From owner-svn-src-all@freebsd.org Sun May 29 20:54:17 2016 Return-Path: Delivered-To: svn-src-all@mailman.ysv.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) by mailman.ysv.freebsd.org (Postfix) with ESMTP id 993D0B54A5B; Sun, 29 May 2016 20:54:17 +0000 (UTC) (envelope-from dim@FreeBSD.org) Received: from repo.freebsd.org (repo.freebsd.org [IPv6:2610:1c1:1:6068::e6a:0]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client did not present a certificate) by mx1.freebsd.org (Postfix) with ESMTPS id 51A631B6F; Sun, 29 May 2016 20:54:17 +0000 (UTC) (envelope-from dim@FreeBSD.org) Received: from repo.freebsd.org ([127.0.1.37]) by repo.freebsd.org (8.15.2/8.15.2) with ESMTP id u4TKsG1X027895; Sun, 29 May 2016 20:54:16 GMT (envelope-from dim@FreeBSD.org) Received: (from dim@localhost) by repo.freebsd.org (8.15.2/8.15.2/Submit) id u4TKsGHU027894; Sun, 29 May 2016 20:54:16 GMT (envelope-from dim@FreeBSD.org) Message-Id: <201605292054.u4TKsGHU027894@repo.freebsd.org> X-Authentication-Warning: repo.freebsd.org: dim set sender to dim@FreeBSD.org using -f From: Dimitry Andric Date: Sun, 29 May 2016 20:54:16 +0000 (UTC) To: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-head@freebsd.org Subject: svn commit: r300974 - head/contrib/llvm/lib/Transforms/Vectorize X-SVN-Group: head MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit X-BeenThere: svn-src-all@freebsd.org X-Mailman-Version: 2.1.22 Precedence: list List-Id: "SVN commit messages for the entire src tree \(except for " user" and " projects" \)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sun, 29 May 2016 20:54:17 -0000 Author: dim Date: Sun May 29 20:54:16 2016 New Revision: 300974 URL: https://svnweb.freebsd.org/changeset/base/300974 Log: Pull in r269908 from upstream llvm trunk (by James Molloy): [VectorUtils] Fix nasty use-after-free In truncateToMinimalBitwidths() we were RAUW'ing an instruction then erasing it. However, that intruction could be cached in the map we're iterating over. The first check is "I->use_empty()" which in most cases would return true, as the (deleted) object was RAUW'd first so would have zero use count. However in some cases the object could have been polluted or written over and this wouldn't be the case. Also it makes valgrind, asan and traditionalists who don't like their compiler to crash sad. No testcase as there are no externally visible symptoms apart from a crash if the stars align. Fixes PR26509. This should fix crashes when building a number of ports on arm64. Reported by: andrew Modified: head/contrib/llvm/lib/Transforms/Vectorize/LoopVectorize.cpp Modified: head/contrib/llvm/lib/Transforms/Vectorize/LoopVectorize.cpp ============================================================================== --- head/contrib/llvm/lib/Transforms/Vectorize/LoopVectorize.cpp Sun May 29 20:28:01 2016 (r300973) +++ head/contrib/llvm/lib/Transforms/Vectorize/LoopVectorize.cpp Sun May 29 20:54:16 2016 (r300974) @@ -3161,10 +3161,11 @@ void InnerLoopVectorizer::truncateToMini // truncated version of `I` and reextend its result. InstCombine runs // later and will remove any ext/trunc pairs. // + SmallPtrSet Erased; for (auto &KV : MinBWs) { VectorParts &Parts = WidenMap.get(KV.first); for (Value *&I : Parts) { - if (I->use_empty()) + if (Erased.count(I) || I->use_empty()) continue; Type *OriginalTy = I->getType(); Type *ScalarTruncatedTy = IntegerType::get(OriginalTy->getContext(), @@ -3238,6 +3239,7 @@ void InnerLoopVectorizer::truncateToMini Value *Res = B.CreateZExtOrTrunc(NewI, OriginalTy); I->replaceAllUsesWith(Res); cast(I)->eraseFromParent(); + Erased.insert(I); I = Res; } }