Fix a dangling stack pointer in SILCombine.

The bug was introduced recently:
commit ac8a48b
Date:   Fri Oct 6 12:34:14 2017 -0700

Fixes <rdar://35800315> (crash using freed OpenedArchetypesTracker).

Author: atrick

lib/SILOptimizer/SILCombiner/SILCombinerApplyVisitors.cpp

@@ -943,6 +943,29 @@ static bool isAddressInitializedAtCall(SILValue addr, SILInstruction *AI,
   return true;
 }
 
+/// Scoped registration of opened archetypes.
+class RAIIOpenedArchetypesTracker {
+  SILBuilder &B;
+  // The original tracker may be null.
+  SILOpenedArchetypesTracker *OldOpenedArchetypesTracker;
+  SILOpenedArchetypesTracker OpenedArchetypesTracker;
+
+public:
+  RAIIOpenedArchetypesTracker(SILBuilder &B)
+    : B(B), OldOpenedArchetypesTracker(B.getOpenedArchetypesTracker()),
+    OpenedArchetypesTracker(&B.getFunction()) {
+    B.setOpenedArchetypesTracker(&OpenedArchetypesTracker);
+  }
+
+  SILOpenedArchetypesTracker &getTracker() {
+    return OpenedArchetypesTracker;
+  }
+
+  ~RAIIOpenedArchetypesTracker() {
+    B.setOpenedArchetypesTracker(OldOpenedArchetypesTracker);
+  }
+};
+
 /// Propagate information about a concrete type from init_existential_addr
 /// or init_existential_ref into witness_method conformances and into
 /// apply instructions.
@@ -974,19 +997,14 @@ SILInstruction *SILCombiner::propagateConcreteTypeOfInitExistential(
   if (!CCT.isValid())
     return nullptr;
 
-  SILOpenedArchetypesTracker *OldOpenedArchetypesTracker =
-      Builder.getOpenedArchetypesTracker();
-
-  SILOpenedArchetypesTracker OpenedArchetypesTracker(Apply.getFunction());
-
+  RAIIOpenedArchetypesTracker tempTracker(Builder);
   if (CCT.ConcreteType->isOpenedExistential()) {
     // Temporarily record this opened existential def. Don't permanently record
     // in the Builder's tracker because this opened existential's original
     // dominating def may not have been recorded yet.
     // FIXME: Redesign the tracker. This is not robust.
-    OpenedArchetypesTracker.addOpenedArchetypeDef(
+    tempTracker.getTracker().addOpenedArchetypeDef(
         cast<ArchetypeType>(CCT.ConcreteType), CCT.ConcreteTypeDef);
-    Builder.setOpenedArchetypesTracker(&OpenedArchetypesTracker);
   }
 
   // Propagate the concrete type into the callee-operand if required.
@@ -1006,8 +1024,6 @@ SILInstruction *SILCombiner::propagateConcreteTypeOfInitExistential(
         cast<InitExistentialAddrInst>(InitExistential)->getOperand();
     return isAddressInitializedAtCall(existentialAddr, AI, DT);
   };
-
-  // FIXME: Intentionally preserve this bug to avoid changing functionality.
   if (isCopied && !canReplaceCopiedSelf())
     return nullptr;
 
@@ -1017,9 +1033,6 @@ SILInstruction *SILCombiner::propagateConcreteTypeOfInitExistential(
       Apply, CCT.NewSelf, Self, CCT.ConcreteType, CCT.ConcreteTypeDef,
       CCT.getConformance(), OpenedArchetype);
 
-  if (CCT.ConcreteType->isOpenedExistential())
-    Builder.setOpenedArchetypesTracker(OldOpenedArchetypesTracker);
-
   return NewAI;
 }
 

test/SILOptimizer/existential_type_propagation.sil

@@ -293,6 +293,51 @@ bb0(%0 : $XXX):
   return %11 : $()
 }
 
+@objc protocol Q : class {
+  @objc func bar()
+}
+
+// rdar://35800315: crash in SILBuilder::addOpenedArchetypeOperands.
+//
+// When SILCombineApply propagates concrete types it temporarily installed an
+// opened archetype tracker to rewrite witness_method. It may then fail because
+// the copied existential is destroyed before the method is applied leaving a
+// dangling stack pointer. If silcombine continues iterating it may hit an
+// objc_method, which does a lookup in the archetype tracker.
+sil @silcombine_apply_opened_archetype : $@convention(thin) (@in P, Q) -> () {
+bb0(%0 : $*P, %1 : $Q):
+  // A single operand instruction that uses an opened existential.
+  // For some reason this is handled specialy in
+  // SILBuilder::addOpenedArchetypeOperands.
+  %ref = open_existential_ref %1 : $Q to $@opened("D66B9398-D800-11E7-8432-0A0000BBF6C0") Q
+  %om = objc_method %ref : $@opened("D66B9398-D800-11E7-8432-0A0000BBF6C0") Q, #Q.bar!1.foreign : <Self where Self : Q> (Self) -> () -> (), $@convention(objc_method) <τ_0_0 where τ_0_0 : Q> (τ_0_0) -> ()
+  %call1 = apply %om<@opened("D66B9398-D800-11E7-8432-0A0000BBF6C0") Q>(%ref) : $@convention(objc_method) <τ_0_0 where τ_0_0 : Q> (τ_0_0) -> ()
+
+  // Some code to simplify in iteration #1
+  %ptr = address_to_pointer %0 : $*P to $Builtin.RawPointer
+  %adr = pointer_to_address %ptr : $Builtin.RawPointer to $*P
+
+  // Some code to confuse SILCombineApply.
+  %p0 = alloc_stack $P
+  %opened = open_existential_addr immutable_access %adr : $*P to $*@opened("A66B9398-D800-11E7-8432-0A0000BBF6C0") P
+  %p1 = alloc_stack $P
+  %v1 = init_existential_addr %p1 : $*P, $@opened("A66B9398-D800-11E7-8432-0A0000BBF6C0") P
+  copy_addr %opened to [initialization] %v1 : $*@opened("A66B9398-D800-11E7-8432-0A0000BBF6C0") P
+  copy_addr [take] %p1 to [initialization] %p0 : $*P
+  destroy_addr %0 : $*P
+  %v0 = open_existential_addr immutable_access %p0 : $*P to $*@opened("B66B9398-D800-11E7-8432-0A0000BBF6C0") P
+  %p2 = alloc_stack $@opened("B66B9398-D800-11E7-8432-0A0000BBF6C0") P
+  copy_addr %v0 to [initialization] %p2 : $*@opened("B66B9398-D800-11E7-8432-0A0000BBF6C0") P
+  %wm = witness_method $@opened("B66B9398-D800-11E7-8432-0A0000BBF6C0") P, #P.foo : <T where T : P> (T) -> () -> Int64, %opened : $*@opened("A66B9398-D800-11E7-8432-0A0000BBF6C0") P : $@convention(witness_method: P) <τ_0_0 where τ_0_0 : P> (@in_guaranteed τ_0_0) -> Int64
+  %call2 = apply %wm<@opened("B66B9398-D800-11E7-8432-0A0000BBF6C0") P>(%p2) : $@convention(witness_method: P) <τ_0_0 where τ_0_0 : P> (@in_guaranteed τ_0_0) -> Int64
+  destroy_addr %p2 : $*@opened("B66B9398-D800-11E7-8432-0A0000BBF6C0") P
+  dealloc_stack %p2 : $*@opened("B66B9398-D800-11E7-8432-0A0000BBF6C0") P
+  dealloc_stack %p1 : $*P
+  dealloc_stack %p0 : $*P
+  %r = tuple ()
+  return %r : $()
+}
+
 sil @_TTWC4nix23XXXS_3PPPS_FS1_3foofT_T_ : $@convention(witness_method: PPP) (@guaranteed XXX) -> ()
 
 sil_witness_table XXX: PPP module nix2 {