https://gcc.gnu.org/g:dd7dffb02ff5cd3a88654deacad67298ee8ed8fa
commit r16-4707-gdd7dffb02ff5cd3a88654deacad67298ee8ed8fa
Author: Richard Biener <[email protected]>
Date: Wed Oct 29 09:03:57 2025 +0100
Fix possible double-free and leak in BB SLP discovery
vect_build_slp_instance always releases the scalar stmts vector, so make sure to mark it as released and actually release it.
* tree-vect-slp.cc (vect_analyze_slp): Mark stmts in BB roots as released after vect_build_slp_instance.
(vect_build_slp_instance): Release scalar_stmts when exiting early.
Diff:
---
 gcc/tree-vect-slp.cc | 11 ++++++++---
 1 file changed, 8 insertions(+), 3 deletions(-)
diff --git a/gcc/tree-vect-slp.cc b/gcc/tree-vect-slp.cc
index e02b3379bb46..66c45185892f 100644
--- a/gcc/tree-vect-slp.cc
+++ b/gcc/tree-vect-slp.cc
@@ -4045,7 +4045,9 @@ vect_build_slp_store_interleaving (vec<slp_tree> &rhs_nodes,
 }
 /* Analyze an SLP instance starting from SCALAR_STMTS which are a group
- of KIND. Return true if successful. */
+ of KIND. Return true if successful. SCALAR_STMTS is owned by this
+ function, REMAIN and ROOT_STMT_INFOS ownership is transfered back to
+ the caller upon failure. */
 static bool
 vect_build_slp_instance (vec_info *vinfo,
@@ -4059,7 +4061,10 @@ vect_build_slp_instance (vec_info *vinfo,
 {
 /* If there's no budget left bail out early. */
 if (*limit == 0)
- return false;
+ {
+ scalar_stmts.release ();
+ return false;
+ }
 if (kind == slp_inst_kind_ctor)
 {
@@ -5564,10 +5569,10 @@ vect_analyze_slp (vec_info *vinfo, unsigned max_tree_size,
 bb_vinfo->roots[i].remain,
 max_tree_size, &limit, bst_map, false))
 {
- bb_vinfo->roots[i].stmts = vNULL;
 bb_vinfo->roots[i].roots = vNULL;
 bb_vinfo->roots[i].remain = vNULL;
 }
+ bb_vinfo->roots[i].stmts = vNULL;
 }
 }
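Review bot: The new ownership comment above vect_build_slp_instance misspells "transferred" as `transfered`, and it describes REMAIN and ROOT_STMT_INFOS only for the failure case. Callers now rely on this comment as the contract that prevents a double free, so it should state the caller's obligation directly, for example `SCALAR_STMTS is consumed by this function in all cases; the caller must clear its handle and must not release it.` The function body lies outside this hunk, so the wording should be checked against the remaining return paths.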
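Review bot: The `*limit == 0` exit now releases scalar_stmts, but the rule that every return path must do so is still maintained by hand. The rest of the body is outside this hunk, so it cannot be confirmed here that the other early returns release it. A comment at the top of the body, such as `/* SCALAR_STMTS is owned here: every return path must release it or pass ownership on. */`, would make it harder for a later early return to reintroduce the leak. If the remaining paths allow it, a scope-bound owner would enforce this instead of a convention.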
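Review bot: The now unconditional `bb_vinfo->roots[i].stmts = vNULL;` has no comment explaining why it clears the handle rather than calling release(). It is correct only while the callee frees or takes over the vector on every path. I would add `/* vect_build_slp_instance consumed stmts whether it succeeded or not; clear the stale handle so it is not released again. */` above it. On failure, roots and remain stay with the caller per the new function comment; presumably they are released when the roots are torn down, which this hunk does not show. The enclosing loop and function start outside the hunk.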
