public inbox for gcc-patches@gcc.gnu.org
* Fix a few use-after-free issues
@ 2011-03-21 17:37 Jeff Law
From: Jeff Law @ 2011-03-21 17:37 UTC (permalink / raw)
  To: gcc-patches

This fixes a couple of use-after-free problems and one use-after-free
non-problem.

In cfgrtl.c, redirect_branch_edge may delete its first argument, so this
code is clearly erroneous:

  e->flags &= ~EDGE_FALLTHRU;
  redirected = redirect_branch_edge (e, dest);
  gcc_assert (redirected);
  e->flags |= EDGE_FALLTHRU;
  df_set_bb_dirty (e->src);
  return e;

This fix is obvious, use REDIRECTED rather than E after the call to
redirect_branch_edge.

Similarly for redirect_edge_succ_nodup in this fragment:

  ret = redirect_edge_succ_nodup (e, dest);
  if (dump_file)
    fprintf (dump_file, "Fallthru edge %i->%i redirected to %i\n",
	     e->src->index, e->dest->index, dest->index);
}
Luckily in this case the use-after-free only occurs when dumping, so it
won't typically affect end users.


The non-problem is this code in cfg.c:

  if (s->probability > REG_BR_PROB_BASE)
    s->probability = REG_BR_PROB_BASE;
  s->count += e->count;
  remove_edge (e);
  redirect_edge_var_map_dup (s, e);
  e = s;

remove_edge frees E, which we then use in redirect_edge_var_map_dup.
Luckily we only care about the pointer value of E, which doesn't change.
Regardless, I fixed this to keep the static checkers quiet.

Bootstrapped and regression tested on x86_64-unknown-linux-gnu.  Ok for
the trunk?

Jeff

[-- Attachment #2: patch --]

	* cfg.c (redirect_edge_succ_nodup): Duplicate the var map
	before removing the edge.

	* cfgrtl.c (cfg_layout_redirect_edge_and_branch): Do not use
	E after it may have been freed by redirect_branch_edge or
	redirect_edge_succ_nodup.

Index: cfg.c
===================================================================
*** cfg.c	(revision 171074)
--- cfg.c	(working copy)
*************** redirect_edge_succ_nodup (edge e, basic_
*** 402,409 ****
        if (s->probability > REG_BR_PROB_BASE)
  	s->probability = REG_BR_PROB_BASE;
        s->count += e->count;
-       remove_edge (e);
        redirect_edge_var_map_dup (s, e);
        e = s;
      }
    else
--- 402,409 ----
        if (s->probability > REG_BR_PROB_BASE)
  	s->probability = REG_BR_PROB_BASE;
        s->count += e->count;
        redirect_edge_var_map_dup (s, e);
+       remove_edge (e);
        e = s;
      }
    else
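Review bot: the reorder is correct, but redirect_edge_var_map_dup (s, e) now sits directly above remove_edge (e) with nothing marking the dependency; a one-line comment above the dup call such as `/* Must precede remove_edge: E is freed there.  */` would stop a later reorder from reintroducing the use-after-free the cover letter says the static checkers flagged.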
Index: cfgrtl.c
===================================================================
*** cfgrtl.c	(revision 171074)
--- cfgrtl.c	(working copy)
*************** cfg_layout_redirect_edge_and_branch (edg
*** 2537,2545 ****
  	  e->flags &= ~EDGE_FALLTHRU;
  	  redirected = redirect_branch_edge (e, dest);
  	  gcc_assert (redirected);
! 	  e->flags |= EDGE_FALLTHRU;
! 	  df_set_bb_dirty (e->src);
! 	  return e;
  	}
        /* In case we are redirecting fallthru edge to the branch edge
  	 of conditional jump, remove it.  */
--- 2537,2545 ----
  	  e->flags &= ~EDGE_FALLTHRU;
  	  redirected = redirect_branch_edge (e, dest);
  	  gcc_assert (redirected);
! 	  redirected->flags |= EDGE_FALLTHRU;
! 	  df_set_bb_dirty (redirected->src);
! 	  return redirected;
  	}
        /* In case we are redirecting fallthru edge to the branch edge
  	 of conditional jump, remove it.  */
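Review bot: REDIRECTED replaces E in all three post-call uses and `gcc_assert (redirected);` already guards the NULL case, so the fix is complete for this block; a short comment after the redirect_branch_edge call saying that E may have been freed would document the contract for the next reader, since nothing in the surrounding code hints at it.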
*************** cfg_layout_redirect_edge_and_branch (edg
*** 2556,2562 ****
        ret = redirect_edge_succ_nodup (e, dest);
        if (dump_file)
  	fprintf (dump_file, "Fallthru edge %i->%i redirected to %i\n",
! 		 e->src->index, e->dest->index, dest->index);
      }
    else
      ret = redirect_branch_edge (e, dest);
--- 2556,2562 ----
        ret = redirect_edge_succ_nodup (e, dest);
        if (dump_file)
  	fprintf (dump_file, "Fallthru edge %i->%i redirected to %i\n",
! 		 ret->src->index, ret->dest->index, dest->index);
      }
    else
      ret = redirect_branch_edge (e, dest);
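Review bot: `ret->dest->index` will equal `dest->index` once the redirect has succeeded, so the dump line now prints the new destination twice and loses the original one; either read `e->dest->index` into a local before the redirect_edge_succ_nodup call or emit the dump before the call, so the message still identifies the edge that was redirected.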

* Re: Fix a few use-after-free issues
From: Diego Novillo @ 2011-03-21 17:44 UTC (permalink / raw)
  To: Jeff Law; +Cc: gcc-patches

On Mon, Mar 21, 2011 at 13:37, Jeff Law <law@redhat.com> wrote:

> Bootstrapped and regression tested on x86_64-unknown-linux-gnu.  Ok for
> the trunk?

OK.


Diego.

* Re: Fix a few use-after-free issues
From: Jakub Jelinek @ 2011-03-21 17:50 UTC (permalink / raw)
  To: Jeff Law; +Cc: gcc-patches

On Mon, Mar 21, 2011 at 11:37:16AM -0600, Jeff Law wrote:
> Similarly for redirect_edge_succ_nodup in this fragment:
> 
>         ret = redirect_edge_succ_nodup (e, dest);
>         if (dump_file)
>   	fprintf (dump_file, "Fallthru edge %i->%i redirected to %i\n",
>  		 e->src->index, e->dest->index, dest->index);
>       }
> Luckily in this case the use-after-free only occurs when dumping, so it
> won't typically affect end users.

Well, the message is wrong anyway, because e->dest->index will be
dest->index (with the exception that e has been remove_edge, but then it is
the use after free).  Guess the message should be printed before the
redirect_edge_succ_nodup call, or remember e->dest->index in some local
variable and print that variable after the call.

	Jakub

* Re: Fix a few use-after-free issues
From: Jeff Law @ 2011-03-23 14:26 UTC (permalink / raw)
  To: Jakub Jelinek; +Cc: gcc-patches

On 03/21/11 11:50, Jakub Jelinek wrote:
> On Mon, Mar 21, 2011 at 11:37:16AM -0600, Jeff Law wrote:
>> Similarly for redirect_edge_succ_nodup in this fragment:
>>
>>         ret = redirect_edge_succ_nodup (e, dest);
>>         if (dump_file)
>>   	fprintf (dump_file, "Fallthru edge %i->%i redirected to %i\n",
>>  		 e->src->index, e->dest->index, dest->index);
>>       }
>> Luckily in this case the use-after-free only occurs when dumping, so it
>> won't typically affect end users.
> 
> Well, the message is wrong anyway, because e->dest->index will be
> dest->index (with the exception that e has been remove_edge, but then it is
> the use after free).  Guess the message should be printed before the
> redirect_edge_succ_nodup call, or remember e->dest->index in some local
> variable and print that variable after the call.
Yea, I'll just move the message before the call to
redirect_edge_succ_nodup.

jeff

* Re: Fix a few use-after-free issues
From: Jeff Law @ 2011-03-23 17:37 UTC (permalink / raw)
  To: Jakub Jelinek; +Cc: gcc-patches


On 03/23/11 08:25, Jeff Law wrote:
> On 03/21/11 11:50, Jakub Jelinek wrote:
>> On Mon, Mar 21, 2011 at 11:37:16AM -0600, Jeff Law wrote:
>>> Similarly for redirect_edge_succ_nodup in this fragment:
>>>
>>>         ret = redirect_edge_succ_nodup (e, dest);
>>>         if (dump_file)
>>>   	fprintf (dump_file, "Fallthru edge %i->%i redirected to %i\n",
>>>  		 e->src->index, e->dest->index, dest->index);
>>>       }
>>> Luckily in this case the use-after-free only occurs when dumping, so it
>>> won't typically affect end users.
> 
>> Well, the message is wrong anyway, because e->dest->index will be
>> dest->index (with the exception that e has been remove_edge, but then it is
>> the use after free).  Guess the message should be printed before the
>> redirect_edge_succ_nodup call, or remember e->dest->index in some local
>> variable and print that variable after the call.
> Yea, I'll just move the message before the call to
> redirect_edge_succ_nodup.
Attached is the actual patch that was checked in after another bootstrap
and regression test.


[-- Attachment #2: patch --]

Index: cfg.c
===================================================================
*** cfg.c	(revision 171351)
--- cfg.c	(working copy)
*************** redirect_edge_succ_nodup (edge e, basic_
*** 402,409 ****
        if (s->probability > REG_BR_PROB_BASE)
  	s->probability = REG_BR_PROB_BASE;
        s->count += e->count;
-       remove_edge (e);
        redirect_edge_var_map_dup (s, e);
        e = s;
      }
    else
--- 402,409 ----
        if (s->probability > REG_BR_PROB_BASE)
  	s->probability = REG_BR_PROB_BASE;
        s->count += e->count;
        redirect_edge_var_map_dup (s, e);
+       remove_edge (e);
        e = s;
      }
    else
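Review bot: unchanged from the first posting of this patch, and still correct; the same request applies, a comment tying the placement of redirect_edge_var_map_dup (s, e) to the remove_edge (e) that now follows it would protect the ordering.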
Index: cfgrtl.c
===================================================================
*** cfgrtl.c	(revision 171351)
--- cfgrtl.c	(working copy)
*************** cfg_layout_redirect_edge_and_branch (edg
*** 2537,2545 ****
  	  e->flags &= ~EDGE_FALLTHRU;
  	  redirected = redirect_branch_edge (e, dest);
  	  gcc_assert (redirected);
! 	  e->flags |= EDGE_FALLTHRU;
! 	  df_set_bb_dirty (e->src);
! 	  return e;
  	}
        /* In case we are redirecting fallthru edge to the branch edge
  	 of conditional jump, remove it.  */
--- 2537,2545 ----
  	  e->flags &= ~EDGE_FALLTHRU;
  	  redirected = redirect_branch_edge (e, dest);
  	  gcc_assert (redirected);
! 	  redirected->flags |= EDGE_FALLTHRU;
! 	  df_set_bb_dirty (redirected->src);
! 	  return redirected;
  	}
        /* In case we are redirecting fallthru edge to the branch edge
  	 of conditional jump, remove it.  */
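Review bot: identical to the earlier version; REDIRECTED is used for every access after the call and the assert covers the NULL case, so nothing further here beyond the comment already suggested on the first posting.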
*************** cfg_layout_redirect_edge_and_branch (edg
*** 2553,2562 ****
  	      && onlyjump_p (BB_END (src)))
  	    delete_insn (BB_END (src));
  	}
-       ret = redirect_edge_succ_nodup (e, dest);
        if (dump_file)
  	fprintf (dump_file, "Fallthru edge %i->%i redirected to %i\n",
  		 e->src->index, e->dest->index, dest->index);
      }
    else
      ret = redirect_branch_edge (e, dest);
--- 2553,2562 ----
  	      && onlyjump_p (BB_END (src)))
  	    delete_insn (BB_END (src));
  	}
        if (dump_file)
  	fprintf (dump_file, "Fallthru edge %i->%i redirected to %i\n",
  		 e->src->index, e->dest->index, dest->index);
+       ret = redirect_edge_succ_nodup (e, dest);
      }
    else
      ret = redirect_branch_edge (e, dest);
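Review bot: moving the dump ahead of the redirect fixes both the use-after-free and the misleading second field, since `e->dest->index` is now read while E is live and still holds the old destination. Two follow-ups: the message reports the edge as "redirected" before redirect_edge_succ_nodup has run, which is harmless only as long as nothing between the dump and the call can bail out, and this attachment carries no ChangeLog entry for the change, so the cfgrtl.c entry from the first posting should be extended to mention the dump being moved before the call.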

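The contract behind both fixes in this thread (a redirect routine may free the edge it is handed and return the surviving one, so the caller must use only the return value afterwards, and, per Jakub's remark, must read anything it wants to dump before the call), modelled as an added C example that is not GCC code and not from this thread; `toy_redirect_edge`, `redirect_fallthru`, `make_edge` and the `bb`/`edge` types are constructed stand-ins for the GCC structures.

```c
/* Added example, not GCC code: a small model of the contract that bit cfgrtl.c.
   toy_redirect_edge may free the edge it is given and return a different one, so
   the caller may use only the returned pointer afterwards and must read anything
   it wants to report about the old edge before the call.  All names constructed. */
#include <stdlib.h>
#define EDGE_FALLTHRU 1

struct bb { int index; };
struct edge { struct bb *src; struct bb *dest; int flags; };

/* Heap-allocate an edge so that the "freed by the callee" case is real.  */
static struct edge *make_edge (struct bb *src, struct bb *dest, int flags)
{
  struct edge *e = malloc (sizeof *e);
  e->src = src; e->dest = dest; e->flags = flags;
  return e;
}

/* The surviving edge plus the dump-message fields, captured before the call.  */
struct redirect_result { struct edge *edge; int from, old_to, new_to; };

/* If an edge E->src -> DEST already exists (EXISTING), E is freed and the
   existing edge is returned; otherwise E is retargeted in place.  */
static struct edge *toy_redirect_edge (struct edge *e, struct bb *dest,
                                       struct edge *existing)
{
  if (existing && existing->src == e->src && existing->dest == dest)
    {
      free (e);             /* E is dead from here on */
      return existing;
    }
  e->dest = dest;
  return e;
}

/* Caller written the way the patch fixes it: read E before the call, then
   touch only the returned edge.  */
static struct redirect_result redirect_fallthru (struct edge *e, struct bb *dest,
                                                 struct edge *existing)
{
  struct redirect_result r;
  r.from = e->src->index;          /* read while E is still valid */
  r.old_to = e->dest->index;
  r.new_to = dest->index;
  e->flags &= ~EDGE_FALLTHRU;
  r.edge = toy_redirect_edge (e, dest, existing);
  r.edge->flags |= EDGE_FALLTHRU;  /* not e->flags: E may be gone */
  return r;
}
```

Building with AddressSanitizer (`-fsanitize=address`) and changing `r.edge->flags` back to `e->flags` reproduces the class of report the static checkers raised, which is a cheap way to confirm such a fix.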