[PATCH] D154844: [JITLink][RISCV] Fix use-after-free in relax

Job Noorman via Phabricator via llvm-commits llvm-commits at lists.llvm.org
Mon Jul 10 07:01:52 PDT 2023 

jobnoorman created this revision.
jobnoorman added reviewers: lhames, StephenFan.
Herald added subscribers: asb, luke, pmatos, VincentWu, vkmr, frasercrmck, luismarques, apazos, sameer.abuasal, s.egerton, Jim, benna, psnobl, jocewei, PkmX, the_o, brucehoult, MartinMosbeck, rogfer01, edward-jones, zzheng, jrtc27, shiva0217, kito-cheng, niosHD, sabuasal, simoncook, johnrusso, rbar, hiraditya, arichardson.
Herald added a project: All.
jobnoorman requested review of this revision.
Herald added subscribers: llvm-commits, wangpc, eopXD.
Herald added a project: LLVM.

Finalization of relaxation calls `finalizeBlockRelax` for every block in
the graph. This function, however, would iterate over //all// blocks in
the graph to remove `AlignRelaxable` edges. Since pointers to those
edges would still be stored in `RelaxEdges`, this caused a
use-after-free for graphs with multiple blocks.

This patch fixes this by only iterating over the edges of the current
block in `finalizeBlockRelax`.


Repository:
  rG LLVM Github Monorepo

https://reviews.llvm.org/D154844

Files:
  llvm/lib/ExecutionEngine/JITLink/ELF_riscv.cpp


Index: llvm/lib/ExecutionEngine/JITLink/ELF_riscv.cpp
===================================================================
--- llvm/lib/ExecutionEngine/JITLink/ELF_riscv.cpp
+++ llvm/lib/ExecutionEngine/JITLink/ELF_riscv.cpp
@@ -744,13 +744,11 @@
   // Remove AlignRelaxable edges: all other relaxable edges got modified and
   // will be used later while linking. Alignment is entirely handled here so we
   // don't need these edges anymore.
-  for (auto *B : G.blocks()) {
-    for (auto IE = B->edges().begin(); IE != B->edges().end();) {
-      if (IE->getKind() == AlignRelaxable)
-        IE = B->removeEdge(IE);
-      else
-        ++IE;
-    }
+  for (auto IE = Block.edges().begin(); IE != Block.edges().end();) {
+    if (IE->getKind() == AlignRelaxable)
+      IE = Block.removeEdge(IE);
+    else
+      ++IE;
   }
 }
 


-------------- next part --------------
A non-text attachment was scrubbed...
Name: D154844.538628.patch
Type: text/x-patch
Size: 833 bytes
Desc: not available
URL: <http://lists.llvm.org/pipermail/llvm-commits/attachments/20230710/eba9502c/attachment.bin>

More information about the llvm-commits mailing list