[PATCH] D111112: [SCCPSolver] Fix use-after-free in markArgInFuncSpecialization.
Sjoerd Meijer via Phabricator via llvm-commits
llvm-commits at lists.llvm.org
Tue Oct 5 01:18:39 PDT 2021
SjoerdMeijer added a comment.
Thanks for looking into this!
I think I may have been bitten by this before (or something similar), but it's easy to forget the details here... So perhaps you can help me a bit by expanding a bit on this:
> In SCCPSolver::markArgInFuncSpecialization, the ValueState map may be reallocated *after* the initial ValueLatticeElement reference is grabbed, but *before* its use in copy initialization.
I know the `operator[]` is kind of considered harmful for maps, but in this case that seemed fine and doesn't seem the cause of the problem, is that right? So perhaps you can expand on the reallocation (of the map?) that I don't quite get.
================
Comment at: llvm/lib/Transforms/Utils/SCCPSolver.cpp:543
if (J != A && ValueState.count(I)) {
- ValueState[J] = ValueState[I];
- pushToWorkList(ValueState[J], J);
+ auto &NewValue = ValueState[J];
+ NewValue = ValueState[I];
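Review bot: the two-statement split is the entire fix, so the comment requested above should state the mechanism: `ValueState[J]` can insert a new key and rehash the DenseMap, which reallocates its buckets and invalidates every outstanding reference into it. In the removed single-statement form `ValueState[J] = ValueState[I];` the order in which the two `operator[]` calls are evaluated is unspecified (the right operand is only guaranteed to be sequenced first from C++17 on), so the compiler may take the reference to `I` first and then insert `J`, making the copy read freed memory. In the new form the possibly-inserting lookup of `J` happens first, and the subsequent lookup of `I` cannot insert because `ValueState.count(I)` already holds, so `NewValue` stays valid. The replacement for the removed `pushToWorkList(ValueState[J], J)` is outside the visible hunk; passing `NewValue` there saves a third lookup and is safe as long as nothing between the two statements inserts into the map.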
----------------
This is probably non-obvious enough that a little comment would be useful why we are doing this.
Repository:
rG LLVM Github Monorepo
https://reviews.llvm.org/D111112
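As an added example (not part of the patch or of LLVM's code) illustrating the reallocation Sjoerd asks about: a toy open-addressing map stands in for llvm::DenseMap, and the two `operator[]` orderings are shown side by side. `TinyMap`, `threeEntryMap` and the sample keys are constructed for this illustration; the hazard check compares addresses instead of touching the stale reference.

```cpp
#include <cstddef>
#include <cstdint>
#include <vector>
// Toy open-addressing map standing in for llvm::DenseMap (constructed, not LLVM
// code): growing reallocates every bucket, so a reference handed out by
// operator[] before a later, inserting operator[] call is left dangling.
struct TinyMap {
  struct Bucket { int Key = -1; int Val = 0; };       // Key == -1: empty slot
  std::vector<Bucket> Buckets = std::vector<Bucket>(4);
  std::size_t Size = 0;
  std::size_t findSlot(int K) const {                 // linear probing
    std::size_t S = static_cast<std::size_t>(K) % Buckets.size();
    while (Buckets[S].Key != -1 && Buckets[S].Key != K) S = (S + 1) % Buckets.size();
    return S;
  }
  bool count(int K) const { return Buckets[findSlot(K)].Key == K; }
  void grow() {                                       // rehash into 2x storage
    std::vector<Bucket> Old; Old.swap(Buckets);
    Buckets.assign(Old.size() * 2, Bucket{});
    Size = 0;
    for (const Bucket &B : Old)
      if (B.Key != -1) (*this)[B.Key] = B.Val;
  }
  int &operator[](int K) {                            // inserts K if absent
    if (!count(K) && (Size + 1) * 4 > Buckets.size() * 3) grow();  // >75% load
    std::size_t S = findSlot(K);
    if (Buckets[S].Key == -1) { Buckets[S].Key = K; ++Size; }
    return Buckets[S].Val;
  }
};
TinyMap threeEntryMap() {         // constructed sample: keys 0,1,2 -> 75% load
  TinyMap M;
  for (int K = 0; K < 3; ++K) M[K] = K * 10;
  return M;
}
// Original order (reference to I taken first, then J inserted): true when the
// insertion reallocated the table, i.e. the reference we held is now stale.
bool refToIDanglesAfterInsertingJ(int I, int J) {
  TinyMap M = threeEntryMap();
  auto Ref = reinterpret_cast<std::uintptr_t>(&M[I]);
  M[J];
  return reinterpret_cast<std::uintptr_t>(&M[I]) != Ref;
}
int copyIntoJThenRead(int I, int J) {   // fixed order from D111112
  TinyMap M = threeEntryMap();
  if (J == I || !M.count(I)) return -1;
  int &NewValue = M[J];   // may insert J and grow the table: do this first
  NewValue = M[I];        // I exists, so this lookup cannot reallocate
  return NewValue;
}
```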