Subject: Re: [PATCH] lra: set insn_code_data to NULL when freeing
From: Vladimir Makarov
To: David Malcolm
Cc: Andrea Corallo, gcc-patches@gcc.gnu.org, jit@gcc.gnu.org, nd
Date: Mon, 30 Mar 2020 18:51:50 -0400
In-Reply-To: <20200330160608.10383-1-dmalcolm@redhat.com>
References: <20200330160608.10383-1-dmalcolm@redhat.com>

On 2020-03-30 12:06 p.m., David Malcolm wrote:
> It's a double-free bug in lra.c, albeit one that requires being used
> in a multithreaded way from libgccjit to be triggered.
>
> libgccjit's test-threads.c repeatedly compiles and runs numerous tests,
> each in a separate thread.
>
> Attempting to add an empty test that generates no code leads to a
> double-free ICE within that thread, within lra.c's
> finish_insn_code_data_once.
>
> The root cause is that the insn_code_data array is cleared in
> init_insn_code_data_once, but this is only called the first time
> a cgraph_node is expanded [1], whereas the "loop-over-all-elements
> and free them" is unconditionally called in finalize [2].
> Hence
> if there are no functions:
> * the array is not re-initialized for the empty context
> * when finish_insn_code_data_once is called for the empty context
> it still contains the freed pointers from the previous context
> that held the jit mutex, and hence the free is a double-free.
>
> This patch sets the pointers to NULL after freeing them, fixing
> the ICE. The calls to free are still guarded by a check for NULL,
> which is redundant, but maybe there's a reason for not wanting to
> call "free" on a possibly-NULL value many times on process exit?
> (it makes the diff cleaner, at least)
>
> Fixes the issue in jit.dg.
>
> Full bootstrap & regression test in progress.
>
> Is it OK for master if it passes?

Sure, David.  Thank you for the patch.

> gcc/ChangeLog:
> 	* lra.c (finish_insn_code_data_once): Set the array elements
> 	to NULL after freeing them.
>
> gcc/testsuite/ChangeLog:
> 	* jit.dg/all-non-failing-tests.h: Add test-empty.c
> ---
>  gcc/lra.c                                    |  5 ++++-
>  gcc/testsuite/jit.dg/all-non-failing-tests.h | 10 ++++++++++
>  2 files changed, 14 insertions(+), 1 deletion(-)
>
> diff --git a/gcc/lra.c b/gcc/lra.c
> index d5ea3622686..5e8b75b1fda 100644
> --- a/gcc/lra.c
> +++ b/gcc/lra.c
> @@ -653,7 +653,10 @@ finish_insn_code_data_once (void)
>    for (unsigned int i = 0; i < NUM_INSN_CODES; i++)
>      {
>        if (insn_code_data[i] != NULL)
> -	free (insn_code_data[i]);
> +	{
> +	  free (insn_code_data[i]);
> +	  insn_code_data[i] = NULL;
> +	}
>      }
>  }
>  
> diff --git a/gcc/testsuite/jit.dg/all-non-failing-tests.h b/gcc/testsuite/jit.dg/all-non-failing-tests.h
> index b2acc74ae95..af744192a73 100644
> --- a/gcc/testsuite/jit.dg/all-non-failing-tests.h
> +++ b/gcc/testsuite/jit.dg/all-non-failing-tests.h
> @@ -116,6 +116,13 @@
>  #undef create_code
>  #undef verify_code
>  
> +/* test-empty.c */
> +#define create_code create_code_empty
> +#define verify_code verify_code_empty
> +#include "test-empty.c"
> +#undef create_code
> +#undef verify_code
> +
>  /* test-error-*.c: We don't use these test cases, since they deliberately
>     introduce errors, which we don't want here. */
>  
> @@ -328,6 +335,9 @@ const struct testcase testcases[] = {
>    {"expressions",
>     create_code_expressions,
>     verify_code_expressions},
> +  {"empty",
> +   create_code_empty,
> +   verify_code_empty},
>    {"factorial",
>     create_code_factorial,
>     verify_code_factorial},
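Review bot: the lra.c hunk would benefit from a one-line comment above the new block saying why the slot is reset: as the description explains, init_insn_code_data_once only runs when a function is expanded while this finalizer runs unconditionally, so under libgccjit the loop can run again over the same array and must leave it safe to walk a second time. Without that comment a later cleanup could drop `insn_code_data[i] = NULL;` as a pointless store on process exit. The surrounding `if (insn_code_data[i] != NULL)` guard is indeed redundant, since `free (NULL)` is a no-op and storing NULL into an already-NULL slot is harmless; keeping it for a smaller diff is fine, but a follow-up could reduce the loop body to an unconditional `free (insn_code_data[i]); insn_code_data[i] = NULL;`.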
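Review bot: the first all-non-failing-tests.h hunk only includes test-empty.c, and the diffstat lists two modified files and no new one, so test-empty.c must already exist in jit.dg; the ChangeLog line "Add test-empty.c" therefore reads as if a new file were being created. Wording such as "Include test-empty.c and add it to testcases[]" would describe the change more precisely. Placing the new #define/#include/#undef block before the test-error-*.c comment keeps the include list in alphabetical order.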
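Review bot: in the second all-non-failing-tests.h hunk the new {"empty", create_code_empty, verify_code_empty} entry is inserted after "expressions" and before "factorial", whereas the include hunk earlier in the patch places test-empty.c before test-error-*.c; if testcases[] is meant to follow the same alphabetical order as the includes, the entry belongs before {"expressions", ...}. Not a functional problem, but keeping the two lists in the same order makes them easy to check against each other.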
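The init/finalize asymmetry behind the double free, as an added stand-alone model that is not GCC's lra.c or any code from the patch: the function names mirror the ones the description mentions, but the bodies, the NUM_INSN_CODES value and the tracked_free helper are constructed here to make the second finalize observable instead of undefined behaviour.

```c
#include <stdbool.h>
#include <stdlib.h>
/* Constructed model, not GCC's lra.c: names mirror the patch, bodies are ours.  */
#define NUM_INSN_CODES 4
static void *insn_code_data[NUM_INSN_CODES];
/* Stand-in for a heap checker: a second release of the same pointer is
   counted instead of being handed to free() again (undefined behaviour).  */
static void *released[NUM_INSN_CODES];
static size_t n_released;
static int double_frees;

static void tracked_free (void *p)
{
  for (size_t i = 0; i < n_released; i++)
    if (released[i] == p)
      { double_frees++; return; }  /* the double free behind the ICE */
  released[n_released++] = p;
  free (p);
}
/* Only runs the first time a context expands a function ([1] in the patch).  */
static void init_insn_code_data_once (void)
{
  for (unsigned int i = 0; i < NUM_INSN_CODES; i++)
    insn_code_data[i] = NULL;
}
/* Runs unconditionally at finalize ([2]); null_after_free selects the
   pre-patch (false) or post-patch (true) loop body.  */
static void finish_insn_code_data_once (bool null_after_free)
{
  for (unsigned int i = 0; i < NUM_INSN_CODES; i++)
    if (insn_code_data[i] != NULL)
      {
        tracked_free (insn_code_data[i]);
        if (null_after_free)
          insn_code_data[i] = NULL;
      }
}
/* Context 1 compiles a function (init + allocations); context 2 is empty, so
   init is skipped but finalize still runs.  Returns double frees from run 2.  */
int double_frees_for (bool null_after_free)
{
  double_frees = 0, n_released = 0;
  init_insn_code_data_once ();
  for (unsigned int i = 0; i < NUM_INSN_CODES; i++)
    insn_code_data[i] = malloc (16);  /* constructed per-insn data */
  finish_insn_code_data_once (null_after_free);
  finish_insn_code_data_once (null_after_free);  /* empty context */
  return double_frees;
}
```

With the pre-patch loop body every slot is released twice on the empty context; with the post-patch body the second finalize finds only NULLs and does nothing.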