[Mlir-commits] [mlir] [tosa]: canonicalize dynamic size of tosa.slice to static output shape (PR #135429)

Thurston Dang llvmlistbot at llvm.org
Sat Apr 12 19:56:02 PDT 2025 

thurstond wrote:

Based on the ASan output, I think after the replaceOp on line 775, it's no longer valid to do getSize() on sliceOp:

```
   775      rewriter.replaceOp(sliceOp, newSliceOp.getResult());
   776
   777      // Remove const_shape size op when it no longer has use point.
   778      Operation *sizeConstShape = sliceOp.getSize().getDefiningOp();
```

```
==mlir-opt==1182057==ERROR: AddressSanitizer: heap-use-after-free on address 0x76a7f48bbc7c at pc 0x6010214a6254 bp 0x7ffc067d9790 sp 0x7ffc067d9788
READ of size 4 at 0x76a7f48bbc7c thread T0
    #0 0x6010214a6253 in getOpOperands /home/b/sanitizer-x86_64-linux-fast/build/llvm-project/mlir/include/mlir/IR/Operation.h:384:12
    #1 0x6010214a6253 in getOperands /home/b/sanitizer-x86_64-linux-fast/build/llvm-project/mlir/include/mlir/IR/Operation.h:379:43
    #2 0x6010214a6253 in operand_begin /home/b/sanitizer-x86_64-linux-fast/build/llvm-project/mlir/include/mlir/IR/Operation.h:374:45
    #3 0x6010214a6253 in getODSOperands /home/b/sanitizer-x86_64-linux-fast/build/llvm_build_asan_ubsan/tools/mlir/include/mlir/Dialect/Tosa/IR/TosaOps.h.inc:14332:39
    #4 0x6010214a6253 in mlir::tosa::SliceOp::getSize() /home/b/sanitizer-x86_64-linux-fast/build/llvm_build_asan_ubsan/tools/mlir/include/mlir/Dialect/Tosa/IR/TosaOps.h.inc:14345:69
    #5 0x60102176a3ff in SliceDynamicSizeCanonicalization::matchAndRewrite(mlir::tosa::SliceOp, mlir::PatternRewriter&) const /home/b/sanitizer-x86_64-linux-fast/build/llvm-project/mlir/lib/Dialect/Tosa/IR/TosaCanonicalizations.cpp:778:41
...

freed by thread T0 here:
    #0 0x60101ac8aeb6 in free /home/b/sanitizer-x86_64-linux-fast/build/llvm-project/compiler-rt/lib/asan/asan_malloc_linux.cpp:51:3
    #1 0x601022f7a71d in erase /home/b/sanitizer-x86_64-linux-fast/build/llvm-project/llvm/include/llvm/ADT/ilist.h:205:5
    #2 0x601022f7a71d in erase /home/b/sanitizer-x86_64-linux-fast/build/llvm-project/llvm/include/llvm/ADT/ilist.h:209:39
    #3 0x601022f7a71d in mlir::Operation::erase() /home/b/sanitizer-x86_64-linux-fast/build/llvm-project/mlir/lib/IR/Operation.cpp:541:29
    #4 0x601022fb2d6a in operator() /home/b/sanitizer-x86_64-linux-fast/build/llvm-project/mlir/lib/IR/PatternMatch.cpp:184:9
    #5 0x601022fb2d6a in operator() /home/b/sanitizer-x86_64-linux-fast/build/llvm-project/mlir/lib/IR/PatternMatch.cpp:223:5
    #6 0x601022fb2d6a in __invoke<(lambda at /home/b/sanitizer-x86_64-linux-fast/build/llvm-project/mlir/lib/IR/PatternMatch.cpp:190:48) &, mlir::Operation *> /home/b/sanitizer-x86_64-linux-fast/build/libcxx_install_asan_ubsan/include/c++/v1/__type_traits/invoke.h:179:25
    #7 0x601022fb2d6a in __call<(lambda at /home/b/sanitizer-x86_64-linux-fast/build/llvm-project/mlir/lib/IR/PatternMatch.cpp:190:48) &, mlir::Operation *> /home/b/sanitizer-x86_64-linux-fast/build/libcxx_install_asan_ubsan/include/c++/v1/__type_traits/invoke.h:251:5
    #8 0x601022fb2d6a in __invoke_r<void, (lambda at /home/b/sanitizer-x86_64-linux-fast/build/llvm-project/mlir/lib/IR/PatternMatch.cpp:190:48) &, mlir::Operation *> /home/b/sanitizer-x86_64-linux-fast/build/libcxx_install_asan_ubsan/include/c++/v1/__type_traits/invoke.h:273:10
    #9 0x601022fb2d6a in operator() /home/b/sanitizer-x86_64-linux-fast/build/libcxx_install_asan_ubsan/include/c++/v1/__functional/function.h:167:12
    #10 0x601022fb2d6a in std::__1::__function::__func<mlir::RewriterBase::eraseOp(mlir::Operation*)::$_0, std::__1::allocator<mlir::RewriterBase::eraseOp(mlir::Operation*)::$_0>, void (mlir::Operation*)>::operator()(mlir::Operation*&&) /home/b/sanitizer-x86_64-linux-fast/build/libcxx_install_asan_ubsan/include/c++/v1/__functional/function.h:319:10
    #11 0x601022fae6a3 in operator() /home/b/sanitizer-x86_64-linux-fast/build/libcxx_install_asan_ubsan/include/c++/v1/__functional/function.h:436:12
    #12 0x601022fae6a3 in operator() /home/b/sanitizer-x86_64-linux-fast/build/libcxx_install_asan_ubsan/include/c++/v1/__functional/function.h:995:10
      #13 0x5c8e0439e5a4 in executeAction<(anonymous namespace)::GreedyPatternRewriteIteration, long &> /home/b/sanitizer-x86_64-linux-fast/build/llvm-project/mlir/include/mlir/IR/MLIRContext.h:280:7
    #14 0x5c8e0439e5a4 in simplify /home/b/sanitizer-x86_64-linux-fast/build/llvm-project/mlir/lib/Transforms/Utils/GreedyPatternRewriteDriver.cpp:872:10
    #15 0x5c8e0439e5a4 in mlir::applyPatternsGreedily(mlir::Region&, mlir::FrozenRewritePatternSet const&, mlir::GreedyRewriteConfig, bool*) /home/b/sanitizer-x86_64-linux-fast/build/llvm-project/mlir/lib/Transforms/Utils/GreedyPatternRewriteDriver.cpp:919:47
    #16 0x5c8e0001d2ad in mlir::applyPatternsGreedily(mlir::Operation*, mlir::FrozenRewritePatternSet const&, mlir::GreedyRewriteConfig, bool*) /home/b/sanitizer-x86_64-linux-fast/build/llvm-project/mlir/include/mlir/Transforms/GreedyPatternRewriteDriver.h:174:15
    #17 0x5c8e0430af42 in (anonymous namespace)::Canonicalizer::runOnOperation() /home/b/sanitizer-x86_64-linux-fast/build/llvm-project/mlir/lib/Transforms/Canonicalizer.cpp:64:9
...
```

https://github.com/llvm/llvm-project/pull/135429

More information about the Mlir-commits mailing list