projects / gcc.git / commitdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | patch | inline | side by side (parent: 10bce48)
Fix use after free in vector_size change
authorRichard Sandiford <richard.sandiford@arm.com>
Tue, 22 Oct 2019 08:43:01 +0000 (08:43 +0000)
committerRichard Sandiford <rsandifo@gcc.gnu.org>
Tue, 22 Oct 2019 08:43:01 +0000 (08:43 +0000)
r277235 was a bit too mechanical and ended up introducing use
after free bugs in both loop and SLP vectorisation.

2019-10-22  Richard Sandiford  <richard.sandiford@arm.com>

gcc/
* tree-vect-slp.c (vect_slp_bb_region): Check whether
autodetected_vector_size rather than vector_size is zero.
* tree-vect-loop.c (vect_analyze_loop): Likewise.
Set autodetected_vector_size immediately after calling
vect_analyze_loop_2.  Check for a fatal error before advancing
next_size.

From-SVN: r277282

gcc/ChangeLog patch | blob | history
gcc/tree-vect-loop.c patch | blob | history
gcc/tree-vect-slp.c patch | blob | history

diff --git a/gcc/ChangeLog b/gcc/ChangeLog
index 5e6c6620d17364cb468f08463d3cbd770c0a2ad6..65baf0c21643e99f5f077b80a439b81f357ed240 100644 (file)
--- a/gcc/ChangeLog
+++ b/gcc/ChangeLog
@@ -1,3 +1,12 @@
+2019-10-22  Richard Sandiford  <richard.sandiford@arm.com>
+
+       * tree-vect-slp.c (vect_slp_bb_region): Check whether
+       autodetected_vector_size rather than vector_size is zero.
+       * tree-vect-loop.c (vect_analyze_loop): Likewise.
+       Set autodetected_vector_size immediately after calling
+       vect_analyze_loop_2.  Check for a fatal error before advancing
+       next_size.
+
 2019-10-21  Jason Merrill  <jason@redhat.com>
 
        * lock-and-run.sh: Check for process existence rather than timeout.
diff --git a/gcc/tree-vect-loop.c b/gcc/tree-vect-loop.c
index a4c9f2f4138432ef87c6269e8386ace3313a7d90..07ddc2ecb3e7b4a90ff6d20831245f57e23ff49f 100644 (file)
--- a/gcc/tree-vect-loop.c
+++ b/gcc/tree-vect-loop.c
@@ -2365,6 +2365,9 @@ vect_analyze_loop (class loop *loop, loop_vec_info orig_loop_vinfo,
        LOOP_VINFO_ORIG_LOOP_INFO (loop_vinfo) = orig_loop_vinfo;
 
       opt_result res = vect_analyze_loop_2 (loop_vinfo, fatal, &n_stmts);
+      if (next_size == 0)
+       autodetected_vector_size = loop_vinfo->vector_size;
+
       if (res)
        {
          LOOP_VINFO_VECTORIZABLE_P (loop_vinfo) = 1;
@@ -2390,21 +2393,18 @@ vect_analyze_loop (class loop *loop, loop_vec_info orig_loop_vinfo,
       else
        delete loop_vinfo;
 
-      if (next_size == 0)
-       autodetected_vector_size = loop_vinfo->vector_size;
-
-      if (next_size < vector_sizes.length ()
-         && known_eq (vector_sizes[next_size], autodetected_vector_size))
-       next_size += 1;
-
       if (fatal)
        {
          gcc_checking_assert (first_loop_vinfo == NULL);
          return opt_loop_vec_info::propagate_failure (res);
        }
 
+      if (next_size < vector_sizes.length ()
+         && known_eq (vector_sizes[next_size], autodetected_vector_size))
+       next_size += 1;
+
       if (next_size == vector_sizes.length ()
-         || known_eq (loop_vinfo->vector_size, 0U))
+         || known_eq (autodetected_vector_size, 0U))
        {
          if (first_loop_vinfo)
            {
diff --git a/gcc/tree-vect-slp.c b/gcc/tree-vect-slp.c
index d482aa133d70787d33a3796f43789599b7302f0d..20ea1059a2d1ae177795ede8870ba64017749e44 100644 (file)
--- a/gcc/tree-vect-slp.c
+++ b/gcc/tree-vect-slp.c
@@ -3102,7 +3102,7 @@ vect_slp_bb_region (gimple_stmt_iterator region_begin,
 
       if (vectorized
          || next_size == vector_sizes.length ()
-         || known_eq (bb_vinfo->vector_size, 0U)
+         || known_eq (autodetected_vector_size, 0U)
          /* If vect_slp_analyze_bb_1 signaled that analysis for all
             vector sizes will fail do not bother iterating.  */
          || fatal)