[Bug tree-optimization/82977] [8 Regression] AddressSanitizer: heap-use-after-free in strlen_optimize_stmt .././../gcc/tree-ssa-strlen.c:2971

jakub at gcc dot gnu.org gcc-bugzilla@gcc.gnu.org
Tue Nov 14 09:38:00 GMT 2017


https://gcc.gnu.org/bugzilla/show_bug.cgi?id=82977

Jakub Jelinek <jakub at gcc dot gnu.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |ASSIGNED
           Assignee|unassigned at gcc dot gnu.org      |jakub at gcc dot gnu.org

--- Comment #3 from Jakub Jelinek <jakub at gcc dot gnu.org> ---
Created attachment 42599
  --> https://gcc.gnu.org/bugzilla/attachment.cgi?id=42599&action=edit
gcc8-pr82977.patch

Untested fix.  The bug is obvious; hash_map::put does:
  bool put (const Key &k, const Value &v)
    {
      hash_entry *e = m_table.find_slot_with_hash (k, Traits::hash (k),
                                                   INSERT);
      bool existed = !hash_entry::is_empty (*e);
      if (!existed)
        e->m_key = k;

      e->m_value = v;
      return existed;
    }
so passing it a reference to a value inside of the hash map is wrong, because
if the hash map needs to be reallocated, it will make the reference refer to
freed memory.

I'll bootstrap/regtest this.

In any case,
static hash_map<tree, stridx_strlenloc> strlen_to_stridx;
is also wrong because it uselessly requires static initialization.  See e.g.
decl_to_stridxlist_htab next to it, which is a pointer to hash_map instead.

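The reallocation hazard described in the comment above, as an added example that is not part of the bug report, of the attached patch or of GCC's code. It uses a toy open-addressing map shaped like the quoted hash_map::put (ToyMap, put_unsafe, put_safe and copy_within_map are hypothetical names for this illustration): the unsafe variant reads the caller's reference only after the slot lookup has possibly grown the table, exactly the order of the quoted code, while the copy-first variant closes the hazard. The actual fix in gcc8-pr82977.patch is not shown on this page; copying the value before the insert is one generic way to avoid the problem. A genuine read of freed memory is undefined behaviour, so the toy map poisons and keeps the old buffer instead of freeing it; this makes the stale read deterministic where the real table would produce the heap-use-after-free AddressSanitizer reported.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <utility>
#include <vector>

// Written into a discarded table buffer so that a stale read is visible.
constexpr uint64_t kPoison = 0xDEADDEADDEADDEADULL;

// Toy open-addressing map shaped like GCC's hash_map: flat entry array,
// linear probing, reallocation past a load factor.  Hypothetical code.
class ToyMap {
 public:
  explicit ToyMap(std::size_t capacity) : slots_(capacity) {}

  // Same order as the quoted hash_map::put: resolve the slot (which may
  // reallocate), then read through `v`.  A `v` that refers into this map's
  // own storage is read after that storage has been replaced.
  bool put_unsafe(const uint64_t &k, const uint64_t &v) {
    Entry *e = find_slot_for_insert(k);
    bool existed = e->used;
    if (!existed) { e->used = true; e->key = k; }
    e->value = v;  // stale read if find_slot_for_insert() grew the table
    return existed;
  }

  // Hazard removed: copy key and value before anything can reallocate.
  bool put_safe(const uint64_t &k, const uint64_t &v) {
    const uint64_t key_copy = k, value_copy = v;
    Entry *e = find_slot_for_insert(key_copy);
    bool existed = e->used;
    if (!existed) { e->used = true; e->key = key_copy; }
    e->value = value_copy;
    return existed;
  }

  // Pointer into the map's own storage (nullptr if absent): the kind of
  // reference the caller in tree-ssa-strlen.c handed back to put().
  uint64_t *get(uint64_t k) {
    for (std::size_t i = 0; i < slots_.size(); ++i) {
      Entry &e = slots_[(k + i) % slots_.size()];
      if (!e.used) return nullptr;
      if (e.key == k) return &e.value;
    }
    return nullptr;
  }

 private:
  struct Entry { bool used = false; uint64_t key = 0; uint64_t value = 0; };

  Entry *find_slot_for_insert(uint64_t k) {
    // Grow at 50% load: a 4-slot map reallocates on its third insert.
    if ((count_ + 1) * 2 > slots_.size()) grow();
    for (std::size_t i = 0; i < slots_.size(); ++i) {
      Entry &e = slots_[(k + i) % slots_.size()];
      if (!e.used) { ++count_; return &e; }
      if (e.key == k) return &e;
    }
    return nullptr;  // unreachable: the load factor guarantees a free slot
  }

  void grow() {
    std::vector<Entry> old = std::move(slots_);  // old buffer keeps its address
    slots_.assign(old.size() * 2, Entry{});
    for (const Entry &e : old) {
      if (!e.used) continue;
      for (std::size_t i = 0; i < slots_.size(); ++i) {
        Entry &n = slots_[(e.key + i) % slots_.size()];
        if (!n.used) { n = e; break; }
      }
    }
    // A real table frees `old` here; a later read through a reference into
    // it is the heap-use-after-free AddressSanitizer reports.  To keep this
    // demonstration deterministic rather than undefined, the old buffer is
    // poisoned and parked instead of freed.
    for (Entry &e : old) e.value = kPoison;
    graveyard_.push_back(std::move(old));
  }

  std::vector<Entry> slots_;
  std::vector<std::vector<Entry>> graveyard_;
  std::size_t count_ = 0;
};

// Copy the value under key 2 to key 3 through a reference into the map
// itself, the way *ps was passed back into strlen_to_stridx.  Returns the
// value that actually ended up under key 3.
uint64_t copy_within_map(bool use_safe_put) {
  ToyMap m(4);
  m.put_safe(1, 100);
  m.put_safe(2, 200);               // two entries: the next insert reallocates
  const uint64_t &src = *m.get(2);  // reference into the map's own storage
  if (use_safe_put) m.put_safe(3, src); else m.put_unsafe(3, src);
  return *m.get(3);
}

int main() {
  std::printf("unsafe put stored 0x%llx, safe put stored %llu\n",
              (unsigned long long)copy_within_map(false),
              (unsigned long long)copy_within_map(true));
}
```

With the unsafe put the value under key 3 is the poison pattern written into the abandoned buffer, not 200: the reference was still valid when put() was entered and only went stale inside find_slot_for_insert(). Under a real allocator that buffer is freed, which is why the report names strlen_optimize_stmt rather than the hash table itself; the dangling access is performed by hash_map::put on behalf of its caller.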
