[llvm] r221401 - Fix heap-use-after-free bug in expandSDiv when the operands are

Michael Ilseman milseman at apple.com
Wed Nov 5 13:28:24 PST 2014 

Author: milseman
Date: Wed Nov  5 15:28:24 2014
New Revision: 221401

URL: http://llvm.org/viewvc/llvm-project?rev=221401&view=rev
Log:
Fix heap-use-after-free bug in expandSDiv when the operands are
constants, as discovered by ASAN.

Patch by Mehdi Amini!


Modified:
    llvm/trunk/lib/Transforms/Utils/IntegerDivision.cpp

Modified: llvm/trunk/lib/Transforms/Utils/IntegerDivision.cpp
URL: http://llvm.org/viewvc/llvm-project/llvm/trunk/lib/Transforms/Utils/IntegerDivision.cpp?rev=221401&r1=221400&r2=221401&view=diff
==============================================================================
--- llvm/trunk/lib/Transforms/Utils/IntegerDivision.cpp (original)
+++ llvm/trunk/lib/Transforms/Utils/IntegerDivision.cpp Wed Nov  5 15:28:24 2014
@@ -398,11 +398,13 @@ bool llvm::expandRemainder(BinaryOperato
     Rem->dropAllReferences();
     Rem->eraseFromParent();
 
-    // If we didn't actually generate a udiv instruction, we're done
-    BinaryOperator *BO = dyn_cast<BinaryOperator>(Builder.GetInsertPoint());
-    if (!BO || BO->getOpcode() != Instruction::URem)
+    // If we didn't actually generate an urem instruction, we're done
+    // This happens for example if the input were constant. In this case the
+    // Builder insertion point was unchanged
+    if (Rem == Builder.GetInsertPoint())
       return true;
 
+    BinaryOperator *BO = dyn_cast<BinaryOperator>(Builder.GetInsertPoint());
     Rem = BO;
   }
 
@@ -456,11 +458,13 @@ bool llvm::expandDivision(BinaryOperator
     Div->dropAllReferences();
     Div->eraseFromParent();
 
-    // If we didn't actually generate a udiv instruction, we're done
-    BinaryOperator *BO = dyn_cast<BinaryOperator>(Builder.GetInsertPoint());
-    if (!BO || BO->getOpcode() != Instruction::UDiv)
+    // If we didn't actually generate an udiv instruction, we're done
+    // This happens for example if the input were constant. In this case the
+    // Builder insertion point was unchanged
+    if (Div == Builder.GetInsertPoint())
       return true;
 
+    BinaryOperator *BO = dyn_cast<BinaryOperator>(Builder.GetInsertPoint());
     Div = BO;
   }

More information about the llvm-commits mailing list