[all-commits] [llvm/llvm-project] f2fd41: X86: Fix use-after-realloc in X86AsmParser::ParseI...
Duncan P. N. Exon Smith via All-commits
all-commits at lists.llvm.org
Thu Jan 21 11:25:00 PST 2021
Branch: refs/heads/main
Home: https://github.com/llvm/llvm-project
Commit: f2fd41d7897e1cc8fc6e9fb2ea46e5b6527852e4
https://github.com/llvm/llvm-project/commit/f2fd41d7897e1cc8fc6e9fb2ea46e5b6527852e4
Author: Duncan P. N. Exon Smith <dexonsmith at apple.com>
Date: 2021-01-21 (Thu, 21 Jan 2021)
Changed paths:
M llvm/lib/Target/X86/AsmParser/X86AsmParser.cpp
Log Message:
-----------
X86: Fix use-after-realloc in X86AsmParser::ParseIntelExpression
`X86AsmParser::ParseIntelExpression` has a while loop. In the body,
calls to MCAsmLexer::UnLex can force a reallocation in the MCAsmLexer's
`CurToken` SmallVector, invalidating saved references to
`MCAsmLexer::getTok()`.
`const MCAsmToken &Tok` is such a saved reference, and this moves it
from outside the while loop to inside the body, fixing a
use-after-realloc.
`Tok` will still be reused across calls to `Lex()`, each of which
effectively destroys and constructs the pointed-to token. I'm a bit
skeptical of this usage pattern, but it seems broadly used in the
X86AsmParser (and others) so I'm leaving it alone (for now).
Somehow this bug was exposed by https://reviews.llvm.org/D94739,
resulting in test failures in dot-operator related tests in
llvm/test/tools/llvm-ml. I suspect the exposure path is related to
optimizer changes from splitting up the grow operation, but I haven't
dug all the way in. Regardless, there are already tests in tree that
cover this; they might fail consistently if we added ASan
instrumentation to SmallVector.
Differential Revision: https://reviews.llvm.org/D95112
More information about the All-commits
mailing list