[Mlir-commits] [mlir] [mlir] Fix use-after-free bugs in {RankedTensorType|VectorType}::Builder (PR #68969)

Benjamin Maxwell llvmlistbot at llvm.org
Mon Oct 16 01:32:55 PDT 2023


================
@@ -277,7 +277,7 @@ class RankedTensorType::Builder {
     if (storage.empty())
       storage.append(shape.begin(), shape.end());
     storage.erase(storage.begin() + pos);
-    shape = {storage.data(), storage.size()};
+    shape = {};
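Review bot: the new `shape = {};` line deserves a one-line comment saying why the view is deliberately invalidated, since the surrounding code (`if (storage.empty()) storage.append(shape.begin(), shape.end());`) shows that `shape` is only consulted until the first mutation and every later reader has to prefer `storage` when it is non-empty; without that comment the next person to touch `dropDim()` may "restore" the self-referential `{storage.data(), storage.size()}` view and reintroduce the dangling pointer that the implicit copy constructor produces.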
----------------
MacDue wrote:

The bug is relying on an `ArrayRef` that when the builder is copied (via the default C++ copy constructor), points to the original builder's storage, rather than the new builder's.  `dropDim()` returns a reference to the builder, so there's no copy done for a chain of them (which makes this bug subtle).

Bug not triggered here:
```cpp
// One builder is constructed. Updated by reference via the dropDim calls.
// Then converted to a vector type.
VectorType newType = VectorType::Builder(type).dropDim(0).dropDim(1);
```

Bug triggered here:
```cpp
// One builder is constructed, updated by reference, then assigned
// to auto, which ends up copying the builder. The original temporary
// builder is destroyed, and `shape` now points to junk.
auto newType = VectorType::Builder(type).dropDim(0).dropDim(1);
VectorType newVectorType = VectorType(newType);
```

(which is why the CI fix was just: https://github.com/llvm/llvm-project/commit/b44b3494f60296db6aca38a14cab061d9b747a0a)
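The aliasing described in the comment above, reproduced in an added stand-alone example that is not LLVM code: `IntView` is a hypothetical stand-in for `ArrayRef` (non-owning pointer plus length), `BuggyBuilder` keeps the self-referential view that the pre-fix `dropDim()` created, and `FixedBuilder` applies the same change as the patch (clear the view, let readers fall back to `storage`). The alias is observed while the original builder is still alive, so the check itself is well defined; the dangling read only happens once the original is destroyed, which is what the `auto` pattern above triggers.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <vector>

// Hypothetical stand-in for ArrayRef: a non-owning view (pointer + length).
struct IntView {
  const int64_t *data = nullptr;
  size_t size = 0;
  IntView() = default;
  explicit IntView(const std::vector<int64_t> &v) : data(v.data()), size(v.size()) {}
  const int64_t *begin() const { return data; }
  const int64_t *end() const { return data + size; }
};

// Pre-fix pattern: after dropDim(), `shape` views this builder's own `storage`.
// The implicit copy constructor copies the raw pointer, so a copy's `shape`
// still points at the ORIGINAL builder's buffer, which dangles once the
// original is destroyed (the `auto newType = ...` case).
struct BuggyBuilder {
  IntView shape;                 // initial shape must outlive the builder (like a type's uniqued storage)
  std::vector<int64_t> storage;  // owned scratch copy, only populated on first mutation
  explicit BuggyBuilder(const std::vector<int64_t> &s) : shape(s) {}
  BuggyBuilder &dropDim(size_t pos) {
    if (storage.size() == 0)
      storage.assign(shape.begin(), shape.end());
    storage.erase(storage.begin() + static_cast<std::ptrdiff_t>(pos));
    shape = IntView(storage);    // the defect: self-referential view
    return *this;
  }
};

// Post-fix pattern: the view is invalidated after a mutation, and readers
// consult `storage` whenever it is non-empty. Copies deep-copy `storage`, so
// nothing in the copy refers back to the original builder.
struct FixedBuilder {
  IntView shape;
  std::vector<int64_t> storage;
  explicit FixedBuilder(const std::vector<int64_t> &s) : shape(s) {}
  FixedBuilder &dropDim(size_t pos) {
    if (storage.size() == 0)
      storage.assign(shape.begin(), shape.end());
    storage.erase(storage.begin() + static_cast<std::ptrdiff_t>(pos));
    shape = IntView();           // invalidate; see current()
    return *this;
  }
  IntView current() const { return storage.empty() ? shape : IntView(storage); }
  std::vector<int64_t> build() const {
    IntView v = current();
    return std::vector<int64_t>(v.begin(), v.end());
  }
};

// Returns true when a copy of the buggy builder still views the original's
// buffer instead of its own. Checked while `original` is alive (well defined).
bool buggyCopyAliasesOriginal() {
  std::vector<int64_t> dims = {4, 8, 16};  // constructed sample shape
  BuggyBuilder original(dims);
  original.dropDim(0);
  BuggyBuilder copy = original;            // implicit copy: pointer copied, vector deep-copied
  return copy.shape.data == original.storage.data() &&
         copy.shape.data != copy.storage.data();
}

// The `auto` pattern from the discussion against the fixed builder: the
// temporary is copied and destroyed at the end of the full expression, and
// the copy still reports the correct shape from its own storage.
std::vector<int64_t> fixedAutoPattern() {
  std::vector<int64_t> dims = {4, 8, 16};  // constructed sample shape
  auto copy = FixedBuilder(dims).dropDim(0).dropDim(1);  // copies the temporary
  return copy.build();                                   // {8}
}

int main() {
  std::printf("buggy copy aliases original: %s\n", buggyCopyAliasesOriginal() ? "yes" : "no");
  for (int64_t d : fixedAutoPattern())
    std::printf("fixed shape dim: %lld\n", static_cast<long long>(d));
  return 0;
}
```

The fix is a design choice, not just a patch to one line: a builder that holds both an owned buffer and a non-owning view into it needs either a user-defined copy constructor that re-points the view, or, as the PR does, a rule that the view is only valid until the first mutation and `storage` is authoritative afterwards. Running the buggy variant under AddressSanitizer with the `auto` pattern is the quickest way to catch a regression of this shape in CI.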


https://github.com/llvm/llvm-project/pull/68969

