<html>
    <head>
      <base href="https://bugs.llvm.org/">
    </head>
    <body><table border="1" cellspacing="0" cellpadding="8">
        <tr>
          <th>Bug ID</th>
          <td><a class="bz_bug_link 
          bz_status_NEW "
   title="NEW - Use after free in CodeGenPrepare::optimizeInst()"
   href="https://bugs.llvm.org/show_bug.cgi?id=43021">43021</a>
          </td>
        </tr>

        <tr>
          <th>Summary</th>
          <td>Use after free in CodeGenPrepare::optimizeInst()
          </td>
        </tr>

        <tr>
          <th>Product</th>
          <td>libraries
          </td>
        </tr>

        <tr>
          <th>Version</th>
          <td>trunk
          </td>
        </tr>

        <tr>
          <th>Hardware</th>
          <td>PC
          </td>
        </tr>

        <tr>
          <th>OS</th>
          <td>All
          </td>
        </tr>

        <tr>
          <th>Status</th>
          <td>NEW
          </td>
        </tr>

        <tr>
          <th>Severity</th>
          <td>release blocker
          </td>
        </tr>

        <tr>
          <th>Priority</th>
          <td>P
          </td>
        </tr>

        <tr>
          <th>Component</th>
          <td>Common Code Generator Code
          </td>
        </tr>

        <tr>
          <th>Assignee</th>
          <td>unassignedbugs@nondot.org
          </td>
        </tr>

        <tr>
          <th>Reporter</th>
          <td>broyalgordon@apple.com
          </td>
        </tr>

        <tr>
          <th>CC</th>
          <td>llvm-bugs@lists.llvm.org
          </td>
        </tr></table>
      <p>
        <div>
        <pre>The OptimizeExtractBits() helper function in CodeGenPrepare.cpp is meant to
replace certain uses of "lshr" and "ashr" instructions, then erase the original
instruction if it is no longer used anywhere. It returns a flag indicating
whether it made a change. However, it only sets that flag to "true" when it
replaces an instruction. If it is passed an instruction that does not have any
users to begin with, it will erase it and still return "false".

This behavior was previously harmless, but rL363511 changed
OptimizeExtractBits()'s call site in CodeGenPrepare::optimizeInst() to allow
processing of the instruction to continue if OptimizeExtractBits() returns
false. The result is that CodeGenPrepare::optimizeInst() continues working on
the instruction even though it has been freed. This can cause occasional,
unpredictable crashes in normal builds, but it crashes reliably under ASAN.

I've prepared a test case and fix for this issue at
<a href="https://reviews.llvm.org/D66330">https://reviews.llvm.org/D66330</a>.</pre>
        </div>
      </p>
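<p>As an added illustration (not the reporter's patch or LLVM's code), a self-contained C++ model of the contract mismatch described above: the helper that erases a user-less shift but still reports "no change", beside the corrected helper, and a caller that mirrors the post-rL363511 call site. <code>Inst</code>, <code>Block</code>, the <code>Alive</code> flag and the function names are stand-ins for the LLVM types; the flag records the erase instead of freeing memory so the defect is observable without undefined behaviour.</p>

```cpp
#include <memory>
#include <string>
#include <vector>

// Stand-in for an LLVM Instruction: opcode, users, and a liveness flag that
// plays the role ASAN plays in the report (records the erase, no real free).
struct Inst {
  std::string Opcode;
  std::vector<Inst*> Users;
  bool Alive = true;
};

// Stand-in for a basic block that owns its instructions.
struct Block {
  std::vector<std::unique_ptr<Inst>> Insts;
  Inst* add(std::string Opcode, std::vector<Inst*> Users = {}) {
    auto I = std::make_unique<Inst>();
    I->Opcode = std::move(Opcode);
    I->Users = std::move(Users);
    Inst* Raw = I.get();
    Insts.push_back(std::move(I));
    return Raw;
  }
  void erase(Inst* I) { I->Alive = false; }  // real code: I->eraseFromParent()
};

// Reported defect: MadeChange is set only when uses are replaced, never when
// the instruction is erased, so a user-less shift is freed and "false" is
// returned. Use replacement is abstracted to clearing the user list.
bool optimizeExtractBitsBuggy(Block& BB, Inst* I) {
  if (I->Opcode != "lshr" && I->Opcode != "ashr") return false;
  bool MadeChange = false;
  if (!I->Users.empty()) { I->Users.clear(); MadeChange = true; }
  if (I->Users.empty()) BB.erase(I);
  return MadeChange;
}

// Corrected contract: erasing the instruction is itself a change.
bool optimizeExtractBitsFixed(Block& BB, Inst* I) {
  if (I->Opcode != "lshr" && I->Opcode != "ashr") return false;
  bool MadeChange = false;
  if (!I->Users.empty()) { I->Users.clear(); MadeChange = true; }
  if (I->Users.empty()) { BB.erase(I); MadeChange = true; }
  return MadeChange;
}

enum class Outcome { ReturnedEarly, ContinuedOnLive, ContinuedOnFreed };

// Mirrors the post-rL363511 call site: keep processing I unless the helper
// reports a change. Any later touch of I is modelled by the liveness check.
Outcome optimizeInst(Block& BB, Inst* I, bool (*Helper)(Block&, Inst*)) {
  if (Helper(BB, I)) return Outcome::ReturnedEarly;
  return I->Alive ? Outcome::ContinuedOnLive : Outcome::ContinuedOnFreed;
}
```

<p>With a user-less <code>lshr</code> the buggy helper yields <code>ContinuedOnFreed</code>, the corrected one <code>ReturnedEarly</code>; a shift that still has users hides the defect because replacing them already sets the flag.</p>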


    </body>
</html>