From 263f314ba77c381f0fb9e4d3a867a863b7a78687 Mon Sep 17 00:00:00 2001
From: Justin Bogner
Date: Tue, 12 Apr 2016 23:21:53 +0000
Subject: [PATCH] CodeGen: Clear the MFI's save and restore point after PrologEpilogInserter

This state is no longer useful and not guaranteed to be valid in later codegen passes. For example, see the added test, which would print a savepoint of %bb.-1 without this change, and crashes with a use-after-free error under ASan if you apply the recycling allocator patch from llvm.org/PR26808.

llvm-svn: 266150
---
 llvm/lib/CodeGen/PrologEpilogInserter.cpp | 2 ++
 llvm/test/CodeGen/ARM/invalidated-save-point.ll | 27 +++++++++++++++++++++++++
 llvm/test/CodeGen/MIR/ARM/ARMLoadStoreDBG.mir | 2 --
 3 files changed, 29 insertions(+), 2 deletions(-)
 create mode 100644 llvm/test/CodeGen/ARM/invalidated-save-point.ll

diff --git a/llvm/lib/CodeGen/PrologEpilogInserter.cpp b/llvm/lib/CodeGen/PrologEpilogInserter.cpp
index 7c3fe33..2c3ea31 100644
--- a/llvm/lib/CodeGen/PrologEpilogInserter.cpp
+++ b/llvm/lib/CodeGen/PrologEpilogInserter.cpp
@@ -238,6 +238,8 @@ bool PEI::runOnMachineFunction(MachineFunction &Fn) {
   delete RS;
   SaveBlocks.clear();
   RestoreBlocks.clear();
+  MFI->setSavePoint(nullptr);
+  MFI->setRestorePoint(nullptr);
   return true;
 }
 
diff --git a/llvm/test/CodeGen/ARM/invalidated-save-point.ll b/llvm/test/CodeGen/ARM/invalidated-save-point.ll
new file mode 100644
index 0000000..0ff153b
--- /dev/null
+++ b/llvm/test/CodeGen/ARM/invalidated-save-point.ll
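Review bot: The two added `MFI->setSavePoint(nullptr);` / `MFI->setRestorePoint(nullptr);` calls carry no comment, so a reader of this function sees state being reset with no hint of why — the commit message and the new test explain that the stored MachineBasicBlock pointers can otherwise outlive their blocks and be read by later passes, but none of that reaches the code. A short comment above the pair would keep that reasoning next to the code: `// The save/restore points are only meaningful inside PEI; clear them so later` / `// passes cannot dereference a MachineBasicBlock pointer that may be deleted.` If runOnMachineFunction has earlier return paths (its body begins outside this hunk), it is worth checking that they do not leave the points set either.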
@@ -0,0 +1,27 @@
+; RUN: llc -mtriple thumbv7 -stop-after=if-converter < %s 2>&1 | FileCheck %s
+
+; Make sure the save point and restore point are dropped from MFI at
+; this point. Notably, if it isn't is will be invalid and reference a
+; deleted block (%bb.-1.if.end)
+
+; CHECK-NOT: savePoint:
+; CHECK-NOT: restorePoint:
+
+target datalayout = "e-m:e-p:32:32-i64:64-v128:64:128-a:0:32-n32-S64"
+target triple = "thumbv7"
+
+define i32 @f(i32 %n) {
+entry:
+  %cmp = icmp ult i32 %n, 4
+  br i1 %cmp, label %return, label %if.end
+
+if.end:
+  tail call void @g(i32 %n)
+  br label %return
+
+return:
+  %retval.0 = phi i32 [ 0, %if.end ], [ -1, %entry ]
+  ret i32 %retval.0
+}
+
+declare void @g(i32)
diff --git a/llvm/test/CodeGen/MIR/ARM/ARMLoadStoreDBG.mir b/llvm/test/CodeGen/MIR/ARM/ARMLoadStoreDBG.mir
index be7e9ea..6ec3659 100644
--- a/llvm/test/CodeGen/MIR/ARM/ARMLoadStoreDBG.mir
+++ b/llvm/test/CodeGen/MIR/ARM/ARMLoadStoreDBG.mir
@@ -117,8 +117,6 @@ frameInfo:
   hasOpaqueSPAdjustment: false
   hasVAStart: false
   hasMustTailInVarArgFunc: false
-  savePoint: '%bb.2.if.end'
-  restorePoint: '%bb.2.if.end'
 stack:
   - { id: 0, type: spill-slot, offset: -4, size: 4, alignment: 4, callee-saved-register: '%lr' }
   - { id: 1, type: spill-slot, offset: -8, size: 4, alignment: 4, callee-saved-register: '%r7' }
-- 
2.7.4
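Review bot: The explanatory comment in the new test has a typo in its second line, `; this point. Notably, if it isn't is will be invalid and reference a`, which should read `; this point. Notably, if it isn't it will be invalid and reference a`. It would also help a future maintainer if the comment named what is being checked for — the `savePoint:`/`restorePoint:` keys in the MIR `frameInfo:` block — since the CHECK-NOT lines only make sense once you know the printer emits those keys when the points are set.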