[Mlir-commits] [mlir] [mlir] Fix use-after-free bugs in {RankedTensorType|VectorType}::Builder (PR #68969)
Andrzej WarzyĆski
llvmlistbot at llvm.org
Tue Oct 17 03:29:16 PDT 2023
https://github.com/banach-space commented:
Overall makes sense - thanks for the fix! `
CopyOnWriteArrayRef` feels like something that should be moved elsewhere in LLVM/MLIR (i.e. I see it being used/needed more widely). So not sure.
I think that this deserves some space in the summary:
> Bug not triggered here:
> ```
> // One builder is constructed. Updated by reference via the dropDim calls.
> // Then converted to a vector type.
> VectorType newType = VectorType::Builder(type).dropDim(0).dropDim(1);
> ```
> Bug triggered here:
> ```
> // One builder is constructed, updated by reference, then assigned
> // to auto, which ends up copying the builder. The original temporary
> // builder is destroyed, and `shape` now points to junk.
> auto newType = VectorType::Builder(type).dropDim(0).dropDim(1);
> VectorType newVectorType = VectorType(newType);
> ```
>
https://github.com/llvm/llvm-project/pull/68969
More information about the Mlir-commits
mailing list