From: Tamar Christina Date: Wed, 24 Feb 2021 15:16:23 +0000 (+0000) Subject: slp: fix accidental resource re-use of slp_tree (PR99220) X-Git-Tag: basepoints/gcc-12~898 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=6c35e79b47ab582e18d851f6c5df776bac766eaf;p=thirdparty%2Fgcc.git slp: fix accidental resource re-use of slp_tree (PR99220) The attached testcase shows a bug where two nodes end up with the same pointer. During the loop that analyzes all the instances in optimize_load_redistribution_1 we do if (value) { SLP_TREE_REF_COUNT (value)++; SLP_TREE_CHILDREN (root)[i] = value; vect_free_slp_tree (node); } when doing a replacement. When this is done and the refcount for the node reaches 0, the node is removed, which allows the libc to return the pointer again in the next call to new, which it does.. First instance note: node 0x5325f48 (max_nunits=1, refcnt=2) note: op: VEC_PERM_EXPR note: { } note: lane permutation { 0[0] 1[1] 0[2] 1[3] } note: children 0x5325db0 0x5325200 Second instance note: node 0x5325f48 (max_nunits=1, refcnt=1) note: op: VEC_PERM_EXPR note: { } note: lane permutation { 0[0] 1[1] } note: children 0x53255b8 0x5325530 This will end up with the illegal construction of note: node 0x53258e8 (max_nunits=2, refcnt=2) note: op template: slp_patt_57 = .COMPLEX_MUL (_16, _16); note: stmt 0 _16 = _14 - _15; note: stmt 1 _23 = _17 + _22; note: children 0x53257d8 0x5325d28 note: node 0x53257d8 (max_nunits=2, refcnt=3) note: op template: l$b_4 = MEM[(const struct a &)_3].b; note: stmt 0 l$b_4 = MEM[(const struct a &)_3].b; note: stmt 1 l$c_5 = MEM[(const struct a &)_3].c; note: load permutation { 0 1 } note: node 0x5325d28 (max_nunits=2, refcnt=8) note: op template: l$b_4 = MEM[(const struct a &)_3].b; note: stmt 0 l$b_4 = MEM[(const struct a &)_3].b; note: stmt 1 l$c_5 = MEM[(const struct a &)_3].c; note: stmt 2 l$b_4 = MEM[(const struct a &)_3].b; note: stmt 3 l$c_5 = MEM[(const struct a &)_3].c; note: load permutation { 0 1 0 1 } To prevent this we remove the node from the load_map if it's about to be deleted. gcc/ChangeLog: PR tree-optimization/99220 * tree-vect-slp.c (optimize_load_redistribution_1): Remove node from cache when it's about to be deleted. gcc/testsuite/ChangeLog: PR tree-optimization/99220 * g++.dg/vect/pr99220.cc: New test. --- diff --git a/gcc/testsuite/g++.dg/vect/pr99220.cc b/gcc/testsuite/g++.dg/vect/pr99220.cc new file mode 100755 index 000000000000..b41b2d4f0ee4 --- /dev/null +++ b/gcc/testsuite/g++.dg/vect/pr99220.cc @@ -0,0 +1,29 @@ +/* { dg-do compile { target { aarch64*-*-* } } } */ +/* { dg-additional-options "-w -O3 -march=armv8.3-a" } */ + +class a { + float b; + float c; + +public: + a(float d, float e) : b(d), c(e) {} + a operator+(a d) { return a(b + d.b, c + d.c); } + a operator-(a d) { return a(b - d.b, c - d.c); } + a operator*(a d) { return a(b * b - c * c, b * c + c * d.b); } +}; +long f; +a *g; +class { + a *h; + long i; + a *j; + +public: + void k() { + a l = h[0], m = g[i], n = l * g[1], o = l * j[8]; + g[i] = m + n; + g[i + 1] = m - n; + j[f] = o; + } +} p; +main() { p.k(); } diff --git a/gcc/tree-vect-slp.c b/gcc/tree-vect-slp.c index 091e727bbc3e..c55c01a4a94d 100644 --- a/gcc/tree-vect-slp.c +++ b/gcc/tree-vect-slp.c @@ -2351,6 +2351,12 @@ next: { SLP_TREE_REF_COUNT (value)++; SLP_TREE_CHILDREN (root)[i] = value; + /* ??? We know the original leafs of the replaced nodes will + be referenced by bst_map, only the permutes created by + pattern matching are not. */ + if (SLP_TREE_REF_COUNT (node) == 1) + load_map->remove (node); + vect_free_slp_tree (node); } } @@ -2383,6 +2389,12 @@ optimize_load_redistribution (scalar_stmts_to_slp_tree_map_t *bst_map, { SLP_TREE_REF_COUNT (value)++; SLP_TREE_CHILDREN (root)[i] = value; + /* ??? We know the original leafs of the replaced nodes will + be referenced by bst_map, only the permutes created by + pattern matching are not. */ + if (SLP_TREE_REF_COUNT (node) == 1) + load_map->remove (node); + vect_free_slp_tree (node); } }