This is an archive of the discontinued LLVM Phabricator instance.

Differential D135019

[SelectionDAG] Fix use-after-free introduced in D130881
ClosedPublic

Authored by zero9178 on Oct 1 2022, 1:41 PM.

Details

Reviewers
melver
vitalybuka
dvyukov
eugenis
pcc
MaskRay
Commits
rG36af4c8418c1: [SelectionDAG] Fix use-after-free introduced in D130881
Summary

The code introduced in https://reviews.llvm.org/D130881 has a bug as it may cause a use-after-free error that can be caught by ASAN.
The bug essentially boils down to iterator invalidation of DenseMap. The expression SDEI[To] = I->second; may cause SDEI to grow if To is inserted for the very first time. When that happens, all existing iterators to the map are invalidated as their backing storage has been freed. Accessing I->second is then invalid and attempts to access freed memory (as I is an iterator of SDEI).

This patch fixes that quite simply by first making a copy of I->second, and then moving into the possibly newly inserted KV of the DenseMap.

No test attached as I am not sure it is practible to test.

Downstream ASAN failure for reference:
https://github.com/zero9178/Pylir/actions/runs/3165945057/jobs/5155328897

As can nicely be seen in the stacktrace, the memor is freed by operator[] and the accessed by operator= afterwards

Diff Detail

Event Timeline

zero9178 created this revision.Oct 1 2022, 1:41 PM
Herald added a project: Restricted Project. · View Herald TranscriptOct 1 2022, 1:41 PM
Herald added subscribers: StephenFan, ecnelises, hiraditya. · View Herald Transcript
zero9178 requested review of this revision.Oct 1 2022, 1:41 PM
Herald added a project: Restricted Project. · View Herald TranscriptOct 1 2022, 1:41 PM
Herald added a subscriber: llvm-commits. · View Herald Transcript
zero9178 edited the summary of this revision. (Show Details)Oct 1 2022, 1:41 PM
Harbormaster completed remote builds in B189861: Diff 464515.Oct 1 2022, 2:47 PM
melver accepted this revision.Oct 3 2022, 4:37 AM

Thanks for the fix!

This revision is now accepted and ready to land.Oct 3 2022, 4:37 AM
This revision was landed with ongoing or failed builds.Oct 3 2022, 6:11 AM
Closed by commit rG36af4c8418c1: [SelectionDAG] Fix use-after-free introduced in D130881 (authored by zero9178). · Explain Why
This revision was automatically updated to reflect the committed changes.
zero9178 added a commit: rG36af4c8418c1: [SelectionDAG] Fix use-after-free introduced in D130881.

Revision Contents

PathSize
llvm/
lib/
CodeGen/
SelectionDAG/
6 lines

Diff 464661

llvm/lib/CodeGen/SelectionDAG/SelectionDAG.cpp

  • This file is larger than 256 KB, so syntax highlighting is disabled by default.
Show First 20 LinesShow All 12,023 Lines▼ Show 20 LinesSDValue SelectionDAG::getNeutralElement(unsigned Opcode, const SDLoc &DL,
} }
} }
void SelectionDAG::copyExtraInfo(SDNode *From, SDNode *To) { void SelectionDAG::copyExtraInfo(SDNode *From, SDNode *To) {
assert(From && To && "Invalid SDNode; empty source SDValue?"); assert(From && To && "Invalid SDNode; empty source SDValue?");
auto I = SDEI.find(From); auto I = SDEI.find(From);
if (I == SDEI.end()) if (I == SDEI.end())
return; return;
SDEI[To] = I->second;
// Use of operator[] on the DenseMap may cause an insertion, which invalidates
// the iterator, hence the need to make a copy to prevent a use-after-free.
NodeExtraInfo Copy = I->second;
SDEI[To] = std::move(Copy);
} }
#ifndef NDEBUG #ifndef NDEBUG
static void checkForCyclesHelper(const SDNode *N, static void checkForCyclesHelper(const SDNode *N,
SmallPtrSetImpl<const SDNode*> &Visited, SmallPtrSetImpl<const SDNode*> &Visited,
SmallPtrSetImpl<const SDNode*> &Checked, SmallPtrSetImpl<const SDNode*> &Checked,
const llvm::SelectionDAG *DAG) { const llvm::SelectionDAG *DAG) {
// If this node has already been checked, don't check it again. // If this node has already been checked, don't check it again.
Show All 40 Lines