I noticed yesterday that r277235 was a bit too mechanical and ended up
introducing use after free bugs in both loop and SLP vectorisation.
Sorry for the stupid mistake. :-(

Moving "next_size += 1" down isn't part of the fix, but it seemed odd
to keep it where it was after moving the "next_size == 0" stuff up.

Tested on aarch64-linux-gnu and x86_64-linux-gnu.  OK to install?

Richard


2019-10-22  Richard Sandiford  <richard.sandif...@arm.com>

gcc/
        * tree-vect-slp.c (vect_slp_bb_region): Check whether
        autodetected_vector_size rather than vector_size is zero.
        * tree-vect-loop.c (vect_analyze_loop): Likewise.
        Set autodetected_vector_size immediately after calling
        vect_analyze_loop_2.  Check for a fatal error before advancing
        next_size.

Index: gcc/tree-vect-slp.c
===================================================================
--- gcc/tree-vect-slp.c 2019-10-22 08:21:31.000000000 +0100
+++ gcc/tree-vect-slp.c 2019-10-22 08:21:31.474357917 +0100
@@ -3043,7 +3043,7 @@ vect_slp_bb_region (gimple_stmt_iterator
 
       if (vectorized
          || next_size == vector_sizes.length ()
-         || known_eq (bb_vinfo->vector_size, 0U)
+         || known_eq (autodetected_vector_size, 0U)
          /* If vect_slp_analyze_bb_1 signaled that analysis for all
             vector sizes will fail do not bother iterating.  */
          || fatal)
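Review bot: The switch to `autodetected_vector_size` in this condition has no comment saying why the cached value is read instead of `bb_vinfo->vector_size`, so a later cleanup could quietly reintroduce the field access. Going by the commit message, bb_vinfo has presumably been freed by this point, but the `delete` is outside the hunk, as are the start and end of vect_slp_bb_region. A comment above the test would record the constraint, e.g. `/* bb_vinfo may already have been deleted; use the cached size.  */`. The same applies to the assignment added after `vect_analyze_loop_2` in the tree-vect-loop.c hunk at -2354, which must stay ahead of `delete loop_vinfo`; something like `/* Record this now: loop_vinfo may be deleted below.  */` would do.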
Index: gcc/tree-vect-loop.c
===================================================================
--- gcc/tree-vect-loop.c        2019-10-22 08:21:31.000000000 +0100
+++ gcc/tree-vect-loop.c        2019-10-22 08:21:31.474357917 +0100
@@ -2354,6 +2354,9 @@ vect_analyze_loop (class loop *loop, loo
        LOOP_VINFO_ORIG_LOOP_INFO (loop_vinfo) = orig_loop_vinfo;
 
       opt_result res = vect_analyze_loop_2 (loop_vinfo, fatal, &n_stmts);
+      if (next_size == 0)
+       autodetected_vector_size = loop_vinfo->vector_size;
+
       if (res)
        {
          LOOP_VINFO_VECTORIZABLE_P (loop_vinfo) = 1;
@@ -2379,21 +2382,18 @@ vect_analyze_loop (class loop *loop, loo
       else
        delete loop_vinfo;
 
-      if (next_size == 0)
-       autodetected_vector_size = loop_vinfo->vector_size;
-
-      if (next_size < vector_sizes.length ()
-         && known_eq (vector_sizes[next_size], autodetected_vector_size))
-       next_size += 1;
-
       if (fatal)
        {
          gcc_checking_assert (first_loop_vinfo == NULL);
          return opt_loop_vec_info::propagate_failure (res);
        }
 
+      if (next_size < vector_sizes.length ()
+         && known_eq (vector_sizes[next_size], autodetected_vector_size))
+       next_size += 1;
+
       if (next_size == vector_sizes.length ()
-         || known_eq (loop_vinfo->vector_size, 0U))
+         || known_eq (autodetected_vector_size, 0U))
        {
          if (first_loop_vinfo)
            {
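Review bot: After `delete loop_vinfo;` in the else branch at the top of this hunk, `loop_vinfo` stays dangling for the rest of the iteration, and the patch only removes the two reads that existed. Clearing the pointer there would turn any future stale read into an immediate null dereference rather than a silent use after free, e.g. `else { delete loop_vinfo; loop_vinfo = NULL; }`, if the variable's type permits the assignment. The loop body continues outside the hunk, so confirm that nothing on the failure path still expects the old value.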
