[llvm] 438a81a - [Function Specialisation] Fix use after free

Alexandros Lamprineas via llvm-commits llvm-commits at lists.llvm.org
Wed Feb 2 08:32:49 PST 2022 

Author: Alexandros Lamprineas
Date: 2022-02-02T16:32:10Z
New Revision: 438a81a2847f615c8c6236b59096393c9d285e00

URL: https://github.com/llvm/llvm-project/commit/438a81a2847f615c8c6236b59096393c9d285e00
DIFF: https://github.com/llvm/llvm-project/commit/438a81a2847f615c8c6236b59096393c9d285e00.diff

LOG: [Function Specialisation] Fix use after free

This is a fix for a use-after-free found by the address sanitizer when
compiling GCC: https://github.com/llvm/llvm-project/issues/52821

The Function Specialization pass may remove instructions, cached
inside the PredicateBase class, which are later being dereferenced
from the SCCPInstVisitor class. To prevent the dangling references
I am lazily deleting the dead instructions after the Solver has run.

Differential Revision: https://reviews.llvm.org/D118591

Added: 
    llvm/test/Transforms/FunctionSpecialization/bug52821-use-after-free.ll

Modified: 
    llvm/lib/Transforms/IPO/FunctionSpecialization.cpp

Removed: 
    


################################################################################
diff  --git a/llvm/lib/Transforms/IPO/FunctionSpecialization.cpp b/llvm/lib/Transforms/IPO/FunctionSpecialization.cpp
index 6c3cc3914337..9b6246b380bf 100644
--- a/llvm/lib/Transforms/IPO/FunctionSpecialization.cpp
+++ b/llvm/lib/Transforms/IPO/FunctionSpecialization.cpp
@@ -276,6 +276,7 @@ class FunctionSpecializer {
   std::function<TargetLibraryInfo &(Function &)> GetTLI;
 
   SmallPtrSet<Function *, 2> SpecializedFuncs;
+  SmallVector<Instruction *> ReplacedWithConstant;
 
 public:
   FunctionSpecializer(SCCPSolver &Solver,
@@ -320,6 +321,15 @@ class FunctionSpecializer {
     return Changed;
   }
 
+  void removeDeadInstructions() {
+    for (auto *I : ReplacedWithConstant) {
+      LLVM_DEBUG(dbgs() << "FnSpecialization: Removing dead instruction "
+                        << *I << "\n");
+      I->eraseFromParent();
+    }
+    ReplacedWithConstant.clear();
+  }
+
   bool tryToReplaceWithConstant(Value *V) {
     if (!V->getType()->isSingleValueType() || isa<CallBase>(V) ||
         V->user_empty())
@@ -330,6 +340,10 @@ class FunctionSpecializer {
       return false;
     auto *Const =
         isConstant(IV) ? Solver.getConstant(IV) : UndefValue::get(V->getType());
+
+    LLVM_DEBUG(dbgs() << "FnSpecialization: Replacing " << *V
+                      << "\nFnSpecialization: with " << *Const << "\n");
+
     V->replaceAllUsesWith(Const);
 
     for (auto *U : Const->users())
@@ -340,7 +354,7 @@ class FunctionSpecializer {
     // Remove the instruction from Block and Solver.
     if (auto *I = dyn_cast<Instruction>(V)) {
       if (I->isSafeToRemove()) {
-        I->eraseFromParent();
+        ReplacedWithConstant.push_back(I);
         Solver.removeLatticeValueFor(I);
       }
     }
@@ -886,7 +900,8 @@ bool llvm::runFunctionSpecialization(
     Changed = true;
   }
 
-  // Clean up the IR by removing ssa_copy intrinsics.
+  // Clean up the IR by removing dead instructions and ssa_copy intrinsics.
+  FS.removeDeadInstructions();
   removeSSACopy(M);
   return Changed;
 }

diff  --git a/llvm/test/Transforms/FunctionSpecialization/bug52821-use-after-free.ll b/llvm/test/Transforms/FunctionSpecialization/bug52821-use-after-free.ll
new file mode 100644
index 000000000000..55af373652d0
--- /dev/null
+++ b/llvm/test/Transforms/FunctionSpecialization/bug52821-use-after-free.ll
@@ -0,0 +1,58 @@
+; NOTE: Assertions have been autogenerated by utils/update_test_checks.py
+; RUN: opt -function-specialization -S < %s | FileCheck %s
+
+%mystruct = type { i32, [2 x i64] }
+
+define internal %mystruct* @myfunc(%mystruct* %arg) {
+; CHECK-LABEL: @myfunc(
+; CHECK-NEXT:  entry:
+; CHECK-NEXT:    br label [[FOR_COND:%.*]]
+; CHECK:       for.cond:
+; CHECK-NEXT:    br i1 true, label [[FOR_COND2:%.*]], label [[FOR_BODY:%.*]]
+; CHECK:       for.body:
+; CHECK-NEXT:    call void @callee(%mystruct* nonnull null)
+; CHECK-NEXT:    br label [[FOR_COND]]
+; CHECK:       for.cond2:
+; CHECK-NEXT:    br i1 false, label [[FOR_END:%.*]], label [[FOR_BODY2:%.*]]
+; CHECK:       for.body2:
+; CHECK-NEXT:    [[ARRAYIDX:%.*]] = getelementptr inbounds [[MYSTRUCT:%.*]], %mystruct* null, i64 0, i32 1, i64 3
+; CHECK-NEXT:    br label [[FOR_COND2]]
+; CHECK:       for.end:
+; CHECK-NEXT:    ret %mystruct* [[ARG:%.*]]
+;
+entry:
+  br label %for.cond
+
+for.cond:                                     ; preds = %for.body, %entry
+  %phi = phi %mystruct* [ undef, %for.body ], [ null, %entry ]
+  %cond = icmp eq %mystruct* %phi, null
+  br i1 %cond, label %for.cond2, label %for.body
+
+for.body:                                     ; preds = %for.cond
+  call void @callee(%mystruct* nonnull %phi)
+  br label %for.cond
+
+for.cond2:                                     ; preds = %for.body2, %for.cond
+  %phi2 = phi %mystruct* [ undef, %for.body2 ], [ null, %for.cond ]
+  br i1 undef, label %for.end, label %for.body2
+
+for.body2:                                     ; preds = %for.cond2
+  %arrayidx = getelementptr inbounds %mystruct, %mystruct* %phi2, i64 0, i32 1, i64 3
+  br label %for.cond2
+
+for.end:                                      ; preds = %for.cond2
+  ret %mystruct* %arg
+}
+
+define %mystruct* @caller() {
+; CHECK-LABEL: @caller(
+; CHECK-NEXT:  entry:
+; CHECK-NEXT:    [[CALL:%.*]] = call %mystruct* @myfunc(%mystruct* undef)
+; CHECK-NEXT:    ret %mystruct* [[CALL]]
+;
+entry:
+  %call = call %mystruct* @myfunc(%mystruct* undef)
+  ret %mystruct* %call
+}
+
+declare void @callee(%mystruct*)

More information about the llvm-commits mailing list