<div dir="ltr">Theoretically ASan can catch this, right? Any idea why we weren't tripping ASan? It seems like this use-after-free would be consistent.<div><br></div><div>-- Sean Silva</div></div><div class="gmail_extra"><br><div class="gmail_quote">On Fri, Dec 4, 2015 at 3:00 PM, Justin Bogner via llvm-commits <span dir="ltr"><<a href="mailto:llvm-commits@lists.llvm.org" target="_blank">llvm-commits@lists.llvm.org</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">Author: bogner<br>
Date: Fri Dec  4 17:00:54 2015<br>
New Revision: 254794<br>
<br>
URL: <a href="http://llvm.org/viewvc/llvm-project?rev=254794&view=rev" rel="noreferrer" target="_blank">http://llvm.org/viewvc/llvm-project?rev=254794&view=rev</a><br>
Log:<br>
CodeGen: Move the SlotIndexes BumpPtrAllocator before the list it allocates<br>
<br>
When a `SlotIndexes` is destroyed, `ileAllocator` will currently be<br>
destructed before `IndexList`, but all of `IndexList`'s storage has<br>
been allocated by `ileAllocator`. This means we'll call destructors on<br>
garbage data, which is very bad. This can be avoided by putting the<br>
BumpPtrAllocator earlier in the class than anything it allocates.<br>
<br>
Unfortunately, I don't know how to test this. It depends very much on<br>
memory layout, and the only evidence I have that this is actually<br>
happening in practice are backtraces that might be explained by this.<br>
By inspection though, the code is obviously dangerous/wrong, and this<br>
is the right thing to do.<br>
<br>
I'll follow up later with a patch that calls clearAndLeakNodesUnsafely<br>
on the list, since there isn't much point in destructing them when<br>
they're allocated in a BPA anyway, but I figured it makes sense to<br>
commit the correctness fix separately from that optimization.<br>
<br>
Modified:<br>
    llvm/trunk/include/llvm/CodeGen/SlotIndexes.h<br>
<br>
Modified: llvm/trunk/include/llvm/CodeGen/SlotIndexes.h<br>
URL: <a href="http://llvm.org/viewvc/llvm-project/llvm/trunk/include/llvm/CodeGen/SlotIndexes.h?rev=254794&r1=254793&r2=254794&view=diff" rel="noreferrer" target="_blank">http://llvm.org/viewvc/llvm-project/llvm/trunk/include/llvm/CodeGen/SlotIndexes.h?rev=254794&r1=254793&r2=254794&view=diff</a><br>
==============================================================================<br>
--- llvm/trunk/include/llvm/CodeGen/SlotIndexes.h (original)<br>
+++ llvm/trunk/include/llvm/CodeGen/SlotIndexes.h Fri Dec  4 17:00:54 2015<br>
@@ -333,6 +333,8 @@ namespace llvm {<br>
   /// This pass assigns indexes to each instruction.<br>
   class SlotIndexes : public MachineFunctionPass {<br>
   private:<br>
+    // IndexListEntry allocator.<br>
+    BumpPtrAllocator ileAllocator;<br>
<br>
     typedef ilist<IndexListEntry> IndexList;<br>
     IndexList indexList;<br>
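</blockquote><div>Review bot: the moved comment <code>// IndexListEntry allocator.</code> on the new declaration says nothing about why it has to sit above <code>indexList</code>; since the whole fix rests on members being destroyed in reverse declaration order, spell that out at the declaration, e.g. <code>// IndexListEntry allocator. Declared before indexList because members are destroyed in reverse order and indexList's nodes live here.</code>, so a later tidy-up cannot silently reintroduce the destructors-on-freed-storage problem the log describes.</div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">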
@@ -353,9 +355,6 @@ namespace llvm {<br>
     /// and MBB id.<br>
     SmallVector<IdxMBBPair, 8> idx2MBBMap;<br>
<br>
-    // IndexListEntry allocator.<br>
-    BumpPtrAllocator ileAllocator;<br>
-<br>
     IndexListEntry* createEntry(MachineInstr *mi, unsigned index) {<br>
       IndexListEntry *entry =<br>
         static_cast<IndexListEntry*>(<br>
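</blockquote><div>Review bot: with the declaration gone from here, the only remaining tie between <code>createEntry</code> and <code>ileAllocator</code> is the cast just below it, and nothing near <code>createEntry</code> records that the entries it hands out stay valid during teardown only because the allocator now outlives <code>indexList</code>; a one-line note above <code>createEntry</code> would help. On the log's point that this is untested: until the planned <code>clearAndLeakNodesUnsafely</code> follow-up lands, the <code>IndexList</code> destructor still visits every node, so a unit test that constructs and destroys the pass object with a few entries under ASan would exercise exactly the member ordering this hunk changes.</div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">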
<br>
<br>
_______________________________________________<br>
llvm-commits mailing list<br>
<a href="mailto:llvm-commits@lists.llvm.org">llvm-commits@lists.llvm.org</a><br>
<a href="http://lists.llvm.org/cgi-bin/mailman/listinfo/llvm-commits" rel="noreferrer" target="_blank">http://lists.llvm.org/cgi-bin/mailman/listinfo/llvm-commits</a><br>
</blockquote></div><br></div>
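A constructed C++ model of the ordering bug in the quoted commit, added here and not LLVM's code: `Arena`, `List`, `Entry`, `BuggyIndexes` and `FixedIndexes` are toy stand-ins for `BumpPtrAllocator`, `ilist<IndexListEntry>`, `IndexListEntry` and the pre- and post-r254794 member order of `SlotIndexes`. Because C++ destroys data members in reverse declaration order, the pre-fix layout releases the allocator's slab first and the list destructor then runs over dead storage; the model's list destructor checks a liveness flag instead of actually reading freed memory, an assumption that keeps the demo defined where the real ilist would simply read.

```cpp
#include <cstddef>
#include <new>
// Constructed model, not LLVM code: a bump arena, an intrusive list whose nodes
// live in that arena, and the two member orders discussed in r254794.
static bool g_arenaAlive = false;  // does the arena's slab still exist?
static bool g_hazard = false;      // did a list destructor run after its slab was freed?

// Stand-in for BumpPtrAllocator: one slab, released when the arena is destroyed.
struct Arena {
  unsigned char *slab;
  std::size_t used = 0;
  Arena() : slab(new unsigned char[4096]) { g_arenaAlive = true; }
  ~Arena() { delete[] slab; g_arenaAlive = false; }
  void *allocate(std::size_t n) { void *p = slab + used; used += (n + 15) & ~std::size_t(15); return p; }
};

// Stand-in for IndexListEntry.
struct Entry { Entry *next = nullptr; unsigned index = 0; };
// Stand-in for ilist<IndexListEntry>: it does not own its nodes, but its destructor
// still walks every one of them (clearAndLeakNodesUnsafely would skip this walk).
struct List {
  Entry *head = nullptr;
  void push_front(Entry *e) { e->next = head; head = e; }
  ~List() {
    // Guard exists only in this model so the demo stays defined; the real ilist just reads.
    if (!g_arenaAlive) { g_hazard = true; return; }
    for (Entry *e = head; e; e = e->next) { /* node visited while its storage is live */ }
  }
};

// Pre-fix layout: list declared first, so the arena is destroyed before the list.
struct BuggyIndexes { List indexList; Arena ileAllocator; };
// Post-fix layout: arena declared first, so it outlives the list it backs.
struct FixedIndexes { Arena ileAllocator; List indexList; };

// Mirrors createEntry: carve each node out of the arena and link it into the list.
template <class T> void fill(T &obj, unsigned n) {
  for (unsigned i = 0; i < n; ++i) {
    Entry *e = new (obj.ileAllocator.allocate(sizeof(Entry))) Entry;
    e->index = i;
    obj.indexList.push_front(e);
  }
}

// True if destroying a T walks the list after the arena slab was already freed.
template <class T> bool destructionTouchesFreedStorage() {
  g_hazard = false;
  { T obj; fill(obj, 4); }  // members are destroyed in reverse declaration order here
  return g_hazard;
}
```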