This is an archive of the discontinued LLVM Phabricator instance.

Differential D105061

[IR] Fix replaceUsesWithIf ponetial issue with constants
ClosedPublic

Authored by rampitec on Jun 28 2021, 1:50 PM.

Download Raw Diff

Details

Reviewers

efriedma

Commits

rGb608053efb88: [IR] Fix replaceUsesWithIf ponetial issue with constants

Summary

There can be a use after free in the Value::replaceUsesWithIf()
if two uses point to the same constant. Patch defers handling
of the constants past the iterator scan.

Another potential issue is that handleOperandChange updates all
the uses in a given Constant, not just the one passed to
ShouldReplace. Added a FIXME comment.

Both issues are not currently exploitable as the only use of
this call with constants avoids it.

Diff Detail

Repository: rG LLVM Github Monorepo

Event Timeline

rampitec created this revision.Jun 28 2021, 1:50 PM

Herald added subscribers: dexonsmith, hiraditya. · View Herald TranscriptJun 28 2021, 1:50 PM

rampitec requested review of this revision.Jun 28 2021, 1:50 PM

Herald added a project: Restricted Project. · View Herald TranscriptJun 28 2021, 1:50 PM

rampitec mentioned this in D103051: [IR] Allow Value::replaceUsesWithIf() to process constants.Jun 28 2021, 1:50 PM

efriedma added inline comments.Jun 28 2021, 2:02 PM

llvm/lib/IR/Value.cpp
534	I think you need a TrackingVH here, instead of a raw pointer. Suppose you have something like the following: ConstantStruct(ConstantStruct(C, C), C) Say we replaceUsesWithIf on C. Calling handleOperandChange on the inner ConstantStruct will invalidate pointers to the outer CostantStruct. So depending on the use-list order, you might have a dangling pointer.

Use TrackingVH.

llvm/lib/IR/Value.cpp
534	Like in the updated patch?

LGTM

This revision is now accepted and ready to land.Jun 28 2021, 3:25 PM

This revision was landed with ongoing or failed builds.Jun 28 2021, 3:57 PM

Closed by commit rGb608053efb88: [IR] Fix replaceUsesWithIf ponetial issue with constants (authored by rampitec). · Explain Why

This revision was automatically updated to reflect the committed changes.

rampitec added a commit: rGb608053efb88: [IR] Fix replaceUsesWithIf ponetial issue with constants.

Harbormaster completed remote builds in B111389: Diff 355046.Jun 28 2021, 4:23 PM

Revision Contents

Path

Size

llvm/

lib/

IR/

Value.cpp

12 lines

Diff 355055

llvm/lib/IR/Value.cpp

	Show First 20 Lines • Show All 525 Lines • ▼ Show 20 Lines
	}			}

	void Value::replaceUsesWithIf(Value *New,			void Value::replaceUsesWithIf(Value *New,
	llvm::function_ref<bool(Use &U)> ShouldReplace) {			llvm::function_ref<bool(Use &U)> ShouldReplace) {
	assert(New && "Value::replaceUsesWithIf(<null>) is invalid!");			assert(New && "Value::replaceUsesWithIf(<null>) is invalid!");
	assert(New->getType() == getType() &&			assert(New->getType() == getType() &&
	"replaceUses of value with new value of different type!");			"replaceUses of value with new value of different type!");

				SmallVector<TrackingVH<Constant>, 8> Consts;
				efriedmaUnsubmitted Done Reply Inline Actions I think you need a TrackingVH here, instead of a raw pointer. Suppose you have something like the following: ConstantStruct(ConstantStruct(C, C), C) Say we replaceUsesWithIf on C. Calling handleOperandChange on the inner ConstantStruct will invalidate pointers to the outer CostantStruct. So depending on the use-list order, you might have a dangling pointer. efriedma: I think you need a TrackingVH here, instead of a raw pointer. Suppose you have something like…
				rampitecAuthorUnsubmitted Done Reply Inline Actions Like in the updated patch? rampitec: Like in the updated patch?
				SmallPtrSet<Constant *, 8> Visited;

	for (use_iterator UI = use_begin(), E = use_end(); UI != E;) {			for (use_iterator UI = use_begin(), E = use_end(); UI != E;) {
	Use &U = *UI;			Use &U = *UI;
	++UI;			++UI;
	if (!ShouldReplace(U))			if (!ShouldReplace(U))
	continue;			continue;
	// Must handle Constants specially, we cannot call replaceUsesOfWith on a			// Must handle Constants specially, we cannot call replaceUsesOfWith on a
	// constant because they are uniqued.			// constant because they are uniqued.
	if (auto *C = dyn_cast<Constant>(U.getUser())) {			if (auto *C = dyn_cast<Constant>(U.getUser())) {
	if (!isa<GlobalValue>(C)) {			if (!isa<GlobalValue>(C)) {
	C->handleOperandChange(this, New);			if (Visited.insert(C).second)
				Consts.push_back(TrackingVH<Constant>(C));
	continue;			continue;
	}			}
	}			}
	U.set(New);			U.set(New);
	}			}

				while (!Consts.empty()) {
				// FIXME: handleOperandChange() updates all the uses in a given Constant,
				// not just the one passed to ShouldReplace
				Consts.pop_back_val()->handleOperandChange(this, New);
				}
	}			}

	/// Replace llvm.dbg.* uses of MetadataAsValue(ValueAsMetadata(V)) outside BB			/// Replace llvm.dbg.* uses of MetadataAsValue(ValueAsMetadata(V)) outside BB
	/// with New.			/// with New.
	static void replaceDbgUsesOutsideBlock(Value V, Value New, BasicBlock *BB) {			static void replaceDbgUsesOutsideBlock(Value V, Value New, BasicBlock *BB) {
	SmallVector<DbgVariableIntrinsic *> DbgUsers;			SmallVector<DbgVariableIntrinsic *> DbgUsers;
	findDbgUsers(DbgUsers, V);			findDbgUsers(DbgUsers, V);
	for (auto *DVI : DbgUsers) {			for (auto *DVI : DbgUsers) {
	▲ Show 20 Lines • Show All 670 Lines • Show Last 20 Lines