Fix a use-after-free bug introduced in r262636

llvm-svn: 262679
2024-10-21 03:53:04 +02:00 · 2016-03-04 00:44:01 +00:00 · 2016-03-04 00:44:01 +00:00 · 587391856c
commit 587391856c
parent be253c0570
3 changed files with 16 additions and 7 deletions
--- a/include/llvm/Transforms/Utils/Cloning.h
+++ b/include/llvm/Transforms/Utils/Cloning.h
@ -189,7 +189,7 @@ public:
  explicit InlineFunctionInfo(CallGraph *cg = nullptr,
                              AssumptionCacheTracker *ACT = nullptr,
                              BlockCloningFunctor Ftor = nullptr)
-      : CG(cg), ACT(ACT), Ftor(Ftor) {}
+      : CG(cg), ACT(ACT), Ftor(Ftor), CallSuccessorBlockDeleted(false) {}

  /// CG - If non-null, InlineFunction will update the callgraph to reflect the
  /// changes it makes.
@ -198,6 +198,10 @@ public:
  // Functor that is invoked when a block is cloned into the new function.
  BlockCloningFunctor Ftor;

+  /// CallSuccessorBlockDeleted - whether the block immediately following the
+  /// call has been deleted during inlining
+  bool CallSuccessorBlockDeleted;
+
  /// StaticAllocas - InlineFunction fills this in with all static allocas that
  /// get copied into the caller.
  SmallVector<AllocaInst *, 4> StaticAllocas;
--- a/lib/Transforms/IPO/Inliner.cpp
+++ b/lib/Transforms/IPO/Inliner.cpp
@ -580,11 +580,13 @@ bool Inliner::runOnSCC(CallGraphSCC &SCC) {
          continue;
        }
        updateEntryCount(CallSiteBlock, Callee);
-        // The instruction following the call is part of a new basic block
-        // created during the inlining process. This does not have an entry in
-        // the BFI. We create an entry by copying the frequency of the original
-        // block containing the call.
-        copyBlockFrequency(CallSiteBlock, CallSuccessor->getParent());
+        if (!InlineInfo.CallSuccessorBlockDeleted) {
+          // The instruction following the call is part of a new basic block
+          // created during the inlining process. This does not have an entry in
+          // the BFI. We create an entry by copying the frequency of the
+          // original block containing the call.
+          copyBlockFrequency(CallSiteBlock, CallSuccessor->getParent());
+        }

        ++NumInlined;

--- a/lib/Transforms/Utils/InlineFunction.cpp
+++ b/lib/Transforms/Utils/InlineFunction.cpp
@ -1994,8 +1994,11 @@ bool llvm::InlineFunction(CallSite CS, InlineFunctionInfo &IFI,

  // If we inlined any musttail calls and the original return is now
  // unreachable, delete it.  It can only contain a bitcast and ret.
-  if (InlinedMustTailCalls && pred_begin(AfterCallBB) == pred_end(AfterCallBB))
+  if (InlinedMustTailCalls &&
+      pred_begin(AfterCallBB) == pred_end(AfterCallBB)) {
+    IFI.CallSuccessorBlockDeleted = true;
    AfterCallBB->eraseFromParent();
+  }

  // We should always be able to fold the entry block of the function into the
  // single predecessor of the block...