[PATCH] D118591: [Function Specialisation] Fix use after free

Alexandros Lamprineas via Phabricator via llvm-commits llvm-commits at lists.llvm.org
Mon Jan 31 02:52:54 PST 2022 

labrinea created this revision.
labrinea added reviewers: SjoerdMeijer, llvm-commits.
Herald added a subscriber: hiraditya.
labrinea requested review of this revision.
Herald added a project: LLVM.

This is a fix for a use-after-free found by the address sanitizer when compiling GCC: https://github.com/llvm/llvm-project/issues/52821

The `Function Specialization` pass may remove instructions, cached inside the `PredicateBase` class, which are later being dereferenced from the `SCCPInstVisitor` class. To prevent the dangling references I have replaced the raw pointers to such objects with weak value handles. I have not added a testcase since the reproducer is derived from GCC sources.


Repository:
  rG LLVM Github Monorepo

https://reviews.llvm.org/D118591

Files:
  llvm/include/llvm/Transforms/Utils/PredicateInfo.h
  llvm/lib/Transforms/Utils/PredicateInfo.cpp


Index: llvm/lib/Transforms/Utils/PredicateInfo.cpp
===================================================================
--- llvm/lib/Transforms/Utils/PredicateInfo.cpp
+++ llvm/lib/Transforms/Utils/PredicateInfo.cpp
@@ -792,6 +792,9 @@
 }
 
 Optional<PredicateConstraint> PredicateBase::getConstraint() const {
+  if (!OriginalOp || !RenamedOp || !Condition)
+    return None;
+
   switch (Type) {
   case PT_Assume:
   case PT_Branch: {
@@ -909,6 +912,8 @@
   void emitInstructionAnnot(const Instruction *I,
                             formatted_raw_ostream &OS) override {
     if (const auto *PI = PredInfo->getPredicateInfoFor(I)) {
+      if (!PI->OriginalOp || !PI->RenamedOp || !PI->Condition)
+        return;
       OS << "; Has predicate info\n";
       if (const auto *PB = dyn_cast<PredicateBranch>(PI)) {
         OS << "; branch predicate info { TrueEdge: " << PB->TrueEdge
Index: llvm/include/llvm/Transforms/Utils/PredicateInfo.h
===================================================================
--- llvm/include/llvm/Transforms/Utils/PredicateInfo.h
+++ llvm/include/llvm/Transforms/Utils/PredicateInfo.h
@@ -85,13 +85,13 @@
   // The original operand before we renamed it.
   // This can be use by passes, when destroying predicateinfo, to know
   // whether they can just drop the intrinsic, or have to merge metadata.
-  Value *OriginalOp;
+  WeakVH OriginalOp;
   // The renamed operand in the condition used for this predicate. For nested
   // predicates, this is different to OriginalOp which refers to the initial
   // operand.
-  Value *RenamedOp;
+  WeakVH RenamedOp;
   // The condition associated with this predicate.
-  Value *Condition;
+  WeakVH Condition;
 
   PredicateBase(const PredicateBase &) = delete;
   PredicateBase &operator=(const PredicateBase &) = delete;


-------------- next part --------------
A non-text attachment was scrubbed...
Name: D118591.404457.patch
Type: text/x-patch
Size: 1805 bytes
Desc: not available
URL: <http://lists.llvm.org/pipermail/llvm-commits/attachments/20220131/06da1f32/attachment.bin>

More information about the llvm-commits mailing list