Fix possible double-free and leak in BB SLP discovery
authorRichard Biener <rguenther@suse.de>
Wed, 29 Oct 2025 08:03:57 +0000 (09:03 +0100)
committerRichard Biener <rguenth@gcc.gnu.org>
Wed, 29 Oct 2025 14:15:41 +0000 (15:15 +0100)
vect_build_slp_instance always releases the scalar stmts vector, so make sure
to mark it as released and actually release it.

* tree-vect-slp.cc (vect_analyze_slp): Mark stmts in BB roots
as released after vect_build_slp_instance.
(vect_build_slp_instance): Release scalar_stmts when exiting
early.

gcc/tree-vect-slp.cc

index e02b3379bb4622c3631e1718e635f5707e3bf0e7..66c45185892f9a07f12329654470ea8bd695be3f 100644 (file)
@@ -4045,7 +4045,9 @@ vect_build_slp_store_interleaving (vec<slp_tree> &rhs_nodes,
 }
 
 /* Analyze an SLP instance starting from SCALAR_STMTS which are a group
-   of KIND.  Return true if successful.  */
+   of KIND.  Return true if successful.  SCALAR_STMTS is owned by this
+   function, REMAIN and ROOT_STMT_INFOS ownership is transfered back to
+   the caller upon failure.  */
 
 static bool
 vect_build_slp_instance (vec_info *vinfo,
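Review bot: The new ownership sentence in the comment above vect_build_slp_instance misspells "transferred" and only describes the failure case for REMAIN and ROOT_STMT_INFOS. Because this comment is now the contract callers rely on to avoid a double free, it should say outright that SCALAR_STMTS is released on every return path, for example `SCALAR_STMTS is always released by this function; on failure REMAIN and ROOT_STMT_INFOS remain owned by the caller.` That the vectors are taken over on success is inferred from the caller hunk in vect_analyze_slp, which clears roots and remain only when the call returns true. The function body itself lies outside this hunk.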
@@ -4059,7 +4061,10 @@ vect_build_slp_instance (vec_info *vinfo,
 {
   /* If there's no budget left bail out early.  */
   if (*limit == 0)
-    return false;
+    {
+      scalar_stmts.release ();
+      return false;
+    }
 
   if (kind == slp_inst_kind_ctor)
     {
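Review bot: The added `scalar_stmts.release ()` covers only the `*limit == 0` exit, but the new contract requires every return path to release the vector exactly once, and the rest of the body is outside this hunk so that cannot be confirmed here. The caller in vect_analyze_slp now clears `roots[i].stmts` unconditionally, so a path that returns without releasing would become a silent leak, and a release that a caller repeats on a live copy would be a double free. A short comment at this exit would tie it to the contract, e.g. `/* SCALAR_STMTS is ours to release on every exit, including this one.  */`. It would also be worth checking the remaining early returns in the function, and any other callers, against the same rule.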
@@ -5564,10 +5569,10 @@ vect_analyze_slp (vec_info *vinfo, unsigned max_tree_size,
                                       bb_vinfo->roots[i].remain,
                                       max_tree_size, &limit, bst_map, false))
            {
-             bb_vinfo->roots[i].stmts = vNULL;
              bb_vinfo->roots[i].roots = vNULL;
              bb_vinfo->roots[i].remain = vNULL;
            }
+         bb_vinfo->roots[i].stmts = vNULL;
        }
     }