[llvm] r292133 - Fix use-after-free bug in AffectedValueCallbackVH::allUsesReplacedWith

Dimitry Andric via llvm-commits llvm-commits at lists.llvm.org
Mon Jan 16 13:03:15 PST 2017

On 16 Jan 2017, at 19:03, Dimitry Andric <dimitry at andric.com> wrote:
> On 16 Jan 2017, at 16:22, Hal Finkel via llvm-commits <llvm-commits at lists.llvm.org> wrote:
>> Author: hfinkel
>> Date: Mon Jan 16 09:22:01 2017
>> New Revision: 292133
>> URL: http://llvm.org/viewvc/llvm-project?rev=292133&view=rev
>> Log:
>> Fix use-after-free bug in AffectedValueCallbackVH::allUsesReplacedWith
>> When transferring affected values in the cache from an old value, identified by
>> the value of the current callback, to the specified new value we might need to
>> insert a new entry into the DenseMap which constitutes the cache. Doing so
>> might delete the current callback object. Move the copying logic into a new
>> function, a member of the assumption cache itself, so that we don't run into UB
>> should the callback handle itself be removed mid-copy.
>> Differential Revision: https://reviews.llvm.org/D28749
> Please merge this to release_40, when it's baked a little.

FWIW, shortest test case I now have:

// clang -cc1 -triple i386 -S -O2 -w -std=c++11 -vectorize-loops -vectorize-slp testcase.cpp
typedef struct {
  operator int() { __builtin_assume_aligned(buffer, 2); }
  void operator=(int) { __builtin_assume_aligned(buffer, 2); }
  char buffer[4];
} Elf_Addr;
struct Out {
  static Elf_Addr *A;
  static Elf_Addr *B;
  static Elf_Addr *C;
void DynamicSectionwriteTo(void) {
  Elf_Addr *P = 0;
  auto WritePtr = [&](int Val) { *P = Val; };


-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 194 bytes
Desc: Message signed with OpenPGP using GPGMail
URL: <http://lists.llvm.org/pipermail/llvm-commits/attachments/20170116/4a05d688/attachment.sig>

More information about the llvm-commits mailing list