[PATCH] D118591: [Function Specialisation] Fix use after free
Alexandros Lamprineas via Phabricator via llvm-commits
llvm-commits at lists.llvm.org
Mon Jan 31 06:20:57 PST 2022
labrinea added a comment.
In D118591#3283559 <https://reviews.llvm.org/D118591#3283559>, @nikic wrote:
> Can you please explain in more detail where exactly an instruction referenced by PredicateInfo gets removed, and why other passes using PredicateInfo (IPSCCP and NewGVN) do not encounter this issue?
Hi. If you follow the github link there's a dump from the address sanitizer and some explanation on the description of the issue. The instruction is removed by the function specialization pass inside `tryToReplaceWithConstant` after all its uses have been replaced. As far as I understand, the dangling pointer is then being dereferenced inside `PredicateBase::getConstraint()` (the function I've patched), which is being called from `SCCPInstVisitor::handleCallResult`. Both FunctionSpecialization and IPSCCP are using the SCCPSolver, which in turn is using the SCCPInstVisitor. The bug was exposed with ASAN when compiling GCC, so if the NewGVN is using the same machinery as the other passes, then it is potentially affected. I made a bootstrap build of clang with ASAN and FunctionSpecialization enabled and it succeeded. Also the reproducer is not triggering the use-after-free anymore.
Repository:
rG LLVM Github Monorepo
https://reviews.llvm.org/D118591
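The lifetime hazard described in the comment above, as an added illustration that is not LLVM code and does not reproduce the actual change in D118591: a function owns its instructions, a side table (modelling PredicateInfo) keeps non-owning pointers to them, and replacing an instruction with a constant and erasing it leaves those pointers dangling unless the side table is invalidated. `Function`, `PredicateBase::RenamedOp`, `replaceWithConstantAndErase`, `getConstraint` and the `isLive` check are assumptions made for this model; the real classes, the real entry point and the real fix are not shown here.

```cpp
#include <algorithm>
#include <cstdio>
#include <iterator>
#include <map>
#include <memory>
#include <optional>
#include <string>
#include <vector>

// Hypothetical model, not LLVM's classes: an IR instruction owned by a function.
struct Instruction {
  std::string Name;
  std::vector<Instruction *> Operands;  // non-owning uses
};

// Model of a PredicateInfo entry: a non-owning pointer to the renamed operand.
struct PredicateBase {
  Instruction *RenamedOp;
};

struct Function {
  std::vector<std::unique_ptr<Instruction>> Insts;  // owning storage
  std::map<Instruction *, PredicateBase> PredInfo;  // side table of raw pointers
  int StaleEntriesSeen = 0;                         // counts what ASAN would otherwise report

  Instruction *create(const std::string &Name, std::vector<Instruction *> Ops = {}) {
    Insts.push_back(std::make_unique<Instruction>(Instruction{Name, std::move(Ops)}));
    return Insts.back().get();
  }

  // Pointer identity against the owning container; never dereferences I.
  // (Only valid while no new instruction has reused the freed address.)
  bool isLive(const Instruction *I) const {
    return std::any_of(Insts.begin(), Insts.end(),
                       [I](const auto &P) { return P.get() == I; });
  }

  // Model of tryToReplaceWithConstant: rewrite every use of I, then erase I.
  // Without InvalidateSideTable the PredInfo entries that mention I dangle.
  void replaceWithConstantAndErase(Instruction *I, bool InvalidateSideTable) {
    for (auto &Other : Insts)
      for (auto &Op : Other->Operands)
        if (Op == I) Op = nullptr;  // stands in for "this use is now a constant"
    if (InvalidateSideTable) {
      PredInfo.erase(I);
      for (auto It = PredInfo.begin(); It != PredInfo.end();)
        It = (It->second.RenamedOp == I) ? PredInfo.erase(It) : std::next(It);
    }
    Insts.erase(std::remove_if(Insts.begin(), Insts.end(),
                               [I](const auto &P) { return P.get() == I; }),
                Insts.end());  // the instruction's memory is freed here
  }

  // Model of getConstraint: the renamed operand's name, or nothing. The liveness
  // check is the defensive step; dereferencing RenamedOp without it is the
  // use-after-free when the entry was left stale.
  std::optional<std::string> getConstraint(Instruction *User) {
    auto It = PredInfo.find(User);
    if (It == PredInfo.end()) return std::nullopt;
    if (!isLive(It->second.RenamedOp)) { ++StaleEntriesSeen; return std::nullopt; }
    return It->second.RenamedOp->Name;
  }
};

// Constructed scenario: %x, its predicate-renamed copy %x.pi, and a call using it.
static Function buildScenario(Instruction *&X, Instruction *&XPI) {
  Function F;
  X = F.create("x");
  XPI = F.create("x.pi", {X});
  F.create("call", {XPI});
  F.PredInfo[XPI] = PredicateBase{X};  // %x.pi renames %x
  return F;
}

// Before folding, the constraint for %x.pi is reachable and names %x.
std::optional<std::string> constraintBeforeFold() {
  Instruction *X = nullptr, *XPI = nullptr;
  Function F = buildScenario(X, XPI);
  return F.getConstraint(XPI);
}

// After %x is folded and erased, how many stale entries does a lookup hit?
int staleAfterFold(bool InvalidateSideTable) {
  Instruction *X = nullptr, *XPI = nullptr;
  Function F = buildScenario(X, XPI);
  F.replaceWithConstantAndErase(X, InvalidateSideTable);
  (void)F.getConstraint(XPI);
  return F.StaleEntriesSeen;
}

int main() {
  std::printf("before fold: %s\n", constraintBeforeFold().value_or("<none>").c_str());
  std::printf("stale entries without invalidation: %d\n", staleAfterFold(false));
  std::printf("stale entries with invalidation:    %d\n", staleAfterFold(true));
  return 0;
}
```

Under AddressSanitizer the unchecked dereference of `RenamedOp` in the no-invalidation case is exactly the heap-use-after-free the comment describes; the model's `isLive` scan stands in for that detection so the program stays well-defined. Either scrubbing the side table when the instruction is erased, or refusing to dereference an entry whose target is gone, closes the window; which of the two D118591 chose is not something this model asserts.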