This is the mail archive of the gcc-patches@gcc.gnu.org mailing list for the GCC project.



Re: Fix use after free in vector_size change


On Tue, Oct 22, 2019 at 9:25 AM Richard Sandiford
<richard.sandiford@arm.com> wrote:
>
> I noticed yesterday that r277235 was a bit too mechanical and ended up
> introducing use after free bugs in both loop and SLP vectorisation.
> Sorry for the stupid mistake. :-(
>
> Moving "next_size += 1" down isn't part of the fix, but it seemed odd
> to keep it where it was after moving the "next_size == 0" stuff up.
>
> Tested on aarch64-linux-gnu and x86_64-linux-gnu.  OK to install?

OK.

Richard.

> Richard
>
>
> 2019-10-22  Richard Sandiford  <richard.sandiford@arm.com>
>
> gcc/
>         * tree-vect-slp.c (vect_slp_bb_region): Check whether
>         autodetected_vector_size rather than vector_size is zero.
>         * tree-vect-loop.c (vect_analyze_loop): Likewise.
>         Set autodetected_vector_size immediately after calling
>         vect_analyze_loop_2.  Check for a fatal error before advancing
>         next_size.
>
> Index: gcc/tree-vect-slp.c
> ===================================================================
> --- gcc/tree-vect-slp.c 2019-10-22 08:21:31.000000000 +0100
> +++ gcc/tree-vect-slp.c 2019-10-22 08:21:31.474357917 +0100
> @@ -3043,7 +3043,7 @@ vect_slp_bb_region (gimple_stmt_iterator
>
>        if (vectorized
>           || next_size == vector_sizes.length ()
> -         || known_eq (bb_vinfo->vector_size, 0U)
> +         || known_eq (autodetected_vector_size, 0U)
>           /* If vect_slp_analyze_bb_1 signaled that analysis for all
>              vector sizes will fail do not bother iterating.  */
>           || fatal)
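
Review bot: The replacement condition `known_eq (autodetected_vector_size, 0U)` depends on autodetected_vector_size having been set from bb_vinfo while bb_vinfo was still live, but this hunk does not show that assignment, and the ChangeLog entry for vect_slp_bb_region only mentions the check. Please confirm the assignment in the part of the loop not shown here happens before bb_vinfo is released, and consider a short comment above the condition saying that bb_vinfo must not be dereferenced at this point.
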
> Index: gcc/tree-vect-loop.c
> ===================================================================
> --- gcc/tree-vect-loop.c        2019-10-22 08:21:31.000000000 +0100
> +++ gcc/tree-vect-loop.c        2019-10-22 08:21:31.474357917 +0100
> @@ -2354,6 +2354,9 @@ vect_analyze_loop (class loop *loop, loo
>         LOOP_VINFO_ORIG_LOOP_INFO (loop_vinfo) = orig_loop_vinfo;
>
>        opt_result res = vect_analyze_loop_2 (loop_vinfo, fatal, &n_stmts);
> +      if (next_size == 0)
> +       autodetected_vector_size = loop_vinfo->vector_size;
> +
>        if (res)
>         {
>           LOOP_VINFO_VECTORIZABLE_P (loop_vinfo) = 1;
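
Review bot: The new assignment directly after the vect_analyze_loop_2 call has no comment explaining why it has to sit there. Its position matters: it must read loop_vinfo->vector_size before the `delete loop_vinfo` in the else branch visible in the following hunk, and a one-line comment to that effect would keep a later cleanup from moving it back down. It also runs whether or not res indicates success, which looks intended, since the captured value is consulted afterwards on the failure path as well.
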
> @@ -2379,21 +2382,18 @@ vect_analyze_loop (class loop *loop, loo
>        else
>         delete loop_vinfo;
>
> -      if (next_size == 0)
> -       autodetected_vector_size = loop_vinfo->vector_size;
> -
> -      if (next_size < vector_sizes.length ()
> -         && known_eq (vector_sizes[next_size], autodetected_vector_size))
> -       next_size += 1;
> -
>        if (fatal)
>         {
>           gcc_checking_assert (first_loop_vinfo == NULL);
>           return opt_loop_vec_info::propagate_failure (res);
>         }
>
> +      if (next_size < vector_sizes.length ()
> +         && known_eq (vector_sizes[next_size], autodetected_vector_size))
> +       next_size += 1;
> +
>        if (next_size == vector_sizes.length ()
> -         || known_eq (loop_vinfo->vector_size, 0U))
> +         || known_eq (autodetected_vector_size, 0U))
>         {
>           if (first_loop_vinfo)
>             {
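
Review bot: After `delete loop_vinfo` in the else branch at the top of this hunk, loop_vinfo is left dangling for the rest of the iteration, which is what made the two removed reads of loop_vinfo->vector_size a use after free on that path. The patch removes both reads, but nothing prevents a new one from being added later; consider setting loop_vinfo to NULL after the delete, or narrowing its scope, so that a future dereference fails immediately. Note also that the final test now checks the size captured when next_size was 0 rather than the current loop_vinfo's vector_size, so it would help to state in the commit message that the two are equivalent on later iterations.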

