Pull in r269908 from upstream llvm trunk (by James Molloy):

[VectorUtils] Fix nasty use-after-free In truncateToMinimalBitwidths() we were RAUW'ing an instruction then erasing it. However, that intruction could be cached in the map we're iterating over. The first check is "I->use_empty()" which in most cases would return true, as the (deleted) object was RAUW'd first so would have zero use count. However in some cases the object could have been polluted or written over and this wouldn't be the case. Also it makes valgrind, asan and traditionalists who don't like their compiler to crash sad. No testcase as there are no externally visible symptoms apart from a crash if the stars align. Fixes PR26509. This should fix crashes when building a number of ports on arm64. Reported by: andrew
2016-05-29 20:54:16 +00:00 · 2016-05-29 20:54:16 +00:00 · f8789c6b84
commit f8789c6b84
parent 98a7b0ba5c
1 changed files with 3 additions and 1 deletions
--- a/contrib/llvm/lib/Transforms/Vectorize/LoopVectorize.cpp
+++ b/contrib/llvm/lib/Transforms/Vectorize/LoopVectorize.cpp
@ -3161,10 +3161,11 @@ void InnerLoopVectorizer::truncateToMinimalBitwidths() {
  // truncated version of `I` and reextend its result. InstCombine runs
  // later and will remove any ext/trunc pairs.
  //
+  SmallPtrSet<Value *, 4> Erased;
  for (auto &KV : MinBWs) {
    VectorParts &Parts = WidenMap.get(KV.first);
    for (Value *&I : Parts) {
-      if (I->use_empty())
+      if (Erased.count(I) || I->use_empty())
        continue;
      Type *OriginalTy = I->getType();
      Type *ScalarTruncatedTy = IntegerType::get(OriginalTy->getContext(),
@ -3238,6 +3239,7 @@ void InnerLoopVectorizer::truncateToMinimalBitwidths() {
      Value *Res = B.CreateZExtOrTrunc(NewI, OriginalTy);
      I->replaceAllUsesWith(Res);
      cast<Instruction>(I)->eraseFromParent();
+      Erased.insert(I);
      I = Res;
    }
  }