[PATCH] D66330: Fix use-after-free in CodeGenPrepare

Sanjay Patel via Phabricator via llvm-commits llvm-commits at lists.llvm.org
Fri Aug 16 16:13:42 PDT 2019 

This revision was automatically updated to reflect the committed changes.
Closed by commit rL369168: [CodeGenPrepare] Fix use-after-free (authored by spatel, committed by ).

Changed prior to commit:
  https://reviews.llvm.org/D66330?vs=215530&id=215706#toc

Repository:
  rL LLVM

CHANGES SINCE LAST ACTION
  https://reviews.llvm.org/D66330/new/

https://reviews.llvm.org/D66330

Files:
  llvm/trunk/lib/CodeGen/CodeGenPrepare.cpp
  llvm/trunk/test/Transforms/CodeGenPrepare/sink-shift-and-trunc.ll


Index: llvm/trunk/test/Transforms/CodeGenPrepare/sink-shift-and-trunc.ll
===================================================================
--- llvm/trunk/test/Transforms/CodeGenPrepare/sink-shift-and-trunc.ll
+++ llvm/trunk/test/Transforms/CodeGenPrepare/sink-shift-and-trunc.ll
@@ -58,6 +58,23 @@
   ret i32 %retval.0, !dbg !63
 }
 
+; CodeGenPrepare was erasing the unused lshr instruction, but then further
+; processing the instruction after it was freed. If this bug is still present,
+; this test will always crash in an LLVM built with ASAN enabled, and may
+; crash even if ASAN is not enabled.
+
+define i32 @shift_unused(i32 %a) {
+; CHECK-LABEL: @shift_unused(
+; CHECK-NEXT:  BB2:
+; CHECK-NEXT:    ret i32 [[A:%.*]]
+;
+  %as = lshr i32 %a, 3
+  br label %BB2
+
+BB2:
+  ret i32 %a
+}
+
 ; CHECK: [[shift1_loc]] = !DILocation(line: 1
 ; CHECK: [[trunc1_loc]] = !DILocation(line: 2
 ; CHECK: [[shift2_loc]] = !DILocation(line: 3
Index: llvm/trunk/lib/CodeGen/CodeGenPrepare.cpp
===================================================================
--- llvm/trunk/lib/CodeGen/CodeGenPrepare.cpp
+++ llvm/trunk/lib/CodeGen/CodeGenPrepare.cpp
@@ -1682,10 +1682,11 @@
     TheUse = InsertedShift;
   }
 
-  // If we removed all uses, nuke the shift.
+  // If we removed all uses, or there are none, nuke the shift.
   if (ShiftI->use_empty()) {
     salvageDebugInfo(*ShiftI);
     ShiftI->eraseFromParent();
+    MadeChange = true;
   }
 
   return MadeChange;


-------------- next part --------------
A non-text attachment was scrubbed...
Name: D66330.215706.patch
Type: text/x-patch
Size: 1470 bytes
Desc: not available
URL: <http://lists.llvm.org/pipermail/llvm-commits/attachments/20190816/e64d7998/attachment.bin>

More information about the llvm-commits mailing list