[llvm] r326668 - [CallSiteSplitting] fix use after-free
Fedor Indutny via llvm-commits
llvm-commits at lists.llvm.org
Sat Mar 3 14:34:38 PST 2018
Author: indutny
Date: Sat Mar 3 14:34:38 2018
New Revision: 326668
URL: http://llvm.org/viewvc/llvm-project?rev=326668&view=rev
Log:
[CallSiteSplitting] fix use after-free
Iterating through predecessors of `TailBB` while removing their
terminators leads to a use-after-free, because the predecessor list is
changing on each removal.
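The hazard the log describes, as an added example that is not part of this commit or of LLVM: a mock `Block`/`Terminator` pair (hypothetical names, not LLVM's classes) in which erasing a terminator unlinks its block from the successor's predecessor list, so walking `TailBB`'s predecessors while erasing changes the list underneath the walk. The pre-fix walk is index-based here so that it runs deterministically and the visible symptom is a terminator left in place; over LLVM's intrusive use-list iterators the same walk dereferences a freed `Use`, which is the use-after-free the commit fixes. The snapshot variant mirrors the fix.

```cpp
#include <algorithm>
#include <cstddef>
#include <cstdio>
#include <memory>
#include <vector>

struct Block;

// Hypothetical stand-in for a `br` terminator with a single successor.
struct Terminator {
    Block *Succ;
};

// Hypothetical stand-in for BasicBlock: the predecessor list is derived
// from which terminators branch here, exactly like LLVM's use-list.
struct Block {
    std::vector<Block *> Preds;
    std::unique_ptr<Terminator> Term; // null once erased
};

// Create the edge From -> To and register From as a predecessor of To.
static void addBranch(Block &From, Block &To) {
    From.Term.reset(new Terminator{&To});
    To.Preds.push_back(&From);
}

// Mirrors Instruction::eraseFromParent for a terminator: destroying it
// drops the edge, so the successor's predecessor list shrinks as a side
// effect of the erase.
static void eraseTerminator(Block &B) {
    Block *Succ = B.Term->Succ;
    Succ->Preds.erase(std::remove(Succ->Preds.begin(), Succ->Preds.end(), &B),
                      Succ->Preds.end());
    B.Term.reset();
}

// Pre-fix shape: iterate the live predecessor list while each erase mutates
// it. Index-based so it runs safely; the erase shifts the remaining entry
// into the slot just visited, so it is never processed. Returns how many
// predecessors still own a terminator afterwards.
static std::size_t eraseSplitTerminatorsNaive(Block &TailBB) {
    for (std::size_t i = 0; i < TailBB.Preds.size(); ++i)
        eraseTerminator(*TailBB.Preds[i]);
    return TailBB.Preds.size();
}

// Post-fix shape (r326668): copy the predecessor list first, then erase.
// The copy is unaffected by the mutations, so every split is visited.
static std::size_t eraseSplitTerminatorsSnapshot(Block &TailBB) {
    std::vector<Block *> Splits(TailBB.Preds.begin(), TailBB.Preds.end());
    for (Block *Split : Splits)
        eraseTerminator(*Split);
    return TailBB.Preds.size();
}

// Build the two-way split the pass produces (Split1, Split2 -> TailBB) and
// run one of the two strategies; returns predecessors left with terminators.
static std::size_t runScenario(bool UseSnapshot) {
    Block Split1, Split2, TailBB;
    addBranch(Split1, TailBB);
    addBranch(Split2, TailBB);
    return UseSnapshot ? eraseSplitTerminatorsSnapshot(TailBB)
                       : eraseSplitTerminatorsNaive(TailBB);
}

int main() {
    std::printf("naive walk leaves %zu terminator(s) in place\n",
                runScenario(false));
    std::printf("snapshot walk leaves %zu terminator(s) in place\n",
                runScenario(true));
    return 0;
}
```

With a plain `std::vector` the naive walk only skips an element; LLVM's `predecessors()` iterates the use-list of `TailBB`, and `eraseFromParent` frees the `Use` the iterator is standing on, which is why the real symptom is memory corruption rather than a missed block.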
Modified:
llvm/trunk/lib/Transforms/Scalar/CallSiteSplitting.cpp
Modified: llvm/trunk/lib/Transforms/Scalar/CallSiteSplitting.cpp
URL: http://llvm.org/viewvc/llvm-project/llvm/trunk/lib/Transforms/Scalar/CallSiteSplitting.cpp?rev=326668&r1=326667&r2=326668&view=diff
==============================================================================
--- llvm/trunk/lib/Transforms/Scalar/CallSiteSplitting.cpp (original)
+++ llvm/trunk/lib/Transforms/Scalar/CallSiteSplitting.cpp Sat Mar 3 14:34:38 2018
@@ -347,8 +347,13 @@ static void splitCallSite(
// FIXME: remove TI in `copyMustTailReturn`
if (IsMustTailCall) {
// Remove superfluous `br` terminators from the end of the Split blocks
- for (BasicBlock *SplitBlock : predecessors(TailBB))
- SplitBlock->getTerminator()->eraseFromParent();
+ // NOTE: Removing terminator removes the SplitBlock from the TailBB's
+ // predecessors. Therefore we must get complete list of Splits before
+ // attempting removal.
+ SmallVector<BasicBlock *, 2> Splits(predecessors((TailBB)));
+ assert(Splits.size() == 2 && "Expected exactly 2 splits!");
+ for (unsigned i = 0; i < Splits.size(); i++)
+ Splits[i]->getTerminator()->eraseFromParent();
// Erase the tail block once done with musttail patching
TailBB->eraseFromParent();
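Review bot: in the added lines, `predecessors((TailBB))` carries a redundant pair of parentheses, and the index loop can be a range-for now that `Splits` is a stable copy: `for (BasicBlock *SplitBlock : Splits) SplitBlock->getTerminator()->eraseFromParent();`. Snapshotting into a `SmallVector` before erasing is the right shape for this fix, since `eraseFromParent()` on a split block's `br` drops its use of `TailBB` and so mutates the very predecessor list the old range-for was walking. The `assert(Splits.size() == 2 ...)` documents the expected two-way split but is compiled out in release builds, so keeping the loop bound on `Splits.size()` rather than hard-coding two iterations is correct; the `FIXME: remove TI in copyMustTailReturn` above the hunk still stands after this change.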