[all-commits] [llvm/llvm-project] 7d03c8: [mlir][Parser] Fix use-after-free when parsing inv...
Matthias Springer via All-commits
all-commits at lists.llvm.org
Wed Feb 19 23:42:50 PST 2025
Branch: refs/heads/main
Home: https://github.com/llvm/llvm-project
Commit: 7d03c8e256a78b67a645b78e3ca93287bee0cd37
https://github.com/llvm/llvm-project/commit/7d03c8e256a78b67a645b78e3ca93287bee0cd37
Author: Matthias Springer <me at m-sp.org>
Date: 2025-02-20 (Thu, 20 Feb 2025)
Changed paths:
M mlir/lib/AsmParser/Parser.cpp
M mlir/lib/Dialect/SCF/IR/SCF.cpp
M mlir/test/Dialect/SCF/invalid.mlir
Log Message:
-----------
[mlir][Parser] Fix use-after-free when parsing invalid reference to nested definition (#127778)
This commit fixes a use-after-free crash when parsing the following
invalid IR:
```mlir
scf.for ... iter_args(%var = %foo) -> tensor<?xf32> {
%foo = "test.inner"() : () -> (tensor<?xf32>)
scf.yield %arg0 : tensor<?xf32>
}
```
The `scf.for` parser was implemented as follows:
1. Resolve operands (including `%foo`).
2. Parse the region.
During operand resolution, a forward reference
(`unrealized_conversion_cast`) is added by the parser because `%foo` has
not been defined yet. During region parsing, the definition of `%foo` is
found and the forward reference is replaced with the actual definition.
(And the forward reference is deleted.) However, the operand of the
`scf.for` op is not updated because the `scf.for` op has not been
created yet; all we have is an `OperationState` object.
All parsers should be written in such a way that they first parse the
region and then resolve the operands. That way, no forward reference is
inserted in the first place. Before parsing the region, it may be
necessary to set the argument types if they are defined as part of the
assembly format of the op (as is the case with `scf.for`). Note: Ops in
generic format are parsed in the same way.
To make the parsing infrastructure more robust, this commit also delays
the erase of forward references until the end of the lifetime of the
parser. Instead of a use-after-free crash, users will then see more
descriptive error messages such as:
```
error: operation's operand is unlinked
```
Note: The proper way to fix the parser is to first parse the region,
then resolve the operands. The change to `Parser.cpp` is merely to help
users find the root cause of the problem.
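The ordering problem described in the commit, modelled as an added example that is not MLIR's own code: a toy SSA parser in which `Value`, `OperationState`, `Parser`, the two parse-order functions and the diagnostic strings are hypothetical stand-ins for the real API. It shows why resolving an operand before the region creates a placeholder that the region's definition then replaces and erases without the pending `OperationState` ever learning about it, why parsing the region first avoids the placeholder, and how keeping placeholder storage alive until the parser is destroyed turns the former dangling pointer into a checkable "operand is unlinked" condition.

```cpp
// Added example, not MLIR's own code: a toy SSA parser that models the
// forward-reference hazard from the commit message. Value, OperationState,
// Parser and the two parse-order functions are hypothetical stand-ins for
// the real MLIR API; the diagnostic strings are the toy's own wording.
#include <map>
#include <memory>
#include <string>
#include <vector>

struct Value {
    std::string name;
    bool isForwardRef = false; // placeholder created before the definition was seen
    bool erased = false;       // placeholder replaced by a real definition
};

// Like the real OperationState: the op has not been created yet, so it only
// holds raw operand pointers that no "replace all uses" step can reach.
struct OperationState {
    std::vector<Value*> operands;
};

class Parser {
public:
    Parser() { scopes_.emplace_back(); }

    // Resolve an SSA use: the visible definition, or a (shared) placeholder.
    Value* resolveOperand(const std::string& name) {
        for (auto s = scopes_.rbegin(); s != scopes_.rend(); ++s) {
            auto it = s->find(name);
            if (it != s->end()) return it->second;
        }
        auto fr = forwardRefs_.find(name);
        if (fr != forwardRefs_.end()) return fr->second;
        Value* ph = newValue(name);
        ph->isForwardRef = true;
        forwardRefs_[name] = ph;
        return ph;
    }

    // Define an SSA value in the current scope. A pending placeholder for the
    // same name is marked erased, but its storage stays alive until the parser
    // is destroyed (the deferred erase the commit adds to Parser.cpp). The
    // pre-fix parser freed it here, leaving OperationState with a dangling pointer.
    Value* defineValue(const std::string& name) {
        Value* v = newValue(name);
        scopes_.back()[name] = v;
        auto fr = forwardRefs_.find(name);
        if (fr != forwardRefs_.end()) {
            fr->second->erased = true;
            forwardRefs_.erase(fr);
        }
        return v;
    }

    void enterRegion() { scopes_.emplace_back(); }
    void exitRegion() { scopes_.pop_back(); }

    // Names used but never defined; reported at the end of parsing.
    std::vector<std::string> undefinedNames() const {
        std::vector<std::string> out;
        for (const auto& kv : forwardRefs_) out.push_back(kv.first);
        return out;
    }

private:
    Value* newValue(const std::string& name) {
        storage_.push_back(std::make_unique<Value>());
        storage_.back()->name = name;
        return storage_.back().get();
    }
    std::vector<std::map<std::string, Value*>> scopes_;
    std::map<std::string, Value*> forwardRefs_;
    std::vector<std::unique_ptr<Value>> storage_; // nothing is freed early
};

// Pre-fix scf.for order: resolve the iter_args operand, then parse the body.
OperationState parseOperandsThenRegion(Parser& p, const std::string& init,
                                       const std::vector<std::string>& bodyDefs) {
    OperationState st;
    st.operands.push_back(p.resolveOperand(init)); // placeholder if init is undefined
    p.enterRegion();
    for (const auto& d : bodyDefs) p.defineValue(d); // may replace and erase it
    p.exitRegion();
    return st;
}

// Fixed order: parse the body first, then resolve operands. A body-local name
// is out of scope by then, so no placeholder is ever swapped out under the op.
OperationState parseRegionThenOperands(Parser& p, const std::string& init,
                                       const std::vector<std::string>& bodyDefs) {
    OperationState st;
    p.enterRegion();
    for (const auto& d : bodyDefs) p.defineValue(d);
    p.exitRegion();
    st.operands.push_back(p.resolveOperand(init));
    return st;
}

// What a verifier can now say about the op's operands instead of crashing.
std::string diagnose(const OperationState& st) {
    for (const Value* v : st.operands) {
        if (v->erased) return "operation's operand is unlinked";
        if (v->isForwardRef) return "use of undeclared SSA value " + v->name;
    }
    return "";
}
```

For valid IR both orders produce the same operand pointer, so the reordering costs nothing; the difference only shows on the invalid input from the commit, where the old order leaves the op pointing at a replaced placeholder and the new order reports the body-local name as undeclared.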