[PATCH v2] fix pr62009 use after free in redirect_edge_var_map_dup

Tue Aug 5 20:00:00 GMT 2014

On Tue, Aug 05, 2014 at 02:42:17PM +0200, Richard Biener wrote:
> On Tue, Aug 5, 2014 at 2:32 PM,  <tsaunders@mozilla.com> wrote:
> > From: Trevor Saunders <tsaunders@mozilla.com>
> >
> > hi,
> >
> > The change to get the entry for the old edge before inserting the new
> > one was incorrect because if inserting the new one resized the table
> > then the pointer to the entry for the old one would become invalid.
> >
> > gcc/
> >
> >         * tree-ssa.c (redirect_edge_var_map_dup): insert newe before
> >         getting olde.
> >
> > bootstrapping on and regtest on x86_64-unknown-linux-gnu and bootstrap on
> > i686-linux-gnu ongoing, ok?
> 
> Also works for me.

committed as r213644, thanks.

Trev

> 
> Richard.
> 
> > Trev
> >
> > ---
> >  gcc/tree-ssa.c | 7 ++++---
> >  1 file changed, 4 insertions(+), 3 deletions(-)
> >
> > diff --git a/gcc/tree-ssa.c b/gcc/tree-ssa.c
> > index 920cbea..b6b3718 100644
> > --- a/gcc/tree-ssa.c
> > +++ b/gcc/tree-ssa.c
> > @@ -105,11 +105,12 @@ redirect_edge_var_map_dup (edge newe, edge olde)
> >    if (!edge_var_maps)
> >      return;
> >
> > -  auto_vec<edge_var_map> *head = edge_var_maps->get (olde);
> > -  if (!head)
> > +  auto_vec<edge_var_map> *new_head = &edge_var_maps->get_or_insert (newe);
> > +  auto_vec<edge_var_map> *old_head = edge_var_maps->get (olde);
> > +  if (!old_head)
> >      return;
> >
> > -  edge_var_maps->get_or_insert (newe).safe_splice (*head);
> > +  new_head->safe_splice (*old_head);
> >  }
> >
> >
> > --
> > 2.0.1
> >