From 9396678db4f0e32192e73697c012d25432d602ca Mon Sep 17 00:00:00 2001 From: StefanBruens Date: Tue, 22 Dec 2020 03:23:42 +0100 Subject: [PATCH] Fix use-after-free in LUT opt pass RTLIL::Module::remove(Cell* cell) calls `delete cell`. Any subsequent accesses of `cell` then causes undefined behavior. --- passes/opt/opt_lut.cc | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/passes/opt/opt_lut.cc b/passes/opt/opt_lut.cc index 07a91af8a..623101016 100644 --- a/passes/opt/opt_lut.cc +++ b/passes/opt/opt_lut.cc @@ -277,12 +277,13 @@ struct OptLutWorker module->connect(lut_output, value); sigmap.add(lut_output, value); - module->remove(lut); luts.erase(lut); luts_arity.erase(lut); luts_dlogics.erase(lut); luts_dlogic_inputs.erase(lut); + module->remove(lut); + eliminated_count++; if (limit > 0) limit--; @@ -493,11 +494,12 @@ struct OptLutWorker luts_arity[lutM] = lutM_arity; luts.erase(lutR); luts_arity.erase(lutR); - lutR->module->remove(lutR); worklist.insert(lutM); worklist.erase(lutR); + lutR->module->remove(lutR); + combined_count++; if (limit > 0) limit--;