Remove freed InvalidDomains from InvalidDomainMap.

Summary:
Since r306667, propagateInvalidStmtDomains gets a reference to an
InvalidDomainMap. As part of the branch leading to return false, the respective
domain is freed. It is, however, not removed from the InvalidDomainMap, leaking
a pointer to a freed object which results in a use-after-free. Fix this be
removing the domain from the map before returning.

We tried to derive a test case that reliably failes, but did not succeed in
producing one. Hence, for now the failures in our LNT bots must be sufficient
to keep this issue tested.

Reviewers: grosser, Meinersbur, bollu

Subscribers: bollu, nandini12396, pollydev, llvm-commits

Differential Revision: https://reviews.llvm.org/D34971

llvm-svn: 307499

diff --git a/polly/lib/Analysis/ScopInfo.cpp b/polly/lib/Analysis/ScopInfo.cpp
index 18e8a89..5a32c86 100644 (file)
--- a/polly/lib/Analysis/ScopInfo.cpp
+++ b/polly/lib/Analysis/ScopInfo.cpp
@@ -2825,6 +2825,7 @@ bool Scop::propagateInvalidStmtDomains(
         continue;
 
       isl_set_free(InvalidDomain);
+      InvalidDomainMap.erase(BB);
       invalidate(COMPLEXITY, TI->getDebugLoc());
       return false;
     }