Fix REE from using freed memory (PR bootstrap/52041)

Message ID	20120131081915.GL18768@tyan-ft48-01.lab.bos.redhat.com
State	New
Headers	show Return-Path: <gcc-patches-return-312381-incoming=patchwork.ozlabs.org@gcc.gnu.org> Comment: DKIM? See http://www.dkim.org Comment: DomainKeys? See http://antispam.yahoo.com/domainkeys DomainKey-Signature: a=rsa-sha1; q=dns; c=nofws; s=default; d=gcc.gnu.org; h=Received:Received:X-SWARE-Spam-Status:X-Spam-Check-By:Received:Received:Received:Received:Received:Date:From:To:Cc:Subject:Message-ID:Reply-To:MIME-Version:Content-Type:Content-Disposition:User-Agent:X-IsSubscribed:Mailing-List:Precedence:List-Id:List-Unsubscribe:List-Archive:List-Post:List-Help:Sender:Delivered-To; b=KX7/tMbX+KKIaWOLXBDITwkRTmLZYlDcvyUeuRvQuaQcuoaToMU3BVBUsuCqgF vvcP9qap9zwTeuU3Hy8ZROK2FP76q0yIu1u8W1Q8Enog8fFsTaWsCVWwnnKmHa4J ts8g8Lt+KnJKDpJFxKWw8ltiNrW62W6BvOJrz7/xdjYRA=; Date: Tue, 31 Jan 2012 09:19:15 +0100 From: Jakub Jelinek <jakub@redhat.com> To: Eric Botcazou <ebotcazou@adacore.com>, Richard Guenther <rguenther@suse.de> Cc: gcc-patches@gcc.gnu.org Subject: [PATCH] Fix REE from using freed memory (PR bootstrap/52041) Message-ID: <20120131081915.GL18768@tyan-ft48-01.lab.bos.redhat.com> Reply-To: Jakub Jelinek <jakub@redhat.com> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline User-Agent: Mutt/1.5.21 (2010-09-15) Mailing-List: contact gcc-patches-help@gcc.gnu.org; run by ezmlm Precedence: bulk Sender: gcc-patches-owner@gcc.gnu.org

Message ID

20120131081915.GL18768@tyan-ft48-01.lab.bos.redhat.com

State

New

Headers

Comment: DKIM? See http://www.dkim.org
Comment: DomainKeys? See http://antispam.yahoo.com/domainkeys
DomainKey-Signature: a=rsa-sha1; q=dns; c=nofws; s=default; d=gcc.gnu.org;
	h=Received:Received:X-SWARE-Spam-Status:X-Spam-Check-By:Received:Received:Received:Received:Received:Date:From:To:Cc:Subject:Message-ID:Reply-To:MIME-Version:Content-Type:Content-Disposition:User-Agent:X-IsSubscribed:Mailing-List:Precedence:List-Id:List-Unsubscribe:List-Archive:List-Post:List-Help:Sender:Delivered-To;
	b=KX7/tMbX+KKIaWOLXBDITwkRTmLZYlDcvyUeuRvQuaQcuoaToMU3BVBUsuCqgF
	vvcP9qap9zwTeuU3Hy8ZROK2FP76q0yIu1u8W1Q8Enog8fFsTaWsCVWwnnKmHa4J
	ts8g8Lt+KnJKDpJFxKWw8ltiNrW62W6BvOJrz7/xdjYRA=;
Date: Tue, 31 Jan 2012 09:19:15 +0100
From: Jakub Jelinek <jakub@redhat.com>
To: Eric Botcazou <ebotcazou@adacore.com>,
	Richard Guenther <rguenther@suse.de>
Cc: gcc-patches@gcc.gnu.org
Subject: [PATCH] Fix REE from using freed memory (PR bootstrap/52041)
Message-ID: <20120131081915.GL18768@tyan-ft48-01.lab.bos.redhat.com>
Reply-To: Jakub Jelinek <jakub@redhat.com>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
User-Agent: Mutt/1.5.21 (2010-09-15)
Mailing-List: contact gcc-patches-help@gcc.gnu.org; run by ezmlm
Precedence: bulk
Sender: gcc-patches-owner@gcc.gnu.org

Commit Message

Jakub Jelinek Jan. 31, 2012, 8:19 a.m. UTC

Hi!

find_removable_extensions/add_removable_extensions was storing pointers
into the *insn_list vector in def_map array.  Unfortunately when
the vector is reallocated, this may result in all the pointers pointing
into freed memory.  Detected by valgrind, fixed by instead just
storing the vector indexes (+ 1, so that 0 means former NULL),
bootstrapped/regtested on x86_64-linux and i686-linux, ok for trunk?

For 4.8 I think the def_map array could be dropped altogether, now
that we keep the UD/DU links, but this change looks smaller and safer.

2012-01-31  Jakub Jelinek  <jakub@redhat.com>

	PR bootstrap/52041
	PR bootstrap/52039
	PR target/51974
	* ree.c (add_removable_extension): Change def_map argument
	to unsigned *, store in def_map 1 + offset into *insn_list vector
	instead of pointers into the vector.
	(find_removable_extensions): Adjust caller.


	Jakub

Comments

Eric Botcazou Jan. 31, 2012, 8:28 a.m. UTC | #1

> 2012-01-31  Jakub Jelinek  <jakub@redhat.com>
>
> 	PR bootstrap/52041
> 	PR bootstrap/52039
> 	PR target/51974
> 	* ree.c (add_removable_extension): Change def_map argument
> 	to unsigned *, store in def_map 1 + offset into *insn_list vector
> 	instead of pointers into the vector.
> 	(find_removable_extensions): Adjust caller.

OK, thanks.

--- gcc/ree.c.jj	2012-01-30 00:10:01.205444366 +0100
+++ gcc/ree.c	2012-01-30 22:54:00.864425203 +0100
@@ -747,10 +747,11 @@  combine_reaching_defs (ext_cand *cand, c
 static void
 add_removable_extension (const_rtx expr, rtx insn,
 			 VEC (ext_cand, heap) **insn_list,
-			 ext_cand **def_map)
+			 unsigned *def_map)
 {
   enum rtx_code code;
   enum machine_mode mode;
+  unsigned int idx;
   rtx src, dest;
 
   /* We are looking for SET (REG N) (ANY_EXTEND (REG N)).  */
@@ -786,7 +787,8 @@  add_removable_extension (const_rtx expr,
       /* Second, make sure the reaching definitions don't feed another and
 	 different extension.  FIXME: this obviously can be improved.  */
       for (def = defs; def; def = def->next)
-	if ((cand = def_map[INSN_UID(DF_REF_INSN (def->ref))])
+	if ((idx = def_map[INSN_UID(DF_REF_INSN (def->ref))])
+	    && (cand = VEC_index (ext_cand, *insn_list, idx - 1))
 	    && (cand->code != code || cand->mode != mode))
 	  {
 	    if (dump_file)
@@ -805,9 +807,10 @@  add_removable_extension (const_rtx expr,
       cand->code = code;
       cand->mode = mode;
       cand->insn = insn;
+      idx = VEC_length (ext_cand, *insn_list);
 
       for (def = defs; def; def = def->next)
-	def_map[INSN_UID(DF_REF_INSN (def->ref))] = cand;
+	def_map[INSN_UID(DF_REF_INSN (def->ref))] = idx;
     }
 }
 
@@ -820,7 +823,7 @@  find_removable_extensions (void)
   VEC (ext_cand, heap) *insn_list = NULL;
   basic_block bb;
   rtx insn, set;
-  ext_cand **def_map = XCNEWVEC (ext_cand *, max_insn_uid);
+  unsigned *def_map = XCNEWVEC (unsigned, max_insn_uid);
 
   FOR_EACH_BB (bb)
     FOR_BB_INSNS (bb, insn)

Fix REE from using freed memory (PR bootstrap/52041)

Commit Message

Comments

Patch