[PATCH] D39979: [Polly][SI] Fix a potential use-after-free
Philip Pfaffe via Phabricator via llvm-commits
llvm-commits at lists.llvm.org
Mon Nov 13 13:46:26 PST 2017
philip.pfaffe created this revision.
There is a potential use-after-free bug in Scop::buildSchedule(Region *,
LoopStackTy &, LoopInfo &). Before, we took a reference to LoopStack.back()
and kept using it after that element was popped off further below, which is a
use after free. This didn't crash before by pure chance, since LoopStack is
actually a vector, and the memory isn't freed upon pop. I turned this into an
iterator-based algorithm.
https://reviews.llvm.org/D39979
Files:
lib/Analysis/ScopInfo.cpp
Index: lib/Analysis/ScopInfo.cpp
===================================================================
--- lib/Analysis/ScopInfo.cpp
+++ lib/Analysis/ScopInfo.cpp
@@ -4840,13 +4840,13 @@
}
}
- auto &LoopData = LoopStack.back();
- LoopData.NumBlocksProcessed += getNumBlocksInRegionNode(RN);
+ auto LoopData = LoopStack.rbegin();
+ LoopData->NumBlocksProcessed += getNumBlocksInRegionNode(RN);
for (auto *Stmt : getStmtListFor(RN)) {
auto *UDomain = isl_union_set_from_set(Stmt->getDomain().release());
auto *StmtSchedule = isl_schedule_from_domain(UDomain);
- LoopData.Schedule = combineInSequence(LoopData.Schedule, StmtSchedule);
+ LoopData->Schedule = combineInSequence(LoopData->Schedule, StmtSchedule);
}
// Check if we just processed the last node in this loop. If we did, finalize
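Review bot: `LoopStack.rbegin()` is dereferenced on the very next line with no check that the stack is non-empty, an assumption the old `LoopStack.back()` shared. Since this fix is about making the stack accesses well-defined, I would put `assert(!LoopStack.empty() && "buildSchedule needs at least one LoopStack entry");` before the `rbegin()` call. `LoopData` is also an iterator now rather than the entry itself, so a name such as `LoopDataIt` would describe it better. The enclosing function begins before this hunk, so callers may already guarantee a non-empty stack.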
@@ -4858,25 +4858,26 @@
//
// Then continue to check surrounding loops, which might also have been
// completed by this node.
- while (LoopData.L &&
- LoopData.NumBlocksProcessed == getNumBlocksInLoop(LoopData.L)) {
- auto *Schedule = LoopData.Schedule;
- auto NumBlocksProcessed = LoopData.NumBlocksProcessed;
+ auto Dimension = LoopStack.size();
+ while (LoopData->L &&
+ LoopData->NumBlocksProcessed == getNumBlocksInLoop(LoopData->L)) {
+ auto *Schedule = LoopData->Schedule;
+ auto NumBlocksProcessed = LoopData->NumBlocksProcessed;
- LoopStack.pop_back();
- auto &NextLoopData = LoopStack.back();
+ assert(std::next(LoopData) != LoopStack.rend());
+ ++LoopData;
+ --Dimension;
if (Schedule) {
isl::union_set Domain = give(isl_schedule_get_domain(Schedule));
- isl::multi_union_pw_aff MUPA = mapToDimension(Domain, LoopStack.size());
+ isl::multi_union_pw_aff MUPA = mapToDimension(Domain, Dimension);
Schedule = isl_schedule_insert_partial_schedule(Schedule, MUPA.release());
- NextLoopData.Schedule =
- combineInSequence(NextLoopData.Schedule, Schedule);
+ LoopData->Schedule = combineInSequence(LoopData->Schedule, Schedule);
}
- NextLoopData.NumBlocksProcessed += NumBlocksProcessed;
- LoopData = NextLoopData;
+ LoopData->NumBlocksProcessed += NumBlocksProcessed;
}
+ LoopStack.erase(LoopStack.begin() + Dimension, LoopStack.end());
}
ArrayRef<ScopStmt *> Scop::getStmtListFor(BasicBlock *BB) const {
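Review bot: The added `assert(std::next(LoopData) != LoopStack.rend());` is the only thing stopping `++LoopData` from stepping onto `rend()`, and it disappears in builds without assertions. There the following `LoopData->Schedule` and `LoopData->NumBlocksProcessed` accesses would touch memory outside the stack. The loop presumably relies on the outermost entry having a null `L` to terminate; that invariant is not visible in the hunk, so the assert should carry a message, e.g. `assert(std::next(LoopData) != LoopStack.rend() && "walked past the outermost LoopStack entry");`. I would also add a comment above the final `erase`, such as `// Pop all finished loops at once; erasing inside the loop would invalidate LoopData.` The function body starts outside this hunk.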
-------------- next part --------------
A non-text attachment was scrubbed...
Name: D39979.122721.patch
Type: text/x-patch
Size: 2371 bytes
Desc: not available
URL: <http://lists.llvm.org/pipermail/llvm-commits/attachments/20171113/d267543f/attachment.bin>