From 6ef6945c9cbb0ab43f3b04e97f0a2285494a9c87 Mon Sep 17 00:00:00 2001
From: Trevor Saunders <tsaunders@mozilla.com>
Date: Tue, 5 Aug 2014 19:52:08 +0000
Subject: [PATCH] fix pr62009 use after free in redirect_edge_var_map_dup

The change to get the entry for the old edge before inserting the new
one was incorrect because if inserting the new one resized the table
then the pointer to the entry for the old one would become invalid.

gcc/

	* tree-ssa.c (redirect_edge_var_map_dup): insert newe before
	getting olde.

From-SVN: r213644
---
 gcc/ChangeLog  | 5 +++++
 gcc/tree-ssa.c | 7 ++++---
 2 files changed, 9 insertions(+), 3 deletions(-)

diff --git a/gcc/ChangeLog b/gcc/ChangeLog
index f199fed57aa..17a0f2d93c4 100644
--- a/gcc/ChangeLog
+++ b/gcc/ChangeLog
@@ -1,3 +1,8 @@
+2014-08-05  Trevor Saunders  <tsaunders@mozilla.com>
+
+	* tree-ssa.c (redirect_edge_var_map_dup): insert newe before
+	getting olde.
+
 2014-08-05  Richard Biener  <rguenther@suse.de>
 
 	PR rtl-optimization/61672
diff --git a/gcc/tree-ssa.c b/gcc/tree-ssa.c
index 217b9fc769e..e6842969304 100644
--- a/gcc/tree-ssa.c
+++ b/gcc/tree-ssa.c
@@ -106,11 +106,12 @@ redirect_edge_var_map_dup (edge newe, edge olde)
   if (!edge_var_maps)
     return;
 
-  auto_vec<edge_var_map> *head = edge_var_maps->get (olde);
-  if (!head)
+  auto_vec<edge_var_map> *new_head = &edge_var_maps->get_or_insert (newe);
+  auto_vec<edge_var_map> *old_head = edge_var_maps->get (olde);
+  if (!old_head)
     return;
 
-  edge_var_maps->get_or_insert (newe).safe_splice (*head);
+  new_head->safe_splice (*old_head);
 }