<html>
    <head>
      <base href="https://bugs.llvm.org/">
    </head>
    <body><table border="1" cellspacing="0" cellpadding="8">
        <tr>
          <th>Bug ID</th>
          <td><a class="bz_bug_link 
          bz_status_NEW "
   title="NEW - [SCCP] Possible reference invalidation"
   href="https://bugs.llvm.org/show_bug.cgi?id=45749">45749</a>
          </td>
        </tr>

        <tr>
          <th>Summary</th>
          <td>[SCCP] Possible reference invalidation
          </td>
        </tr>

        <tr>
          <th>Product</th>
          <td>libraries
          </td>
        </tr>

        <tr>
          <th>Version</th>
          <td>trunk
          </td>
        </tr>

        <tr>
          <th>Hardware</th>
          <td>PC
          </td>
        </tr>

        <tr>
          <th>OS</th>
          <td>Windows NT
          </td>
        </tr>

        <tr>
          <th>Status</th>
          <td>NEW
          </td>
        </tr>

        <tr>
          <th>Severity</th>
          <td>normal
          </td>
        </tr>

        <tr>
          <th>Priority</th>
          <td>P
          </td>
        </tr>

        <tr>
          <th>Component</th>
          <td>Scalar Optimizations
          </td>
        </tr>

        <tr>
          <th>Assignee</th>
          <td>unassignedbugs@nondot.org
          </td>
        </tr>

        <tr>
          <th>Reporter</th>
          <td>Wolfgang_Pieb@playstation.sony.com
          </td>
        </tr>

        <tr>
          <th>CC</th>
          <td>llvm-bugs@lists.llvm.org
          </td>
        </tr></table>
      <p>
        <div>
        <pre>In SCCP.cpp, in SCCPSolver::handleCallResult() there are 4 calls to
mergeInValue() of the form

mergeInValue(ValueState[&CB], &CB, getValueState(CopyOf));

ValueState is a DenseMap. The subscript operator returns a reference to an
entry in ValueState, which is held across the call to getValueState() and
passed on to mergeInValue(). However, getValueState() itself makes insertions
into ValueState, thereby possibly invalidating the reference.

Unfortunately I have no test case to demonstrate this, but at Sony we have
encountered a crash with a previous version of this code (based on llvm 10.0)
in an LTO scenario. The cause was exactly such a reference invalidated by a
call to getValueState(). I am unable to share the code that caused the crash
since it was made available by one of our licensees.

I noticed that a similar problem was fixed by a previous commit
(<a href="https://github.sie.sony.com/SIE-Private/cpu-toolchain-orbis/commit/487780678fcaf2662aa820bd50364addb935dfe8">https://github.sie.sony.com/SIE-Private/cpu-toolchain-orbis/commit/487780678fcaf2662aa820bd50364addb935dfe8</a>).

I am unable to construct a small test case that demonstrates the issue, as my
understanding of SCCP is not particularly deep, but I think this code could
cause more crashes in the future, especially in large programs.</pre>
        </div>
      </p>
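<p>The hazard described in the report, reproduced against a constructed stand-in for DenseMap. This is an added example; it is not code from the LLVM project or from the reporter, and every name in it (FlatMap, getValue(), mapWithKeys(), referenceSurvives(), mergeReordered()) is hypothetical. FlatMap is a small open-addressing table that, like DenseMap, keeps entries inline in one array and rebuilds into a larger array when it grows, so references returned by operator[] dangle after any insertion that triggers a rehash. referenceSurvives() mirrors the ordering mergeInValue(ValueState[&amp;CB], &amp;CB, getValueState(CopyOf)) from the report, taking the reference first and then running the insertion-capable lookup, and reports whether the reference still points at live storage afterwards (only addresses are compared, as integers, so nothing is read or written through a dangling reference). mergeReordered() performs the lookup that may insert before taking the reference, which is one ordering that avoids the hazard.</p>

```cpp
#include <algorithm>
#include <cstddef>
#include <cstdint>
#include <iostream>
#include <utility>
#include <vector>

// Constructed stand-in for a DenseMap-like table (int keys, int values).
// Entries live inline in a single array; when inserting would push the load
// factor past 3/4 the table is rebuilt into a larger array, so every reference
// handed out by operator[] before that point dangles. This is not LLVM's DenseMap.
class FlatMap {
public:
    FlatMap() : slots_(4, Slot{0, 0, false}) {}

    // Mirrors ValueState[Key]: inserts a zero entry if absent and returns a
    // reference into the current slot array.
    int& operator[](int key) {
        std::size_t i = probe(key);
        if (slots_[i].used) return slots_[i].value;
        if ((count_ + 1) * 4 > slots_.size() * 3) {  // would exceed 3/4 load
            grow();                                   // invalidates outstanding references
            i = probe(key);
        }
        slots_[i] = Slot{key, 0, true};
        ++count_;
        return slots_[i].value;
    }

    // Mirrors getValueState(): returns the entry's value, inserting `initial`
    // first if the key is absent (and therefore possibly rehashing).
    int getValue(int key, int initial) {
        std::size_t i = probe(key);
        if (slots_[i].used) return slots_[i].value;
        int& slot = (*this)[key];
        slot = initial;
        return slot;
    }

    unsigned rehashes() const { return rehashes_; }

private:
    struct Slot { int key; int value; bool used; };
    std::vector<Slot> slots_;
    std::size_t count_ = 0;
    unsigned rehashes_ = 0;

    // Linear probing: the slot holding `key`, or the first free slot on its
    // probe sequence. The table never fills because growth happens at 3/4 load.
    std::size_t probe(int key) const {
        std::size_t i = static_cast<std::size_t>(key) % slots_.size();
        while (slots_[i].used && slots_[i].key != key) i = (i + 1) % slots_.size();
        return i;
    }

    void grow() {
        std::vector<Slot> old = std::move(slots_);
        slots_.assign(old.size() * 2, Slot{0, 0, false});
        for (const Slot& s : old)
            if (s.used) slots_[probe(s.key)] = s;
        ++rehashes_;
    }  // `old` is freed here; references into it are now dangling
};

// Constructed fixture: a map holding keys 1..n with value k for key k, standing
// in for a ValueState populated by earlier solver iterations.
FlatMap mapWithKeys(int n) {
    FlatMap m;
    for (int k = 1; k <= n; ++k) m[k] = k;
    return m;
}

// The ordering from the report: the reference for `dst` (ValueState[&CB]) is
// taken first, then the insertion-capable lookup of `src` (getValueState(CopyOf))
// runs. Returns true if the reference still refers to live storage afterwards.
bool referenceSurvives(FlatMap& m, int dst, int src) {
    std::uintptr_t before = reinterpret_cast<std::uintptr_t>(&m[dst]);
    unsigned rehashesBefore = m.rehashes();
    (void)m.getValue(src, 0);  // may insert src and rehash
    std::uintptr_t after = reinterpret_cast<std::uintptr_t>(&m[dst]);
    return before == after && rehashesBefore == m.rehashes();
}

// Reordered: do the lookup that may insert first, then take the reference that
// will be written through. Any rehash happens before the reference exists. The
// merge itself is a stand-in (max) for the lattice merge. Returns dst's new value.
int mergeReordered(FlatMap& m, int dst, int src, int srcInitial) {
    int srcValue = m.getValue(src, srcInitial);  // may rehash; no reference held yet
    int& dstRef = m[dst];                        // reference into the post-rehash table
    dstRef = std::max(dstRef, srcValue);
    return dstRef;
}

int main() {
    FlatMap a = mapWithKeys(2);
    std::cout << "reference survives, src absent:  " << referenceSurvives(a, 3, 4) << "\n";  // 0
    FlatMap b = mapWithKeys(2);
    std::cout << "reference survives, src present: " << referenceSurvives(b, 3, 1) << "\n";  // 1
    FlatMap c = mapWithKeys(2);
    std::cout << "reordered merge stores:          " << mergeReordered(c, 3, 4, 40) << "\n";  // 40
    return 0;
}
```

<p>With the source key already present the reference survives; with it absent, the lookup grows the table and the reference taken first is left dangling, which is the crash pattern the report attributes to its LTO case. A further point for review: C++ does not specify the evaluation order of function arguments, so in a single call such as mergeInValue(ValueState[&amp;CB], &amp;CB, getValueState(CopyOf)) the compiler is free to evaluate either operand first; computing the getValueState() result into a local before indexing the map removes that dependence as well as the invalidation.</p>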


    </body>
</html>