[Mlir-commits] [mlir] Fix null pointer dereference in logging in mlir TransformOps (PR #92237)
Daniel Kuts
llvmlistbot at llvm.org
Wed May 15 03:07:07 PDT 2024
https://github.com/apach301 created https://github.com/llvm/llvm-project/pull/92237
Hi,
I found with static analysis a possible null pointer overflow during error logging at mlir IR/TransformOps.cpp:
https://github.com/llvm/llvm-project/blob/b2c5e9b9bf2a1cb4a8d4fc67f3201db55ae2cae1/mlir/lib/Dialect/Transform/IR/TransformOps.cpp#L653-L657
The variable `typeConverterOp` may be nullptr after the dynamic cast. There is a security guard for this, but while logging the error message the variable gets dereferenced.
>From e61de2c74bfdecfad9ca543670494676bfe9f8ec Mon Sep 17 00:00:00 2001
From: Daniil Kutz <kutz at ispras.ru>
Date: Wed, 15 May 2024 12:21:19 +0300
Subject: [PATCH] Fix null pointer dereference in logging in mlir TransformOps
---
mlir/lib/Dialect/Transform/IR/TransformOps.cpp | 7 ++++---
1 file changed, 4 insertions(+), 3 deletions(-)
diff --git a/mlir/lib/Dialect/Transform/IR/TransformOps.cpp b/mlir/lib/Dialect/Transform/IR/TransformOps.cpp
index eb09f007fbca8..5a9996dde48f7 100644
--- a/mlir/lib/Dialect/Transform/IR/TransformOps.cpp
+++ b/mlir/lib/Dialect/Transform/IR/TransformOps.cpp
@@ -648,13 +648,14 @@ LogicalResult transform::ApplyConversionPatternsOp::verify() {
if (!llvm::hasSingleElement(typeConverterRegion.front()))
return emitOpError()
<< "expected exactly one op in default type converter region";
- auto typeConverterOp = dyn_cast<transform::TypeConverterBuilderOpInterface>(
- &typeConverterRegion.front().front());
+
+ Operation *maybeTypeConverter = &typeConverterRegion.front().front();
+ auto typeConverterOp = dyn_cast<transform::TypeConverterBuilderOpInterface>(maybeTypeConverter);
if (!typeConverterOp) {
InFlightDiagnostic diag = emitOpError()
<< "expected default converter child op to "
"implement TypeConverterBuilderOpInterface";
- diag.attachNote(typeConverterOp->getLoc()) << "op without interface";
+ diag.attachNote(maybeTypeConverter->getLoc()) << "op without interface";
return diag;
}
// Check default type converter type.
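Review bot: the added `auto typeConverterOp = dyn_cast<transform::TypeConverterBuilderOpInterface>(maybeTypeConverter);` line runs well past the 80-column limit of LLVM style; run clang-format so the call is wrapped, as the two-line form it replaces was. Separately, the diffstat shows only TransformOps.cpp changing, so nothing exercises the `!typeConverterOp` branch whose note used to dereference the null cast result. A verifier test with a child op that does not implement TypeConverterBuilderOpInterface, checking both the error and the "op without interface" note, would keep this path covered.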