[llvm-branch-commits] [llvm-branch] r369355 - Merging r369168:

Hans Wennborg via llvm-branch-commits llvm-branch-commits at lists.llvm.org
Tue Aug 20 02:45:09 PDT 2019


Author: hans
Date: Tue Aug 20 02:45:09 2019
New Revision: 369355

URL: http://llvm.org/viewvc/llvm-project?rev=369355&view=rev
Log:
Merging r369168:
------------------------------------------------------------------------
r369168 | spatel | 2019-08-17 01:10:34 +0200 (Sat, 17 Aug 2019) | 16 lines

[CodeGenPrepare] Fix use-after-free

If OptimizeExtractBits() encountered a shift instruction with no operands at all,
it would erase the instruction, but still return false.

This previously didn’t matter because its caller would always return after
processing the instruction, but https://reviews.llvm.org/D63233 changed the
function’s caller to fall through if it returned false, which would then cause
a use-after-free detectable by ASAN.

This change makes OptimizeExtractBits return true if it removes a shift
instruction with no users, terminating processing of the instruction.

Patch by: @brentdax (Brent Royal-Gordon)

Differential Revision: https://reviews.llvm.org/D66330
------------------------------------------------------------------------

Modified:
    llvm/branches/release_90/   (props changed)
    llvm/branches/release_90/lib/CodeGen/CodeGenPrepare.cpp
    llvm/branches/release_90/test/Transforms/CodeGenPrepare/sink-shift-and-trunc.ll

Propchange: llvm/branches/release_90/
------------------------------------------------------------------------------
--- svn:mergeinfo (original)
+++ svn:mergeinfo Tue Aug 20 02:45:09 2019
@@ -1,3 +1,3 @@
 /llvm/branches/Apple/Pertwee:110850,110961
 /llvm/branches/type-system-rewrite:133420-134817
-/llvm/trunk:155241,366431,366481,366487,366527,366570,366660,366868,366925,367019,367030,367062,367084,367124,367215,367292,367304,367306,367314,367340-367341,367394,367396,367398,367403,367417,367662,367750,367753,367846-367847,367898,367941,368004,368230,368300,368315,368324,368477-368478,368517-368519,368554,368572,368873,369011,369026,369097
+/llvm/trunk:155241,366431,366481,366487,366527,366570,366660,366868,366925,367019,367030,367062,367084,367124,367215,367292,367304,367306,367314,367340-367341,367394,367396,367398,367403,367417,367662,367750,367753,367846-367847,367898,367941,368004,368230,368300,368315,368324,368477-368478,368517-368519,368554,368572,368873,369011,369026,369097,369168

Modified: llvm/branches/release_90/lib/CodeGen/CodeGenPrepare.cpp
URL: http://llvm.org/viewvc/llvm-project/llvm/branches/release_90/lib/CodeGen/CodeGenPrepare.cpp?rev=369355&r1=369354&r2=369355&view=diff
==============================================================================
--- llvm/branches/release_90/lib/CodeGen/CodeGenPrepare.cpp (original)
+++ llvm/branches/release_90/lib/CodeGen/CodeGenPrepare.cpp Tue Aug 20 02:45:09 2019
@@ -1682,10 +1682,11 @@ static bool OptimizeExtractBits(BinaryOp
     TheUse = InsertedShift;
   }
 
-  // If we removed all uses, nuke the shift.
+  // If we removed all uses, or there are none, nuke the shift.
   if (ShiftI->use_empty()) {
     salvageDebugInfo(*ShiftI);
     ShiftI->eraseFromParent();
+    MadeChange = true;
   }
 
   return MadeChange;
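Review bot: The `MadeChange = true;` placed after `ShiftI->eraseFromParent();` makes the return value double as a lifetime signal: `true` can now mean "ShiftI has been erased", not only "the IR changed", and nothing in the visible code says so. The log message describes a caller that falls through on `false`, so the safety of the fix rests on every caller treating `true` as "stop touching this instruction". Consider stating that contract in the comment on OptimizeExtractBits, for example that `ShiftI` may be freed when the function returns true, so a later change to a caller does not reintroduce the use-after-free.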

Modified: llvm/branches/release_90/test/Transforms/CodeGenPrepare/sink-shift-and-trunc.ll
URL: http://llvm.org/viewvc/llvm-project/llvm/branches/release_90/test/Transforms/CodeGenPrepare/sink-shift-and-trunc.ll?rev=369355&r1=369354&r2=369355&view=diff
==============================================================================
--- llvm/branches/release_90/test/Transforms/CodeGenPrepare/sink-shift-and-trunc.ll (original)
+++ llvm/branches/release_90/test/Transforms/CodeGenPrepare/sink-shift-and-trunc.ll Tue Aug 20 02:45:09 2019
@@ -58,6 +58,23 @@ return:
   ret i32 %retval.0, !dbg !63
 }
 
+; CodeGenPrepare was erasing the unused lshr instruction, but then further
+; processing the instruction after it was freed. If this bug is still present,
+; this test will always crash in an LLVM built with ASAN enabled, and may
+; crash even if ASAN is not enabled.
+
+define i32 @shift_unused(i32 %a) {
+; CHECK-LABEL: @shift_unused(
+; CHECK-NEXT:  BB2:
+; CHECK-NEXT:    ret i32 [[A:%.*]]
+;
+  %as = lshr i32 %a, 3
+  br label %BB2
+
+BB2:
+  ret i32 %a
+}
+
 ; CHECK: [[shift1_loc]] = !DILocation(line: 1
 ; CHECK: [[trunc1_loc]] = !DILocation(line: 2
 ; CHECK: [[shift2_loc]] = !DILocation(line: 3
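Review bot: In the new `@shift_unused` checks, `ret i32 [[A:%.*]]` defines `A` at its only use, so the line matches any returned `i32` value and does not tie the result to the `%a` argument. Capturing the parameter on the define line (a `CHECK-SAME: i32 [[A:%.*]])` after the `CHECK-LABEL`) and then checking `ret i32 [[A]]` would pin that down. Separately, the test comment says a crash is only guaranteed when LLVM is built with ASAN, so in a regular build these CHECK lines are the only signal; it is worth confirming that a sanitizer-enabled configuration runs this file, since the regression protection depends on it.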



