From 63e4114233d2610ae69e95baca835b7ff946e804 Mon Sep 17 00:00:00 2001 From: Charlotte Date: Wed, 21 Jun 2023 19:05:02 +1000 Subject: [PATCH] proc_prune: avoid using invalidated iterator An `std::vector::reverse_iterator` stores the `std::vector::iterator` which points to the (forwards-ordered) *following* item. Thus while `vec.rbegin()` dereferences to the final item of `vec`, the iterator it wraps (`vec.rbegin().base()`) is equal to `vec.end()`. In the remove case here, we advance `it` (backwards), erasing the item we just advanced past by grabbing its (pre-increment) base forward-iterator and subtracting 1. The iterator maths here is obviously all OK, but the forward-iterator that `it` wraps post-increment actually points to the item we just removed. That iterator was invalidated by the `erase()` call. That this works anyway is (AFAICT) some combination of luck and/or promises that aren't part of the C++ spec, but MSVC's debug iterator support picks this up. `erase()` returns the new iterator that follows the item just erased, which happens to be the exact one we want our reverse-iterator to wrap for the next loop; we get a fresh iterator to the same base, now without the preceding item. --- passes/proc/proc_prune.cc | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/passes/proc/proc_prune.cc b/passes/proc/proc_prune.cc index 9f1080ef6..3433557ee 100644 --- a/passes/proc/proc_prune.cc +++ b/passes/proc/proc_prune.cc @@ -91,7 +91,7 @@ struct PruneWorker if (GetSize(new_lhs) == 0) { if (GetSize(conn_lhs) == 0) removed_count++; - cs->actions.erase((it++).base() - 1); + it = decltype(cs->actions)::reverse_iterator(cs->actions.erase(it.base() - 1)); } else { it->first = new_lhs; it->second = new_rhs;