[llvm] cdfc678 - [SCCPSolver] Fix use-after-free in markArgInFuncSpecialization
Sjoerd Meijer via llvm-commits
llvm-commits at lists.llvm.org
Tue Oct 5 04:57:51 PDT 2021
Author: Sjoerd Meijer
Date: 2021-10-05T12:56:32+01:00
New Revision: cdfc678572d60af414daf56a5f2f5811f7e6ca31
URL: https://github.com/llvm/llvm-project/commit/cdfc678572d60af414daf56a5f2f5811f7e6ca31
DIFF: https://github.com/llvm/llvm-project/commit/cdfc678572d60af414daf56a5f2f5811f7e6ca31.diff
LOG: [SCCPSolver] Fix use-after-free in markArgInFuncSpecialization
In SCCPSolver::markArgInFuncSpecialization, the ValueState map may be
reallocated *after* the initial ValueLatticeElement reference is grabbed, but
*before* its use in copy initialization. This causes a use-after-free. To fix
this, this commit changes the behavior to create the new ValueLatticeElement
before assigning the old one to it.
Patch by: https://github.com/duck-37/
Differential Revision: https://reviews.llvm.org/D111112
Added:
Modified:
llvm/lib/Transforms/Utils/SCCPSolver.cpp
Removed:
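The hazard the commit message describes, reduced to a self-contained C++ model. This is an added example, not LLVM code: `GrowingMap` is a constructed stand-in for `DenseMap` whose `operator[]` inserts on a miss and replaces its bucket array when it grows; `referenceInvalidatedByInsert` follows the pre-patch ordering (bind a reference to `ValueState[I]`, then insert `J`), and `copyArgState` follows the patched ordering (insert `J`, bind `NewValue`, then read `I`). `ValueState`, `I`, `J` and `NewValue` are the names from the patch; every other name, the 3/4 load threshold and the reallocation counter (standing in for what AddressSanitizer would report) are assumptions of the example.

```cpp
// Added example (not LLVM code): a toy open-addressing map standing in for
// DenseMap, used to show why a reference obtained from the map must not be
// held across an insertion. Everything here is constructed for illustration.
#include <cstddef>
#include <cstdio>
#include <utility>
#include <vector>

struct GrowingMap {
  struct Bucket { int key = -1; int value = 0; };   // key == -1 marks an empty slot
  std::vector<Bucket> buckets = std::vector<Bucket>(4);
  std::size_t size = 0;
  std::size_t reallocations = 0;   // bumped every time the bucket array is replaced

  std::size_t slot(int key) const { return static_cast<std::size_t>(key) & (buckets.size() - 1); }

  // Linear probing; returns nullptr when the key is absent.
  Bucket *find(int key) {
    std::size_t i = slot(key);
    for (std::size_t n = 0; n < buckets.size(); ++n, i = (i + 1) & (buckets.size() - 1)) {
      if (buckets[i].key == key) return &buckets[i];
      if (buckets[i].key == -1) return nullptr;
    }
    return nullptr;
  }
  Bucket *probeEmpty(int key) {
    std::size_t i = slot(key);
    while (buckets[i].key != -1) i = (i + 1) & (buckets.size() - 1);
    return &buckets[i];
  }
  bool count(int key) { return find(key) != nullptr; }

  // Like DenseMap::operator[]: insert on miss, and grow once the load factor
  // would pass 3/4 (assumed threshold). Growing replaces the bucket array, so
  // every reference previously returned by operator[] is invalidated.
  int &operator[](int key) {
    if (Bucket *b = find(key)) return b->value;
    if ((size + 1) * 4 > buckets.size() * 3) grow();
    Bucket *b = probeEmpty(key);
    b->key = key;
    ++size;
    return b->value;
  }
  void grow() {
    std::vector<Bucket> old = std::move(buckets);
    buckets = std::vector<Bucket>(old.size() * 2);
    ++reallocations;
    for (const Bucket &b : old)
      if (b.key != -1) *probeEmpty(b.key) = b;
  }
};

// Pre-patch ordering: `ValueState[J] = ValueState[I]` binds the reference to
// I's value, then operator[] for J runs and may reallocate before the copy
// completes. Rather than dereference the stale reference (undefined behaviour),
// report whether a reallocation happened while it was held. The map is taken
// by value so each call starts from a fresh copy.
bool referenceInvalidatedByInsert(GrowingMap ValueState, int I, int J) {
  int &oldValue = ValueState[I];          // I is already present: no insert here
  std::size_t reallocsAtBind = ValueState.reallocations;
  (void)ValueState[J];                    // insert J; may grow the map
  (void)oldValue;                         // deliberately never read after the insert
  return ValueState.reallocations != reallocsAtBind;
}

// Patched ordering (cdfc678): make J exist first so any growth happens now,
// bind NewValue to J's slot, then read I through a fresh lookup. Returns the
// copied value and whether the map reallocated after NewValue was bound.
struct CopyResult { int copied; bool reallocatedAfterBind; };

CopyResult copyArgState(GrowingMap ValueState, int I, int J) {
  auto &NewValue = ValueState[J];
  std::size_t reallocsAtBind = ValueState.reallocations;
  NewValue = ValueState[I];               // I exists (count() checked), so this never inserts
  return {NewValue, ValueState.reallocations != reallocsAtBind};
}

// Constructed input: three entries in four buckets, so the next insert crosses
// the load threshold and forces a reallocation.
GrowingMap mapAtGrowthThreshold() {
  GrowingMap m;
  for (int k = 0; k < 3; ++k) m[k] = k * 10;
  return m;
}

int main() {
  std::printf("pre-patch ordering: reference invalidated = %d\n",
              referenceInvalidatedByInsert(mapAtGrowthThreshold(), 0, 3));
  CopyResult r = copyArgState(mapAtGrowthThreshold(), 2, 3);
  std::printf("patched ordering: copied %d, reallocated after bind = %d\n",
              r.copied, r.reallocatedAfterBind);
  return 0;
}
```

Running it under AddressSanitizer adds nothing here because the stale reference is never dereferenced; the counter is the observable. The point the model makes is that correctness depends on ordering alone: the patched sequence never holds a reference across a call that can insert, which is the property a reviewer should check for any `operator[]` use on a map that owns its storage.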
################################################################################
diff --git a/llvm/lib/Transforms/Utils/SCCPSolver.cpp b/llvm/lib/Transforms/Utils/SCCPSolver.cpp
index 4cf99abcc10f4..4475474e6b16f 100644
--- a/llvm/lib/Transforms/Utils/SCCPSolver.cpp
+++ b/llvm/lib/Transforms/Utils/SCCPSolver.cpp
@@ -540,8 +540,14 @@ void SCCPInstVisitor::markArgInFuncSpecialization(Function *F, Argument *A,
E = F->arg_end();
I != E; ++I, ++J)
if (J != A && ValueState.count(I)) {
- ValueState[J] = ValueState[I];
- pushToWorkList(ValueState[J], J);
+ // Note: This previously looked like this:
+ // ValueState[J] = ValueState[I];
+ // This is incorrect because the DenseMap class may resize the underlying
+ // memory when inserting `J`, which will invalidate the reference to `I`.
+ // Instead, we make sure `J` exists, then set it to `I` afterwards.
+ auto &NewValue = ValueState[J];
+ NewValue = ValueState[I];
+ pushToWorkList(NewValue, J);
}
}
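Review bot: No regression test accompanies this hunk (the `Added:` list above is empty), so the reallocation path it fixes stays unexercised; a test with enough specialised arguments to push `ValueState` across a DenseMap growth boundary, run under AddressSanitizer, would catch a reintroduction of the old ordering. The fix itself is sound: because the loop guard checks `ValueState.count(I)`, the read of `ValueState[I]` after `NewValue` is bound cannot insert, so no rehash can occur between binding `NewValue` and its use in `pushToWorkList(NewValue, J)`. One wording point: the new comment describes history ("This previously looked like this"), which loses its meaning once the blame context is gone; stating the invariant in the present tense, e.g. `// ValueState[J] may grow the DenseMap and invalidate any reference into it, so create J's entry before reading ValueState[I].`, is more durable and also makes "invalidate the reference to `I`" precise (it is the reference to I's lattice value that dangles, not `I` itself).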