[llvm] r223858 - IR: Fix memory corruption in MDNode new/delete

David Blaikie dblaikie at gmail.com
Tue Dec 9 17:38:03 PST 2014 

On Tue, Dec 9, 2014 at 5:33 PM, Duncan P. N. Exon Smith <
dexonsmith at apple.com> wrote:

>
> > On 2014 Dec 9, at 17:31, David Blaikie <dblaikie at gmail.com> wrote:
> >
> >
> >
> > On Tue, Dec 9, 2014 at 3:56 PM, Duncan P. N. Exon Smith <
> dexonsmith at apple.com> wrote:
> > Author: dexonsmith
> > Date: Tue Dec  9 17:56:39 2014
> > New Revision: 223858
> >
> > URL: http://llvm.org/viewvc/llvm-project?rev=223858&view=rev
> > Log:
> > IR: Fix memory corruption in MDNode new/delete
> >
> > There were two major problems with `MDNode` memory management.
> >
> >  1. `MDNode::operator new()` called a placement array constructor for
> >     `MDOperand`.  What?  Each operand needs to be placed individually.
> >
> > Why do they need to be placed individually?
> >
>
> I'm not sure, but I think the implementation is allowed to place a cookie
> with the size.
>

Pretty sure that's not the case - how would user code know how big to make
the buffer if that were the case?

But I could be wrong.


> If you think I'm wrong, maybe problem #2 was the only real problem?
>

I guess so - though I haven't looked to see what important things the dtor
is doing, so I don't really know what badness could occur by not calling it.

- David


>
> >
> >  2. `MDNode::operator delete()` failed to destruct the `MDOperand`s at
> >     all.
> >
> > Frankly it's hard to understand how this worked locally, how this
> > survived an LTO bootstrap, or how it worked on most of the bots.
> >
> > Modified:
> >     llvm/trunk/lib/IR/Metadata.cpp
> >
> > Modified: llvm/trunk/lib/IR/Metadata.cpp
> > URL:
> http://llvm.org/viewvc/llvm-project/llvm/trunk/lib/IR/Metadata.cpp?rev=223858&r1=223857&r2=223858&view=diff
> >
> ==============================================================================
> > --- llvm/trunk/lib/IR/Metadata.cpp (original)
> > +++ llvm/trunk/lib/IR/Metadata.cpp Tue Dec  9 17:56:39 2014
> > @@ -378,14 +378,18 @@ StringRef MDString::getString() const {
> >
> >  void *MDNode::operator new(size_t Size, unsigned NumOps) {
> >    void *Ptr = ::operator new(Size + NumOps * sizeof(MDOperand));
> > -  MDOperand *First = new (Ptr) MDOperand[NumOps];
> > -  return First + NumOps;
> > +  MDOperand *O = static_cast<MDOperand *>(Ptr);
> > +  for (MDOperand *E = O + NumOps; O != E; ++O)
> > +    (void)new (O) MDOperand;
> > +  return O;
> >  }
> >
> >  void MDNode::operator delete(void *Mem) {
> >    MDNode *N = static_cast<MDNode *>(Mem);
> > -  MDOperand *Last = static_cast<MDOperand *>(Mem);
> > -  ::operator delete(Last - N->NumOperands);
> > +  MDOperand *O = static_cast<MDOperand *>(Mem);
> > +  for (MDOperand *E = O - N->NumOperands; O != E; --O)
> > +    (O - 1)->~MDOperand();
> > +  ::operator delete(O);
> >  }
> >
> >  MDNode::MDNode(LLVMContext &Context, unsigned ID, ArrayRef<Metadata *>
> MDs)
> >
> >
> > _______________________________________________
> > llvm-commits mailing list
> > llvm-commits at cs.uiuc.edu
> > http://lists.cs.uiuc.edu/mailman/listinfo/llvm-commits
> >
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.llvm.org/pipermail/llvm-commits/attachments/20141209/2bb2627d/attachment.html>

More information about the llvm-commits mailing list