https://gcc.gnu.org/bugzilla/show_bug.cgi?id=103449

--- Comment #3 from Martin Liška <marxin at gcc dot gnu.org> ---
(In reply to Martin Jambor from comment #2)
> The second "Invalid read of size 8" can be avoided with the following
> (untested but correct):
> 
> diff --git a/gcc/ipa-param-manipulation.c b/gcc/ipa-param-manipulation.c
> index 479c20b3871..ff65dad0971 100644
> --- a/gcc/ipa-param-manipulation.c
> +++ b/gcc/ipa-param-manipulation.c
> @@ -1280,8 +1280,9 @@ ipa_param_body_adjustments::prepare_debug_expressions
> (tree dead_ssa)
>           && TREE_CODE (gimple_assign_rhs1 (def)) == SSA_NAME)
>         {
>           tree *d = m_dead_ssa_debug_equiv.get (gimple_assign_rhs1 (def));
> +         gcc_assert (*d);
>           m_dead_ssa_debug_equiv.put (dead_ssa, *d);
> -         return (*d != NULL_TREE);
> +         return true;
>         }
>  
>        tree val
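Review bot: this still leaves the dangling read in `m_dead_ssa_debug_equiv.put (dead_ssa, *d);`, because `*d` is a reference into the map's own table (hash_map::put takes the value by const reference) and, when put grows the table, that reference is read inside put after the old storage was released, which matches the first "Invalid read" being reported from within put(). Copy the value out before calling put, e.g. `tree d = *m_dead_ssa_debug_equiv.get (gimple_assign_rhs1 (def));` followed by `m_dead_ssa_debug_equiv.put (dead_ssa, d);`. The added `gcc_assert (*d);` also dereferences `d` before anything checks that get() found the key (it returns NULL when it did not).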
> 
> 
> But the first one, at least at this point, is somewhat a mystery to
> me.  It happens within the m_dead_ssa_debug_equiv.put() just before
> the return... and, if I understand the valgrind output well, it seems
> that inside that hash_map<tree, tree> its m_table.find_slot_with_hash
> returned a pointer to a memory the same m_table released before?

I think the fix for that is:

diff --git a/gcc/ipa-param-manipulation.c b/gcc/ipa-param-manipulation.c
index 479c20b3871..163af94cde0 100644
--- a/gcc/ipa-param-manipulation.c
+++ b/gcc/ipa-param-manipulation.c
@@ -1279,9 +1279,10 @@ ipa_param_body_adjustments::prepare_debug_expressions
(tree dead_ssa)
       if (gimple_assign_copy_p (def)
          && TREE_CODE (gimple_assign_rhs1 (def)) == SSA_NAME)
        {
-         tree *d = m_dead_ssa_debug_equiv.get (gimple_assign_rhs1 (def));
-         m_dead_ssa_debug_equiv.put (dead_ssa, *d);
-         return (*d != NULL_TREE);
+         tree d = *m_dead_ssa_debug_equiv.get (gimple_assign_rhs1 (def));
+         gcc_assert (d);
+         m_dead_ssa_debug_equiv.put (dead_ssa, d);
+         return true;
        }

       tree val
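Review bot: `tree d = *m_dead_ssa_debug_equiv.get (gimple_assign_rhs1 (def));` dereferences the pointer returned by get() before `gcc_assert (d);` runs, so an absent key becomes a NULL dereference instead of an assertion failure; check the pointer first, e.g. `tree *dp = m_dead_ssa_debug_equiv.get (gimple_assign_rhs1 (def)); gcc_assert (dp && *dp); tree d = *dp;`. Copying the value into a local `tree` before put() is the right fix for the reallocation, since put() takes the value by reference and may grow the table before storing it.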

What likely happens is that 'tree *d' is a pointer to the hash_map. Then you
want to put another item in the same hash_map (m_dead_ssa_debug_equiv.put);
it's resized, and then the dereference of d happens, and it's the invalid read,
as it points to the map before it was grown (reallocated).
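
The reallocation mechanism described above, as an added example that is not GCC code: a toy map with the same inline-value layout and a put() that takes its value by const reference, as GCC's hash_map::put does, showing the original pattern reading a retired table and the fixed pattern copying the value out first. ToyMap, copy_via_pointer and copy_via_value are hypothetical names.

```cpp
// Added example, not GCC code: a toy open-addressing map that keeps values
// inline in one array, as GCC's hash_map does, so a pointer from get() dies
// when put() grows the table. Retired storage is poisoned and kept alive,
// never freed, so the stale read is deterministic (no real use-after-free).
#include <string>
#include <vector>

struct ToyMap {
  struct Slot { int key; std::string value; bool used; };
  std::vector<Slot> table = std::vector<Slot>(2);
  std::vector<std::vector<Slot>> stale;  // retired tables, poisoned not freed
  std::size_t count = 0;
  std::string *get(int key) {  // nullptr when the key is absent
    for (std::size_t i = 0; i < table.size(); ++i) {
      std::size_t j = (static_cast<std::size_t>(key) + i) % table.size();
      if (!table[j].used) return nullptr;
      if (table[j].key == key) return &table[j].value;
    }
    return nullptr;
  }
  // Like hash_map::put, the value arrives by const reference.
  void put(int key, const std::string &value) {
    if ((count + 1) * 2 > table.size()) grow();  // moves every stored value
    for (std::size_t i = 0;; ++i) {
      std::size_t j = (static_cast<std::size_t>(key) + i) % table.size();
      if (!table[j].used) { table[j] = Slot{key, value, true}; ++count; return; }
      if (table[j].key == key) { table[j].value = value; return; }
    }
  }
  void grow() {
    std::vector<Slot> old; old.swap(table);  // 'old' now owns the buffer callers point into
    table.assign(old.size() * 2, Slot());
    count = 0;
    for (const Slot &s : old) if (s.used) put(s.key, s.value);
    for (Slot &s : old) s.value = "<stale>";  // poison the retired storage
    stale.emplace_back(); stale.back().swap(old);  // keep it alive, never free it
  }
};

// Pattern from the original code: a pointer into the map is read after put().
std::string copy_via_pointer(ToyMap &m, int from, int to) {
  std::string *d = m.get(from);
  m.put(to, *d);      // *d references the old table; put() grows it first
  return *m.get(to);  // "<stale>" instead of the value stored under 'from'
}
// Pattern from the fix: copy the value out before mutating the map.
std::string copy_via_value(ToyMap &m, int from, int to) {
  std::string d = *m.get(from);
  m.put(to, d);
  return *m.get(to);  // the value stored under 'from'
}
```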
