[PATCH] Fix UB in ira-costs.c (find_costs_and_classes)

Jakub Jelinek jakub@redhat.com
Tue Jun 20 07:27:00 GMT 2017 

Hi!

bootstrap-ubsan revealed many
../../gcc/ira-costs.c:1747:20: runtime error: member access within null pointer of type 'cost_classes *[107]'
issues.  The problem is that cost_classes_ptr is sometimes NULL, but
in those cases we have early exit:
          if (! allocno_p)
            {
              if (regno_reg_rtx[i] == NULL_RTX)
                continue;	// <----- HERE
              memcpy (temp_costs, COSTS (costs, i), struct_costs_size);
              i_mem_cost = temp_costs->mem_cost;
            }
          else
            {
              if (ira_regno_allocno_map[i] == NULL)
                continue;	// <----- or HERE
...
            }
Still, cost_classes_ptr->classes where classes is an array is UB when
cost_classes_ptr is NULL, so this patch moves it after the if (...) continue;
in both branches (because it is needed both later in the else ...
and after the whole if.

Bootstrapped/regtested on x86_64-linux and i686-linux (with
bootstrap-ubsan), ok for trunk?

2017-06-20  Jakub Jelinek  <jakub@redhat.com>

	* ira-costs.c (find_costs_and_classes): Initialize cost_classes later
	to make sure not to dereference a NULL cost_classes_ptr pointer.

--- gcc/ira-costs.c.jj	2017-06-19 22:56:35.000000000 +0200
+++ gcc/ira-costs.c	2017-06-20 00:27:38.032572231 +0200
@@ -1744,7 +1744,7 @@ find_costs_and_classes (FILE *dump_file)
 	  int best_cost, allocno_cost;
 	  enum reg_class best, alt_class;
 	  cost_classes_t cost_classes_ptr = regno_cost_classes[i];
-	  enum reg_class *cost_classes = cost_classes_ptr->classes;
+	  enum reg_class *cost_classes;
 	  int *i_costs = temp_costs->cost;
 	  int i_mem_cost;
 	  int equiv_savings = regno_equiv_gains[i];
@@ -1755,6 +1755,7 @@ find_costs_and_classes (FILE *dump_file)
 		continue;
 	      memcpy (temp_costs, COSTS (costs, i), struct_costs_size);
 	      i_mem_cost = temp_costs->mem_cost;
+	      cost_classes = cost_classes_ptr->classes;
 	    }
 	  else
 	    {
@@ -1762,6 +1763,7 @@ find_costs_and_classes (FILE *dump_file)
 		continue;
 	      memset (temp_costs, 0, struct_costs_size);
 	      i_mem_cost = 0;
+	      cost_classes = cost_classes_ptr->classes;
 	      /* Find cost of all allocnos with the same regno.  */
 	      for (a = ira_regno_allocno_map[i];
 		   a != NULL;

	Jakub

More information about the Gcc-patches mailing list