[Mlir-commits] [mlir] [mlir] Fix use-after-free bugs in {RankedTensorType|VectorType}::Builder (PR #68969)

Mehdi Amini llvmlistbot at llvm.org
Mon Oct 16 01:40:51 PDT 2023


================
@@ -277,7 +277,7 @@ class RankedTensorType::Builder {
     if (storage.empty())
       storage.append(shape.begin(), shape.end());
     storage.erase(storage.begin() + pos);
-    shape = {storage.data(), storage.size()};
+    shape = {};
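Review bot: on the `+    shape = {};` line, `shape` is left empty while `storage` still holds the remaining dimensions, so the two disagree once this call returns, and any later read of `shape.size()` (for example a bounds check on `pos`) sees 0 instead of the current rank. If the aim is to stop keeping a pointer into `storage`, route every reader through one accessor that returns `storage` when it is non-empty and `shape` otherwise, and add a comment here stating that invariant.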
----------------
joker-eph wrote:

I get that, but I'm not sure how that answers my question right now?

You're setting `shape` to an empty array, but `dropDim` starts with `assert(pos < shape.size() && "overflow");`
So how would `auto newType = VectorType::Builder(type).dropDim(0).dropDim(1);` work?

Seems to me like the second `dropDim(1)` would have `shape.size() == 0` and the assert firing?

https://github.com/llvm/llvm-project/pull/68969

