From 299261714be0b1139ea9c738d03404ddb4e32e21 Mon Sep 17 00:00:00 2001
From: Jevin Sweval <jevinsweval@gmail.com>
Date: Tue, 20 Dec 2022 19:36:04 -0500
Subject: [PATCH] Fix crash in DFT due to width use after free (#3817) (#3820)

---
 src/V3DfgAstToDfg.cpp        |  3 ++-
 test_regress/t/t_dfg_3817.pl | 17 +++++++++++++++++
 test_regress/t/t_dfg_3817.v  | 15 +++++++++++++++
 3 files changed, 34 insertions(+), 1 deletion(-)
 create mode 100755 test_regress/t/t_dfg_3817.pl
 create mode 100644 test_regress/t/t_dfg_3817.v

diff --git a/src/V3DfgAstToDfg.cpp b/src/V3DfgAstToDfg.cpp
index a47f7262c..a5801ebb0 100644
--- a/src/V3DfgAstToDfg.cpp
+++ b/src/V3DfgAstToDfg.cpp
@@ -277,9 +277,10 @@ class AstToDfgVisitor final : public VNVisitor {
                    std::vector<Driver>& drivers) const {
         if (DfgConcat* const concatp = vtxp->cast<DfgConcat>()) {
             DfgVertex* const rhsp = concatp->rhsp();
+            auto const rhs_width = rhsp->width();
             addDriver(rhsp->fileline(), lsb, rhsp, drivers);
             DfgVertex* const lhsp = concatp->lhsp();
-            addDriver(lhsp->fileline(), lsb + rhsp->width(), lhsp, drivers);
+            addDriver(lhsp->fileline(), lsb + rhs_width, lhsp, drivers);
             concatp->unlinkDelete(*m_dfgp);
         } else {
             drivers.emplace_back(flp, lsb, vtxp);
diff --git a/test_regress/t/t_dfg_3817.pl b/test_regress/t/t_dfg_3817.pl
new file mode 100755
index 000000000..d7e843ed6
--- /dev/null
+++ b/test_regress/t/t_dfg_3817.pl
@@ -0,0 +1,17 @@
+#!/usr/bin/env perl
+if (!$::Driver) { use FindBin; exec("$FindBin::Bin/bootstrap.pl", @ARGV, $0); die; }
+# DESCRIPTION: Verilator: Verilog Test driver/expect definition
+#
+# Copyright 2022 by Jevin Sweval. This program is free software; you
+# can redistribute it and/or modify it under the terms of either the GNU
+# Lesser General Public License Version 3 or the Perl Artistic License
+# Version 2.0.
+# SPDX-License-Identifier: LGPL-3.0-only OR Artistic-2.0
+
+scenarios(vlt => 1);
+
+# test case was causing use-after-free and segfaulting during verilation
+compile();
+
+ok(1);
+1;
diff --git a/test_regress/t/t_dfg_3817.v b/test_regress/t/t_dfg_3817.v
new file mode 100644
index 000000000..cc2bc2ee2
--- /dev/null
+++ b/test_regress/t/t_dfg_3817.v
@@ -0,0 +1,15 @@
+// DESCRIPTION: Verilator: Verilog Test module for issue #3817
+// addDriver() was causing use-after-free and segfaulting during verilation
+//
+// This file ONLY is placed under the Creative Commons Public Domain, for
+// any use, without warranty, 2022 by Jevin Sweval.
+// SPDX-License-Identifier: CC0-1.0
+
+module t (
+  output [2:0] c_b_a,
+  input a,
+  input b,
+  input c
+);
+  assign c_b_a = {c, {b, a}};
+endmodule