On 01/09/07, Ron Blaschke <[EMAIL PROTECTED]> wrote:
> Paul Cochrane wrote:
>
> I've had a chance to look at this and the implementation looks quite
> good to me.
>
> There's one thing that still bothers me. The snipped output is:
>
> > Event alias: aliasing "(ins)->next" with "ins2"
> > Also see events: [freed_arg][use_after_free]
> > At conditional (1): "ins2 != 0" taking true path
> >
> > 512 for (ins2 = ins->next; ins2; ins2 = ins2->next) {
> ...
> > Event freed_arg: Pointer "ins2" freed by function "subst_ins" [model]
> > Also see events: [alias][use_after_free]
> >
> > 536 subst_ins(unit, ins2, tmp, 1);
>
> There's "Also see events: [freed_arg][use_after_free]" and there's a
> line saying "Event freed_arg: ..."
>
> Then there's "Also see events: [alias][use_after_free]" and a line
> saying "Event alias: ..."
>
> This makes me wonder if there's any line saying "Event use_after_free:
> ..." in the report?
>
> Thanks,
> Ron
>
Ron,
Here's the full report (given within the context of the code). I
don't know if this helps; however, I do believe it is time you got an
account on Coverity Prevent yourself :-) You'll need to send an email
to [EMAIL PROTECTED] to get an account.
Paul
/*
 * constant_propagation: for each "set" of a constant into a non-PMC register
 * (or "null" of an I register), substitute that constant into later
 * instructions of the same basic block. Returns non-zero if any instruction
 * was changed.
 *
 * Reading this listing: the leading numbers are source line numbers, and the
 * "Event ...", "Also see events ..." and "At conditional (N) ..." lines are
 * the analyzer's trace interleaved with the code; they are not part of the
 * function. The three events form one chain: alias (512) -> freed_arg (536)
 * -> use_after_free (493).
 */
479 static int
480 constant_propagation(Interp *interp, IMC_Unit * unit)
481 {
482 Instruction *ins, *ins2, *tmp, *prev;
483 int op;
484 int i;
485 char fullname[128];
486 SymReg *c, *old, *o;
487 int any = 0;
488 int found;
489
490 o = c = NULL; /* silence compiler uninit warning */
491
492 IMCC_info(interp, 2, "\tconstant_propagation\n");Event
use_after_free: Using freed pointer "(ins)->next"
Also see events: [alias][freed_arg]
/* NOTE(review): the reported use appears to be the loop increment
 * "ins = ins->next" on line 493, reached through "goto next_constant"
 * after conditional (16) on the traced path. */
493 for (ins = unit->instructions; ins; ins = ins->next) {
494 found = 0;
495 if (!strcmp(ins->op, "set") &&
496 ins->opsize == 3 && /* no keyed set */
497 ins->r[1]->type == VTCONST &&
498 ins->r[0]->set != 'P') { /* no PMC consts */
499 found = 1;
500 c = ins->r[1];
501 o = ins->r[0];
502 } else if (!strcmp(ins->op, "null") && ins->r[0]->set == 'I') {
503 found = 1;
504 c = mk_const(interp, str_dup("0"), 'I');
505 o = ins->r[0];
506 } /* this would be good because 'set I0, 0' is reduced
to 'null I0'
507 before it gets to us */
508
509 if (found) {
510 IMCC_debug(interp, DEBUG_OPT2,
511 "propagating constant %I => \n", ins);Event
alias: aliasing "(ins)->next" with "ins2"
Also see events: [freed_arg][use_after_free]
At conditional (1): "ins2 != 0" taking true path
/* NOTE(review): on the first pass of this inner loop ins2 holds the same
 * pointer as ins->next, so releasing ins2 would leave ins->next dangling
 * unless the list is relinked before line 493 reads it again. */
512 for (ins2 = ins->next; ins2; ins2 = ins2->next) {At
conditional (2): "(ins2)->type & 16777216 != 0" taking false path
At conditional (3): "(ins2)->bbindex != (ins)->bbindex" taking false path
513 if (ins2->type & ITSAVES ||
514 /* restrict to within a basic block */
515 ins2->bbindex != ins->bbindex)
516 goto next_constant;
517 /* was opsize - 2, changed to n_r - 1
518 */At conditional (4): "i >= 0" taking true path
At conditional (8): "i >= 0" taking true path
At conditional (14): "i >= 0" taking true path
519 for (i = ins2->n_r - 1; i >= 0; i--) {At
conditional (5): "strcmp == 0" taking true path
At conditional (9): "strcmp == 0" taking true path
At conditional (15): "strcmp == 0" taking true path
520 if (!strcmp(o->name, ins2->r[i]->name)) {At
conditional (6): "instruction_writes != 0" taking false path
At conditional (10): "instruction_writes != 0" taking false path
At conditional (16): "instruction_writes != 0" taking true path
521 if (instruction_writes(ins2,ins2->r[i]))
522 goto next_constant;At conditional
(7): "instruction_reads != 0" taking false path
At conditional (11): "instruction_reads != 0" taking true path
523 else if (instruction_reads(ins2,ins2->r[i])) {
524 IMCC_debug(interp, DEBUG_OPT2,
525 "\tpropagating into %I register %i",
526 ins2, i);
527 old = ins2->r[i];
528 ins2->r[i] = c;
529 /* first we try subst_constants for e.g. if 10 < 5 goto next*/
530 tmp = IMCC_subst_constants(interp,
531 unit, ins2->op, ins2->r, ins2->opsize,
532 &found);At conditional (12):
"found != 0" taking true path
533 if (found) {
534 prev = ins2->prev;At conditional
(13): "prev != 0" taking true path
535 if (prev) {Event freed_arg:
Pointer "ins2" freed by function "subst_ins" [model]
Also see events: [alias][use_after_free]
/* NOTE(review): "[model]" suggests the free is taken from the analyzer's
 * model of subst_ins, whose body is not shown here; whether it also
 * relinks the neighbours of ins2 cannot be confirmed from this listing. */
536 subst_ins(unit, ins2, tmp, 1);
537 any = 1;
538 IMCC_debug(interp, DEBUG_OPT2,
539 " reduced to %I\n", tmp);
540 ins2 = prev->next;
/* NOTE(review): this read assumes subst_ins already pointed prev->next at
 * the replacement. If that holds and prev == ins on the first pass (list
 * links consistent), ins->next no longer refers to the freed node and the
 * finding would be a false positive -- confirm against subst_ins. */
541 }
/* NOTE(review): when prev is NULL, tmp is not used on this path while
 * ins2->r[i] keeps the propagated constant -- TODO confirm intended. */
542 }
543 else {
544 op = check_op(interp, fullname,
ins2->op,
545 ins2->r, ins2->n_r, ins2->keys);
546 if (op < 0) {
547 ins2->r[i] = old;
548 IMCC_debug(interp, DEBUG_OPT2,
549 " - no %s\n", fullname);
550 }
551 else {
552 --old->use_count;
553 ins2->opnum = op;
554 any = 1;
555 IMCC_debug(interp, DEBUG_OPT2,
556 " -> %I\n", ins2);
557 }
558 }
559 }
560 }
561
562 }/* for (i ... )*/
563 }/* for (ins2 ... )*/
564 } /* if */
565 next_constant:;
566
567 }/*for (ins ... )*/
568 return any;
569 }
570