_nodup in this fragment:
>>
>> ret = redirect_edge_succ_nodup (e, dest);
>> if (dump_file)
>> fprintf (dump_file, "Fallthru edge %i->%i redirected to %i\n",
>> e->src->index, e->dest->index, dest->index);
>> }
>> Luckily in this case the use-after-free only occurs when dumping, so it
>> won't typically affect end users.
>
> Well, the message is wrong anyway, because e->dest->index will be
> dest->index (with the exception that e has been remove_edge, but then it is
> the use after free). Guess the message should be printed before the
> redirect_edge_succ_nodup call, or remember e->dest->index in some local
> variable and print that variable after the call.
Yea, I'll just move the message before the call to
redirect_edge_succ_nodup.
jeff
From: Jeff Law @ 2011-03-23 17:37 UTC
To: Jakub Jelinek; +Cc: gcc-patches
On 03/23/11 08:25, Jeff Law wrote:
> On 03/21/11 11:50, Jakub Jelinek wrote:
>> On Mon, Mar 21, 2011 at 11:37:16AM -0600, Jeff Law wrote:
>>> Similarly for redirect_edge_succ_nodup in this fragment:
>>>
>>> ret = redirect_edge_succ_nodup (e, dest);
>>> if (dump_file)
>>> fprintf (dump_file, "Fallthru edge %i->%i redirected to %i\n",
>>> e->src->index, e->dest->index, dest->index);
>>> }
>>> Luckily in this case the use-after-free only occurs when dumping, so it
>>> won't typically affect end users.
>
>> Well, the message is wrong anyway, because e->dest->index will be
>> dest->index (with the exception that e has been remove_edge, but then it is
>> the use after free). Guess the message should be printed before the
>> redirect_edge_succ_nodup call, or remember e->dest->index in some local
>> variable and print that variable after the call.
> Yea, I'll just move the message before the call to
> redirect_edge_succ_nodup.
Attached is the actual patch that was checked in after another bootstrap
and regression test.
Index: cfg.c
===================================================================
*** cfg.c (revision 171351)
--- cfg.c (working copy)
*************** redirect_edge_succ_nodup (edge e, basic_
*** 402,409 ****
if (s->probability > REG_BR_PROB_BASE)
s->probability = REG_BR_PROB_BASE;
s->count += e->count;
- remove_edge (e);
redirect_edge_var_map_dup (s, e);
e = s;
}
else
--- 402,409 ----
if (s->probability > REG_BR_PROB_BASE)
s->probability = REG_BR_PROB_BASE;
s->count += e->count;
redirect_edge_var_map_dup (s, e);
+ remove_edge (e);
e = s;
}
else
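Review bot: after this reorder the only mention of E below `remove_edge (e);` is `e = s;`, which overwrites the variable rather than reading through it, so no dereference of the freed edge survives in the visible lines. The order of the two calls now matters and nothing says so; a short comment on `redirect_edge_var_map_dup (s, e);` noting that E must still be alive here would keep the next refactor from swapping them back.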
Index: cfgrtl.c
===================================================================
*** cfgrtl.c (revision 171351)
--- cfgrtl.c (working copy)
*************** cfg_layout_redirect_edge_and_branch (edg
*** 2537,2545 ****
e->flags &= ~EDGE_FALLTHRU;
redirected = redirect_branch_edge (e, dest);
gcc_assert (redirected);
! e->flags |= EDGE_FALLTHRU;
! df_set_bb_dirty (e->src);
! return e;
}
/* In case we are redirecting fallthru edge to the branch edge
of conditional jump, remove it. */
--- 2537,2545 ----
e->flags &= ~EDGE_FALLTHRU;
redirected = redirect_branch_edge (e, dest);
gcc_assert (redirected);
! redirected->flags |= EDGE_FALLTHRU;
! df_set_bb_dirty (redirected->src);
! return redirected;
}
/* In case we are redirecting fallthru edge to the branch edge
of conditional jump, remove it. */
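Review bot: this hunk is unchanged from the first posting (revision 171074) and still carries no comment recording that redirect_branch_edge may free E, which is the whole reason the three `!` lines switch to REDIRECTED. Suggest `/* E may be gone; use the edge redirect_branch_edge returned.  */` above `redirected->flags |= EDGE_FALLTHRU;` so the substitution is not undone as a cosmetic cleanup.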
*************** cfg_layout_redirect_edge_and_branch (edg
*** 2553,2562 ****
&& onlyjump_p (BB_END (src)))
delete_insn (BB_END (src));
}
- ret = redirect_edge_succ_nodup (e, dest);
if (dump_file)
fprintf (dump_file, "Fallthru edge %i->%i redirected to %i\n",
e->src->index, e->dest->index, dest->index);
}
else
ret = redirect_branch_edge (e, dest);
--- 2553,2562 ----
&& onlyjump_p (BB_END (src)))
delete_insn (BB_END (src));
}
if (dump_file)
fprintf (dump_file, "Fallthru edge %i->%i redirected to %i\n",
e->src->index, e->dest->index, dest->index);
+ ret = redirect_edge_succ_nodup (e, dest);
}
else
ret = redirect_branch_edge (e, dest);
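Review bot: moving the fprintf above `ret = redirect_edge_succ_nodup (e, dest);` fixes both the stale pointer and the duplicated index, since E's fields are now read while E is alive and `e->dest->index` is still the old target, but the dump now says "redirected to" before the redirection has happened, so a failure inside redirect_edge_succ_nodup leaves a dump line claiming an edit that never completed; if that matters for dump readers, save the two indices in locals and print after the call instead. This attachment also carries no ChangeLog entry, and the one from the first posting ("Do not use E after it may have been freed by redirect_branch_edge or redirect_edge_succ_nodup") no longer describes this hunk; it should say the dump is emitted before the call.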