maxjhandsome
/
llvm-project
forked from OSchip/llvm-project
1
0
Fork 0
Code Issues Pull Requests Packages Releases Wiki Activity

[SCCPSolver] Fix use-after-free in markArgInFuncSpecialization 

In SCCPSolver::markArgInFuncSpecialization, the ValueState map may be
reallocated *after* the initial ValueLatticeElement reference is grabbed, but
*before* its use in copy initialization. This causes a use-after-free.  To fix
this, this commit changes the behavior to create the new ValueLatticeElement
before assigning the old one to it.

Patch by: https://github.com/duck-37/

Differential Revision: https://reviews.llvm.org/D111112
This commit is contained in:
Sjoerd Meijer 2021-10-05 12:12:39 +01:00
parent 40e00063bc
commit cdfc678572
1 changed files with 8 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

10
llvm/lib/Transforms/Utils/SCCPSolver.cpp
View File

@ -540,8 +540,14 @@ void SCCPInstVisitor::markArgInFuncSpecialization(Function *F, Argument *A,
E = F->arg_end();
I != E; ++I, ++J)
if (J != A && ValueState.count(I)) {
ValueState[J] = ValueState[I];
pushToWorkList(ValueState[J], J);
// Note: This previously looked like this:
// ValueState[J] = ValueState[I];
// This is incorrect because the DenseMap class may resize the underlying
// memory when inserting `J`, which will invalidate the reference to `I`.
// Instead, we make sure `J` exists, then set it to `I` afterwards.
auto &NewValue = ValueState[J];
NewValue = ValueState[I];
pushToWorkList(NewValue, J);
}
}