[PATCH] D111112: [SCCPSolver] Fix use-after-free in markArgInFuncSpecialization.
duk via Phabricator via llvm-commits
llvm-commits at lists.llvm.org
Mon Oct 4 21:09:09 PDT 2021
duck-37 created this revision.
duck-37 added a reviewer: SjoerdMeijer.
Herald added a subscriber: hiraditya.
duck-37 requested review of this revision.
Herald added a project: LLVM.
Herald added a subscriber: llvm-commits.
In SCCPSolver::markArgInFuncSpecialization, the ValueState map may be reallocated *after* the initial ValueLatticeElement reference is grabbed, but *before* its use in copy initialization. This causes a use-after-free.
To fix this, this commit changes the behavior to create the new ValueLatticeElement before assigning the old one to it.
Repository:
rG LLVM Github Monorepo
https://reviews.llvm.org/D111112
Files:
llvm/lib/Transforms/Utils/SCCPSolver.cpp
Index: llvm/lib/Transforms/Utils/SCCPSolver.cpp
===================================================================
--- llvm/lib/Transforms/Utils/SCCPSolver.cpp
+++ llvm/lib/Transforms/Utils/SCCPSolver.cpp
@@ -540,8 +540,9 @@
E = F->arg_end();
I != E; ++I, ++J)
if (J != A && ValueState.count(I)) {
- ValueState[J] = ValueState[I];
- pushToWorkList(ValueState[J], J);
+ auto &NewValue = ValueState[J];
+ NewValue = ValueState[I];
+ pushToWorkList(NewValue, J);
}
}
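Review bot: The reordering is sound only because the `ValueState.count(I)` guard on the `if` line guarantees that `ValueState[I]` hits an existing entry and cannot insert, so the map cannot be reallocated between taking `auto &NewValue = ValueState[J];` and the assignment `NewValue = ValueState[I];`. That invariant is not obvious at the call site and deserves a one-line comment, otherwise a later cleanup may collapse it back to `ValueState[J] = ValueState[I];`, where the evaluation order of the two `operator[]` calls is unspecified and the insertion for `J` can invalidate the reference obtained for `I`, which is exactly the use-after-free described above. A regression test that forces the map to grow during this loop (run under a sanitizer) would also guard the fix against that regression.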