From: Richard Biener <rguenther@suse.de>
Date: Thu, 14 Mar 2019 09:18:07 +0000 (+0000)
Subject: backport: re PR target/84272 (AddressSanitizer: heap-use-after-free ../../gcc/config... 
X-Git-Tag: releases/gcc-7.5.0~541
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=c7b96091a3d18605d719b01eecb482aa38217f38;p=thirdparty%2Fgcc.git

backport: re PR target/84272 (AddressSanitizer: heap-use-after-free ../../gcc/config/aarch64/cortex-a57-fma-steering.c:519 in fma_node::get_parity())

2019-03-14  Richard Biener  <rguenther@suse.de>

	Backport from mainline
	2018-02-16  Jakub Jelinek  <jakub@redhat.com>

	PR target/84272
	* config/aarch64/cortex-a57-fma-steering.c (fma_forest::merge_forest):
	Use ++iter rather than iter++ for std::list iterators.
	(func_fma_steering::dfs): Likewise.  Don't delete nodes right away,
	defer deleting them until all nodes in the forest are processed.  Do
	free even leaf nodes.  Change to_process into auto_vec.

	* g++.dg/opt/pr84272.C: New test.

From-SVN: r269676
---

diff --git a/gcc/ChangeLog b/gcc/ChangeLog
index e520d31f5bf5..d3f9e5b1fd76 100644
--- a/gcc/ChangeLog
+++ b/gcc/ChangeLog
@@ -1,3 +1,15 @@
+2019-03-14  Richard Biener  <rguenther@suse.de>
+
+	Backport from mainline
+	2018-02-16  Jakub Jelinek  <jakub@redhat.com>
+ 
+	PR target/84272
+	* config/aarch64/cortex-a57-fma-steering.c (fma_forest::merge_forest):
+	Use ++iter rather than iter++ for std::list iterators.
+	(func_fma_steering::dfs): Likewise.  Don't delete nodes right away,
+	defer deleting them until all nodes in the forest are processed.  Do
+	free even leaf nodes.  Change to_process into auto_vec.
+
 2019-03-13  Andre Vieira  <andre.simoesdiasvieira@arm.com>
 
 	Backport from mainline
diff --git a/gcc/config/aarch64/cortex-a57-fma-steering.c b/gcc/config/aarch64/cortex-a57-fma-steering.c
index 30fe85e41c75..c3063dcedb8a 100644
--- a/gcc/config/aarch64/cortex-a57-fma-steering.c
+++ b/gcc/config/aarch64/cortex-a57-fma-steering.c
@@ -404,7 +404,7 @@ fma_forest::merge_forest (fma_forest *other_forest)
 
   /* Update root nodes' pointer to forest.  */
   for (other_root_iter = other_roots->begin ();
-       other_root_iter != other_roots->end (); other_root_iter++)
+       other_root_iter != other_roots->end (); ++other_root_iter)
     (*other_root_iter)->set_forest (this);
 
   /* Remove other_forest from the list of forests and move its tree roots in
@@ -845,14 +845,13 @@ func_fma_steering::dfs (void (*process_forest) (fma_forest *),
 			void (*process_node) (fma_forest *, fma_node *),
 			bool free)
 {
-  vec<fma_node *> to_process;
+  auto_vec<fma_node *> to_process;
+  auto_vec<fma_node *> to_free;
   std::list<fma_forest *>::iterator forest_iter;
 
-  to_process.create (0);
-
   /* For each forest.  */
   for (forest_iter = this->m_fma_forests.begin ();
-       forest_iter != this->m_fma_forests.end (); forest_iter++)
+       forest_iter != this->m_fma_forests.end (); ++forest_iter)
     {
       std::list<fma_root_node *>::iterator root_iter;
 
@@ -861,7 +860,7 @@ func_fma_steering::dfs (void (*process_forest) (fma_forest *),
 
       /* For each tree root in this forest.  */
       for (root_iter = (*forest_iter)->get_roots ()->begin ();
-	   root_iter != (*forest_iter)->get_roots ()->end (); root_iter++)
+	   root_iter != (*forest_iter)->get_roots ()->end (); ++root_iter)
 	{
 	  if (process_root)
 	    process_root (*forest_iter, *root_iter);
@@ -879,28 +878,30 @@ func_fma_steering::dfs (void (*process_forest) (fma_forest *),
 	  if (process_node)
 	    process_node (*forest_iter, node);
 
-	  /* Absence of children might indicate an alternate root of a *chain*.
-	     It's ok to skip it here as the chain will be renamed when
-	     processing the canonical root for that chain.  */
-	  if (node->get_children ()->empty ())
-	    continue;
-
 	  for (child_iter = node->get_children ()->begin ();
-	       child_iter != node->get_children ()->end (); child_iter++)
+	       child_iter != node->get_children ()->end (); ++child_iter)
 	    to_process.safe_push (*child_iter);
+
+	  /* Defer freeing so that the process_node callback can access the
+	     parent and children of the node being processed.  */
 	  if (free)
+	    to_free.safe_push (node);
+	}
+
+      if (free)
+	{
+	  delete *forest_iter;
+
+	  while (!to_free.is_empty ())
 	    {
+	      fma_node *node = to_free.pop ();
 	      if (node->root_p ())
 		delete static_cast<fma_root_node *> (node);
 	      else
 		delete node;
 	    }
 	}
-      if (free)
-	delete *forest_iter;
     }
-
-  to_process.release ();
 }
 
 /* Build the dependency trees of FMUL and FMADD/FMSUB instructions.  */
diff --git a/gcc/testsuite/ChangeLog b/gcc/testsuite/ChangeLog
index 16636e13182c..6061fba0b365 100644
--- a/gcc/testsuite/ChangeLog
+++ b/gcc/testsuite/ChangeLog
@@ -1,3 +1,11 @@
+2019-03-14  Richard Biener  <rguenther@suse.de>
+
+	Backport from mainline
+	2018-02-16  Jakub Jelinek  <jakub@redhat.com>
+ 
+	PR target/84272
+	* g++.dg/opt/pr84272.C: New test.
+
 2019-03-13  Thomas Koenig  <tkoenig@gcc.gnu.org>
 
 	PR fortran/87673
diff --git a/gcc/testsuite/g++.dg/opt/pr84272.C b/gcc/testsuite/g++.dg/opt/pr84272.C
new file mode 100644
index 000000000000..ad4b8a29cd7d
--- /dev/null
+++ b/gcc/testsuite/g++.dg/opt/pr84272.C
@@ -0,0 +1,23 @@
+// PR target/84272
+// { dg-do compile }
+// { dg-options "-O2" }
+// { dg-additional-options "-march=armv8-a -mtune=cortex-a57" { target aarch64-*-* } }
+
+struct A
+{
+  float b, c;
+  A ();
+  A (float, float, float);
+  float operator * (A)
+  {
+    float d = b * b + c * c;
+    return d;
+  }
+};
+
+void
+foo ()
+{
+  A g[1];
+  A h (0, 0, h * g[2]);
+}