From 19cdbc5a0ced3b02cddf6bba227c7901d9fbbf99 Mon Sep 17 00:00:00 2001
From: George Rennie <georgerennie@gmail.com>
Date: Wed, 4 Jun 2025 21:02:21 +0100
Subject: [PATCH] opt_dff: don't remove cells until all have been visited to
 prevent UAF

---
 passes/opt/opt_dff.cc | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/passes/opt/opt_dff.cc b/passes/opt/opt_dff.cc
index 8539432c0..726516fea 100644
--- a/passes/opt/opt_dff.cc
+++ b/passes/opt/opt_dff.cc
@@ -737,6 +737,7 @@ struct OptDffWorker
 	bool run_constbits() {
 		ModWalker modwalker(module->design, module);
 		QuickConeSat qcsat(modwalker);
+		std::vector<RTLIL::Cell*> cells_to_remove;
 
 		// Run as a separate sub-pass, so that we don't mutate (non-FF) cells under ModWalker.
 		bool did_something = false;
@@ -830,7 +831,7 @@ struct OptDffWorker
 					if (!removed_sigbits.count(i))
 						keep_bits.push_back(i);
 				if (keep_bits.empty()) {
-					module->remove(cell);
+					cells_to_remove.emplace_back(cell);
 					did_something = true;
 					continue;
 				}
@@ -840,6 +841,8 @@ struct OptDffWorker
 				did_something = true;
 			}
 		}
+		for (auto* cell : cells_to_remove)
+			module->remove(cell);
 		return did_something;
 	}
 };