From: tbsaunde <tbsaunde@138bc75d-0d04-0410-961f-82ee72b054a4>
Date: Tue, 5 Aug 2014 19:52:08 +0000 (+0000)
Subject: fix pr62009 use after free in redirect_edge_var_map_dup
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=e4b3cdcb44dcacf7bfed9036fa9725f321945b52;p=thirdparty%2Fgcc.git

fix pr62009 use after free in redirect_edge_var_map_dup

The change to get the entry for the old edge before inserting the new
one was incorrect because if inserting the new one resized the table
then the pointer to the entry for the old one would become invalid.

gcc/

	* tree-ssa.c (redirect_edge_var_map_dup): insert newe before
	getting olde.

git-svn-id: svn+ssh://gcc.gnu.org/svn/gcc/trunk@213644 138bc75d-0d04-0410-961f-82ee72b054a4
---

diff --git a/gcc/ChangeLog b/gcc/ChangeLog
index f199fed57aa6..17a0f2d93c4a 100644
--- a/gcc/ChangeLog
+++ b/gcc/ChangeLog
@@ -1,3 +1,8 @@
+2014-08-05  Trevor Saunders  <tsaunders@mozilla.com>
+
+	* tree-ssa.c (redirect_edge_var_map_dup): insert newe before
+	getting olde.
+
 2014-08-05  Richard Biener  <rguenther@suse.de>
 
 	PR rtl-optimization/61672
diff --git a/gcc/tree-ssa.c b/gcc/tree-ssa.c
index 217b9fc769ee..e6842969304b 100644
--- a/gcc/tree-ssa.c
+++ b/gcc/tree-ssa.c
@@ -106,11 +106,12 @@ redirect_edge_var_map_dup (edge newe, edge olde)
   if (!edge_var_maps)
     return;
 
-  auto_vec<edge_var_map> *head = edge_var_maps->get (olde);
-  if (!head)
+  auto_vec<edge_var_map> *new_head = &edge_var_maps->get_or_insert (newe);
+  auto_vec<edge_var_map> *old_head = edge_var_maps->get (olde);
+  if (!old_head)
     return;
 
-  edge_var_maps->get_or_insert (newe).safe_splice (*head);
+  new_head->safe_splice (*old_head);
 }