From 87121696fb2ddbec5f33daa359234850f7fd306d Mon Sep 17 00:00:00 2001
From: Richard Sandiford
Date: Tue, 22 Oct 2019 08:43:01 +0000
Subject: [PATCH] Fix use after free in vector_size change
r277235 was a bit too mechanical and ended up introducing use after free bugs in both loop and SLP vectorisation.
2019-10-22 Richard Sandiford
gcc/
* tree-vect-slp.c (vect_slp_bb_region): Check whether autodetected_vector_size rather than vector_size is zero.
* tree-vect-loop.c (vect_analyze_loop): Likewise. Set autodetected_vector_size immediately after calling vect_analyze_loop_2. Check for a fatal error before advancing next_size.
From-SVN: r277282
---
 gcc/ChangeLog | 9 +++++++++
 gcc/tree-vect-loop.c | 16 ++++++++--------
 gcc/tree-vect-slp.c | 2 +-
 3 files changed, 18 insertions(+), 9 deletions(-)
diff --git a/gcc/ChangeLog b/gcc/ChangeLog
index 5e6c662..65baf0c 100644
--- a/gcc/ChangeLog
+++ b/gcc/ChangeLog
@@ -1,3 +1,12 @@
+2019-10-22 Richard Sandiford
+
+ * tree-vect-slp.c (vect_slp_bb_region): Check whether
+ autodetected_vector_size rather than vector_size is zero.
+ * tree-vect-loop.c (vect_analyze_loop): Likewise.
+ Set autodetected_vector_size immediately after calling
+ vect_analyze_loop_2. Check for a fatal error before advancing
+ next_size.
+
 2019-10-21 Jason Merrill
 * lock-and-run.sh: Check for process existence rather than timeout.
diff --git a/gcc/tree-vect-loop.c b/gcc/tree-vect-loop.c
index a4c9f2f..07ddc2e 100644
--- a/gcc/tree-vect-loop.c
+++ b/gcc/tree-vect-loop.c
@@ -2365,6 +2365,9 @@ vect_analyze_loop (class loop *loop, loop_vec_info orig_loop_vinfo,
 LOOP_VINFO_ORIG_LOOP_INFO (loop_vinfo) = orig_loop_vinfo;
 opt_result res = vect_analyze_loop_2 (loop_vinfo, fatal, &n_stmts);
+ if (next_size == 0)
+ autodetected_vector_size = loop_vinfo->vector_size;
+
 if (res)
 {
 LOOP_VINFO_VECTORIZABLE_P (loop_vinfo) = 1;
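Review bot: The new `if (next_size == 0)` block in the first tree-vect-loop.c hunk has no comment saying why the size must be read at this exact point, yet its position is the whole fix. The second hunk shows `delete loop_vinfo;` on the failure path, so any read of `loop_vinfo->vector_size` placed after that is a read of freed memory. I would add `/* Record the size now; loop_vinfo may be deleted below and must not be read after that.  */` above the assignment so a later tidy-up does not move it back. vect_analyze_loop starts and ends outside the hunk.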
@@ -2390,21 +2393,18 @@ vect_analyze_loop (class loop *loop, loop_vec_info orig_loop_vinfo,
 else
 delete loop_vinfo;
- if (next_size == 0)
- autodetected_vector_size = loop_vinfo->vector_size;
-
- if (next_size < vector_sizes.length ()
- && known_eq (vector_sizes[next_size], autodetected_vector_size))
- next_size += 1;
-
 if (fatal)
 {
 gcc_checking_assert (first_loop_vinfo == NULL);
 return opt_loop_vec_info::propagate_failure (res);
 }
+ if (next_size < vector_sizes.length ()
+ && known_eq (vector_sizes[next_size], autodetected_vector_size))
+ next_size += 1;
+
 if (next_size == vector_sizes.length ()
- || known_eq (loop_vinfo->vector_size, 0U))
+ || known_eq (autodetected_vector_size, 0U))
 {
 if (first_loop_vinfo)
 {
diff --git a/gcc/tree-vect-slp.c b/gcc/tree-vect-slp.c
index d482aa1..20ea105 100644
--- a/gcc/tree-vect-slp.c
+++ b/gcc/tree-vect-slp.c
@@ -3102,7 +3102,7 @@ vect_slp_bb_region (gimple_stmt_iterator region_begin,
 if (vectorized
 || next_size == vector_sizes.length ()
- || known_eq (bb_vinfo->vector_size, 0U)
+ || known_eq (autodetected_vector_size, 0U)
 /* If vect_slp_analyze_bb_1 signaled that analysis for all vector sizes will fail do not bother iterating. */
 || fatal)
--
2.7.4
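Review bot: In the second tree-vect-loop.c hunk `loop_vinfo` is still left dangling after `delete loop_vinfo;`: the commit removes the two reads that followed, but the pointer keeps its old value for the rest of the iteration. Clearing it, `else { delete loop_vinfo; loop_vinfo = NULL; }`, would turn any read reintroduced later into an immediate null dereference rather than a silent read of freed memory. The tree-vect-slp.c hunk swaps out `bb_vinfo->vector_size` for the same reason, and if `bb_vinfo` is deleted before that condition (not visible here) the same clearing applies there. Both functions continue outside the hunks, so whether either pointer is read again further down cannot be confirmed from this page.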