From patchwork Mon Feb 10 22:58:24 2025
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Nathaniel Shead <nathanieloshead@gmail.com>
X-Patchwork-Id: 106313
Return-Path: <gcc-patches-bounces~patchwork=sourceware.org@gcc.gnu.org>
X-Original-To: patchwork@sourceware.org
Delivered-To: patchwork@sourceware.org
Received: from server2.sourceware.org (localhost [IPv6:::1])
	by sourceware.org (Postfix) with ESMTP id B62C0385783B
	for <patchwork@sourceware.org>; Mon, 10 Feb 2025 22:59:36 +0000 (GMT)
DKIM-Filter: OpenDKIM Filter v2.11.0 sourceware.org B62C0385783B
Authentication-Results: sourceware.org;
	dkim=pass (2048-bit key,
 unprotected) header.d=gmail.com header.i=@gmail.com header.a=rsa-sha256
 header.s=20230601 header.b=hCX/0koE
X-Original-To: gcc-patches@gcc.gnu.org
Delivered-To: gcc-patches@gcc.gnu.org
Received: from mail-pl1-x62f.google.com (mail-pl1-x62f.google.com
 [IPv6:2607:f8b0:4864:20::62f])
 by sourceware.org (Postfix) with ESMTPS id 172823857C7B
 for <gcc-patches@gcc.gnu.org>; Mon, 10 Feb 2025 22:58:30 +0000 (GMT)
DMARC-Filter: OpenDMARC Filter v1.4.2 sourceware.org 172823857C7B
Authentication-Results: sourceware.org;
 dmarc=pass (p=none dis=none) header.from=gmail.com
Authentication-Results: sourceware.org; spf=pass smtp.mailfrom=gmail.com
ARC-Filter: OpenARC Filter v1.0.0 sourceware.org 172823857C7B
Authentication-Results: server2.sourceware.org;
 arc=none smtp.remote-ip=2607:f8b0:4864:20::62f
ARC-Seal: i=1; a=rsa-sha256; d=sourceware.org; s=key; t=1739228310; cv=none;
 b=ZA6Ww1g3ernhmUDXdfeDOozONNb9JROJz+xRk0dl6h6CjZy8pumXv5p1YdbhpjGsuK4i7rNkAPvSr+yft42Oy3BNUzWWu3+U/nuXAug2y6XW2wrkSaQchbqSR7aKMoTSn1bsr62XVPJ1bJRsJCDFv8U+h9ZAF+wbkiporEYd+ak=
ARC-Message-Signature: i=1; a=rsa-sha256; d=sourceware.org; s=key;
 t=1739228310; c=relaxed/simple;
 bh=rs3oMGkSHp3gvBnz/evn129a//2RJsMOAul6fdQnzHk=;
 h=DKIM-Signature:Message-ID:Date:From:To:Subject:MIME-Version;
 b=CFg1FTKewTtpUZ8BhE1r+GRxKQYf0XlllkCLNDaQy2HxGIYMYjVSnt00dq/vo/Si8atp/KTtnyEsOkUKBbh9ZWqrBCJ4LLD0CPzWWuLcqw4Hl4bKsM+kAId0vRgPqIPIC53mgq5mPNF/tWeTN0rAvVoODoTv85N6qFmLXgexTbM=
ARC-Authentication-Results: i=1; server2.sourceware.org
DKIM-Filter: OpenDKIM Filter v2.11.0 sourceware.org 172823857C7B
Received: by mail-pl1-x62f.google.com with SMTP id
 d9443c01a7336-2166db59927so10157575ad.0
 for <gcc-patches@gcc.gnu.org>; Mon, 10 Feb 2025 14:58:30 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
 d=gmail.com; s=20230601; t=1739228309; x=1739833109; darn=gcc.gnu.org;
 h=content-disposition:mime-version:subject:cc:to:from:date:message-id
 :from:to:cc:subject:date:message-id:reply-to;
 bh=pG7G0xaPvQSA7oUnHJrsUSTK4MvCefs7KpROJFdoHXo=;
 b=hCX/0koEk++NZZ0d/Z9Dq/8vfWualvFqKgoUdvHFasIUsF1AZoZVSj6CDx03RLa9BY
 b3VbWcp7F/TKm7ixtpEEpxCQOi6eHmr5Z0RcyMM2hbwiurDTnRgXlcOMiy+qVaUIyiqA
 YovCWBT2tA8paVUAq2YTlhnbLSZA7TWiJbjPwg6LWekyJ7OXQya+iyqNHY/FFCmwvg2N
 PEHVi8xFcbSTzPfAyWdVnpRykyEszU+PD4HaULT+yMEbNB8YSNP7fxXLf/4HRtf/+bpU
 hLzQmKYHex+ZTQub2ZShRka0Vm99T7OHdGpE8ivVC7b97DCgIFd96HmFqRGY6MgTAJZi
 tj6Q==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
 d=1e100.net; s=20230601; t=1739228309; x=1739833109;
 h=content-disposition:mime-version:subject:cc:to:from:date:message-id
 :x-gm-message-state:from:to:cc:subject:date:message-id:reply-to;
 bh=pG7G0xaPvQSA7oUnHJrsUSTK4MvCefs7KpROJFdoHXo=;
 b=HkG+peB+TzGylgSck3vkYe89NAB/qHdnk0cG+lfiJ/Sn+OoriVpOiQzMV3Hk5i3B11
 g+ekfD0SRqNixCPRQWTZI2yqGc9SYlWsABNeOhr55dJVQM35K7k/N63WHtMY+o7u9/x6
 D4Z4jP2QfONJLDUbV1s5p8034m6Ga3dyhExnxg4Z/emkOPfltHqnkzbiYkdJLaR97tP/
 D+gls0RJb2kUsLecpyXKZytGzzv33xh5/yG3p0+NGdBt/evb4EJ1JQWPolsnLPjRssRE
 HThZhn6i9Z9SRK7FbSzjHj9hFJXjtj5Kf9ganW1JfMaYzuhOsNvwFWz6KMP1eb7kyX2T
 40pQ==
X-Gm-Message-State: AOJu0YwpJvpyIiyR86m5ludUfiGmRHA41juJMeWBKIcyVjIDtJJXxhYM
 BK/yoHujZ5XWbIxhW/Jg13yJkWGTtQa68+gNdOhWOmir+87+ml95mSKyiA==
X-Gm-Gg: ASbGnctl7QrxrxQCo2NW/7zXk3/syZFLTLZeSDKbC27bh/jBqnm4NUbQkZRhzQ33N2X
 +xOx08kx8Zuul+m4EoFBZVdzeHUdx5msaFjDUT9wSkUxiZDdsR9ZSKsQSJLJV2gjpE1llSzem3T
 59//VskFE87pg01liS6zZJIcll8J9xglol5nvzy0cg2hp697PXD0WUJVK6fCCcOkCHMz4Cych4m
 AXRVrWTe9GIKIH5EkHPFtVRDceYlW+JE0DXCJegwVL+gXYcn4UDETCJrJ0W98yKtkY7cFeZrhpV
 BAq9TjIKJd87ICTgp53QwY12p4eYcqY+gQhUZyloRU2//Yavcuf8CNwH
X-Google-Smtp-Source: 
 AGHT+IF5n8J1CHFpYKFD3qIxctYxgCSgtvLe1ShgbVeF7qOlUOJwhH9YEF1hZ8QAtobjUguIaE2ZRw==
X-Received: by 2002:a17:902:da88:b0:215:a81b:42e1 with SMTP id
 d9443c01a7336-21fbb8f4f99mr846105ad.8.1739228308933;
 Mon, 10 Feb 2025 14:58:28 -0800 (PST)
Received: from Thaum. (163-47-68-2.ipv4.originbroadband.com.au. [163.47.68.2])
 by smtp.gmail.com with ESMTPSA id
 d9443c01a7336-21f3687c6ecsm84758455ad.198.2025.02.10.14.58.27
 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256);
 Mon, 10 Feb 2025 14:58:28 -0800 (PST)
Message-ID: <67aa8494.170a0220.da597.54a5@mx.google.com>
X-Google-Original-Message-ID: <Z6qEkGl_drXUimSM@Thaum.>
Date: Tue, 11 Feb 2025 09:58:24 +1100
From: Nathaniel Shead <nathanieloshead@gmail.com>
To: gcc-patches@gcc.gnu.org
Cc: Jason Merrill <jason@redhat.com>
Subject: [PATCH] c++: Fix use-after-free of replaced friend instantiation
 [PR118807]
MIME-Version: 1.0
Content-Disposition: inline
X-Spam-Status: No, score=-12.0 required=5.0 tests=BAYES_00, DKIM_SIGNED,
 DKIM_VALID, DKIM_VALID_AU, DKIM_VALID_EF, FREEMAIL_FROM, GIT_PATCH_0,
 RCVD_IN_DNSWL_NONE, SPF_HELO_NONE, SPF_PASS,
 TXREP autolearn=ham autolearn_force=no version=3.4.6
X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on
 server2.sourceware.org
X-BeenThere: gcc-patches@gcc.gnu.org
X-Mailman-Version: 2.1.30
Precedence: list
List-Id: Gcc-patches mailing list <gcc-patches.gcc.gnu.org>
List-Unsubscribe: <https://gcc.gnu.org/mailman/options/gcc-patches>,
 <mailto:gcc-patches-request@gcc.gnu.org?subject=unsubscribe>
List-Archive: <https://gcc.gnu.org/pipermail/gcc-patches/>
List-Post: <mailto:gcc-patches@gcc.gnu.org>
List-Help: <mailto:gcc-patches-request@gcc.gnu.org?subject=help>
List-Subscribe: <https://gcc.gnu.org/mailman/listinfo/gcc-patches>,
 <mailto:gcc-patches-request@gcc.gnu.org?subject=subscribe>
Errors-To: gcc-patches-bounces~patchwork=sourceware.org@gcc.gnu.org

Bootstrapped and regtested on x86_64-pc-linux-gnu (and additionally
passed modules.exp with a checking=all build), OK for trunk?

-- >8 --

When instantiating a friend function, we call register_specialization
which adds it to the DECL_TEMPLATE_INSTANTIATIONS of the template.
However, in some circumstances we might immediately call pushdecl and
find an existing specialisation.  In this case, when reregistering the
specialisation we also need to update the DECL_TEMPLATE_INSTANTIATIONS
list so that we don't try to access the freed spec again later.

	PR c++/118807

gcc/cp/ChangeLog:

	* pt.cc (reregister_specialization): Remove spec from
	DECL_TEMPLATE_INSTANTIATIONS.

gcc/testsuite/ChangeLog:

	* g++.dg/modules/pr118807.C: New test.

Signed-off-by: Nathaniel Shead <nathanieloshead@gmail.com>
---
 gcc/cp/pt.cc                            | 11 +++++++++++
 gcc/testsuite/g++.dg/modules/pr118807.C | 11 +++++++++++
 2 files changed, 22 insertions(+)
 create mode 100644 gcc/testsuite/g++.dg/modules/pr118807.C

diff --git a/gcc/cp/pt.cc b/gcc/cp/pt.cc
index 39232b5e67f..e1764743597 100644
--- a/gcc/cp/pt.cc
+++ b/gcc/cp/pt.cc
@@ -1985,6 +1985,17 @@ reregister_specialization (tree spec, tree tinfo, tree new_spec)
       gcc_assert (entry->spec == spec || entry->spec == new_spec);
       gcc_assert (new_spec != NULL_TREE);
       entry->spec = new_spec;
+
+      /* We need to also remove the old specialisation from
+	 DECL_TEMPLATE_INSTANTIATIONS if it was placed there.  */
+      for (tree *inst = &DECL_TEMPLATE_INSTANTIATIONS (elt.tmpl);
+	   *inst; inst = &TREE_CHAIN (*inst))
+	if (TREE_VALUE (*inst) == spec)
+	  {
+	    *inst = TREE_CHAIN (*inst);
+	    break;
+	  }
+
       return 1;
     }
 
diff --git a/gcc/testsuite/g++.dg/modules/pr118807.C b/gcc/testsuite/g++.dg/modules/pr118807.C
new file mode 100644
index 00000000000..a97afb92699
--- /dev/null
+++ b/gcc/testsuite/g++.dg/modules/pr118807.C
@@ -0,0 +1,11 @@
+// PR c++/118807
+// { dg-additional-options "-fmodules --param=ggc-min-expand=0 --param=ggc-min-heapsize=0 -Wno-global-module" }
+
+module;
+template <typename> class basic_streambuf;
+template <typename> struct basic_streambuf {
+  friend void __istream_extract();
+};
+template class basic_streambuf<char>;
+template class basic_streambuf<wchar_t>;
+export module M;