diff options
author | Duncan Sands <baldrick@free.fr> | 2011-01-26 10:08:38 +0000 |
---|---|---|
committer | Duncan Sands <baldrick@free.fr> | 2011-01-26 10:08:38 +0000 |
commit | 37f87c7aa914fba1362bb187ce5a386abfe94e39 (patch) | |
tree | b51c37ad037c9dd56ef135199408281a8803b7b3 /lib/Transforms/Scalar/Reassociate.cpp | |
parent | f6c63c23203ca4c4aa89efa2bff722bb479cfe3c (diff) | |
download | external_llvm-37f87c7aa914fba1362bb187ce5a386abfe94e39.zip external_llvm-37f87c7aa914fba1362bb187ce5a386abfe94e39.tar.gz external_llvm-37f87c7aa914fba1362bb187ce5a386abfe94e39.tar.bz2 |
Fix PR9039, a use-after-free in reassociate. The issue was that the
operand being factorized (and erased) could occur several times in Ops,
resulting in freed memory being used when the next occurrence in Ops was
analyzed.
git-svn-id: https://llvm.org/svn/llvm-project/llvm/trunk@124287 91177308-0d34-0410-b5e6-96231b3b80d8
Diffstat (limited to 'lib/Transforms/Scalar/Reassociate.cpp')
-rw-r--r-- | lib/Transforms/Scalar/Reassociate.cpp | 15 |
1 files changed, 11 insertions, 4 deletions
diff --git a/lib/Transforms/Scalar/Reassociate.cpp b/lib/Transforms/Scalar/Reassociate.cpp index 46b7f95..396b329 100644 --- a/lib/Transforms/Scalar/Reassociate.cpp +++ b/lib/Transforms/Scalar/Reassociate.cpp @@ -811,16 +811,23 @@ Value *Reassociate::OptimizeAdd(Instruction *I, // RemoveFactorFromExpression on successive values to behave differently. Instruction *DummyInst = BinaryOperator::CreateAdd(MaxOccVal, MaxOccVal); SmallVector<Value*, 4> NewMulOps; - for (unsigned i = 0, e = Ops.size(); i != e; ++i) { + for (unsigned i = 0; i != Ops.size(); ++i) { // Only try to remove factors from expressions we're allowed to. BinaryOperator *BOp = dyn_cast<BinaryOperator>(Ops[i].Op); if (BOp == 0 || BOp->getOpcode() != Instruction::Mul || !BOp->use_empty()) continue; if (Value *V = RemoveFactorFromExpression(Ops[i].Op, MaxOccVal)) { - NewMulOps.push_back(V); - Ops.erase(Ops.begin()+i); - --i; --e; + // The factorized operand may occur several times. Convert them all in + // one fell swoop. + for (unsigned j = Ops.size(); j != i;) { + --j; + if (Ops[j].Op == Ops[i].Op) { + NewMulOps.push_back(V); + Ops.erase(Ops.begin()+j); + } + } + --i; } } |