This is an archive of the discontinued LLVM Phabricator instance.

Paths

Table of Contentst

-
mlir/lib/IR/
-
lib/
-
IR/
-
SymbolTable.cpp

Differential D129345

[mlir] Fixed double-free bug in SymbolUserMap
ClosedPublic

Authored by nand on Jul 7 2022, 11:01 PM.

Download Raw Diff

Details

Reviewers

darthscsi
rriddle

Commits

rGf92d319c70b5: [mlir] Fixed double-free bug in SymbolUserMap

Summary

SymbolUserMap relied on try_emplace and std::move to relocate an entry to another key. However, if this triggered the resizing of the DenseMap, the value was destroyed before it could be moved to the new storage location, leading to a dangling users reference to be inserted into the map. On destruction, since a new entry was created from one that was already freed, a double-free error occurred.

Fixed issue by re-fetching the iterator after the mutation of the container.

Diff Detail

Repository: rG LLVM Github Monorepo

Event Timeline

nand created this revision.Jul 7 2022, 11:01 PM

Herald added a reviewer: rriddle. · View Herald TranscriptJul 7 2022, 11:01 PM

Herald added a project: Restricted Project. · View Herald Transcript

Herald added subscribers: bzcheeseman, sdasgup3, wenzhicui and 18 others. · View Herald Transcript

nand requested review of this revision.Jul 7 2022, 11:01 PM

Herald added a project: Restricted Project. · View Herald TranscriptJul 7 2022, 11:01 PM

Herald added subscribers: stephenneuendorffer, nicolasvasilache. · View Herald Transcript

Harbormaster completed remote builds in B174313: Diff 443142.Jul 7 2022, 11:24 PM

We could alternatively try to move the users first and then update later, but this is fine as well.

This revision is now accepted and ready to land.Jul 8 2022, 10:05 AM

Closed by commit rGf92d319c70b5: [mlir] Fixed double-free bug in SymbolUserMap (authored by nand). · Explain WhyJul 8 2022, 10:07 AM

This revision was automatically updated to reflect the committed changes.

nand added a commit: rGf92d319c70b5: [mlir] Fixed double-free bug in SymbolUserMap.

Revision Contents

Path

Size

mlir/

lib/

IR/

SymbolTable.cpp

18 lines

Diff 443277

mlir/lib/IR/SymbolTable.cpp

Show First 20 Lines • Show All 1,060 Lines • ▼ Show 20 Lines	SymbolTable::walkSymbolTables(symbolTableOp, /allSymUsesVisible=/false,
walkFn);		walkFn);
}		}

void SymbolUserMap::replaceAllUsesWith(Operation *symbol,		void SymbolUserMap::replaceAllUsesWith(Operation *symbol,
StringAttr newSymbolName) {		StringAttr newSymbolName) {
auto it = symbolToUsers.find(symbol);		auto it = symbolToUsers.find(symbol);
if (it == symbolToUsers.end())		if (it == symbolToUsers.end())
return;		return;
SetVector<Operation *> &users = it->second;

// Replace the uses within the users of `symbol`.		// Replace the uses within the users of `symbol`.
for (Operation *user : users)		for (Operation *user : it->second)
(void)SymbolTable::replaceAllSymbolUses(symbol, newSymbolName, user);		(void)SymbolTable::replaceAllSymbolUses(symbol, newSymbolName, user);

// Move the current users of `symbol` to the new symbol if it is in the		// Move the current users of `symbol` to the new symbol if it is in the
// symbol table.		// symbol table.
Operation *newSymbol =		Operation *newSymbol =
symbolTable.lookupSymbolIn(symbol->getParentOp(), newSymbolName);		symbolTable.lookupSymbolIn(symbol->getParentOp(), newSymbolName);
if (newSymbol != symbol) {		if (newSymbol != symbol) {
// Transfer over the users to the new symbol.		// Transfer over the users to the new symbol. The reference to the old one
auto newIt = symbolToUsers.find(newSymbol);		// is fetched again as the iterator is invalidated during the insertion.
if (newIt == symbolToUsers.end())		auto newIt = symbolToUsers.try_emplace(newSymbol, SetVector<Operation *>{});
symbolToUsers.try_emplace(newSymbol, std::move(users));		auto oldIt = symbolToUsers.find(symbol);
		assert(oldIt != symbolToUsers.end() && "missing old users list");
		if (newIt.second)
		newIt.first->second = std::move(oldIt->second);
else		else
newIt->second.set_union(users);		newIt.first->second.set_union(oldIt->second);
symbolToUsers.erase(symbol);		symbolToUsers.erase(oldIt);
}		}
}		}

//===----------------------------------------------------------------------===//		//===----------------------------------------------------------------------===//
// Visibility parsing implementation.		// Visibility parsing implementation.
//===----------------------------------------------------------------------===//		//===----------------------------------------------------------------------===//

ParseResult impl::parseOptionalVisibilityKeyword(OpAsmParser &parser,		ParseResult impl::parseOptionalVisibilityKeyword(OpAsmParser &parser,
Show All 17 Lines