[gcc(refs/vendors/riscv/heads/gcc-15-with-riscv-opts)] [PATCH] RISC-V: Do not free a riscv_arch_string when handling target-arch attribute
https://gcc.gnu.org/g:6ecfe86c774859597e6272af199690854dc45903
commit 6ecfe86c774859597e6272af199690854dc45903
Author: 翁愷邑
Date: Thu Apr 17 16:24:20 2025 -0600
[PATCH] RISC-V: Do not free a riscv_arch_string when handling target-arch
attribute
The build_target_option_node() function may return a cached node when
fndecl having the same effective global_options. Therefore, freeing
memory used in target nodes can lead to a use-after-free issue, as a
target node may be shared by multiple fndecl.
This issue occurs in gcc.target/riscv/target-attr-16.c, where all
functions have the same march, but the last function tries to free its
old x_riscv_arch_string (which is shared) when processing the second
target attribute.However, the behavior of this issue depends on how the
OS handles malloc. It's very likely that xstrdup returns the old address
just freed, coincidentally hiding the issue. We can verify the issue by
forcing xstrdup to return a new address, e.g.,
- if (opts->x_riscv_arch_string != default_opts->x_riscv_arch_string)
-free (CONST_CAST (void *, (const void *) opts->x_riscv_arch_string));
+ // Force it to use a new address, NFCI
+ const char *tmp = opts->x_riscv_arch_string;
opts->x_riscv_arch_string = xstrdup (local_arch_str);
+ if (tmp != default_opts->x_riscv_arch_string)
+free (CONST_CAST (void *, (const void *) tmp));
This patch replaces xstrdup with ggc_strdup and let gc to take care of
unused strings.
gcc/ChangeLog:
* config/riscv/riscv-target-attr.cc
(riscv_target_attr_parser::update_settings):
Do not manually free any arch string.
(cherry picked from commit 2d6f1ca17f25b28da8f8d83622f0e029da2340e7)
Diff:
---
gcc/config/riscv/riscv-target-attr.cc | 6 +-
1 file changed, 1 insertion(+), 5 deletions(-)
diff --git a/gcc/config/riscv/riscv-target-attr.cc
b/gcc/config/riscv/riscv-target-attr.cc
index 1d968655f95d..8ad3025579b2 100644
--- a/gcc/config/riscv/riscv-target-attr.cc
+++ b/gcc/config/riscv/riscv-target-attr.cc
@@ -257,11 +257,7 @@ riscv_target_attr_parser::update_settings (struct
gcc_options *opts) const
{
std::string local_arch = m_subset_list->to_string (true);
const char* local_arch_str = local_arch.c_str ();
- struct cl_target_option *default_opts
- = TREE_TARGET_OPTION (target_option_default_node);
- if (opts->x_riscv_arch_string != default_opts->x_riscv_arch_string)
- free (CONST_CAST (void *, (const void *) opts->x_riscv_arch_string));
- opts->x_riscv_arch_string = xstrdup (local_arch_str);
+ opts->x_riscv_arch_string = ggc_strdup (local_arch_str);
riscv_set_arch_by_subset_list (m_subset_list, opts);
}
[gcc(refs/vendors/riscv/heads/gcc-15-with-riscv-opts)] [PATCH] RISC-V: Do not free a riscv_arch_string when handling target-arch attribute
https://gcc.gnu.org/g:233fc878fded510fad8f043c7692a91db4445da7
commit 233fc878fded510fad8f043c7692a91db4445da7
Author: 翁愷邑
Date: Thu Apr 17 16:24:20 2025 -0600
[PATCH] RISC-V: Do not free a riscv_arch_string when handling target-arch
attribute
The build_target_option_node() function may return a cached node when
fndecl having the same effective global_options. Therefore, freeing
memory used in target nodes can lead to a use-after-free issue, as a
target node may be shared by multiple fndecl.
This issue occurs in gcc.target/riscv/target-attr-16.c, where all
functions have the same march, but the last function tries to free its
old x_riscv_arch_string (which is shared) when processing the second
target attribute.However, the behavior of this issue depends on how the
OS handles malloc. It's very likely that xstrdup returns the old address
just freed, coincidentally hiding the issue. We can verify the issue by
forcing xstrdup to return a new address, e.g.,
- if (opts->x_riscv_arch_string != default_opts->x_riscv_arch_string)
-free (CONST_CAST (void *, (const void *) opts->x_riscv_arch_string));
+ // Force it to use a new address, NFCI
+ const char *tmp = opts->x_riscv_arch_string;
opts->x_riscv_arch_string = xstrdup (local_arch_str);
+ if (tmp != default_opts->x_riscv_arch_string)
+free (CONST_CAST (void *, (const void *) tmp));
This patch replaces xstrdup with ggc_strdup and let gc to take care of
unused strings.
gcc/ChangeLog:
* config/riscv/riscv-target-attr.cc
(riscv_target_attr_parser::update_settings):
Do not manually free any arch string.
(cherry picked from commit 2d6f1ca17f25b28da8f8d83622f0e029da2340e7)
Diff:
---
gcc/config/riscv/riscv-target-attr.cc | 6 +-
1 file changed, 1 insertion(+), 5 deletions(-)
diff --git a/gcc/config/riscv/riscv-target-attr.cc
b/gcc/config/riscv/riscv-target-attr.cc
index 1d968655f95d..8ad3025579b2 100644
--- a/gcc/config/riscv/riscv-target-attr.cc
+++ b/gcc/config/riscv/riscv-target-attr.cc
@@ -257,11 +257,7 @@ riscv_target_attr_parser::update_settings (struct
gcc_options *opts) const
{
std::string local_arch = m_subset_list->to_string (true);
const char* local_arch_str = local_arch.c_str ();
- struct cl_target_option *default_opts
- = TREE_TARGET_OPTION (target_option_default_node);
- if (opts->x_riscv_arch_string != default_opts->x_riscv_arch_string)
- free (CONST_CAST (void *, (const void *) opts->x_riscv_arch_string));
- opts->x_riscv_arch_string = xstrdup (local_arch_str);
+ opts->x_riscv_arch_string = ggc_strdup (local_arch_str);
riscv_set_arch_by_subset_list (m_subset_list, opts);
}
[gcc(refs/vendors/riscv/heads/gcc-15-with-riscv-opts)] [PATCH] RISC-V: Do not free a riscv_arch_string when handling target-arch attribute
https://gcc.gnu.org/g:e653247b4d5dc03d5a964384926b4239bf9c8262
commit e653247b4d5dc03d5a964384926b4239bf9c8262
Author: 翁愷邑
Date: Thu Apr 17 16:24:20 2025 -0600
[PATCH] RISC-V: Do not free a riscv_arch_string when handling target-arch
attribute
The build_target_option_node() function may return a cached node when
fndecl having the same effective global_options. Therefore, freeing
memory used in target nodes can lead to a use-after-free issue, as a
target node may be shared by multiple fndecl.
This issue occurs in gcc.target/riscv/target-attr-16.c, where all
functions have the same march, but the last function tries to free its
old x_riscv_arch_string (which is shared) when processing the second
target attribute.However, the behavior of this issue depends on how the
OS handles malloc. It's very likely that xstrdup returns the old address
just freed, coincidentally hiding the issue. We can verify the issue by
forcing xstrdup to return a new address, e.g.,
- if (opts->x_riscv_arch_string != default_opts->x_riscv_arch_string)
-free (CONST_CAST (void *, (const void *) opts->x_riscv_arch_string));
+ // Force it to use a new address, NFCI
+ const char *tmp = opts->x_riscv_arch_string;
opts->x_riscv_arch_string = xstrdup (local_arch_str);
+ if (tmp != default_opts->x_riscv_arch_string)
+free (CONST_CAST (void *, (const void *) tmp));
This patch replaces xstrdup with ggc_strdup and let gc to take care of
unused strings.
gcc/ChangeLog:
* config/riscv/riscv-target-attr.cc
(riscv_target_attr_parser::update_settings):
Do not manually free any arch string.
(cherry picked from commit 2d6f1ca17f25b28da8f8d83622f0e029da2340e7)
Diff:
---
gcc/config/riscv/riscv-target-attr.cc | 6 +-
1 file changed, 1 insertion(+), 5 deletions(-)
diff --git a/gcc/config/riscv/riscv-target-attr.cc
b/gcc/config/riscv/riscv-target-attr.cc
index 1d968655f95d..8ad3025579b2 100644
--- a/gcc/config/riscv/riscv-target-attr.cc
+++ b/gcc/config/riscv/riscv-target-attr.cc
@@ -257,11 +257,7 @@ riscv_target_attr_parser::update_settings (struct
gcc_options *opts) const
{
std::string local_arch = m_subset_list->to_string (true);
const char* local_arch_str = local_arch.c_str ();
- struct cl_target_option *default_opts
- = TREE_TARGET_OPTION (target_option_default_node);
- if (opts->x_riscv_arch_string != default_opts->x_riscv_arch_string)
- free (CONST_CAST (void *, (const void *) opts->x_riscv_arch_string));
- opts->x_riscv_arch_string = xstrdup (local_arch_str);
+ opts->x_riscv_arch_string = ggc_strdup (local_arch_str);
riscv_set_arch_by_subset_list (m_subset_list, opts);
}
[gcc(refs/vendors/riscv/heads/gcc-15-with-riscv-opts)] [PATCH] RISC-V: Do not free a riscv_arch_string when handling target-arch attribute
https://gcc.gnu.org/g:a7599077677a70d0f887d78860aa3131c15fb7c5
commit a7599077677a70d0f887d78860aa3131c15fb7c5
Author: 翁愷邑
Date: Thu Apr 17 16:24:20 2025 -0600
[PATCH] RISC-V: Do not free a riscv_arch_string when handling target-arch
attribute
The build_target_option_node() function may return a cached node when
fndecl having the same effective global_options. Therefore, freeing
memory used in target nodes can lead to a use-after-free issue, as a
target node may be shared by multiple fndecl.
This issue occurs in gcc.target/riscv/target-attr-16.c, where all
functions have the same march, but the last function tries to free its
old x_riscv_arch_string (which is shared) when processing the second
target attribute.However, the behavior of this issue depends on how the
OS handles malloc. It's very likely that xstrdup returns the old address
just freed, coincidentally hiding the issue. We can verify the issue by
forcing xstrdup to return a new address, e.g.,
- if (opts->x_riscv_arch_string != default_opts->x_riscv_arch_string)
-free (CONST_CAST (void *, (const void *) opts->x_riscv_arch_string));
+ // Force it to use a new address, NFCI
+ const char *tmp = opts->x_riscv_arch_string;
opts->x_riscv_arch_string = xstrdup (local_arch_str);
+ if (tmp != default_opts->x_riscv_arch_string)
+free (CONST_CAST (void *, (const void *) tmp));
This patch replaces xstrdup with ggc_strdup and let gc to take care of
unused strings.
gcc/ChangeLog:
* config/riscv/riscv-target-attr.cc
(riscv_target_attr_parser::update_settings):
Do not manually free any arch string.
(cherry picked from commit 2d6f1ca17f25b28da8f8d83622f0e029da2340e7)
Diff:
---
gcc/config/riscv/riscv-target-attr.cc | 6 +-
1 file changed, 1 insertion(+), 5 deletions(-)
diff --git a/gcc/config/riscv/riscv-target-attr.cc
b/gcc/config/riscv/riscv-target-attr.cc
index 1d968655f95d..8ad3025579b2 100644
--- a/gcc/config/riscv/riscv-target-attr.cc
+++ b/gcc/config/riscv/riscv-target-attr.cc
@@ -257,11 +257,7 @@ riscv_target_attr_parser::update_settings (struct
gcc_options *opts) const
{
std::string local_arch = m_subset_list->to_string (true);
const char* local_arch_str = local_arch.c_str ();
- struct cl_target_option *default_opts
- = TREE_TARGET_OPTION (target_option_default_node);
- if (opts->x_riscv_arch_string != default_opts->x_riscv_arch_string)
- free (CONST_CAST (void *, (const void *) opts->x_riscv_arch_string));
- opts->x_riscv_arch_string = xstrdup (local_arch_str);
+ opts->x_riscv_arch_string = ggc_strdup (local_arch_str);
riscv_set_arch_by_subset_list (m_subset_list, opts);
}
[gcc(refs/vendors/riscv/heads/gcc-15-with-riscv-opts)] [PATCH] RISC-V: Do not free a riscv_arch_string when handling target-arch attribute
https://gcc.gnu.org/g:a0d278141c5a93432f705d93f479ae5cac8e3f6a
commit a0d278141c5a93432f705d93f479ae5cac8e3f6a
Author: 翁愷邑
Date: Thu Apr 17 16:24:20 2025 -0600
[PATCH] RISC-V: Do not free a riscv_arch_string when handling target-arch
attribute
The build_target_option_node() function may return a cached node when
fndecl having the same effective global_options. Therefore, freeing
memory used in target nodes can lead to a use-after-free issue, as a
target node may be shared by multiple fndecl.
This issue occurs in gcc.target/riscv/target-attr-16.c, where all
functions have the same march, but the last function tries to free its
old x_riscv_arch_string (which is shared) when processing the second
target attribute.However, the behavior of this issue depends on how the
OS handles malloc. It's very likely that xstrdup returns the old address
just freed, coincidentally hiding the issue. We can verify the issue by
forcing xstrdup to return a new address, e.g.,
- if (opts->x_riscv_arch_string != default_opts->x_riscv_arch_string)
-free (CONST_CAST (void *, (const void *) opts->x_riscv_arch_string));
+ // Force it to use a new address, NFCI
+ const char *tmp = opts->x_riscv_arch_string;
opts->x_riscv_arch_string = xstrdup (local_arch_str);
+ if (tmp != default_opts->x_riscv_arch_string)
+free (CONST_CAST (void *, (const void *) tmp));
This patch replaces xstrdup with ggc_strdup and let gc to take care of
unused strings.
gcc/ChangeLog:
* config/riscv/riscv-target-attr.cc
(riscv_target_attr_parser::update_settings):
Do not manually free any arch string.
(cherry picked from commit 2d6f1ca17f25b28da8f8d83622f0e029da2340e7)
Diff:
---
gcc/config/riscv/riscv-target-attr.cc | 6 +-
1 file changed, 1 insertion(+), 5 deletions(-)
diff --git a/gcc/config/riscv/riscv-target-attr.cc
b/gcc/config/riscv/riscv-target-attr.cc
index 1d968655f95d..8ad3025579b2 100644
--- a/gcc/config/riscv/riscv-target-attr.cc
+++ b/gcc/config/riscv/riscv-target-attr.cc
@@ -257,11 +257,7 @@ riscv_target_attr_parser::update_settings (struct
gcc_options *opts) const
{
std::string local_arch = m_subset_list->to_string (true);
const char* local_arch_str = local_arch.c_str ();
- struct cl_target_option *default_opts
- = TREE_TARGET_OPTION (target_option_default_node);
- if (opts->x_riscv_arch_string != default_opts->x_riscv_arch_string)
- free (CONST_CAST (void *, (const void *) opts->x_riscv_arch_string));
- opts->x_riscv_arch_string = xstrdup (local_arch_str);
+ opts->x_riscv_arch_string = ggc_strdup (local_arch_str);
riscv_set_arch_by_subset_list (m_subset_list, opts);
}
[gcc(refs/vendors/riscv/heads/gcc-15-with-riscv-opts)] [PATCH] RISC-V: Do not free a riscv_arch_string when handling target-arch attribute
https://gcc.gnu.org/g:d1f60eb1c607ca48119367e9f47345d769ce8bc4
commit d1f60eb1c607ca48119367e9f47345d769ce8bc4
Author: 翁愷邑
Date: Thu Apr 17 16:24:20 2025 -0600
[PATCH] RISC-V: Do not free a riscv_arch_string when handling target-arch
attribute
The build_target_option_node() function may return a cached node when
fndecl having the same effective global_options. Therefore, freeing
memory used in target nodes can lead to a use-after-free issue, as a
target node may be shared by multiple fndecl.
This issue occurs in gcc.target/riscv/target-attr-16.c, where all
functions have the same march, but the last function tries to free its
old x_riscv_arch_string (which is shared) when processing the second
target attribute.However, the behavior of this issue depends on how the
OS handles malloc. It's very likely that xstrdup returns the old address
just freed, coincidentally hiding the issue. We can verify the issue by
forcing xstrdup to return a new address, e.g.,
- if (opts->x_riscv_arch_string != default_opts->x_riscv_arch_string)
-free (CONST_CAST (void *, (const void *) opts->x_riscv_arch_string));
+ // Force it to use a new address, NFCI
+ const char *tmp = opts->x_riscv_arch_string;
opts->x_riscv_arch_string = xstrdup (local_arch_str);
+ if (tmp != default_opts->x_riscv_arch_string)
+free (CONST_CAST (void *, (const void *) tmp));
This patch replaces xstrdup with ggc_strdup and let gc to take care of
unused strings.
gcc/ChangeLog:
* config/riscv/riscv-target-attr.cc
(riscv_target_attr_parser::update_settings):
Do not manually free any arch string.
(cherry picked from commit 2d6f1ca17f25b28da8f8d83622f0e029da2340e7)
Diff:
---
gcc/config/riscv/riscv-target-attr.cc | 6 +-
1 file changed, 1 insertion(+), 5 deletions(-)
diff --git a/gcc/config/riscv/riscv-target-attr.cc
b/gcc/config/riscv/riscv-target-attr.cc
index 1d968655f95d..8ad3025579b2 100644
--- a/gcc/config/riscv/riscv-target-attr.cc
+++ b/gcc/config/riscv/riscv-target-attr.cc
@@ -257,11 +257,7 @@ riscv_target_attr_parser::update_settings (struct
gcc_options *opts) const
{
std::string local_arch = m_subset_list->to_string (true);
const char* local_arch_str = local_arch.c_str ();
- struct cl_target_option *default_opts
- = TREE_TARGET_OPTION (target_option_default_node);
- if (opts->x_riscv_arch_string != default_opts->x_riscv_arch_string)
- free (CONST_CAST (void *, (const void *) opts->x_riscv_arch_string));
- opts->x_riscv_arch_string = xstrdup (local_arch_str);
+ opts->x_riscv_arch_string = ggc_strdup (local_arch_str);
riscv_set_arch_by_subset_list (m_subset_list, opts);
}
[gcc(refs/vendors/riscv/heads/gcc-15-with-riscv-opts)] [PATCH] RISC-V: Do not free a riscv_arch_string when handling target-arch attribute
https://gcc.gnu.org/g:d7a046fe3c115a3410fdf4342d6474753fd56d0d
commit d7a046fe3c115a3410fdf4342d6474753fd56d0d
Author: 翁愷邑
Date: Thu Apr 17 16:24:20 2025 -0600
[PATCH] RISC-V: Do not free a riscv_arch_string when handling target-arch
attribute
The build_target_option_node() function may return a cached node when
fndecl having the same effective global_options. Therefore, freeing
memory used in target nodes can lead to a use-after-free issue, as a
target node may be shared by multiple fndecl.
This issue occurs in gcc.target/riscv/target-attr-16.c, where all
functions have the same march, but the last function tries to free its
old x_riscv_arch_string (which is shared) when processing the second
target attribute.However, the behavior of this issue depends on how the
OS handles malloc. It's very likely that xstrdup returns the old address
just freed, coincidentally hiding the issue. We can verify the issue by
forcing xstrdup to return a new address, e.g.,
- if (opts->x_riscv_arch_string != default_opts->x_riscv_arch_string)
-free (CONST_CAST (void *, (const void *) opts->x_riscv_arch_string));
+ // Force it to use a new address, NFCI
+ const char *tmp = opts->x_riscv_arch_string;
opts->x_riscv_arch_string = xstrdup (local_arch_str);
+ if (tmp != default_opts->x_riscv_arch_string)
+free (CONST_CAST (void *, (const void *) tmp));
This patch replaces xstrdup with ggc_strdup and let gc to take care of
unused strings.
gcc/ChangeLog:
* config/riscv/riscv-target-attr.cc
(riscv_target_attr_parser::update_settings):
Do not manually free any arch string.
(cherry picked from commit 2d6f1ca17f25b28da8f8d83622f0e029da2340e7)
Diff:
---
gcc/config/riscv/riscv-target-attr.cc | 6 +-
1 file changed, 1 insertion(+), 5 deletions(-)
diff --git a/gcc/config/riscv/riscv-target-attr.cc
b/gcc/config/riscv/riscv-target-attr.cc
index 1d968655f95d..8ad3025579b2 100644
--- a/gcc/config/riscv/riscv-target-attr.cc
+++ b/gcc/config/riscv/riscv-target-attr.cc
@@ -257,11 +257,7 @@ riscv_target_attr_parser::update_settings (struct
gcc_options *opts) const
{
std::string local_arch = m_subset_list->to_string (true);
const char* local_arch_str = local_arch.c_str ();
- struct cl_target_option *default_opts
- = TREE_TARGET_OPTION (target_option_default_node);
- if (opts->x_riscv_arch_string != default_opts->x_riscv_arch_string)
- free (CONST_CAST (void *, (const void *) opts->x_riscv_arch_string));
- opts->x_riscv_arch_string = xstrdup (local_arch_str);
+ opts->x_riscv_arch_string = ggc_strdup (local_arch_str);
riscv_set_arch_by_subset_list (m_subset_list, opts);
}
[gcc(refs/vendors/riscv/heads/gcc-15-with-riscv-opts)] [PATCH] RISC-V: Do not free a riscv_arch_string when handling target-arch attribute
https://gcc.gnu.org/g:8db08e9e6391cdb47c7b728e3eae358a4fecbc04
commit 8db08e9e6391cdb47c7b728e3eae358a4fecbc04
Author: 翁愷邑
Date: Thu Apr 17 16:24:20 2025 -0600
[PATCH] RISC-V: Do not free a riscv_arch_string when handling target-arch
attribute
The build_target_option_node() function may return a cached node when
fndecl having the same effective global_options. Therefore, freeing
memory used in target nodes can lead to a use-after-free issue, as a
target node may be shared by multiple fndecl.
This issue occurs in gcc.target/riscv/target-attr-16.c, where all
functions have the same march, but the last function tries to free its
old x_riscv_arch_string (which is shared) when processing the second
target attribute.However, the behavior of this issue depends on how the
OS handles malloc. It's very likely that xstrdup returns the old address
just freed, coincidentally hiding the issue. We can verify the issue by
forcing xstrdup to return a new address, e.g.,
- if (opts->x_riscv_arch_string != default_opts->x_riscv_arch_string)
-free (CONST_CAST (void *, (const void *) opts->x_riscv_arch_string));
+ // Force it to use a new address, NFCI
+ const char *tmp = opts->x_riscv_arch_string;
opts->x_riscv_arch_string = xstrdup (local_arch_str);
+ if (tmp != default_opts->x_riscv_arch_string)
+free (CONST_CAST (void *, (const void *) tmp));
This patch replaces xstrdup with ggc_strdup and let gc to take care of
unused strings.
gcc/ChangeLog:
* config/riscv/riscv-target-attr.cc
(riscv_target_attr_parser::update_settings):
Do not manually free any arch string.
(cherry picked from commit 2d6f1ca17f25b28da8f8d83622f0e029da2340e7)
Diff:
---
gcc/config/riscv/riscv-target-attr.cc | 6 +-
1 file changed, 1 insertion(+), 5 deletions(-)
diff --git a/gcc/config/riscv/riscv-target-attr.cc
b/gcc/config/riscv/riscv-target-attr.cc
index 1d968655f95d..8ad3025579b2 100644
--- a/gcc/config/riscv/riscv-target-attr.cc
+++ b/gcc/config/riscv/riscv-target-attr.cc
@@ -257,11 +257,7 @@ riscv_target_attr_parser::update_settings (struct
gcc_options *opts) const
{
std::string local_arch = m_subset_list->to_string (true);
const char* local_arch_str = local_arch.c_str ();
- struct cl_target_option *default_opts
- = TREE_TARGET_OPTION (target_option_default_node);
- if (opts->x_riscv_arch_string != default_opts->x_riscv_arch_string)
- free (CONST_CAST (void *, (const void *) opts->x_riscv_arch_string));
- opts->x_riscv_arch_string = xstrdup (local_arch_str);
+ opts->x_riscv_arch_string = ggc_strdup (local_arch_str);
riscv_set_arch_by_subset_list (m_subset_list, opts);
}
[gcc(refs/vendors/riscv/heads/gcc-15-with-riscv-opts)] [PATCH] RISC-V: Do not free a riscv_arch_string when handling target-arch attribute
https://gcc.gnu.org/g:132f778f89881303d69cc73489aefc7bc2d1cd6f
commit 132f778f89881303d69cc73489aefc7bc2d1cd6f
Author: 翁愷邑
Date: Thu Apr 17 16:24:20 2025 -0600
[PATCH] RISC-V: Do not free a riscv_arch_string when handling target-arch
attribute
The build_target_option_node() function may return a cached node when
fndecl having the same effective global_options. Therefore, freeing
memory used in target nodes can lead to a use-after-free issue, as a
target node may be shared by multiple fndecl.
This issue occurs in gcc.target/riscv/target-attr-16.c, where all
functions have the same march, but the last function tries to free its
old x_riscv_arch_string (which is shared) when processing the second
target attribute.However, the behavior of this issue depends on how the
OS handles malloc. It's very likely that xstrdup returns the old address
just freed, coincidentally hiding the issue. We can verify the issue by
forcing xstrdup to return a new address, e.g.,
- if (opts->x_riscv_arch_string != default_opts->x_riscv_arch_string)
-free (CONST_CAST (void *, (const void *) opts->x_riscv_arch_string));
+ // Force it to use a new address, NFCI
+ const char *tmp = opts->x_riscv_arch_string;
opts->x_riscv_arch_string = xstrdup (local_arch_str);
+ if (tmp != default_opts->x_riscv_arch_string)
+free (CONST_CAST (void *, (const void *) tmp));
This patch replaces xstrdup with ggc_strdup and let gc to take care of
unused strings.
gcc/ChangeLog:
* config/riscv/riscv-target-attr.cc
(riscv_target_attr_parser::update_settings):
Do not manually free any arch string.
(cherry picked from commit 2d6f1ca17f25b28da8f8d83622f0e029da2340e7)
Diff:
---
gcc/config/riscv/riscv-target-attr.cc | 6 +-
1 file changed, 1 insertion(+), 5 deletions(-)
diff --git a/gcc/config/riscv/riscv-target-attr.cc
b/gcc/config/riscv/riscv-target-attr.cc
index 1d968655f95d..8ad3025579b2 100644
--- a/gcc/config/riscv/riscv-target-attr.cc
+++ b/gcc/config/riscv/riscv-target-attr.cc
@@ -257,11 +257,7 @@ riscv_target_attr_parser::update_settings (struct
gcc_options *opts) const
{
std::string local_arch = m_subset_list->to_string (true);
const char* local_arch_str = local_arch.c_str ();
- struct cl_target_option *default_opts
- = TREE_TARGET_OPTION (target_option_default_node);
- if (opts->x_riscv_arch_string != default_opts->x_riscv_arch_string)
- free (CONST_CAST (void *, (const void *) opts->x_riscv_arch_string));
- opts->x_riscv_arch_string = xstrdup (local_arch_str);
+ opts->x_riscv_arch_string = ggc_strdup (local_arch_str);
riscv_set_arch_by_subset_list (m_subset_list, opts);
}
[gcc(refs/vendors/riscv/heads/gcc-15-with-riscv-opts)] [PATCH] RISC-V: Do not free a riscv_arch_string when handling target-arch attribute
https://gcc.gnu.org/g:b8ae77a9d4605c18edcfdd62c026d57e420c421b
commit b8ae77a9d4605c18edcfdd62c026d57e420c421b
Author: 翁愷邑
Date: Thu Apr 17 16:24:20 2025 -0600
[PATCH] RISC-V: Do not free a riscv_arch_string when handling target-arch
attribute
The build_target_option_node() function may return a cached node when
fndecl having the same effective global_options. Therefore, freeing
memory used in target nodes can lead to a use-after-free issue, as a
target node may be shared by multiple fndecl.
This issue occurs in gcc.target/riscv/target-attr-16.c, where all
functions have the same march, but the last function tries to free its
old x_riscv_arch_string (which is shared) when processing the second
target attribute.However, the behavior of this issue depends on how the
OS handles malloc. It's very likely that xstrdup returns the old address
just freed, coincidentally hiding the issue. We can verify the issue by
forcing xstrdup to return a new address, e.g.,
- if (opts->x_riscv_arch_string != default_opts->x_riscv_arch_string)
-free (CONST_CAST (void *, (const void *) opts->x_riscv_arch_string));
+ // Force it to use a new address, NFCI
+ const char *tmp = opts->x_riscv_arch_string;
opts->x_riscv_arch_string = xstrdup (local_arch_str);
+ if (tmp != default_opts->x_riscv_arch_string)
+free (CONST_CAST (void *, (const void *) tmp));
This patch replaces xstrdup with ggc_strdup and let gc to take care of
unused strings.
gcc/ChangeLog:
* config/riscv/riscv-target-attr.cc
(riscv_target_attr_parser::update_settings):
Do not manually free any arch string.
(cherry picked from commit 2d6f1ca17f25b28da8f8d83622f0e029da2340e7)
Diff:
---
gcc/config/riscv/riscv-target-attr.cc | 6 +-
1 file changed, 1 insertion(+), 5 deletions(-)
diff --git a/gcc/config/riscv/riscv-target-attr.cc
b/gcc/config/riscv/riscv-target-attr.cc
index 1d968655f95d..8ad3025579b2 100644
--- a/gcc/config/riscv/riscv-target-attr.cc
+++ b/gcc/config/riscv/riscv-target-attr.cc
@@ -257,11 +257,7 @@ riscv_target_attr_parser::update_settings (struct
gcc_options *opts) const
{
std::string local_arch = m_subset_list->to_string (true);
const char* local_arch_str = local_arch.c_str ();
- struct cl_target_option *default_opts
- = TREE_TARGET_OPTION (target_option_default_node);
- if (opts->x_riscv_arch_string != default_opts->x_riscv_arch_string)
- free (CONST_CAST (void *, (const void *) opts->x_riscv_arch_string));
- opts->x_riscv_arch_string = xstrdup (local_arch_str);
+ opts->x_riscv_arch_string = ggc_strdup (local_arch_str);
riscv_set_arch_by_subset_list (m_subset_list, opts);
}
[gcc(refs/vendors/riscv/heads/gcc-15-with-riscv-opts)] [PATCH] RISC-V: Do not free a riscv_arch_string when handling target-arch attribute
https://gcc.gnu.org/g:8b34e03a0527699f36e69fff4627ba60abe99cdc
commit 8b34e03a0527699f36e69fff4627ba60abe99cdc
Author: 翁愷邑
Date: Thu Apr 17 16:24:20 2025 -0600
[PATCH] RISC-V: Do not free a riscv_arch_string when handling target-arch
attribute
The build_target_option_node() function may return a cached node when
fndecl having the same effective global_options. Therefore, freeing
memory used in target nodes can lead to a use-after-free issue, as a
target node may be shared by multiple fndecl.
This issue occurs in gcc.target/riscv/target-attr-16.c, where all
functions have the same march, but the last function tries to free its
old x_riscv_arch_string (which is shared) when processing the second
target attribute.However, the behavior of this issue depends on how the
OS handles malloc. It's very likely that xstrdup returns the old address
just freed, coincidentally hiding the issue. We can verify the issue by
forcing xstrdup to return a new address, e.g.,
- if (opts->x_riscv_arch_string != default_opts->x_riscv_arch_string)
-free (CONST_CAST (void *, (const void *) opts->x_riscv_arch_string));
+ // Force it to use a new address, NFCI
+ const char *tmp = opts->x_riscv_arch_string;
opts->x_riscv_arch_string = xstrdup (local_arch_str);
+ if (tmp != default_opts->x_riscv_arch_string)
+free (CONST_CAST (void *, (const void *) tmp));
This patch replaces xstrdup with ggc_strdup and let gc to take care of
unused strings.
gcc/ChangeLog:
* config/riscv/riscv-target-attr.cc
(riscv_target_attr_parser::update_settings):
Do not manually free any arch string.
(cherry picked from commit 2d6f1ca17f25b28da8f8d83622f0e029da2340e7)
Diff:
---
gcc/config/riscv/riscv-target-attr.cc | 6 +-
1 file changed, 1 insertion(+), 5 deletions(-)
diff --git a/gcc/config/riscv/riscv-target-attr.cc
b/gcc/config/riscv/riscv-target-attr.cc
index 1d968655f95d..8ad3025579b2 100644
--- a/gcc/config/riscv/riscv-target-attr.cc
+++ b/gcc/config/riscv/riscv-target-attr.cc
@@ -257,11 +257,7 @@ riscv_target_attr_parser::update_settings (struct
gcc_options *opts) const
{
std::string local_arch = m_subset_list->to_string (true);
const char* local_arch_str = local_arch.c_str ();
- struct cl_target_option *default_opts
- = TREE_TARGET_OPTION (target_option_default_node);
- if (opts->x_riscv_arch_string != default_opts->x_riscv_arch_string)
- free (CONST_CAST (void *, (const void *) opts->x_riscv_arch_string));
- opts->x_riscv_arch_string = xstrdup (local_arch_str);
+ opts->x_riscv_arch_string = ggc_strdup (local_arch_str);
riscv_set_arch_by_subset_list (m_subset_list, opts);
}
