projects / platform / upstream / gcc.git / commit
? search:
summary | shortlog | log | commit | commitdiff | tree
(parent: 96c5a85) | patch
slp: fix accidental resource re-use of slp_tree (PR99220)
authorTamar Christina <tamar.christina@arm.com>
Wed, 24 Feb 2021 15:16:23 +0000 (15:16 +0000)
committerTamar Christina <tamar.christina@arm.com>
Wed, 24 Feb 2021 15:16:23 +0000 (15:16 +0000)
commit6c35e79b47ab582e18d851f6c5df776bac766eaf
treeda2dfd4ef7eefdae3ad54ac60d77ed616d9ee263tree | snapshot
parent96c5a8589e0dd22819bae34cac3381ad381d3989commit | diff
slp: fix accidental resource re-use of slp_tree (PR99220)

The attached testcase shows a bug where two nodes end up with the same pointer.
During the loop that analyzes all the instances
in optimize_load_redistribution_1 we do

      if (value)
        {
          SLP_TREE_REF_COUNT (value)++;
          SLP_TREE_CHILDREN (root)[i] = value;
          vect_free_slp_tree (node);
        }

when doing a replacement.  When this is done and the refcount for the node
reaches 0, the node is removed, which allows the libc to return the pointer
again in the next call to new, which it does..

First instance

note:   node 0x5325f48 (max_nunits=1, refcnt=2)
note:   op: VEC_PERM_EXPR
note:           { }
note:           lane permutation { 0[0] 1[1] 0[2] 1[3] }
note:           children 0x5325db0 0x5325200

Second instance

note:   node 0x5325f48 (max_nunits=1, refcnt=1)
note:   op: VEC_PERM_EXPR
note:           { }
note:           lane permutation { 0[0] 1[1] }
note:           children 0x53255b8 0x5325530

This will end up with the illegal construction of

note:   node 0x53258e8 (max_nunits=2, refcnt=2)
note:   op template: slp_patt_57 = .COMPLEX_MUL (_16, _16);
note:           stmt 0 _16 = _14 - _15;
note:           stmt 1 _23 = _17 + _22;
note:           children 0x53257d8 0x5325d28
note:   node 0x53257d8 (max_nunits=2, refcnt=3)
note:   op template: l$b_4 = MEM[(const struct a &)_3].b;
note:           stmt 0 l$b_4 = MEM[(const struct a &)_3].b;
note:           stmt 1 l$c_5 = MEM[(const struct a &)_3].c;
note:           load permutation { 0 1 }
note:   node 0x5325d28 (max_nunits=2, refcnt=8)
note:   op template: l$b_4 = MEM[(const struct a &)_3].b;
note:           stmt 0 l$b_4 = MEM[(const struct a &)_3].b;
note:           stmt 1 l$c_5 = MEM[(const struct a &)_3].c;
note:           stmt 2 l$b_4 = MEM[(const struct a &)_3].b;
note:           stmt 3 l$c_5 = MEM[(const struct a &)_3].c;
note:           load permutation { 0 1 0 1 }

To prevent this we remove the node from the load_map if it's
about to be deleted.

gcc/ChangeLog:

PR tree-optimization/99220
* tree-vect-slp.c (optimize_load_redistribution_1): Remove
node from cache when it's about to be deleted.

gcc/testsuite/ChangeLog:

PR tree-optimization/99220
* g++.dg/vect/pr99220.cc: New test.
gcc/testsuite/g++.dg/vect/pr99220.cc [new file with mode: 0755] blob
gcc/tree-vect-slp.c diff | blob | history
Domain: System / Toolchain;