From mboxrd@z Thu Jan  1 00:00:00 1970
Return-Path: <gcc-patches-return-370174-listarch-gcc-patches=gcc.gnu.org@gcc.gnu.org>
Received: (qmail 21561 invoked by alias); 13 Jun 2014 09:56:47 -0000
Mailing-List: contact gcc-patches-help@gcc.gnu.org; run by ezmlm
Precedence: bulk
List-Id: <gcc-patches.gcc.gnu.org>
List-Archive: <http://gcc.gnu.org/ml/gcc-patches/>
List-Post: <mailto:gcc-patches@gcc.gnu.org>
List-Help: <mailto:gcc-patches-help@gcc.gnu.org>
Sender: gcc-patches-owner@gcc.gnu.org
Received: (qmail 21544 invoked by uid 89); 13 Jun 2014 09:56:46 -0000
Authentication-Results: sourceware.org; auth=none
X-Virus-Found: No
X-Spam-SWARE-Status: No, score=-2.1 required=5.0 tests=AWL,BAYES_00,RCVD_IN_DNSWL_LOW,SPF_PASS autolearn=ham version=3.3.2
X-HELO: service87.mimecast.com
Received: from service87.mimecast.com (HELO service87.mimecast.com) (91.220.42.44) by sourceware.org (qpsmtpd/0.93/v0.84-503-g423c35a) with ESMTP; Fri, 13 Jun 2014 09:56:44 +0000
Received: from cam-owa2.Emea.Arm.com (fw-tnat.cambridge.arm.com [217.140.96.21]) by service87.mimecast.com; Fri, 13 Jun 2014 10:56:41 +0100
Received: from [10.1.208.24] ([10.1.255.212]) by cam-owa2.Emea.Arm.com with Microsoft SMTPSVC(6.0.3790.3959);	 Fri, 13 Jun 2014 10:56:36 +0100
Message-ID: <539ACAD9.7030501@arm.com>
Date: Fri, 13 Jun 2014 09:56:00 -0000
From: Kyrill Tkachov <kyrylo.tkachov@arm.com>
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:24.0) Gecko/20100101 Thunderbird/24.5.0
MIME-Version: 1.0
To: GCC Patches <gcc-patches@gcc.gnu.org>
Subject: [PATCH][genattrtab] Fix memory corruption, allocate enough memory for all bypassed reservations
X-MC-Unique: 114061310564128401
Content-Type: multipart/mixed; boundary="------------080605050308020205040204"
X-IsSubscribed: yes
X-SW-Source: 2014-06/txt/msg01094.txt.bz2

This is a multi-part message in MIME format.
--------------080605050308020205040204
Content-Type: text/plain; charset=WINDOWS-1252; format=flowed
Content-Transfer-Encoding: quoted-printable
Content-length: 1296

Hi all,

I noticed a memory corruption bug while adding some scheduler bypasses=20
in the arm backend.
genattrtab would segfault while processing the bypasses. Valgrind=20
confirmed this.

The problem is that when processing the bypassed reservations,=20
make_automaton_pairs allocates memory in proportion to the number of=20
defined bypasses rather than the number of bypassed reservations. This=20
means that if the number of bypassed reservations is sufficiently larger=20
than the number of bypasses, the loop will overwrite unallocated memory.

I also observed this effect on aarch64, but there was no segfault there,=20
presumably because the number of reservations in aarch64 is much smaller=20
than arm at the moment (we only use two pipeline descriptions in aarch64).

This patch fixes that and valgrind confirms that there's no out of=20
bounds accesses now.

Bootstrapped and tested arm-none-linux-gnueabihf,=20
aarch64-none-linux-gnu, x86_64-linux.

Ok for trunk?

Thanks,
Kyrill

2014-06-13  Kyrylo Tkachov  <kyrylo.tkachov@arm.com>

     * genattrtab.c (n_bypassed): New variable.
     (process_bypasses): Initialise n_bypassed.
     Count number of bypassed reservations.
     (make_automaton_attrs): Allocate space for bypassed reservations
     rather than number of bypasses.=

--------------080605050308020205040204
Content-Type: text/x-patch; name=genattrtab-bypasses.patch
Content-Transfer-Encoding: quoted-printable
Content-Disposition: attachment;
 filename="genattrtab-bypasses.patch"
Content-length: 1264

diff --git a/gcc/genattrtab.c b/gcc/genattrtab.c
index c5ce51c..2b6b3ce 100644
--- a/gcc/genattrtab.c
+++ b/gcc/genattrtab.c
@@ -4766,6 +4766,7 @@ struct bypass_list
=20
 static struct bypass_list *all_bypasses;
 static size_t n_bypasses;
+static size_t n_bypassed;
=20
 static void
 gen_bypass_1 (const char *s, size_t len)
@@ -4811,12 +4812,19 @@ process_bypasses (void)
   struct bypass_list *b;
   struct insn_reserv *r;
=20
+  n_bypassed =3D 0;
+
   /* The reservation list is likely to be much longer than the bypass
      list.  */
   for (r =3D all_insn_reservs; r; r =3D r->next)
     for (b =3D all_bypasses; b; b =3D b->next)
       if (fnmatch (b->pattern, r->name, 0) =3D=3D 0)
-	r->bypassed =3D true;
+        {
+          if (!r->bypassed)
+            n_bypassed++;
+
+          r->bypassed =3D true;
+        }
 }
=20
 /* Check that attribute NAME is used in define_insn_reservation condition
@@ -5075,7 +5083,7 @@ make_automaton_attrs (void)
       process_bypasses ();
=20
       byps_exp =3D rtx_alloc (COND);
-      XVEC (byps_exp, 0) =3D rtvec_alloc (n_bypasses * 2);
+      XVEC (byps_exp, 0) =3D rtvec_alloc (n_bypassed * 2);
       XEXP (byps_exp, 1) =3D make_numeric_value (0);
       for (decl =3D all_insn_reservs, i =3D 0;
 	   decl;=

--------------080605050308020205040204--