From patchwork Mon Apr 8 09:36:55 2024
X-Patchwork-Submitter: Richard Biener
X-Patchwork-Id: 88156
Date: Mon, 8 Apr 2024 11:36:55 +0200 (CEST)
From: Richard Biener
To: gcc-patches@gcc.gnu.org
Subject: [PATCH] tree-optimization/114624 - fix use-after-free in SCCP
Message-Id: <20240408093730.4A8353858C32@sourceware.org>

We're inspecting the replaced PHI node after releasing it.

Bootstrapped and tested on x86-64-unknown-linux-gnu, pushed.

	PR tree-optimization/114624
	* tree-scalar-evolution.cc (final_value_replacement_loop): Get at
	the PHI arg location before releasing the PHI node.

	* gcc.dg/torture/pr114624.c: New testcase.
--- gcc/testsuite/gcc.dg/torture/pr114624.c | 20 ++++++++++++++++++++ gcc/tree-scalar-evolution.cc | 4 ++-- 2 files changed, 22 insertions(+), 2 deletions(-) create mode 100644 gcc/testsuite/gcc.dg/torture/pr114624.c diff --git a/gcc/testsuite/gcc.dg/torture/pr114624.c b/gcc/testsuite/gcc.dg/torture/pr114624.c new file mode 100644 index 00000000000..ae031356982 --- /dev/null
+++ b/gcc/testsuite/gcc.dg/torture/pr114624.c @@ -0,0 +1,20 @@ +/* { dg-do compile } */ + +int a, b; +int main() { + int c, d = 1; + while (a) { + while (b) + if (d) + while (a) + ; + for (; b < 2; b++) + if (b) + for (c = 0; c < 8; c++) + d = 0; + else + for (a = 0; a < 2; a++) + ; + } + return 0; +} diff --git a/gcc/tree-scalar-evolution.cc b/gcc/tree-scalar-evolution.cc index 25e3130e2f1..b0a5e09a77c 100644 --- a/gcc/tree-scalar-evolution.cc +++ b/gcc/tree-scalar-evolution.cc @@ -3877,6 +3877,7 @@ final_value_replacement_loop (class loop *loop) to a GIMPLE sequence or to a statement list (keeping this a GENERIC interface). */ def = unshare_expr (def); + auto loc = gimple_phi_arg_location (phi, exit->dest_idx); remove_phi_node (&psi, false); /* Propagate constants immediately, but leave an unused initialization @@ -3888,8 +3889,7 @@ final_value_replacement_loop (class loop *loop) gimple_seq stmts; def = force_gimple_operand (def, &stmts, false, NULL_TREE); gassign *ass = gimple_build_assign (rslt, def); - gimple_set_location (ass, - gimple_phi_arg_location (phi, exit->dest_idx)); + gimple_set_location (ass, loc); gimple_seq_add_stmt (&stmts, ass); /* If def's type has undefined overflow and there were folded
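Review bot: In gcc.dg/torture/pr114624.c the only directive is `/* { dg-do compile } */`, so the test can only catch a regression if the stale read of the released PHI makes the compiler itself fail, which depends on how the host build treats released nodes. A short comment at the top of the file saying that the test exercises a use-after-free in final value replacement, and that it is expected to be caught by a checking or sanitized compiler build, would tell the next reader why a plain compile-only test with no scan is sufficient here.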
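Review bot: In the tree-scalar-evolution.cc hunk at @@ -3877, the new `auto loc = gimple_phi_arg_location (phi, exit->dest_idx);` line has no comment explaining that it must stay above `remove_phi_node (&psi, false);`, so a later cleanup could move the call back to its point of use and reintroduce the read of the released PHI. A one-line comment such as "Fetch the location before the PHI is released below" would record the ordering constraint, and spelling the type out instead of `auto` would make it clear at a glance that `loc` is a plain value copied out of the PHI and not a reference into it.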
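Review bot: In the tree-scalar-evolution.cc hunk at @@ -3888, the replacement of `gimple_phi_arg_location (phi, exit->dest_idx)` with `loc` removes one read of `phi` after `remove_phi_node`, but `phi` itself stays in scope and the visible context is cut off before the end of the block, so it is not evident from the patch that no other read of `phi` follows. It would be worth confirming that in the rest of the loop body, and clearing the local `phi` pointer right after the release would turn any remaining or future use into an immediate, obvious failure instead of a silent read of freed memory.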