[PATCH] D148427: [BOLT][NFC] Fix use-after-free in RewriteInstance::mapCodeSections

Job Noorman via Phabricator via llvm-commits llvm-commits at lists.llvm.org
Sat Apr 15 05:36:58 PDT 2023

jobnoorman created this revision.
jobnoorman added reviewers: rafauler, maksfb, yota9, Amir.
Herald added subscribers: asb, treapster, pmatos, ayermolo.
Herald added a project: All.
jobnoorman requested review of this revision.
Herald added a project: LLVM.
Herald added a subscriber: llvm-commits.

When a cold function is too large, its section gets deregistered.
However, the section is still dereferenced later to get its RuntimeDyld
ID. This patch moves the deregistration to after the last dereference.

Note that this came up in D147544 <https://reviews.llvm.org/D147544> and I haven't found a way to actually
trigger this bug (i.e., I'm not sure how to create a cold function
that's considered "too large"). I tried to resolve the issue without
affecting BOLT's behavior but there might be better ways to solve it
(e.g., not deregistering, not mapping the deregistered section in




Index: bolt/lib/Rewrite/RewriteInstance.cpp
--- bolt/lib/Rewrite/RewriteInstance.cpp
+++ bolt/lib/Rewrite/RewriteInstance.cpp
@@ -4097,7 +4097,6 @@
-      BC->deregisterSection(*ColdSection);
     } else {
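Review bot: Dropping `BC->deregisterSection(*ColdSection);` from the TooLarge branch only fixes a use-after-free if `deregisterSection` actually destroys the BinarySection that `ColdSection` points at, and the hunk is shown with so little context that this cannot be confirmed from the visible lines; please state it in the summary and leave a short comment in the TooLarge branch noting that deregistration is deferred on purpose, so a reader of this branch does not assume the section is kept registered when it is too large.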
@@ -4112,6 +4111,9 @@
             FF.getImageAddress(), FF.getAddress(), FF.getImageSize()));
     RTDyld.reassignSectionAddress(ColdSection->getSectionID(), FF.getAddress());
+    if (TooLarge)
+      BC->deregisterSection(*ColdSection);
     NextAvailableAddress += FF.getImageSize();
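Review bot: The new `if (TooLarge) BC->deregisterSection(*ColdSection);` is placed directly after `RTDyld.reassignSectionAddress(ColdSection->getSectionID(), FF.getAddress());`, the last dereference of `ColdSection` in this hunk, but nothing in the code records that the ordering is load-bearing; add a one-line comment such as `// Deregister only after the last use of ColdSection above (getSectionID).` so a later refactor does not move the call back up. Separately, the section is still mapped through `reassignSectionAddress` before being deregistered, which the summary itself lists as a possible alternative to revisit; a comment here saying whether mapping a section that is about to be deregistered is intended would make that decision explicit.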

-------------- next part --------------
A non-text attachment was scrubbed...
Name: D148427.513894.patch
Type: text/x-patch
Size: 761 bytes
Desc: not available
URL: <http://lists.llvm.org/pipermail/llvm-commits/attachments/20230415/06849506/attachment.bin>
