[llvm-bugs] [Bug 43021] New: Use after free in CodeGenPrepare::optimizeInst()
via llvm-bugs
llvm-bugs at lists.llvm.org
Fri Aug 16 11:30:02 PDT 2019
https://bugs.llvm.org/show_bug.cgi?id=43021
Bug ID: 43021
Summary: Use after free in CodeGenPrepare::optimizeInst()
Product: libraries
Version: trunk
Hardware: PC
OS: All
Status: NEW
Severity: release blocker
Priority: P
Component: Common Code Generator Code
Assignee: unassignedbugs at nondot.org
Reporter: broyalgordon at apple.com
CC: llvm-bugs at lists.llvm.org
The OptimizeExtractBits() helper function in CodeGenPrepare.cpp is meant to
replace certain uses of "lshr" and "ashr" instructions, then erase the original
instruction if it is no longer used anywhere. It returns a flag indicating
whether it made a change. However, it only sets that flag to "true" when it
replaces an instruction. If it is passed an instruction that does not have any
users to begin with, it will erase it and still return "false".
This behavior was previously harmless, but rL363511 changed
OptimizeExtractBits()'s call site in CodeGenPrepare::optimizeInst() to allow
processing of the instruction to continue if OptimizeExtractBits() returns
false. The result is that CodeGenPrepare::optimizeInst() continues working on
the instruction even though it has been freed. This can cause occasional,
unpredictable crashes in normal builds, but it crashes reliably under ASAN.
I've prepared a test case and fix for this issue at
https://reviews.llvm.org/D66330.
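The flag-versus-erasure mismatch described in the report, reduced to a self-contained model as an added example (this is not LLVM's code and not the D66330 patch): the `Inst` and `Block` types are hypothetical stand-ins, `reportErase` models the minimal correction of counting erasure as a change (an assumption about the fix, not its actual content), and the call site records the instruction's id up front so the hazard can be detected without ever dereferencing freed memory.

```cpp
#include <algorithm>
#include <memory>
#include <vector>
// Hypothetical stand-in for an IR instruction: an id plus its users, each
// tagged with whether the rewrite is able to replace that use.
struct Inst {
  int id;
  std::vector<std::pair<Inst *, bool>> users; // (user, replaceable by the rewrite)
};

// Owning container standing in for a basic block; it remembers what it freed.
struct Block {
  std::vector<std::unique_ptr<Inst>> insts;
  std::vector<int> erasedIds;
  Inst *add(int id) { insts.emplace_back(new Inst{id, {}}); return insts.back().get(); }
  void erase(Inst *I) { // frees I; any later dereference of I is a use-after-free
    erasedIds.push_back(I->id);
    auto isI = [I](const std::unique_ptr<Inst> &P) { return P.get() == I; };
    insts.erase(std::remove_if(insts.begin(), insts.end(), isI), insts.end());
  }
  bool wasErased(int id) const {
    return std::find(erasedIds.begin(), erasedIds.end(), id) != erasedIds.end();
  }
};

// Model of the helper: drop replaceable uses, then erase I once nothing uses it.
// With reportErase == false (the reported behaviour) the flag only tracks
// replacements, so an input with no users is freed while "false" is returned.
bool optimizeExtractBits(Block &BB, Inst *I, bool reportErase) {
  auto &U = I->users;
  size_t before = U.size();
  auto replaceable = [](const std::pair<Inst *, bool> &P) { return P.second; };
  U.erase(std::remove_if(U.begin(), U.end(), replaceable), U.end());
  bool madeChange = U.size() != before;
  if (U.empty()) {
    BB.erase(I);
    madeChange = madeChange || reportErase; // modelled fix: erasure counts as a change
  }
  return madeChange;
}

// Model of the post-rL363511 call site, which keeps working on I when the helper
// reports no change. Returns true if that continuation would touch a freed I.
bool callerTouchesFreed(Block &BB, Inst *I, bool fixedHelper) {
  int id = I->id; // captured before the call, so I is never read afterwards
  if (optimizeExtractBits(BB, I, fixedHelper))
    return false; // helper says it changed I: caller stops here
  return BB.wasErased(id); // caller would continue with I: a UAF if it was freed
}
```

Under ASAN the real pass reports the equivalent of the `true` result for a dead `lshr`/`ashr` input; the model makes the same condition checkable without undefined behaviour.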