[llvm] r369168 - [CodeGenPrepare] Fix use-after-free

Hans Wennborg via llvm-commits llvm-commits at lists.llvm.org
Tue Aug 20 02:43:54 PDT 2019


Merged to release_90 in r369355.

On Sat, Aug 17, 2019 at 1:09 AM Sanjay Patel via llvm-commits
<llvm-commits at lists.llvm.org> wrote:
>
> Author: spatel
> Date: Fri Aug 16 16:10:34 2019
> New Revision: 369168
>
> URL: http://llvm.org/viewvc/llvm-project?rev=369168&view=rev
> Log:
> [CodeGenPrepare] Fix use-after-free
>
> If OptimizeExtractBits() encountered a shift instruction with no operands at all,
> it would erase the instruction, but still return false.
>
> This previously didn’t matter because its caller would always return after
> processing the instruction, but https://reviews.llvm.org/D63233 changed the
> function’s caller to fall through if it returned false, which would then cause
> a use-after-free detectable by ASAN.
>
> This change makes OptimizeExtractBits return true if it removes a shift
> instruction with no users, terminating processing of the instruction.
>
> Patch by: @brentdax (Brent Royal-Gordon)
>
> Differential Revision: https://reviews.llvm.org/D66330
>
> Modified:
>     llvm/trunk/lib/CodeGen/CodeGenPrepare.cpp
>     llvm/trunk/test/Transforms/CodeGenPrepare/sink-shift-and-trunc.ll
>
> Modified: llvm/trunk/lib/CodeGen/CodeGenPrepare.cpp
> URL: http://llvm.org/viewvc/llvm-project/llvm/trunk/lib/CodeGen/CodeGenPrepare.cpp?rev=369168&r1=369167&r2=369168&view=diff
> ==============================================================================
> --- llvm/trunk/lib/CodeGen/CodeGenPrepare.cpp (original)
> +++ llvm/trunk/lib/CodeGen/CodeGenPrepare.cpp Fri Aug 16 16:10:34 2019
> @@ -1682,10 +1682,11 @@ static bool OptimizeExtractBits(BinaryOp
>      TheUse = InsertedShift;
>    }
>
> -  // If we removed all uses, nuke the shift.
> +  // If we removed all uses, or there are none, nuke the shift.
>    if (ShiftI->use_empty()) {
>      salvageDebugInfo(*ShiftI);
>      ShiftI->eraseFromParent();
> +    MadeChange = true;
>    }
>
>    return MadeChange;
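Review bot: the `+    MadeChange = true;` line fixes the dangling-pointer path, but it overloads the return value: `true` now means both "the IR was rewritten" and "ShiftI has been erased, do not touch it again", and the caller's memory safety depends on the second meaning rather than the first. Consider documenting that contract in the header comment of OptimizeExtractBits (the hunk shows only its tail), e.g. `// Returns true if ShiftI was modified or erased; callers must not touch ShiftI after a true return.`, so that the next refactor of the caller in the style of D63233 does not reintroduce the use-after-free described in the log.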
>
> Modified: llvm/trunk/test/Transforms/CodeGenPrepare/sink-shift-and-trunc.ll
> URL: http://llvm.org/viewvc/llvm-project/llvm/trunk/test/Transforms/CodeGenPrepare/sink-shift-and-trunc.ll?rev=369168&r1=369167&r2=369168&view=diff
> ==============================================================================
> --- llvm/trunk/test/Transforms/CodeGenPrepare/sink-shift-and-trunc.ll (original)
> +++ llvm/trunk/test/Transforms/CodeGenPrepare/sink-shift-and-trunc.ll Fri Aug 16 16:10:34 2019
> @@ -58,6 +58,23 @@ return:
>    ret i32 %retval.0, !dbg !63
>  }
>
> +; CodeGenPrepare was erasing the unused lshr instruction, but then further
> +; processing the instruction after it was freed. If this bug is still present,
> +; this test will always crash in an LLVM built with ASAN enabled, and may
> +; crash even if ASAN is not enabled.
> +
> +define i32 @shift_unused(i32 %a) {
> +; CHECK-LABEL: @shift_unused(
> +; CHECK-NEXT:  BB2:
> +; CHECK-NEXT:    ret i32 [[A:%.*]]
> +;
> +  %as = lshr i32 %a, 3
> +  br label %BB2
> +
> +BB2:
> +  ret i32 %a
> +}
> +
>  ; CHECK: [[shift1_loc]] = !DILocation(line: 1
>  ; CHECK: [[trunc1_loc]] = !DILocation(line: 2
>  ; CHECK: [[shift2_loc]] = !DILocation(line: 3
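Review bot: the regression test pins the entire function body with `; CHECK-NEXT:  BB2:` followed by `; CHECK-NEXT:    ret i32 [[A:%.*]]`, so it also asserts that the dead `lshr` and the then-empty entry block are removed, not merely that nothing crashes; one sentence in the comment block above `define i32 @shift_unused` saying that the entry block is expected to be folded into `BB2` would make that intent explicit for readers who see `BB2:` directly after the function label. Also, since the fixed branch is only reached when `ShiftI->use_empty()` holds, `%as` must stay unused if this test is edited later; a note to that effect next to `%as = lshr i32 %a, 3` would protect the test from silently stopping to cover the bug.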
>
>
> _______________________________________________
> llvm-commits mailing list
> llvm-commits at lists.llvm.org
> https://lists.llvm.org/cgi-bin/mailman/listinfo/llvm-commits
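The log above describes a classic compiler-pass use-after-free: a helper erases the instruction it was handed but reports "no change", so the caller falls through and dereferences freed memory. The following C++ is an added illustration, not LLVM code and not part of the commit: it models the pre-fix and post-fix contracts of OptimizeExtractBits over a tiny IR-like block, and replaces real deallocation with a quarantine (the same idea ASAN uses) so that a touch of an erased instruction is recorded as a flag instead of being undefined behaviour. The `Inst`, `Block`, `optimizeInst` and helper names, and the single dead `lshr` input, are constructed for the example.

```cpp
// Added example (not LLVM code): models the "erased but returned false" bug
// fixed in r369168 and shows how a quarantine makes the dangling access
// observable in a unit test instead of relying on ASAN at runtime.
#include <cstddef>
#include <iostream>
#include <memory>
#include <string>
#include <utility>
#include <vector>

struct Inst {
    std::string opcode;     // e.g. "lshr", "br", "ret"
    std::size_t numUsers;   // how many other instructions read this value
    bool erased = false;    // set by Block::erase; plays the role of ASAN's poison
};

struct Block {
    std::vector<std::unique_ptr<Inst>> insts;
    std::vector<std::unique_ptr<Inst>> quarantine; // erased, but kept alive so touches are detectable
    bool useAfterErase = false;

    Inst *add(std::string op, std::size_t users) {
        auto I = std::make_unique<Inst>();
        I->opcode = std::move(op);
        I->numUsers = users;
        insts.push_back(std::move(I));
        return insts.back().get();
    }
    // In LLVM, eraseFromParent() frees the instruction; here it is quarantined.
    void erase(Inst *I) {
        for (auto it = insts.begin(); it != insts.end(); ++it) {
            if (it->get() == I) {
                I->erased = true;
                quarantine.push_back(std::move(*it));
                insts.erase(it);
                return;
            }
        }
    }
    // Every read of an instruction goes through here so a dangling touch is recorded.
    const std::string &opcodeOf(Inst *I) {
        if (I->erased) useAfterErase = true;
        return I->opcode;
    }
};

// Pre-fix contract: erases a user-less shift but still reports "no change".
static bool optimizeExtractBitsBuggy(Inst *ShiftI, Block &BB) {
    bool MadeChange = false;
    if (ShiftI->numUsers == 0) {
        BB.erase(ShiftI);
        // MadeChange stays false: the caller cannot tell that ShiftI is gone.
    }
    return MadeChange;
}

// Post-fix contract (r369168): true means "ShiftI was consumed, stop processing it".
static bool optimizeExtractBitsFixed(Inst *ShiftI, Block &BB) {
    bool MadeChange = false;
    if (ShiftI->numUsers == 0) {
        BB.erase(ShiftI);
        MadeChange = true;
    }
    return MadeChange;
}

// Caller shaped like the post-D63233 CodeGenPrepare caller: it falls through to
// further pattern checks (which read the instruction again) when the helper
// returns false.
template <typename Helper>
static bool optimizeInst(Inst *I, Block &BB, Helper helper) {
    if (BB.opcodeOf(I) == "lshr" || BB.opcodeOf(I) == "shl") {
        if (helper(I, BB))
            return true; // instruction may have been erased; do not touch it again
    }
    return BB.opcodeOf(I) == "ret"; // fall-through: dereferences I again
}

// Runs the constructed dead-shift block (like %as = lshr i32 %a, 3 with no
// users) through `helper` and reports whether an erased instruction was read.
template <typename Helper>
static bool detectsUseAfterErase(Helper helper) {
    Block BB;
    Inst *shift = BB.add("lshr", 0); // constructed: unused shift, as in @shift_unused
    BB.add("br", 0);
    optimizeInst(shift, BB, helper);
    return BB.useAfterErase;
}

int main() {
    std::cout << "buggy helper touches erased inst: "
              << detectsUseAfterErase(optimizeExtractBitsBuggy) << "\n";
    std::cout << "fixed helper touches erased inst: "
              << detectsUseAfterErase(optimizeExtractBitsFixed) << "\n";
    return 0;
}
```

The quarantine is the part worth copying into a real test suite: by never handing memory back to the allocator during a test and tagging erased objects, the "erased but still returned false" mistake becomes a deterministic assertion failure rather than a crash that, as the regression test's comment notes, may or may not reproduce without ASAN.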