[all-commits] [llvm/llvm-project] 7b4cc0: [LowerConstantIntrinsics] Fix heap-use-after-free ...
David via All-commits
all-commits at lists.llvm.org
Tue Sep 21 02:33:23 PDT 2021
Branch: refs/heads/main
Home: https://github.com/llvm/llvm-project
Commit: 7b4cc09b1424c7f53051f971347c00d5f27fbb4e
https://github.com/llvm/llvm-project/commit/7b4cc09b1424c7f53051f971347c00d5f27fbb4e
Author: David Stenberg <david.stenberg at ericsson.com>
Date: 2021-09-21 (Tue, 21 Sep 2021)
Changed paths:
M llvm/lib/Transforms/Scalar/LowerConstantIntrinsics.cpp
A llvm/test/Transforms/LowerConstantIntrinsics/stale-worklist-phi.ll
Log Message:
-----------
[LowerConstantIntrinsics] Fix heap-use-after-free bug in worklist
This fixes PR51730, a heap-use-after-free bug in
replaceConditionalBranchesOnConstant().
With the attached reproducer we were left with a function looking
something like this after replaceAndRecursivelySimplify():
  [...]
  cont2.i:
    br i1 %.not1.i, label %handler.type_mismatch3.i, label %cont4.i
  handler.type_mismatch3.i:
    %3 = phi i1 [ %2, %cont2.thread.i ], [ false, %cont2.i ]
    unreachable
  cont4.i:
    unreachable
  [...]
with both the branch instruction and PHI node being in the worklist. As
a result of replacing the branch instruction with an unconditional
branch, the PHI node in %handler.type_mismatch3.i would be removed. This
then resulted in a heap-use-after-free bug due to accessing that removed
PHI node in the next worklist iteration.
This is solved by using a value handle worklist. I am unsure if this
is the most idiomatic solution. Another solution could have been to
produce a worklist just containing the interesting branch instructions,
but I thought that it perhaps was a bit cleaner to keep all worklist
filtering in the loop that does the rewrites.
Reviewed By: lebedev.ri
Differential Revision: https://reviews.llvm.org/D109221
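
The stale-worklist pattern and the handle-based fix described in the log message, shown as an added example that is not part of the commit or of LLVM's code. It uses a toy IR in which std::weak_ptr stands in for LLVM's value handles; all type and function names are hypothetical.

```cpp
#include <algorithm>
#include <cstdio>
#include <memory>
#include <string>
#include <vector>

// Toy IR for illustration only; these are not LLVM's classes.
enum class Kind { CondBr, Br, Phi, Unreachable };
struct Inst { std::string name; Kind kind; };
struct Block { std::vector<std::shared_ptr<Inst>> insts; };  // block owns its instructions

// Folding the branch removes the edge into `handler`, so its PHIs are deleted.
static void foldBranch(Inst &br, Block &handler) {
    br.kind = Kind::Br;
    auto &v = handler.insts;
    v.erase(std::remove_if(v.begin(), v.end(),
                           [](const std::shared_ptr<Inst> &p) { return p->kind == Kind::Phi; }),
            v.end());  // last owner dropped: the PHI's memory is freed here
}

// Visits every queued instruction; returns the names actually processed.
std::vector<std::string> runWorklist(Block &cont, Block &handler) {
    // Handles instead of raw Inst*: a handle knows when its target was destroyed.
    std::vector<std::weak_ptr<Inst>> worklist;
    for (auto &i : cont.insts) worklist.emplace_back(i);
    for (auto &i : handler.insts) worklist.emplace_back(i);

    std::vector<std::string> visited;
    for (auto &handle : worklist) {
        std::shared_ptr<Inst> inst = handle.lock();
        if (!inst) continue;  // erased by an earlier rewrite; a raw pointer would dangle here
        visited.push_back(inst->name);
        if (inst->kind == Kind::CondBr) foldBranch(*inst, handler);
    }
    return visited;
}

// Constructed sample mirroring the shape in the commit message.
std::vector<std::string> demo() {
    Block cont, handler;
    cont.insts.push_back(std::make_shared<Inst>(Inst{"br", Kind::CondBr}));
    handler.insts.push_back(std::make_shared<Inst>(Inst{"phi", Kind::Phi}));
    handler.insts.push_back(std::make_shared<Inst>(Inst{"unreachable", Kind::Unreachable}));
    return runWorklist(cont, handler);
}

int main() {
    for (const auto &n : demo()) std::printf("%s\n", n.c_str());
}
```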