From 19cdbc5a0ced3b02cddf6bba227c7901d9fbbf99 Mon Sep 17 00:00:00 2001
From: George Rennie <georgerennie@gmail.com>
Date: Wed, 4 Jun 2025 21:02:21 +0100
Subject: [PATCH 1/3] opt_dff: don't remove cells until all have been visited
 to prevent UAF

---
 passes/opt/opt_dff.cc | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/passes/opt/opt_dff.cc b/passes/opt/opt_dff.cc
index 8539432c0..726516fea 100644
--- a/passes/opt/opt_dff.cc
+++ b/passes/opt/opt_dff.cc
@@ -737,6 +737,7 @@ struct OptDffWorker
 	bool run_constbits() {
 		ModWalker modwalker(module->design, module);
 		QuickConeSat qcsat(modwalker);
+		std::vector<RTLIL::Cell*> cells_to_remove;
 
 		// Run as a separate sub-pass, so that we don't mutate (non-FF) cells under ModWalker.
 		bool did_something = false;
@@ -830,7 +831,7 @@ struct OptDffWorker
 					if (!removed_sigbits.count(i))
 						keep_bits.push_back(i);
 				if (keep_bits.empty()) {
-					module->remove(cell);
+					cells_to_remove.emplace_back(cell);
 					did_something = true;
 					continue;
 				}
@@ -840,6 +841,8 @@ struct OptDffWorker
 				did_something = true;
 			}
 		}
+		for (auto* cell : cells_to_remove)
+			module->remove(cell);
 		return did_something;
 	}
 };

From 8c38e2081d3171ba6b374d6421b8a5a66f190697 Mon Sep 17 00:00:00 2001
From: George Rennie <georgerennie@gmail.com>
Date: Fri, 6 Jun 2025 23:46:07 +0100
Subject: [PATCH 2/3] opt_dff: don't emit cells until all have been visited to
 prevent UAF

---
 passes/opt/opt_dff.cc | 11 ++++++++---
 1 file changed, 8 insertions(+), 3 deletions(-)

diff --git a/passes/opt/opt_dff.cc b/passes/opt/opt_dff.cc
index 726516fea..4ed4b0cb6 100644
--- a/passes/opt/opt_dff.cc
+++ b/passes/opt/opt_dff.cc
@@ -737,9 +737,12 @@ struct OptDffWorker
 	bool run_constbits() {
 		ModWalker modwalker(module->design, module);
 		QuickConeSat qcsat(modwalker);
-		std::vector<RTLIL::Cell*> cells_to_remove;
 
-		// Run as a separate sub-pass, so that we don't mutate (non-FF) cells under ModWalker.
+		// Defer mutating cells by removing them/emiting new flip flops so that
+		// cell references in modwalker are not invalidated
+		std::vector<RTLIL::Cell*> cells_to_remove;
+		std::vector<FfData> ffs_to_emit;
+
 		bool did_something = false;
 		for (auto cell : module->selected_cells()) {
 			if (!RTLIL::builtin_ff_cell_types().count(cell->type))
@@ -837,12 +840,14 @@ struct OptDffWorker
 				}
 				ff = ff.slice(keep_bits);
 				ff.cell = cell;
-				ff.emit();
+				ffs_to_emit.emplace_back(ff);
 				did_something = true;
 			}
 		}
 		for (auto* cell : cells_to_remove)
 			module->remove(cell);
+		for (auto& ff : ffs_to_emit)
+			ff.emit();
 		return did_something;
 	}
 };

From 7160c9180051b49b5a5a9c0559c3d6cb469f089a Mon Sep 17 00:00:00 2001
From: George Rennie <georgerennie@gmail.com>
Date: Fri, 6 Jun 2025 23:46:23 +0100
Subject: [PATCH 3/3] tests: add test for #5164 opt_dff -sat UAF

---
 tests/opt/bug5164.ys | 60 ++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 60 insertions(+)
 create mode 100644 tests/opt/bug5164.ys

diff --git a/tests/opt/bug5164.ys b/tests/opt/bug5164.ys
new file mode 100644
index 000000000..4ee71fe45
--- /dev/null
+++ b/tests/opt/bug5164.ys
@@ -0,0 +1,60 @@
+read_rtlil <<EOT
+module \module137
+  wire input 1 \clk
+  wire width 1 output 1 \qa
+  wire width 1 \qb
+  cell $dff \dffa
+    parameter \CLK_POLARITY 1
+    parameter \WIDTH 1
+    connect \CLK \clk
+    connect \D \qb
+    connect \Q \qa
+  end
+  cell $dff \dffb
+    parameter \CLK_POLARITY 1
+    parameter \WIDTH 1
+    connect \CLK \clk
+    connect \D 1'x
+    connect \Q \qb
+  end
+end
+EOT
+equiv_opt -assert opt_dff -sat
+
+design -reset
+
+read_rtlil <<EOT
+module \module137
+  wire output 1 width 9 $2\reg204[8:0]
+  wire input 1 \clk
+  wire width 9 $auto$wreduce.cc:514:run$19340
+  wire width 9 $auto$wreduce.cc:514:run$19341
+  wire width 15 \dffout
+  attribute \init 9'000000000
+  wire width 9 \reg204
+  cell $dff $auto$ff.cc:266:slice$26225
+    parameter \CLK_POLARITY 1
+    parameter \WIDTH 15
+    connect \CLK \clk
+    connect \D { 9'x \reg204 [8:3] }
+    connect \Q \dffout
+  end
+  cell $dff $auto$ff.cc:266:slice$26292
+    parameter \CLK_POLARITY 1
+    parameter \WIDTH 9
+    connect \CLK \clk
+    connect \D $2\reg204[8:0]
+    connect \Q \reg204
+  end
+  cell $mux $procmux$4510
+    parameter \WIDTH 9
+    connect \A 9'x
+    connect \B 9'x
+    connect \S 1'x
+    connect \Y $auto$wreduce.cc:514:run$19340
+  end
+  connect $2\reg204[8:0] $auto$wreduce.cc:514:run$19340
+  connect $auto$wreduce.cc:514:run$19341 [8:3] 6'000000
+end
+EOT
+equiv_opt -assert opt_dff -sat