<html>
    <head>
      <base href="https://bugs.llvm.org/">
    </head>
    <body><table border="1" cellspacing="0" cellpadding="8">
        <tr>
          <th>Bug ID</th>
          <td><a class="bz_bug_link 
          bz_status_NEW "
   title="NEW - Dereferenceable attribute incorrectly applied to reference that may be deleted; leads to use-after-free after LICM hoist"
   href="https://bugs.llvm.org/show_bug.cgi?id=43387">43387</a>
          </td>
        </tr>

        <tr>
          <th>Summary</th>
          <td>Dereferenceable attribute incorrectly applied to reference that may be deleted; leads to use-after-free after LICM hoist
          </td>
        </tr>

        <tr>
          <th>Product</th>
          <td>clang
          </td>
        </tr>

        <tr>
          <th>Version</th>
          <td>trunk
          </td>
        </tr>

        <tr>
          <th>Hardware</th>
          <td>All
          </td>
        </tr>

        <tr>
          <th>OS</th>
          <td>All
          </td>
        </tr>

        <tr>
          <th>Status</th>
          <td>NEW
          </td>
        </tr>

        <tr>
          <th>Severity</th>
          <td>normal
          </td>
        </tr>

        <tr>
          <th>Priority</th>
          <td>P
          </td>
        </tr>

        <tr>
          <th>Component</th>
          <td>LLVM Codegen
          </td>
        </tr>

        <tr>
          <th>Assignee</th>
          <td>unassignedclangbugs@nondot.org
          </td>
        </tr>

        <tr>
          <th>Reporter</th>
          <td>mstaveleytaylor@gmail.com
          </td>
        </tr>

        <tr>
          <th>CC</th>
          <td>llvm-bugs@lists.llvm.org, neeilans@live.com, richard-llvm@metafoo.co.uk
          </td>
        </tr></table>
      <p>
        <div>
        <pre>In the following code:

int *obj;
void foo(int& c, int * __restrict a, int * __restrict b) {
    delete obj;
    for (int i = 0; i < 3; ++i) {
        if (a[i] > 999) {
            a[i] = c * b[i];
        }
    }
}

the generated IR defines foo as (-O2):

define dso_local void @_Z3fooRiPiS0_(i32* nocapture readonly dereferenceable(4)
%0, i32* noalias nocapture %1, i32* noalias nocapture readonly %2)

However, the 'dereferenceable' attribute is incorrect: in the case that obj
and c alias and the branch is never taken, LICM *unconditionally* hoists the
load out of the loop to a point after the delete, leading to a use-after-free.

The crux of the issue is that clang applies dereferenceable for references,
even if it is possible that the memory backing the reference is freed during
the function.

This leads to a miscompilation as can be seen in the following x86 output:

foo(int&, int*, int*):
        push    r15
        push    r14
        push    rbx
        mov     r14, rdx
        mov     rbx, rsi
        mov     r15, rdi
        mov     rdi, qword ptr [rip + obj]
        test    rdi, rdi
        je      .LBB0_2
        call    operator delete(void*)
.LBB0_2:
        mov     eax, dword ptr [r15] ; use-after-free if obj and c alias
        ...

Godbolt showcase: <a href="https://gcc.godbolt.org/z/FwwMMn">https://gcc.godbolt.org/z/FwwMMn</a>

This seems to be a well-known issue
(<a href="https://lists.llvm.org/pipermail/llvm-dev/2018-July/124555.html">https://lists.llvm.org/pipermail/llvm-dev/2018-July/124555.html</a>), but I cannot
find an existing bugzilla report for it.</pre>
        </div>
      </p>
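As an added example (not part of the original report or of LLVM): a small C++ program that constructs the aliasing case the report describes, `c` bound to the very `int` that `obj` owns and `foo()` deletes, alongside a source-level workaround that reads the reference once before the `delete`. The original `foo()` is reproduced unchanged for comparison; `foo_safe`, `alias_case_is_well_defined`, `scale_large_elements` and the sample arrays are this example's own.

```cpp
#include <cstdio>

// The function from the report, reproduced for comparison. clang emits
// dereferenceable(4) for the reference parameter 'c', which is what permits
// LICM to hoist the load of 'c' above the 'a[i] > 999' test and past the
// delete, even though the source only reads 'c' inside the branch.
int *obj;
void foo(int& c, int * __restrict a, int * __restrict b) {
    delete obj;
    for (int i = 0; i < 3; ++i) {
        if (a[i] > 999) {
            a[i] = c * b[i];
        }
    }
}

// Source-level workaround (added here, not part of the report): read through
// the reference exactly once, while its referent is guaranteed alive, and use
// the copy afterwards. Nothing the optimizer hoists can then touch 'c' after
// 'delete obj', whatever meaning it gives 'dereferenceable'. Nulling 'obj' is
// also an addition; it keeps the global from dangling between calls.
void foo_safe(int& c, int * __restrict a, int * __restrict b) {
    const int c_val = c;
    delete obj;
    obj = nullptr;
    for (int i = 0; i < 3; ++i) {
        if (a[i] > 999) {
            a[i] = c_val * b[i];
        }
    }
}

// Builds the aliasing case from the report: 'c' is bound to the int that
// 'obj' owns and is deleted inside the call. No element of 'a' exceeds 999,
// so the branch is never taken and the *source* program never reads 'c'
// after the delete; only the hoisted load in the optimized binary does.
// Returns true when foo_safe() leaves 'a' untouched, which is what the
// source semantics require. (Sample inputs are constructed for this example.)
bool alias_case_is_well_defined() {
    obj = new int(7);
    int a[3] = {1, 2, 3};
    int b[3] = {10, 20, 30};
    foo_safe(*obj, a, b);   // c aliases *obj; safe because c is read first
    return a[0] == 1 && a[1] == 2 && a[2] == 3 && obj == nullptr;
}

// Non-aliasing case, where 'c' is unrelated to 'obj': both versions must
// produce the same result. Returns the sum of 'a' after the call.
int scale_large_elements(bool use_safe) {
    obj = new int(0);   // unrelated allocation that the callee deletes
    int c = 10;
    int a[3] = {1000, 5, 2000};
    int b[3] = {3, 4, 5};
    if (use_safe) {
        foo_safe(c, a, b);
    } else {
        foo(c, a, b);
        obj = nullptr;  // foo() leaves obj dangling; reset for the next call
    }
    return a[0] + a[1] + a[2];   // 10*3 + 5 + 10*5 = 85
}

int main() {
    bool ok = alias_case_is_well_defined()
           && scale_large_elements(true) == 85
           && scale_large_elements(false) == 85;
    std::printf("%s\n", ok ? "ok" : "FAIL");
    return ok ? 0 : 1;
}
```

The test program deliberately never calls the original `foo()` with the aliasing inputs, because under the miscompile that call reads freed memory even though the source is well defined. Running that combination at `-O2` with `-fsanitize=address`, on a clang that performs the hoist shown in the report, is one way to make the freed-memory read visible; the copy-before-delete pattern in `foo_safe()` is the defensive rewrite to apply where a reference parameter may refer to storage the function itself frees.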


    </body>
</html>