On 27/08/07, Ron Blaschke <[EMAIL PROTECTED]> wrote:
> Paul Cochrane wrote:
> > On 27/08/07, Ron Blaschke <[EMAIL PROTECTED]> wrote:
> >> Paul Cochrane wrote:
> >>> On 26/08/07, chromatic <[EMAIL PROTECTED]> wrote:
> >>>> On Sun, Aug 26, 2007 at 11:14:11AM -0700, Paul Cochrane wrote:
>
> >>> Ok, I'll just tell the Coverity thing to ignore that particular warning.
> >> Just curious, but could you please post the exact wording of the warning?
> >
> > Sure. I'll have to piece this together a bit from the various pieces
> > of info from the web app output, so please, bear with me.
> >
> > Warning:
> > USE_AFTER_FREE
> > File: compilers/imcc/optimizer.c
> > Function: constant_propagation
> > Description: Using freed pointer "(ins)->next"
> [snip]
>
> Many thanks Paul. The error message talks about "(ins)->next". There
> are two of those in constant_propagation. Coverity does not show line
> numbers, does it? Is there any way to dump the sequence of statements
> that triggers the error report?
>
> line 593:
> for (ins = unit->instructions; ins; ins = ins->next) {
>
> line 612:
> for (ins2 = ins->next; ins2; ins2 = ins2->next) {
> ^^^^^^^^^
>
> I don't have time right now to wrap my brain around this right now, but
> I'd like to think this through before dismissing it. The two loops with
> C<ins> and C<ins2> do make me a bit uncomfortable, if it's a false
> positive I'd really like to know why. But don't let me hold you up on
> this, continue as you see fit.
Ron, this is no problem at all :-) I'll try to add some more context.
Here is the relevant section highlighted by Coverity:
Event alias: aliasing "(ins)->next" with "ins2"
Also see events: [freed_arg][use_after_free]
At conditional (1): "ins2 != 0" taking true path
512 for (ins2 = ins->next; ins2; ins2 = ins2->next) {
At conditional (2): "(ins2)->type & 16777216 != 0" taking false path
At conditional (3): "(ins2)->bbindex != (ins)->bbindex" taking false path
513 if (ins2->type & ITSAVES ||
514 /* restrict to within a basic block */
515 ins2->bbindex != ins->bbindex)
516 goto next_constant;
517 /* was opsize - 2, changed to n_r - 1
518 */
At conditional (4): "i >= 0" taking true path
At conditional (8): "i >= 0" taking true path
At conditional (14): "i >= 0" taking true path
519 for (i = ins2->n_r - 1; i >= 0; i--) {
At conditional (5): "strcmp == 0" taking true path
At conditional (9): "strcmp == 0" taking true path
At conditional (15): "strcmp == 0" taking true path
520 if (!strcmp(o->name, ins2->r[i]->name)) {
At conditional (6): "instruction_writes != 0" taking false path
At conditional (10): "instruction_writes != 0" taking false path
At conditional (16): "instruction_writes != 0" taking true path
521 if (instruction_writes(ins2,ins2->r[i]))
522 goto next_constant;
At conditional (7): "instruction_reads != 0" taking false path
At conditional (11): "instruction_reads != 0" taking true path
523 else if (instruction_reads(ins2,ins2->r[i])) {
524 IMCC_debug(interp, DEBUG_OPT2,
525 "\tpropagating into %I register %i",
526 ins2, i);
527 old = ins2->r[i];
528 ins2->r[i] = c;
529 /* first we try subst_constants for e.g. if 10 < 5 goto next*/
530 tmp = IMCC_subst_constants(interp,
531 unit, ins2->op, ins2->r, ins2->opsize,
532 &found);
At conditional (12): "found != 0" taking true path
533 if (found) {
534 prev = ins2->prev;
At conditional (13): "prev != 0" taking true path
535 if (prev) {
Event freed_arg: Pointer "ins2" freed by function "subst_ins" [model]
Also see events: [alias][use_after_free]
536 subst_ins(unit, ins2, tmp, 1);
537 any = 1;
538 IMCC_debug(interp, DEBUG_OPT2,
539 " reduced to %I\n", tmp);
540 ins2 = prev->next;
541 }
542 }
The line numbers will be a little bit out due to this being relative
to the 0.4.13 release of Parrot, but this should still give you enough
context (I hope) to work out what's going on.
Paul
