On 01/09/07, Ron Blaschke <[EMAIL PROTECTED]> wrote:
> Paul Cochrane wrote:
>
> I've had a chance to look at this and the implementation looks quite
> good to me.
>
> There's one thing that still bothers me.  The snipped output is:
>
> > Event alias: aliasing "(ins)->next" with "ins2"
> > Also see events: [freed_arg][use_after_free]
> > At conditional (1): "ins2 != 0" taking true path
> >
> > 512 for (ins2 = ins->next; ins2; ins2 = ins2->next) {
> ...
> > Event freed_arg: Pointer "ins2" freed by function "subst_ins" [model]
> > Also see events: [alias][use_after_free]
> >
> > 536 subst_ins(unit, ins2, tmp, 1);
>
> There's "Also see events: [freed_arg][use_after_free]" and there's a
> line saying "Event freed_arg: ..."
>
> Then there's "Also see events: [alias][use_after_free]" and a line
> saying "Event alias: ..."
>
> This makes me wonder if there's any line saying "Event use_after_free:
> ..." in the report?
>
> Thanks,
> Ron
>
Ron,

Here's the full report (given within the context of the code). I don't
know if this helps, however, I do believe it is time you got an account
on Coverity Prevent yourself :-) You'll need to send an email to
[EMAIL PROTECTED] to get an account.

Paul

479 static int
480 constant_propagation(Interp *interp, IMC_Unit * unit)
481 {
482     Instruction *ins, *ins2, *tmp, *prev;
483     int op;
484     int i;
485     char fullname[128];
486     SymReg *c, *old, *o;
487     int any = 0;
488     int found;
489
490     o = c = NULL; /* silence compiler uninit warning */
491
492     IMCC_info(interp, 2, "\tconstant_propagation\n");

Event use_after_free: Using freed pointer "(ins)->next"
Also see events: [alias][freed_arg]

493     for (ins = unit->instructions; ins; ins = ins->next) {
494         found = 0;
495         if (!strcmp(ins->op, "set") &&
496             ins->opsize == 3 && /* no keyed set */
497             ins->r[1]->type == VTCONST &&
498             ins->r[0]->set != 'P') { /* no PMC consts */
499             found = 1;
500             c = ins->r[1];
501             o = ins->r[0];
502         } else if (!strcmp(ins->op, "null") && ins->r[0]->set == 'I') {
503             found = 1;
504             c = mk_const(interp, str_dup("0"), 'I');
505             o = ins->r[0];
506         } /* this would be good because 'set I0, 0' is reduced to 'null I0'
507              before it gets to us */
508
509         if (found) {
510             IMCC_debug(interp, DEBUG_OPT2,
511                 "propagating constant %I => \n", ins);

Event alias: aliasing "(ins)->next" with "ins2"
Also see events: [freed_arg][use_after_free]
At conditional (1): "ins2 != 0" taking true path

512             for (ins2 = ins->next; ins2; ins2 = ins2->next) {

At conditional (2): "(ins2)->type & 16777216 != 0" taking false path
At conditional (3): "(ins2)->bbindex != (ins)->bbindex" taking false path

513                 if (ins2->type & ITSAVES ||
514                     /* restrict to within a basic block */
515                     ins2->bbindex != ins->bbindex)
516                     goto next_constant;
517                 /* was opsize - 2, changed to n_r - 1
518                  */

At conditional (4): "i >= 0" taking true path
At conditional (8): "i >= 0" taking true path
At conditional (14): "i >= 0" taking true path

519                 for (i = ins2->n_r - 1; i >= 0; i--) {

At conditional (5): "strcmp == 0" taking true path
At conditional (9): "strcmp == 0" taking true path
At conditional (15): "strcmp == 0" taking true path

520                     if (!strcmp(o->name, ins2->r[i]->name)) {

At conditional (6): "instruction_writes != 0" taking false path
At conditional (10): "instruction_writes != 0" taking false path
At conditional (16): "instruction_writes != 0" taking true path

521                         if (instruction_writes(ins2,ins2->r[i]))
522                             goto next_constant;

At conditional (7): "instruction_reads != 0" taking false path
At conditional (11): "instruction_reads != 0" taking true path

523                         else if (instruction_reads(ins2,ins2->r[i])) {
524                             IMCC_debug(interp, DEBUG_OPT2,
525                                 "\tpropagating into %I register %i",
526                                 ins2, i);
527                             old = ins2->r[i];
528                             ins2->r[i] = c;
529                             /* first we try subst_constants for e.g. if 10 < 5 goto next*/
530                             tmp = IMCC_subst_constants(interp,
531                                 unit, ins2->op, ins2->r, ins2->opsize,
532                                 &found);

At conditional (12): "found != 0" taking true path

533                             if (found) {
534                                 prev = ins2->prev;

At conditional (13): "prev != 0" taking true path

535                                 if (prev) {

Event freed_arg: Pointer "ins2" freed by function "subst_ins" [model]
Also see events: [alias][use_after_free]

536                                     subst_ins(unit, ins2, tmp, 1);
537                                     any = 1;
538                                     IMCC_debug(interp, DEBUG_OPT2,
539                                         " reduced to %I\n", tmp);
540                                     ins2 = prev->next;
541                                 }
542                             }
543                             else {
544                                 op = check_op(interp, fullname, ins2->op,
545                                     ins2->r, ins2->n_r, ins2->keys);
546                                 if (op < 0) {
547                                     ins2->r[i] = old;
548                                     IMCC_debug(interp, DEBUG_OPT2,
549                                         " - no %s\n", fullname);
550                                 }
551                                 else {
552                                     --old->use_count;
553                                     ins2->opnum = op;
554                                     any = 1;
555                                     IMCC_debug(interp, DEBUG_OPT2,
556                                         " -> %I\n", ins2);
557                                 }
558                             }
559                         }
560                     }
561
562                 }/* for (i ... )*/
563             }/* for (ins2 ... )*/
564         } /* if */
565 next_constant:;
566
567     }/*for (ins ... )*/
568     return any;
569 }
570
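
The three events in the report above (alias, freed_arg, use_after_free) reduced to a minimal nested list walk; this is an added example, not code from the thread or from Parrot. `Node`, `replace_node` and `fold_negatives` are hypothetical names, and `replace_node` is assumed to relink the predecessor before freeing, which is the property to confirm in the real helper when triaging a finding of this shape.

```c
#include <stdlib.h>

/* Hypothetical node type for illustration; not Parrot's Instruction. */
typedef struct Node { int val; struct Node *prev, *next; } Node;

static Node *mk(int val) {
    Node *n = calloc(1, sizeof *n);
    if (!n) abort();
    n->val = val;
    return n;
}

/* Build a list from constructed sample values; returns the head. */
static Node *build(const int *v, int n) {
    Node *head = NULL, *tail = NULL;
    for (int i = 0; i < n; i++) {
        Node *x = mk(v[i]);
        x->prev = tail;
        if (tail) tail->next = x; else head = x;
        tail = x;
    }
    return head;
}

/* Hypothetical substitute-and-free helper: relinks both neighbours to
 * repl BEFORE freeing old, so only the caller's copy of old dangles. */
static void replace_node(Node **head, Node *old, Node *repl) {
    repl->prev = old->prev;
    repl->next = old->next;
    if (old->prev) old->prev->next = repl; else *head = repl;
    if (old->next) old->next->prev = repl;
    free(old);
}

/* Nested walk shaped like the report: `in` starts as an alias of
 * out->next, is freed by replace_node, then re-derived from prev->next. */
static int fold_negatives(Node **head) {
    int changed = 0;
    for (Node *out = *head; out; out = out->next) {
        for (Node *in = out->next; in; in = in->next) {
            if (in->val >= 0) continue;
            Node *prev = in->prev;          /* never NULL: in follows out */
            replace_node(head, in, mk(0));  /* `in` dangles from here on */
            in = prev->next;                /* reload: the replacement node */
            changed++;
        }
    }
    return changed;
}
```

If the helper freed the node without updating `prev->next`, both the reload and the outer loop's `out->next` would read freed memory, which is the path the analyzer is reporting.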