This is the mail archive of the gcc-patches@gcc.gnu.org mailing list for the GCC project.
[PATCH] Fix use-after-free in the strlen pass (PR tree-optimization/82977)
- From: Jakub Jelinek <jakub at redhat dot com>
- To: Richard Biener <rguenther at suse dot de>, Martin Sebor <msebor at gmail dot com>
- Cc: gcc-patches at gcc dot gnu dot org
- Date: Tue, 14 Nov 2017 22:04:26 +0100
- Subject: [PATCH] Fix use-after-free in the strlen pass (PR tree-optimization/82977)
- Authentication-results: sourceware.org; auth=none
- Reply-to: Jakub Jelinek <jakub at redhat dot com>
Hi!
strlen_to_stridx.get (rhs1) returns an address into the hash_map, and
strlen_to_stridx.put (lhs, *ps); (in order to be efficient) doesn't make a
copy of the argument just in case, first inserts the slot into it which
may cause reallocation, and only afterwards runs the copy ctor to assign
the value into the new slot. So, passing it a reference to something
in the hash_map is wrong. Fixed thusly, bootstrapped/regtested on
x86_64-linux and i686-linux, ok for trunk?
2017-11-14 Jakub Jelinek <jakub@redhat.com>
PR tree-optimization/82977
* tree-ssa-strlen.c (strlen_optimize_stmt): Pass a reference to a copy
constructed temporary to strlen_to_stridx.put.
--- gcc/tree-ssa-strlen.c.jj 2017-11-13 09:31:30.000000000 +0100
+++ gcc/tree-ssa-strlen.c 2017-11-14 10:28:30.583110162 +0100
@@ -2968,7 +2968,7 @@ strlen_optimize_stmt (gimple_stmt_iterat
tree rhs1 = gimple_assign_rhs1 (stmt);
if (stridx_strlenloc *ps = strlen_to_stridx.get (rhs1))
- strlen_to_stridx.put (lhs, *ps);
+ strlen_to_stridx.put (lhs, stridx_strlenloc (*ps));
}
else if (TREE_CODE (lhs) != SSA_NAME && !TREE_SIDE_EFFECTS (lhs))
{
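Review bot: the explicit temporary in the changed line `strlen_to_stridx.put (lhs, stridx_strlenloc (*ps));` looks like a redundant copy, and nothing next to it explains why it is needed, so a later cleanup could turn it back into `*ps` and reintroduce the use-after-free. Please add a short comment above the call saying that ps points into strlen_to_stridx and that put may reallocate the table before it copies the value. The diff touches only gcc/tree-ssa-strlen.c; a regression test for PR tree-optimization/82977 would also help keep this from coming back.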
Jakub
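The hazard described in the message, as an added example that is not GCC code and not part of the original post: a toy table whose put() reserves the slot before copying the value, with a check for an argument that aliases the table's own storage. SlotTable, Loc and would_dangle are hypothetical names, and the sample values are constructed.

```cpp
#include <cstddef>
#include <cstdio>
#include <functional>
#include <memory>
#include <string>
#include <utility>

// Constructed stand-in for the mapped value; not GCC's stridx_strlenloc.
struct Loc { int idx; std::string where; };

// Toy growable table (hypothetical, not GCC's hash_map): put() reserves the
// slot first, which may reallocate, and only then copies the value in.
class SlotTable {
  std::unique_ptr<Loc[]> slots_;
  std::size_t size_ = 0, cap_ = 0;

  void grow() {
    std::size_t ncap = cap_ ? cap_ * 2 : 1;
    std::unique_ptr<Loc[]> n(new Loc[ncap]());
    for (std::size_t i = 0; i < size_; ++i) n[i] = slots_[i];
    slots_ = std::move(n);  // old storage is freed here
    cap_ = ncap;
  }
public:
  Loc *get(std::size_t i) { return i < size_ ? &slots_[i] : nullptr; }

  // True when v lives in the current storage and the next put() must grow,
  // i.e. the reference would dangle before the copy happens.
  bool would_dangle(const Loc &v) const {
    std::less<const Loc *> lt;
    const Loc *p = &v, *b = slots_.get();
    return cap_ && size_ == cap_ && !lt(p, b) && lt(p, b + cap_);
  }

  std::size_t put(const Loc &v) {
    if (would_dangle(v)) return put(Loc(v));  // copy before the table grows
    if (size_ == cap_) grow();
    slots_[size_] = v;
    return size_++;
  }
};

int main() {
  SlotTable t;
  t.put(Loc{7, "rhs1"});
  Loc *ps = t.get(0);
  std::printf("put(*ps) would dangle: %d\n", t.would_dangle(*ps));
  std::printf("new slot: %zu\n", t.put(*ps));
}
```

The patch makes the same copy at the call site instead of inside put(), which keeps put() free of the aliasing check.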