fix pr62009 use after free in redirect_edge_var_map_dup

The change to get the entry for the old edge before inserting the new
one was incorrect because if inserting the new one resized the table
then the pointer to the entry for the old one would become invalid.

gcc/

	* tree-ssa.c (redirect_edge_var_map_dup): insert newe before
	getting olde.

git-svn-id: svn+ssh://gcc.gnu.org/svn/gcc/trunk@213644 138bc75d-0d04-0410-961f-82ee72b054a4

diff --git a/gcc/ChangeLog b/gcc/ChangeLog
index f199fed57aa6704f82286944b1f5aaf2d7a1d24f..17a0f2d93c4adf2e7c4cc777d9a6db39f878fa6a 100644 (file)
--- a/gcc/ChangeLog
+++ b/gcc/ChangeLog
@@ -1,3 +1,8 @@
+2014-08-05  Trevor Saunders  <tsaunders@mozilla.com>
+
+       * tree-ssa.c (redirect_edge_var_map_dup): insert newe before
+       getting olde.
+
 2014-08-05  Richard Biener  <rguenther@suse.de>
 
        PR rtl-optimization/61672

diff --git a/gcc/tree-ssa.c b/gcc/tree-ssa.c
index 217b9fc769ee1730058db0e739e8d2663097e737..e6842969304b181b7e0f0edd8224b341b5f779f9 100644 (file)
--- a/gcc/tree-ssa.c
+++ b/gcc/tree-ssa.c
@@ -106,11 +106,12 @@ redirect_edge_var_map_dup (edge newe, edge olde)
   if (!edge_var_maps)
     return;
 
-  auto_vec<edge_var_map> *head = edge_var_maps->get (olde);
-  if (!head)
+  auto_vec<edge_var_map> *new_head = &edge_var_maps->get_or_insert (newe);
+  auto_vec<edge_var_map> *old_head = edge_var_maps->get (olde);
+  if (!old_head)
     return;
 
-  edge_var_maps->get_or_insert (newe).safe_splice (*head);
+  new_head->safe_splice (*old_head);
 }