tree-optimization/114624 - fix use-after-free in SCCP

Message ID	20240408093719.AEE87385842A@sourceware.org
State	New
Headers	show Return-Path: <gcc-patches-bounces+incoming=patchwork.ozlabs.org@gcc.gnu.org> DMARC-Filter: OpenDMARC Filter v1.4.2 sourceware.org 3356A3858D20 Date: Mon, 8 Apr 2024 11:36:55 +0200 (CEST) From: Richard Biener <rguenther@suse.de> To: gcc-patches@gcc.gnu.org Subject: [PATCH] tree-optimization/114624 - fix use-after-free in SCCP MIME-Version: 1.0 Content-Type: text/plain; charset=US-ASCII default: False [-1.74 / 50.00]; BAYES_HAM(-3.00)[100.00%]; MISSING_MID(2.50)[]; NEURAL_HAM_LONG(-0.95)[-0.954]; NEURAL_HAM_SHORT(-0.18)[-0.918]; MIME_GOOD(-0.10)[text/plain]; RCPT_COUNT_ONE(0.00)[1]; RCVD_COUNT_ZERO(0.00)[0]; ARC_NA(0.00)[]; MISSING_XM_UA(0.00)[]; DKIM_SIGNED(0.00)[suse.de:s=susede2_rsa,suse.de:s=susede2_ed25519]; FUZZY_BLOCKED(0.00)[rspamd.com]; FROM_EQ_ENVFROM(0.00)[]; MIME_TRACE(0.00)[0:+]; TO_DN_NONE(0.00)[]; TO_MATCH_ENVRCPT_ALL(0.00)[]; FROM_HAS_DN(0.00)[] Precedence: list Errors-To: gcc-patches-bounces+incoming=patchwork.ozlabs.org@gcc.gnu.org Message-Id: <20240408093719.AEE87385842A@sourceware.org>
Series	tree-optimization/114624 - fix use-after-free in SCCP \| expand tree-optimization/114624 - fix use-after-free in SCCP

Message ID

20240408093719.AEE87385842A@sourceware.org

State

New

Headers

DMARC-Filter: OpenDMARC Filter v1.4.2 sourceware.org 3356A3858D20
Date: Mon, 8 Apr 2024 11:36:55 +0200 (CEST)
From: Richard Biener <rguenther@suse.de>
To: gcc-patches@gcc.gnu.org
Subject: [PATCH] tree-optimization/114624 - fix use-after-free in SCCP
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Precedence: list
Errors-To: gcc-patches-bounces+incoming=patchwork.ozlabs.org@gcc.gnu.org
Message-Id: <20240408093719.AEE87385842A@sourceware.org>

Series

tree-optimization/114624 - fix use-after-free in SCCP | expand

Commit Message

Richard Biener April 8, 2024, 9:36 a.m. UTC

We're inspecting the replaced PHI node after releasing it.

Bootstrapped and tested on x86-64-unknown-linux-gnu, pushed.

	PR tree-optimization/114624
	* tree-scalar-evolution.cc (final_value_replacement_loop):
	Get at the PHI arg location before releasing the PHI node.

	* gcc.dg/torture/pr114624.c: New testcase.
---
 gcc/testsuite/gcc.dg/torture/pr114624.c | 20 ++++++++++++++++++++
 gcc/tree-scalar-evolution.cc            |  4 ++--
 2 files changed, 22 insertions(+), 2 deletions(-)
 create mode 100644 gcc/testsuite/gcc.dg/torture/pr114624.c

diff --git a/gcc/testsuite/gcc.dg/torture/pr114624.c b/gcc/testsuite/gcc.dg/torture/pr114624.c
new file mode 100644
index 00000000000..ae031356982
--- /dev/null
+++ b/gcc/testsuite/gcc.dg/torture/pr114624.c
@@ -0,0 +1,20 @@ 
+/* { dg-do compile } */
+
+int a, b;
+int main() {
+  int c, d = 1;
+  while (a) {
+    while (b)
+      if (d)
+        while (a)
+          ;
+    for (; b < 2; b++)
+      if (b)
+        for (c = 0; c < 8; c++)
+          d = 0;
+      else
+        for (a = 0; a < 2; a++)
+          ;
+  }
+  return 0;
+}
diff --git a/gcc/tree-scalar-evolution.cc b/gcc/tree-scalar-evolution.cc
index 25e3130e2f1..b0a5e09a77c 100644
--- a/gcc/tree-scalar-evolution.cc
+++ b/gcc/tree-scalar-evolution.cc
@@ -3877,6 +3877,7 @@  final_value_replacement_loop (class loop *loop)
 	 to a GIMPLE sequence or to a statement list (keeping this a
 	 GENERIC interface).  */
       def = unshare_expr (def);
+      auto loc = gimple_phi_arg_location (phi, exit->dest_idx);
       remove_phi_node (&psi, false);
 
       /* Propagate constants immediately, but leave an unused initialization
@@ -3888,8 +3889,7 @@  final_value_replacement_loop (class loop *loop)
       gimple_seq stmts;
       def = force_gimple_operand (def, &stmts, false, NULL_TREE);
       gassign *ass = gimple_build_assign (rslt, def);
-      gimple_set_location (ass,
-			   gimple_phi_arg_location (phi, exit->dest_idx));
+      gimple_set_location (ass, loc);
       gimple_seq_add_stmt (&stmts, ass);
 
       /* If def's type has undefined overflow and there were folded

tree-optimization/114624 - fix use-after-free in SCCP

Commit Message

Patch