This is the mail archive of the gcc-patches@gcc.gnu.org mailing list for the GCC project.



Re: [PATCH] Fix use-after-free in the strlen pass (PR tree-optimization/82977)


On 11/14/2017 02:30 PM, Martin Sebor wrote:
> On 11/14/2017 02:10 PM, Jeff Law wrote:
>> On 11/14/2017 02:04 PM, Jakub Jelinek wrote:
>>> Hi!
>>>
>>> strlen_to_stridx.get (rhs1) returns an address into the hash_map, and
>>> strlen_to_stridx.put (lhs, *ps); (in order to be efficient) doesn't make a
>>> copy of the argument just in case, first inserts the slot into it which
>>> may cause reallocation, and only afterwards runs the copy ctor to assign
>>> the value into the new slot.  So, passing it a reference to something
>>> in the hash_map is wrong.  Fixed thusly, bootstrapped/regtested on
>>> x86_64-linux and i686-linux, ok for trunk?
>>>
>>> 2017-11-14  Jakub Jelinek  <jakub@redhat.com>
>>>
>>>     PR tree-optimization/82977
>>>     * tree-ssa-strlen.c (strlen_optimize_stmt): Pass a reference to a copy
>>>     constructed temporary to strlen_to_stridx.put.
>> I've been seeing a couple new tests flip between pass and fail recently.
>>  I wonder if this is the ultimate cause.
> 
> I've been noticing it for quite a while, even before the commit,
> so I suspect something else is going on in addition to this bug.
I'm referring specifically to the Wstringop-truncation tests.  They're
ping-ponging between PASS/FAIL here with alarming regularity and no
sense of rhyme or reason.

If I had to guess I'd guess uninit memory, dangling pointer or the like,
which is precisely the kind of problem the patch is meant to fix.

jeff
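
The hazard described in the quoted patch description, as an added example that is not part of the original message and is not GCC code. ToyMap, StrInfo and the helper functions are hypothetical stand-ins: the toy put() grows its storage before copying the value, as the thread describes, but it also detects and counts an argument that lives in the storage about to be freed, so the demonstration runs without undefined behaviour.

```cpp
#include <cstddef>
#include <cstdio>
#include <functional>
#include <memory>
#include <utility>

// Hypothetical stand-ins for illustration; not GCC's hash_map or strinfo.
struct StrInfo { int idx; long offset; };

class ToyMap {
  std::unique_ptr<StrInfo[]> slots_;
  std::size_t size_ = 0, cap_ = 0;
public:
  int aliased_puts = 0;  // put() calls whose argument lived in slots_ at grow time

  StrInfo *get(std::size_t i) { return i < size_ ? &slots_[i] : nullptr; }

  bool points_into_storage(const StrInfo *p) const {
    std::less<const StrInfo *> lt;  // well-defined order for unrelated pointers
    return cap_ != 0 && !lt(p, slots_.get()) && lt(p, slots_.get() + cap_);
  }

  // Like the put() described in the thread, this grows storage before copying
  // the value. Unlike it, it detects an argument that the grow would leave
  // dangling, counts it, and saves a copy so the demo itself has no UB.
  void put(const StrInfo &v) {
    const StrInfo *src = &v;
    StrInfo saved{};
    if (size_ == cap_) {
      if (points_into_storage(src)) { ++aliased_puts; saved = v; src = &saved; }
      std::size_t ncap = cap_ ? cap_ * 2 : 2;
      std::unique_ptr<StrInfo[]> grown(new StrInfo[ncap]());
      for (std::size_t i = 0; i < size_; ++i) grown[i] = slots_[i];
      slots_ = std::move(grown);  // old storage is freed here
      cap_ = ncap;
    }
    slots_[size_++] = *src;
  }
};

static ToyMap full_map() { ToyMap m; m.put({1, 0}); m.put({2, 8}); return m; }

// Pattern from the bug report: hand put() a reference obtained from get().
int hazardous_pattern() { ToyMap m = full_map(); m.put(*m.get(0)); return m.aliased_puts; }

// Pattern from the fix: copy-construct a temporary, then pass that.
int fixed_pattern() { ToyMap m = full_map(); StrInfo tmp(*m.get(0)); m.put(tmp); return m.aliased_puts; }

int main() { std::printf("hazardous: %d, fixed: %d\n", hazardous_pattern(), fixed_pattern()); }
```

Because the outcome depends on whether a given insertion happens to trigger a reallocation, a bug of this shape can surface as intermittent results; building the real code with AddressSanitizer or running it under Valgrind reports the stale read directly.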

