[PATCH] fix pr62009 use after free in redirect_edge_var_map_dup
Richard Biener
richard.guenther@gmail.com
Tue Aug 5 08:45:00 GMT 2014
On Mon, Aug 4, 2014 at 3:04 PM, <tsaunders@mozilla.com> wrote:
> From: Trevor Saunders <tsaunders@mozilla.com>
>
> Hi,
>
> It used to be that edge_var_maps held pointers to embedded vectors, but
> now it holds vectors. This means that now instead of copying the
> address of the embedded vector from the table we keep a pointer into the
> table. However that's incorrect because we may expand the table when
> inserting new into the map in which case our pointer into the map points
> at freed memory.
>
> gcc/
>
> * tree-ssa.c (redirect_edge_var_map_dup): copy the value in the
> map for old before inserting new.
>
> testing ongoing on x86_64-unknown-linux-gnu, ok?
Umm... can you explore what it takes to instead store some kind of
indexes?
That is, how is the above not an issue for other 'head's that may be
live somewhere?
Or can you restore what "used to be"?
Thanks,
Richard.
> Trev
>
> ---
> gcc/tree-ssa.c | 6 +++++-
> 1 file changed, 5 insertions(+), 1 deletion(-)
>
> diff --git a/gcc/tree-ssa.c b/gcc/tree-ssa.c
> index 920cbea..b949d48 100644
> --- a/gcc/tree-ssa.c
> +++ b/gcc/tree-ssa.c
> @@ -109,7 +109,11 @@ redirect_edge_var_map_dup (edge newe, edge olde)
> if (!head)
> return;
>
> - edge_var_maps->get_or_insert (newe).safe_splice (*head);
> + /* Save what head points at because if we need to insert new into the map we
> + may end up expanding the table in which case head will no longer point at
> + valid memory. */
> + vec<edge_var_map> h = *head;
> + edge_var_maps->get_or_insert (newe).safe_splice (h);
> }
>
>
> --
> 2.0.1
>
More information about the Gcc-patches
mailing list