This is the mail archive of the gcc@gcc.gnu.org mailing list for the GCC project.


Index Nav: [Date Index] [Subject Index] [Author Index] [Thread Index]
Message Nav: [Date Prev] [Date Next] [Thread Prev] [Thread Next]
Other format: [Raw text]

Re: out of bounds access in insn-automata.c


On 03/23/2016 07:32 AM, Aldy Hernandez wrote:

int
maximal_insn_latency (rtx insn)
{
   int insn_code;

   if (insn == 0)
     insn_code = DFA__ADVANCE_CYCLE;


   else
     {
       insn_code = dfa_insn_code (as_a <rtx_insn *> (insn));
       if (insn_code > DFA__ADVANCE_CYCLE)
         return 0;
     }
   return internal_maximal_insn_latency (insn_code, insn);
}

In the case where insn==0, insn_code is set to the size of
default_latencies[] which will get accessed in the return.

Does insn==0 never happen?

I suspect it never happens in this function. I'd add a gcc_assert to that effect and try a bootstrap/test. Hmm, it seems to be a sel-sched only thing so a normal bootstrap would be meaningless, but from the context it looks fairly clearly like insn is always nonnull.

It looks like this block of code is written by a helper function that is really intended for other purposes than for maximal_insn_latency. Might be worth changing to
 int insn_code = dfa_insn_code (as_a <rtx_insn *> (insn));
 gcc_assert (insn_code <= DFA__ADVANCE_CYCLE);


Bernd


Index Nav: [Date Index] [Subject Index] [Author Index] [Thread Index]
Message Nav: [Date Prev] [Date Next] [Thread Prev] [Thread Next]