[all-commits] [llvm/llvm-project] 104b63: [CIR] Fix heap-use-after-free in IndirectBrOp lowe...
Bruno Cardoso Lopes via All-commits
all-commits at lists.llvm.org
Tue Apr 14 14:41:04 PDT 2026
Branch: refs/heads/main
Home: https://github.com/llvm/llvm-project
Commit: 104b63b3705d672333294aa551e8381285030262
https://github.com/llvm/llvm-project/commit/104b63b3705d672333294aa551e8381285030262
Author: Bruno Cardoso Lopes <bruno.cardoso at gmail.com>
Date: 2026-04-14 (Tue, 14 Apr 2026)
Changed paths:
M clang/lib/CIR/Lowering/DirectToLLVM/LowerToLLVM.cpp
Log Message:
-----------
[CIR] Fix heap-use-after-free in IndirectBrOp lowering (#191949)

The previous code called op->getBlock()->eraseArgument(0) to remove a
block argument when the poison attribute was set (unreachable block with
no predecessors). This directly mutated the IR, freeing the
BlockArgument while the MLIR dialect conversion framework still held
references to it. When the framework later replayed changes in
applyRewrites(), it dereferenced the freed BlockArgument, causing a
heap-use-after-free detected by ASAN.

Found by running check-clang-cir under ASAN
(test: clang/test/CIR/CodeGen/label-values.c).

The fix removes the eraseArgument call entirely. The MLIR conversion
framework tracks block arguments and handles their lifecycle. A block
with no predecessors naturally produces no PHI node in LLVM IR, so
manual removal was unnecessary.

Additional cleanup:
- Use adaptor.getAddr() directly instead of creating an unnecessary
  BitcastOp (CIR ptr already converts to LLVM ptr).
- Use adaptor.getSuccOperands() instead of op.getSuccOperands() to
  ensure successor operands go through type conversion.
- Use replaceOpWithNewOp instead of separate create + replaceOp.
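
The lifetime problem described in the log message, as an added example that is not part of the commit or of MLIR: a toy driver keeps references to block arguments while a pattern runs and counts how many are already destroyed when it replays. All names (`ToyConversionDriver`, `staleRefsAfter`, the three pattern functions) are hypothetical, and `weak_ptr` stands in for the raw references a real driver holds so the stale state can be observed without reading freed memory.

```cpp
#include <algorithm>
#include <cstddef>
#include <functional>
#include <memory>
#include <vector>

// Toy model, not MLIR code: every type and function name here is hypothetical.
struct BlockArg { unsigned index = 0; };

struct Block {
    std::vector<std::shared_ptr<BlockArg>> args;  // the block owns its arguments
    // Direct IR mutation: the argument is destroyed immediately.
    void eraseArgument(std::size_t i) { args.erase(args.begin() + i); }
};

// Stand-in for a conversion driver that records state while patterns run and
// replays it afterwards. weak_ptr lets the model detect a destroyed argument
// safely; with raw pointers the same access is a heap-use-after-free.
struct ToyConversionDriver {
    Block &block;
    std::vector<std::weak_ptr<BlockArg>> tracked;
    std::vector<std::shared_ptr<BlockArg>> pendingErase;
    explicit ToyConversionDriver(Block &b) : block(b) {
        for (const auto &a : block.args) tracked.push_back(a);
    }
    // Deferred path: record the request, mutate only during replay.
    void eraseArgumentDeferred(std::size_t i) { pendingErase.push_back(block.args[i]); }
    // Replays recorded changes. Returns how many tracked arguments were
    // destroyed behind the driver's back (each would be a freed-memory read).
    std::size_t applyRewrites() {
        std::size_t stale = 0;
        for (const auto &w : tracked) stale += w.expired() ? 1 : 0;
        for (const auto &p : pendingErase) {
            auto &v = block.args;
            v.erase(std::remove(v.begin(), v.end(), p), v.end());
        }
        return stale;
    }
};

std::size_t staleRefsAfter(const std::function<void(ToyConversionDriver &)> &pattern) {
    Block block;
    block.args.push_back(std::make_shared<BlockArg>());  // one-argument block
    ToyConversionDriver driver(block);
    pattern(driver);
    return driver.applyRewrites();
}

void directErase(ToyConversionDriver &d) { d.block.eraseArgument(0); }      // shape of the bug
void leaveToDriver(ToyConversionDriver &) {}                                // shape of the fix
void deferredErase(ToyConversionDriver &d) { d.eraseArgumentDeferred(0); } // mutation via driver
int main() { return staleRefsAfter(directErase) == 1 ? 0 : 1; }
```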