[llvm] [PPCMergeStringPool] Only replace constant once (PR #92996)

Nikita Popov via llvm-commits llvm-commits at lists.llvm.org
Tue May 21 23:48:22 PDT 2024


https://github.com/nikic updated https://github.com/llvm/llvm-project/pull/92996

>From aedd3c80794c16dff3eae0ca7575e1e897654492 Mon Sep 17 00:00:00 2001
From: Nikita Popov <npopov at redhat.com>
Date: Wed, 22 May 2024 08:39:50 +0200
Subject: [PATCH 1/2] [PPCMergeStringPool] Only replace constant once

In #88846 I changed this code to use RAUW to perform the replacement
instead of manual updates -- but kept the outer loop, which means
we try to perform RAUW once per user. However, some of the users
might be freed by the RAUW operation, resulting in use-after-free.

I think the case where this happens is constant users where the
replacement might result in the destruction of the original
constant. I wasn't able to come up with a test case though.

This is intended to fix https://github.com/llvm/llvm-project/issues/92991.
---
 .../lib/Target/PowerPC/PPCMergeStringPool.cpp | 37 ++++---------------
 1 file changed, 7 insertions(+), 30 deletions(-)

diff --git a/llvm/lib/Target/PowerPC/PPCMergeStringPool.cpp b/llvm/lib/Target/PowerPC/PPCMergeStringPool.cpp
index abc5353e4a5e9..b73e25d37f8f5 100644
--- a/llvm/lib/Target/PowerPC/PPCMergeStringPool.cpp
+++ b/llvm/lib/Target/PowerPC/PPCMergeStringPool.cpp
@@ -302,13 +302,6 @@ bool PPCMergeStringPool::mergeModuleStringPool(Module &M) {
   return true;
 }
 
-static bool userHasOperand(User *TheUser, GlobalVariable *GVOperand) {
-  for (Value *Op : TheUser->operands())
-    if (Op == GVOperand)
-      return true;
-  return false;
-}
-
 // For pooled strings we need to add the offset into the pool for each string.
 // This is done by adding a Get Element Pointer (GEP) before each user. This
 // function adds the GEP.
@@ -319,29 +312,13 @@ void PPCMergeStringPool::replaceUsesWithGEP(GlobalVariable *GlobalToReplace,
   Indices.push_back(ConstantInt::get(Type::getInt32Ty(*Context), 0));
   Indices.push_back(ConstantInt::get(Type::getInt32Ty(*Context), ElementIndex));
 
-  // Need to save a temporary copy of each user list because we remove uses
-  // as we replace them.
-  SmallVector<User *> Users;
-  for (User *CurrentUser : GlobalToReplace->users())
-    Users.push_back(CurrentUser);
-
-  for (User *CurrentUser : Users) {
-    // The user was not found so it must have been replaced earlier.
-    if (!userHasOperand(CurrentUser, GlobalToReplace))
-      continue;
-
-    // We cannot replace operands in globals so we ignore those.
-    if (isa<GlobalValue>(CurrentUser))
-      continue;
-
-    Constant *ConstGEP = ConstantExpr::getInBoundsGetElementPtr(
-        PooledStructType, GPool, Indices);
-    LLVM_DEBUG(dbgs() << "Replacing this global:\n");
-    LLVM_DEBUG(GlobalToReplace->dump());
-    LLVM_DEBUG(dbgs() << "with this:\n");
-    LLVM_DEBUG(ConstGEP->dump());
-    GlobalToReplace->replaceAllUsesWith(ConstGEP);
-  }
+  Constant *ConstGEP = ConstantExpr::getInBoundsGetElementPtr(
+      PooledStructType, GPool, Indices);
+  LLVM_DEBUG(dbgs() << "Replacing this global:\n");
+  LLVM_DEBUG(GlobalToReplace->dump());
+  LLVM_DEBUG(dbgs() << "with this:\n");
+  LLVM_DEBUG(ConstGEP->dump());
+  GlobalToReplace->replaceAllUsesWith(ConstGEP);
 }
 
 } // namespace
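Review bot: The single `GlobalToReplace->replaceAllUsesWith(ConstGEP);` that now ends replaceUsesWithGEP has no comment recording why it must run exactly once, and the removed loop's `isa<GlobalValue>(CurrentUser)` skip ("We cannot replace operands in globals") disappears without a word on whether uses held by other globals are now meant to be rewritten. The old skip was already only partial, since one non-global user was enough to trigger the full RAUW, so this is probably intended, but it should be stated. I would add above the call `// RAUW exactly once: it may destroy constant users, so do not iterate over users() around it.` and update the function's header comment, which still describes adding a GEP "before each user". Since the description says no reproducer was found for the use-after-free, a regression test derived from the linked issue would be worth adding if one can be reduced. The function's signature and opening lines are outside this hunk.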

>From 3a5f9167ab42b9f48ac51ed3b43a64479ccae413 Mon Sep 17 00:00:00 2001
From: Nikita Popov <npopov at redhat.com>
Date: Wed, 22 May 2024 08:48:05 +0200
Subject: [PATCH 2/2] clang-format

---
 llvm/lib/Target/PowerPC/PPCMergeStringPool.cpp | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/llvm/lib/Target/PowerPC/PPCMergeStringPool.cpp b/llvm/lib/Target/PowerPC/PPCMergeStringPool.cpp
index b73e25d37f8f5..309938accdf4c 100644
--- a/llvm/lib/Target/PowerPC/PPCMergeStringPool.cpp
+++ b/llvm/lib/Target/PowerPC/PPCMergeStringPool.cpp
@@ -312,8 +312,8 @@ void PPCMergeStringPool::replaceUsesWithGEP(GlobalVariable *GlobalToReplace,
   Indices.push_back(ConstantInt::get(Type::getInt32Ty(*Context), 0));
   Indices.push_back(ConstantInt::get(Type::getInt32Ty(*Context), ElementIndex));
 
-  Constant *ConstGEP = ConstantExpr::getInBoundsGetElementPtr(
-      PooledStructType, GPool, Indices);
+  Constant *ConstGEP =
+      ConstantExpr::getInBoundsGetElementPtr(PooledStructType, GPool, Indices);
   LLVM_DEBUG(dbgs() << "Replacing this global:\n");
   LLVM_DEBUG(GlobalToReplace->dump());
   LLVM_DEBUG(dbgs() << "with this:\n");


