From patchwork Fri Jun 13 09:56:41 2014
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Kyrylo Tkachov <kyrylo.tkachov@arm.com>
X-Patchwork-Id: 359475
Return-Path: 
 <gcc-patches-return-370174-incoming=patchwork.ozlabs.org@gcc.gnu.org>
X-Original-To: incoming@patchwork.ozlabs.org
Delivered-To: patchwork-incoming@bilbo.ozlabs.org
Received: from sourceware.org (server1.sourceware.org [209.132.180.131])
	(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256
	bits)) (No client certificate requested)
	by ozlabs.org (Postfix) with ESMTPS id C09EB1400EA
	for <incoming@patchwork.ozlabs.org>;
	Fri, 13 Jun 2014 19:56:54 +1000 (EST)
DomainKey-Signature: a=rsa-sha1; c=nofws; d=gcc.gnu.org; h=list-id
	:list-unsubscribe:list-archive:list-post:list-help:sender
	:message-id:date:from:mime-version:to:subject:content-type; q=
	dns; s=default; b=LJV49hohdDwWbQ8uE+lBdkLDvO0rvF3la5OVDYnyhqf2UQ
	1AHtP02l+QBo5QI/4sO+lOUifIGQ5/V3snuxKx5a8Alm+ZFQ1LBE88E0oIzmjzhT
	yad63/5r64Azm1MEn2NMouxWbWWYrUmReGP6KKaAf+vKqQYKgOeYMMf6lLDFg=
DKIM-Signature: v=1; a=rsa-sha1; c=relaxed; d=gcc.gnu.org; h=list-id
	:list-unsubscribe:list-archive:list-post:list-help:sender
	:message-id:date:from:mime-version:to:subject:content-type; s=
	default; bh=p6wTYe3QM7ArSu6pZ+snG/wrKDo=; b=rhLvlY4+BkQOEiwIWtnq
	XOq+LgBj8qXjAitr8Sxk2KX2BruMcifn27/req5+LR48cnlL3CEw5s3BSVifWGDx
	ay6UquP6lUfkqAJycJIphd/pwz6rYkexk2d1aUgTcwKf7NS7Si0/hlaMoU1ahQ1i
	tkDgYyLPtZdm+Nt6iZd3i78=
Received: (qmail 21561 invoked by alias); 13 Jun 2014 09:56:47 -0000
Mailing-List: contact gcc-patches-help@gcc.gnu.org; run by ezmlm
Precedence: bulk
List-Id: <gcc-patches.gcc.gnu.org>
List-Unsubscribe: 
 <mailto:gcc-patches-unsubscribe-incoming=patchwork.ozlabs.org@gcc.gnu.org>
List-Archive: <http://gcc.gnu.org/ml/gcc-patches/>
List-Post: <mailto:gcc-patches@gcc.gnu.org>
List-Help: <mailto:gcc-patches-help@gcc.gnu.org>
Sender: gcc-patches-owner@gcc.gnu.org
Delivered-To: mailing list gcc-patches@gcc.gnu.org
Received: (qmail 21544 invoked by uid 89); 13 Jun 2014 09:56:46 -0000
Authentication-Results: sourceware.org; auth=none
X-Virus-Found: No
X-Spam-SWARE-Status: No, score=-2.1 required=5.0 tests=AWL, BAYES_00,
	RCVD_IN_DNSWL_LOW, SPF_PASS autolearn=ham version=3.3.2
X-HELO: service87.mimecast.com
Received: from service87.mimecast.com (HELO service87.mimecast.com)
	(91.220.42.44) by sourceware.org
	(qpsmtpd/0.93/v0.84-503-g423c35a) with ESMTP;
	Fri, 13 Jun 2014 09:56:44 +0000
Received: from cam-owa2.Emea.Arm.com (fw-tnat.cambridge.arm.com
	[217.140.96.21]) by service87.mimecast.com;
	Fri, 13 Jun 2014 10:56:41 +0100
Received: from [10.1.208.24] ([10.1.255.212]) by cam-owa2.Emea.Arm.com with
	Microsoft SMTPSVC(6.0.3790.3959); Fri, 13 Jun 2014 10:56:36 +0100
Message-ID: <539ACAD9.7030501@arm.com>
Date: Fri, 13 Jun 2014 10:56:41 +0100
From: Kyrill Tkachov <kyrylo.tkachov@arm.com>
User-Agent: Mozilla/5.0 (X11; Linux x86_64;
	rv:24.0) Gecko/20100101 Thunderbird/24.5.0
MIME-Version: 1.0
To: GCC Patches <gcc-patches@gcc.gnu.org>
Subject: [PATCH][genattrtab] Fix memory corruption,
	allocate enough memory for all bypassed reservations
X-MC-Unique: 114061310564128401
X-IsSubscribed: yes

Hi all,

I noticed a memory corruption bug while adding some scheduler bypasses 
in the arm backend.
genattrtab would segfault while processing the bypasses. Valgrind 
confirmed this.

The problem is that when processing the bypassed reservations, 
make_automaton_pairs allocates memory in proportion to the number of 
defined bypasses rather than the number of bypassed reservations. This 
means that if the number of bypassed reservations is sufficiently larger 
than the number of bypasses, the loop will overwrite unallocated memory.

I also observed this effect on aarch64, but there was no segfault there, 
presumably because the number of reservations in aarch64 is much smaller 
than arm at the moment (we only use two pipeline descriptions in aarch64).

This patch fixes that and valgrind confirms that there's no out of 
bounds accesses now.

Bootstrapped and tested arm-none-linux-gnueabihf, 
aarch64-none-linux-gnu, x86_64-linux.

Ok for trunk?

Thanks,
Kyrill

2014-06-13  Kyrylo Tkachov  <kyrylo.tkachov@arm.com>

     * genattrtab.c (n_bypassed): New variable.
     (process_bypasses): Initialise n_bypassed.
     Count number of bypassed reservations.
     (make_automaton_attrs): Allocate space for bypassed reservations
     rather than number of bypasses.

diff --git a/gcc/genattrtab.c b/gcc/genattrtab.c
index c5ce51c..2b6b3ce 100644
--- a/gcc/genattrtab.c
+++ b/gcc/genattrtab.c
@@ -4766,6 +4766,7 @@ struct bypass_list
 
 static struct bypass_list *all_bypasses;
 static size_t n_bypasses;
+static size_t n_bypassed;
 
 static void
 gen_bypass_1 (const char *s, size_t len)
@@ -4811,12 +4812,19 @@ process_bypasses (void)
   struct bypass_list *b;
   struct insn_reserv *r;
 
+  n_bypassed = 0;
+
   /* The reservation list is likely to be much longer than the bypass
      list.  */
   for (r = all_insn_reservs; r; r = r->next)
     for (b = all_bypasses; b; b = b->next)
       if (fnmatch (b->pattern, r->name, 0) == 0)
-	r->bypassed = true;
+        {
+          if (!r->bypassed)
+            n_bypassed++;
+
+          r->bypassed = true;
+        }
 }
 
 /* Check that attribute NAME is used in define_insn_reservation condition
@@ -5075,7 +5083,7 @@ make_automaton_attrs (void)
       process_bypasses ();
 
       byps_exp = rtx_alloc (COND);
-      XVEC (byps_exp, 0) = rtvec_alloc (n_bypasses * 2);
+      XVEC (byps_exp, 0) = rtvec_alloc (n_bypassed * 2);
       XEXP (byps_exp, 1) = make_numeric_value (0);
       for (decl = all_insn_reservs, i = 0;
 	   decl;