[llvm-commits] [llvm] r124287 - in /llvm/trunk: lib/Transforms/Scalar/Reassociate.cpp test/Transforms/Reassociate/2011-01-26-UseAfterFree.ll
Duncan Sands
baldrick at free.fr
Wed Jan 26 02:08:38 PST 2011
Author: baldrick
Date: Wed Jan 26 04:08:38 2011
New Revision: 124287
URL: http://llvm.org/viewvc/llvm-project?rev=124287&view=rev
Log:
Fix PR9039, a use-after-free in reassociate. The issue was that the
operand being factorized (and erased) could occur several times in Ops,
resulting in freed memory being used when the next occurrence in Ops was
analyzed.
Added:
llvm/trunk/test/Transforms/Reassociate/2011-01-26-UseAfterFree.ll
Modified:
llvm/trunk/lib/Transforms/Scalar/Reassociate.cpp
Modified: llvm/trunk/lib/Transforms/Scalar/Reassociate.cpp
URL: http://llvm.org/viewvc/llvm-project/llvm/trunk/lib/Transforms/Scalar/Reassociate.cpp?rev=124287&r1=124286&r2=124287&view=diff
==============================================================================
--- llvm/trunk/lib/Transforms/Scalar/Reassociate.cpp (original)
+++ llvm/trunk/lib/Transforms/Scalar/Reassociate.cpp Wed Jan 26 04:08:38 2011
@@ -811,16 +811,23 @@
// RemoveFactorFromExpression on successive values to behave differently.
Instruction *DummyInst = BinaryOperator::CreateAdd(MaxOccVal, MaxOccVal);
SmallVector<Value*, 4> NewMulOps;
- for (unsigned i = 0, e = Ops.size(); i != e; ++i) {
+ for (unsigned i = 0; i != Ops.size(); ++i) {
// Only try to remove factors from expressions we're allowed to.
BinaryOperator *BOp = dyn_cast<BinaryOperator>(Ops[i].Op);
if (BOp == 0 || BOp->getOpcode() != Instruction::Mul || !BOp->use_empty())
continue;
if (Value *V = RemoveFactorFromExpression(Ops[i].Op, MaxOccVal)) {
- NewMulOps.push_back(V);
- Ops.erase(Ops.begin()+i);
- --i; --e;
+ // The factorized operand may occur several times. Convert them all in
+ // one fell swoop.
+ for (unsigned j = Ops.size(); j != i;) {
+ --j;
+ if (Ops[j].Op == Ops[i].Op) {
+ NewMulOps.push_back(V);
+ Ops.erase(Ops.begin()+j);
+ }
+ }
+ --i;
}
}
Added: llvm/trunk/test/Transforms/Reassociate/2011-01-26-UseAfterFree.ll
URL: http://llvm.org/viewvc/llvm-project/llvm/trunk/test/Transforms/Reassociate/2011-01-26-UseAfterFree.ll?rev=124287&view=auto
==============================================================================
--- llvm/trunk/test/Transforms/Reassociate/2011-01-26-UseAfterFree.ll (added)
+++ llvm/trunk/test/Transforms/Reassociate/2011-01-26-UseAfterFree.ll Wed Jan 26 04:08:38 2011
@@ -0,0 +1,35 @@
+; RUN: opt < %s -reassociate
+; PR9039
+target datalayout = "e-p:32:32:32-i1:8:8-i8:8:8-i16:16:16-i32:32:32-i64:32:64-f32:32:32-f64:32:64-v64:64:64-v128:128:128-a0:0:64-f80:32:32-n8:16:32"
+target triple = "i386-gnu-linux"
+
+%ada__tags__T15s = type void ()
+
+define void @exp_averages_intraday__deviation() {
+entry:
+ %0 = load i32* undef, align 4
+ %1 = shl i32 %0, 2
+ %2 = add nsw i32 undef, %1
+ %3 = add nsw i32 %2, undef
+ %4 = mul nsw i32 %0, 12
+ %5 = add nsw i32 %3, %4
+ %6 = add nsw i32 %5, %4
+ %7 = add nsw i32 %6, undef
+ br i1 false, label %"4", label %"12"
+
+"4": ; preds = %entry
+ br i1 undef, label %"5", label %"8"
+
+"5": ; preds = %"4"
+ unreachable
+
+"8": ; preds = %"4"
+ %8 = getelementptr inbounds i8* undef, i32 %6
+ br i1 undef, label %"13", label %"12"
+
+"12": ; preds = %"8", %entry
+ ret void
+
+"13": ; preds = %"8"
+ ret void
+}
More information about the llvm-commits
mailing list