<div dir="ltr"><br><div class="gmail_extra"><br><div class="gmail_quote">On Tue, Dec 9, 2014 at 3:56 PM, Duncan P. N. Exon Smith <span dir="ltr"><<a href="mailto:dexonsmith@apple.com" target="_blank">dexonsmith@apple.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">Author: dexonsmith<br>
Date: Tue Dec  9 17:56:39 2014<br>
New Revision: 223858<br>
<br>
URL: <a href="http://llvm.org/viewvc/llvm-project?rev=223858&view=rev" target="_blank">http://llvm.org/viewvc/llvm-project?rev=223858&view=rev</a><br>
Log:<br>
IR: Fix memory corruption in MDNode new/delete<br>
<br>
There were two major problems with `MDNode` memory management.<br>
<br>
 1. `MDNode::operator new()` called a placement array constructor for<br>
    `MDOperand`.  What?  Each operand needs to be placed individually.<br></blockquote><div><br>Why do they need to be placed individually?<br> </div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<br>
 2. `MDNode::operator delete()` failed to destruct the `MDOperand`s at<br>
    all.<br>
<br>
Frankly it's hard to understand how this worked locally, how this<br>
survived an LTO bootstrap, or how it worked on most of the bots.<br>
<br>
Modified:<br>
    llvm/trunk/lib/IR/Metadata.cpp<br>
<br>
Modified: llvm/trunk/lib/IR/Metadata.cpp<br>
URL: <a href="http://llvm.org/viewvc/llvm-project/llvm/trunk/lib/IR/Metadata.cpp?rev=223858&r1=223857&r2=223858&view=diff" target="_blank">http://llvm.org/viewvc/llvm-project/llvm/trunk/lib/IR/Metadata.cpp?rev=223858&r1=223857&r2=223858&view=diff</a><br>
==============================================================================<br>
--- llvm/trunk/lib/IR/Metadata.cpp (original)<br>
+++ llvm/trunk/lib/IR/Metadata.cpp Tue Dec  9 17:56:39 2014<br>
@@ -378,14 +378,18 @@ StringRef MDString::getString() const {<br>
<br>
 void *MDNode::operator new(size_t Size, unsigned NumOps) {<br>
   void *Ptr = ::operator new(Size + NumOps * sizeof(MDOperand));<br>
-  MDOperand *First = new (Ptr) MDOperand[NumOps];<br>
-  return First + NumOps;<br>
+  MDOperand *O = static_cast<MDOperand *>(Ptr);<br>
+  for (MDOperand *E = O + NumOps; O != E; ++O)<br>
+    (void)new (O) MDOperand;<br>
+  return O;<br>
 }<br>
<br>
 void MDNode::operator delete(void *Mem) {<br>
   MDNode *N = static_cast<MDNode *>(Mem);<br>
-  MDOperand *Last = static_cast<MDOperand *>(Mem);<br>
-  ::operator delete(Last - N->NumOperands);<br>
+  MDOperand *O = static_cast<MDOperand *>(Mem);<br>
+  for (MDOperand *E = O - N->NumOperands; O != E; --O)<br>
+    (O - 1)->~MDOperand();<br>
+  ::operator delete(O);<br>
 }<br>
<br>
 MDNode::MDNode(LLVMContext &Context, unsigned ID, ArrayRef<Metadata *> MDs)<br>
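</blockquote><div>Review bot: the per-element loop ending in `(void)new (O) MDOperand;` deserves a comment explaining why `new (Ptr) MDOperand[NumOps]` had to go, otherwise the question above ("Why do they need to be placed individually?") will keep being asked in review. A placement array new-expression is permitted to request more than `NumOps * sizeof(MDOperand)` bytes for its own bookkeeping and to hand back a pointer past that cookie, so the old code could construct operands beyond the block obtained on the line above and return a `First` that was not `Ptr`; the old `operator delete` then computed `Last - N->NumOperands` from that offset pointer and freed an address that was never returned by `::operator new`. A one-line comment at the loop stating that the per-element form is used because array placement new's overhead and return pointer are implementation-defined would document the fix; a similar note in `operator delete` that `N->NumOperands` is read after `~MDNode()` has run, and so relies on the destructor leaving that field untouched, would help the next reader as well.</div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">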
<br>
<br>
_______________________________________________<br>
llvm-commits mailing list<br>
<a href="mailto:llvm-commits@cs.uiuc.edu">llvm-commits@cs.uiuc.edu</a><br>
<a href="http://lists.cs.uiuc.edu/mailman/listinfo/llvm-commits" target="_blank">http://lists.cs.uiuc.edu/mailman/listinfo/llvm-commits</a><br>
</blockquote></div><br></div></div>
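As an added example, not LLVM's code and not part of the thread, here is the same operands-before-node layout that the fixed `operator new`/`operator delete` above use, with a constructed operand type that counts live instances so that a delete which skips the destructors (the second bug in the log) becomes measurable. `Node`, `CountingOperand` and `roundTrip` are hypothetical names chosen for this example.

```cpp
// Added example (not LLVM's code): an MDNode-style node whose operands sit
// *before* it in one allocation. A counting operand type makes the two bugs
// from the commit log checkable: operands are placed individually, and
// operator delete must destroy every one of them.
#include <cstddef>
#include <new>

struct CountingOperand {
  static int Live;              // constructed minus destroyed
  void *Value = nullptr;
  CountingOperand() { ++Live; }
  ~CountingOperand() { --Live; }
};
int CountingOperand::Live = 0;

struct Node {
  unsigned NumOperands;
  explicit Node(unsigned N) : NumOperands(N) {}
  // Layout: [operand 0 .. NumOps-1][Node]; returns the slot for the Node.
  static void *operator new(size_t Size, unsigned NumOps) {
    void *Ptr = ::operator new(Size + NumOps * sizeof(CountingOperand));
    CountingOperand *O = static_cast<CountingOperand *>(Ptr);
    // One placement new per operand: `new (Ptr) T[n]` may request extra
    // bookkeeping bytes and return an offset pointer, so it is not
    // guaranteed to fit in the NumOps * sizeof(T) bytes reserved above.
    for (CountingOperand *E = O + NumOps; O != E; ++O)
      (void)new (O) CountingOperand;
    return O;
  }
  static void operator delete(void *Mem) {
    Node *N = static_cast<Node *>(Mem);  // trivially destructible: still readable
    CountingOperand *O = static_cast<CountingOperand *>(Mem);
    // Destroy every operand (the original bug skipped this) while walking
    // back to the start of the allocation, then free it.
    for (CountingOperand *E = O - N->NumOperands; O != E; --O)
      (O - 1)->~CountingOperand();
    ::operator delete(O);
  }
};

// Count live operands while a node exists and after it is deleted; the
// second number is 0 only if operator delete destroys all of them.
struct RoundTrip { int LiveDuring; int LiveAfter; };
RoundTrip roundTrip(unsigned NumOps) {
  Node *N = new (NumOps) Node(NumOps);
  RoundTrip R;
  R.LiveDuring = CountingOperand::Live;
  delete N;
  R.LiveAfter = CountingOperand::Live;
  return R;
}
```

Running `roundTrip(3)` with a delete that omits the destructor loop leaves `LiveAfter` at 3, which is exactly the leak the commit log describes.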