[llvm] 66ed8fb - [InstCombine] Fix use after free

Nikita Popov via llvm-commits llvm-commits at lists.llvm.org
Wed Dec 4 08:20:52 PST 2024


Author: Nikita Popov
Date: 2024-12-04T17:20:04+01:00
New Revision: 66ed8fb9739402ae51b790a3541a07dfa85ff174

URL: https://github.com/llvm/llvm-project/commit/66ed8fb9739402ae51b790a3541a07dfa85ff174
DIFF: https://github.com/llvm/llvm-project/commit/66ed8fb9739402ae51b790a3541a07dfa85ff174.diff

LOG: [InstCombine] Fix use after free

Make sure we only access cached nowrap flags.

Added: 
    

Modified: 
    llvm/lib/Transforms/InstCombine/InstCombineAddSub.cpp

Removed: 
    


################################################################################
diff  --git a/llvm/lib/Transforms/InstCombine/InstCombineAddSub.cpp b/llvm/lib/Transforms/InstCombine/InstCombineAddSub.cpp
index b9f847d4d66406..ea7942ef978110 100644
--- a/llvm/lib/Transforms/InstCombine/InstCombineAddSub.cpp
+++ b/llvm/lib/Transforms/InstCombine/InstCombineAddSub.cpp
@@ -2092,18 +2092,18 @@ Value *InstCombinerImpl::OptimizePointerDifference(Value *LHS, Value *RHS,
 
   // To avoid duplicating the offset arithmetic, rewrite the GEP to use the
   // computed offset. This may erase the original GEP, so be sure to cache the
-  // inbounds flag before emitting the offset.
+  // nowrap flags before emitting the offset.
   // TODO: We should probably do this even if there is only one GEP.
   bool RewriteGEPs = GEP2 != nullptr;
 
   // Emit the offset of the GEP and an intptr_t.
-  bool GEP1IsInBounds = GEP1->isInBounds();
+  GEPNoWrapFlags GEP1NW = GEP1->getNoWrapFlags();
   Value *Result = EmitGEPOffset(GEP1, RewriteGEPs);
 
   // If this is a single inbounds GEP and the original sub was nuw,
   // then the final multiplication is also nuw.
   if (auto *I = dyn_cast<Instruction>(Result))
-    if (IsNUW && !GEP2 && !Swapped && GEP1IsInBounds &&
+    if (IsNUW && !GEP2 && !Swapped && GEP1NW.isInBounds() &&
         I->getOpcode() == Instruction::Mul)
       I->setHasNoUnsignedWrap();
 
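Review bot: After `EmitGEPOffset(GEP1, RewriteGEPs)` the pointer `GEP1` stays in scope and usable, although the comment above says the call may erase the original GEP, so any later `GEP1->...` read would reintroduce the use-after-free. Caching the flags in `GEP1NW` fixes the reads visible here, but nothing at the call site tells the next editor that the pointer is dead. I would add a line directly after the call, e.g. `// GEP1 may have been erased above; use only GEP1NW from here on.` The same applies to `GEP2` after its `EmitGEPOffset` call in the next hunk. The function body starts and continues outside this hunk, so whether any other `GEP1` use remains further down cannot be confirmed from here.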
@@ -2111,11 +2111,12 @@ Value *InstCombinerImpl::OptimizePointerDifference(Value *LHS, Value *RHS,
   // If both GEPs are inbounds, then the subtract does not have signed overflow.
   // If both GEPs are nuw and the original sub is nuw, the new sub is also nuw.
   if (GEP2) {
+    GEPNoWrapFlags GEP2NW = GEP2->getNoWrapFlags();
     Value *Offset = EmitGEPOffset(GEP2, RewriteGEPs);
     Result = Builder.CreateSub(Result, Offset, "gep
diff ",
-                               IsNUW && GEP1->hasNoUnsignedWrap() &&
-                                   GEP2->hasNoUnsignedWrap(),
-                               GEP1IsInBounds && GEP2->isInBounds());
+                               IsNUW && GEP1NW.hasNoUnsignedWrap() &&
+                                   GEP2NW.hasNoUnsignedWrap(),
+                               GEP1NW.isInBounds() && GEP2NW.isInBounds());
   }
 
   // If we have p - gep(p, ...)  then we have to negate the result.
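Review bot: No regression test accompanies this fix: the Modified list names only InstCombineAddSub.cpp, so nothing guards the `CreateSub` flag arguments against reading `GEP1->` or `GEP2->` after `EmitGEPOffset` again. Because `RewriteGEPs` is `GEP2 != nullptr`, every pass through this `if (GEP2)` branch requests the rewrite, so a pointer-difference test with two GEP operands is presumably what reaches the erased instruction. Such a test would catch a regression only in a sanitizer-instrumented build, which is worth stating in the test's comment. The enclosing function starts and ends outside the hunk.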


        

