[llvm-bugs] [Bug 43387] New: Dereferenceable attribute incorrectly applied to reference that may be deleted; leads to use-after-free after LICM hoist
via llvm-bugs
llvm-bugs at lists.llvm.org
Fri Sep 20 12:39:41 PDT 2019
https://bugs.llvm.org/show_bug.cgi?id=43387
Bug ID: 43387
Summary: Dereferenceable attribute incorrectly applied to
reference that may be deleted; leads to use-after-free
after LICM hoist
Product: clang
Version: trunk
Hardware: All
OS: All
Status: NEW
Severity: normal
Priority: P
Component: LLVM Codegen
Assignee: unassignedclangbugs at nondot.org
Reporter: mstaveleytaylor at gmail.com
CC: llvm-bugs at lists.llvm.org, neeilans at live.com,
richard-llvm at metafoo.co.uk
In the following code:
int *obj;
void foo(int& c, int * __restrict a, int * __restrict b) {
    delete obj;
    for (int i = 0; i < 3; ++i) {
        if (a[i] > 999) {
            a[i] = c * b[i];
        }
    }
}
the generated IR defines foo as (-O2):
define dso_local void @_Z3fooRiPiS0_(i32* nocapture readonly dereferenceable(4)
%0, i32* noalias nocapture %1, i32* noalias nocapture readonly %2)
However, the 'dereferenceable' attribute is incorrect: in the case that obj
and c alias and the branch is never taken, LICM *unconditionally* hoists the
load out of the loop after the delete, leading to a use-after-free.
The crux of the issue is that clang applies dereferenceable for references,
even if it is possible that the memory backing the reference is freed during
the function.
This leads to a miscompilation as can be seen in the following x86 output:
foo(int&, int*, int*):
        push    r15
        push    r14
        push    rbx
        mov     r14, rdx
        mov     rbx, rsi
        mov     r15, rdi
        mov     rdi, qword ptr [rip + obj]
        test    rdi, rdi
        je      .LBB0_2
        call    operator delete(void*)
.LBB0_2:
        mov     eax, dword ptr [r15]    ; use-after-free if obj and c alias
        ...
Godbolt showcase: https://gcc.godbolt.org/z/FwwMMn
This seems to be a well-known issue
(https://lists.llvm.org/pipermail/llvm-dev/2018-July/124555.html), but I cannot
find an existing bugzilla report for it.
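As an added example (not part of the bug report or of clang), the two ways a function with the report's shape can be written so that no read through the reference can be reordered to after the delete, regardless of whether the compiler trusts dereferenceable and hoists the load: either snapshot the referenced value before releasing the storage that may back it, or release that storage only after the loop's last use. The per-call owner pointer, the fixed loop length and the driver that deliberately makes obj and c alias are assumptions made for this example; the threshold and arithmetic mirror the report's foo().

```cpp
#include <cstddef>

// Added example, not code from the bug report. Loop length and threshold
// follow the report's foo(); the per-call owner pointer replaces the global.
static const int kLen = 3;

// Hardened form 1: read c into a local while its storage is guaranteed
// alive, then delete. The loop only touches the local copy, so a hoisted
// load (if the optimizer still performs one) reads live memory.
void fooSnapshot(int*& obj, int& c, int* __restrict a, int* __restrict b) {
    const int cv = c;   // last access to the possibly-aliased storage
    delete obj;
    obj = nullptr;      // avoid a dangling owner pointer
    for (int i = 0; i < kLen; ++i) {
        if (a[i] > 999) {
            a[i] = cv * b[i];
        }
    }
}

// Hardened form 2: keep the storage alive for the whole loop and release it
// only after the last use of the reference.
void fooDeleteLast(int*& obj, int& c, int* __restrict a, int* __restrict b) {
    for (int i = 0; i < kLen; ++i) {
        if (a[i] > 999) {
            a[i] = c * b[i];
        }
    }
    delete obj;
    obj = nullptr;
}

// Driver (constructed for this example): obj and c alias on purpose, which is
// the case the report describes. Returns the sum of a[] after the call so the
// outcome can be checked; takeBranch selects whether any a[i] exceeds 999.
int runAliased(bool takeBranch, bool deleteLast) {
    int* obj = new int(5);
    int a[kLen] = {1, 2, 3};
    int b[kLen] = {10, 20, 30};
    if (takeBranch) a[1] = 1000;        // a[1] = 5 * 20 = 100 after the call
    if (deleteLast)
        fooDeleteLast(obj, *obj, a, b); // c refers to *obj
    else
        fooSnapshot(obj, *obj, a, b);
    int sum = 0;
    for (int i = 0; i < kLen; ++i) sum += a[i];
    return sum;
}
```

Both forms are correct under the C++ source semantics and stay correct even if a front end marks the reference dereferenceable and a later pass hoists the read, because the read is in program order before the delete in either variant. The snapshot form is usually the cheaper fix when the referenced object is small; the delete-last form preserves the original access pattern when the referenced value may be large or the loop may need to see it by reference.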