This is an archive of the discontinued LLVM Phabricator instance.

Paths

Table of Contentst

-
llvm/trunk/
-
trunk/
-
include/llvm/Analysis/
-
llvm/
-
Analysis/
-
AssumptionCache.h
-
lib/Analysis/
-
Analysis/
-
AssumptionCache.cpp

Differential D28749

Fix use-after-free bug in AffectedValueCallbackVH::allUsesReplacedWith
ClosedPublic

Authored by hfinkel on Jan 15 2017, 2:38 PM.

Download Raw Diff

Details

Reviewers

dim
chandlerc
sanjoy

Commits

rG481bb24909f3: Merging r292133: --------------------------------------------------------------…
rGc29d5f167446: Fix use-after-free bug in AffectedValueCallbackVH::allUsesReplacedWith
rL292312: Merging r292133:
rL292133: Fix use-after-free bug in AffectedValueCallbackVH::allUsesReplacedWith

Summary

When transferring affected values in the cache from an old value, identified by the value of the current callback, to the specified new value we might need to insert a new entry into the DenseMap which constitutes the cache. Doing so might delete the current callback object. Move the copying logic into a new function, a member of the assumption cache itself, so that we don't run into UB should the callback handle itself be removed mid-copy.

Diff Detail

Repository: rL LLVM

Event Timeline

hfinkel updated this revision to Diff 84505.Jan 15 2017, 2:38 PM

hfinkel retitled this revision from to Fix use-after-free bug in AffectedValueCallbackVH::allUsesReplacedWith.

hfinkel updated this object.

hfinkel added reviewers: dim, chandlerc.

hfinkel added a subscriber: llvm-commits.

Herald added a subscriber: mcrosier. · View Herald TranscriptJan 15 2017, 2:38 PM

The code lgtm, but

Can you easily test this using a C++ unit test? I'll settle for something that normally runs "fine", but trips asan if the build is using asan.
getAffectedValues should be renamed to getOrInsertAffectedValues.

lib/Analysis/AssumptionCache.cpp
121 ↗	(On Diff #84505)	Can you use `llvm::find` here (in a later change)?
132 ↗	(On Diff #84505)	Please add why it may dangle.

This revision is now accepted and ready to land.Jan 15 2017, 3:32 PM

emaste added a subscriber: emaste.Jan 15 2017, 4:10 PM

In D28749#646897, @sanjoy wrote:

The code lgtm, but

Can you easily test this using a C++ unit test? I'll settle for something that normally runs "fine", but trips asan if the build is using asan.

I'll experiment with this today and commit one in follow-up. I might also be able to create an IR test case for instcombine if things work out just right.

getAffectedValues should be renamed to getOrInsertAffectedValues.

Sure.

lib/Analysis/AssumptionCache.cpp
121 ↗	(On Diff #84505)	Yes, I think so. I'd forgotten about that.

Closed by commit rL292133: Fix use-after-free bug in AffectedValueCallbackVH::allUsesReplacedWith (authored by hfinkel). · Explain WhyJan 16 2017, 7:33 AM

This revision was automatically updated to reflect the committed changes.

Revision Contents

Path

Size

llvm/

trunk/

include/

llvm/

Analysis/

AssumptionCache.h

5 lines

lib/

Analysis/

AssumptionCache.cpp

27 lines

Diff 84562

llvm/trunk/include/llvm/Analysis/AssumptionCache.h

Show First 20 Lines • Show All 62 Lines • ▼ Show 20 Lines	class AssumptionCache {
/// \brief A map of values about which an assumption might be providing		/// \brief A map of values about which an assumption might be providing
/// information to the relevant set of assumptions.		/// information to the relevant set of assumptions.
using AffectedValuesMap =		using AffectedValuesMap =
DenseMap<AffectedValueCallbackVH, SmallVector<WeakVH, 1>,		DenseMap<AffectedValueCallbackVH, SmallVector<WeakVH, 1>,
AffectedValueCallbackVH::DMI>;		AffectedValueCallbackVH::DMI>;
AffectedValuesMap AffectedValues;		AffectedValuesMap AffectedValues;

/// Get the vector of assumptions which affect a value from the cache.		/// Get the vector of assumptions which affect a value from the cache.
SmallVector<WeakVH, 1> &getAffectedValues(Value *V);		SmallVector<WeakVH, 1> &getOrInsertAffectedValues(Value *V);

		/// Copy affected values in the cache for OV to be affected values for NV.
		void copyAffectedValuesInCache(Value OV, Value NV);

/// \brief Flag tracking whether we have scanned the function yet.		/// \brief Flag tracking whether we have scanned the function yet.
///		///
/// We want to be as lazy about this as possible, and so we scan the function		/// We want to be as lazy about this as possible, and so we scan the function
/// at the last moment.		/// at the last moment.
bool Scanned;		bool Scanned;

/// \brief Scan the function for assumptions and add them to the cache.		/// \brief Scan the function for assumptions and add them to the cache.
▲ Show 20 Lines • Show All 137 Lines • Show Last 20 Lines

llvm/trunk/lib/Analysis/AssumptionCache.cpp

Show All 18 Lines
#include "llvm/IR/Instructions.h"		#include "llvm/IR/Instructions.h"
#include "llvm/IR/IntrinsicInst.h"		#include "llvm/IR/IntrinsicInst.h"
#include "llvm/IR/PassManager.h"		#include "llvm/IR/PassManager.h"
#include "llvm/IR/PatternMatch.h"		#include "llvm/IR/PatternMatch.h"
#include "llvm/Support/Debug.h"		#include "llvm/Support/Debug.h"
using namespace llvm;		using namespace llvm;
using namespace llvm::PatternMatch;		using namespace llvm::PatternMatch;

SmallVector<WeakVH, 1> &AssumptionCache::getAffectedValues(Value *V) {		SmallVector<WeakVH, 1> &AssumptionCache::getOrInsertAffectedValues(Value *V) {
// Try using find_as first to avoid creating extra value handles just for the		// Try using find_as first to avoid creating extra value handles just for the
// purpose of doing the lookup.		// purpose of doing the lookup.
auto AVI = AffectedValues.find_as(V);		auto AVI = AffectedValues.find_as(V);
if (AVI != AffectedValues.end())		if (AVI != AffectedValues.end())
return AVI->second;		return AVI->second;

auto AVIP = AffectedValues.insert({		auto AVIP = AffectedValues.insert({
AffectedValueCallbackVH(V, this), SmallVector<WeakVH, 1>()});		AffectedValueCallbackVH(V, this), SmallVector<WeakVH, 1>()});
▲ Show 20 Lines • Show All 57 Lines • ▼ Show 20 Lines	if (Pred == ICmpInst::ICMP_EQ) {
};		};

AddAffectedFromEq(A);		AddAffectedFromEq(A);
AddAffectedFromEq(B);		AddAffectedFromEq(B);
}		}
}		}

for (auto &AV : Affected) {		for (auto &AV : Affected) {
auto &AVV = getAffectedValues(AV);		auto &AVV = getOrInsertAffectedValues(AV);
if (std::find(AVV.begin(), AVV.end(), CI) == AVV.end())		if (std::find(AVV.begin(), AVV.end(), CI) == AVV.end())
AVV.push_back(CI);		AVV.push_back(CI);
}		}
}		}

void AssumptionCache::AffectedValueCallbackVH::deleted() {		void AssumptionCache::AffectedValueCallbackVH::deleted() {
auto AVI = AC->AffectedValues.find(getValPtr());		auto AVI = AC->AffectedValues.find(getValPtr());
if (AVI != AC->AffectedValues.end())		if (AVI != AC->AffectedValues.end())
AC->AffectedValues.erase(AVI);		AC->AffectedValues.erase(AVI);
// 'this' now dangles!		// 'this' now dangles!
}		}

		void AssumptionCache::copyAffectedValuesInCache(Value OV, Value NV) {
		auto &NAVV = getOrInsertAffectedValues(NV);
		auto AVI = AffectedValues.find(OV);
		if (AVI == AffectedValues.end())
		return;

		for (auto &A : AVI->second)
		if (std::find(NAVV.begin(), NAVV.end(), A) == NAVV.end())
		NAVV.push_back(A);
		}

void AssumptionCache::AffectedValueCallbackVH::allUsesReplacedWith(Value *NV) {		void AssumptionCache::AffectedValueCallbackVH::allUsesReplacedWith(Value *NV) {
if (!isa<Instruction>(NV) && !isa<Argument>(NV))		if (!isa<Instruction>(NV) && !isa<Argument>(NV))
return;		return;

// Any assumptions that affected this value now affect the new value.		// Any assumptions that affected this value now affect the new value.

auto &NAVV = AC->getAffectedValues(NV);		AC->copyAffectedValuesInCache(getValPtr(), NV);
auto AVI = AC->AffectedValues.find(getValPtr());		// 'this' now might dangle! If the AffectedValues map was resized to add an
if (AVI == AC->AffectedValues.end())		// entry for NV then this object might have been destroyed in favor of some
return;		// copy in the grown map.

for (auto &A : AVI->second)
if (std::find(NAVV.begin(), NAVV.end(), A) == NAVV.end())
NAVV.push_back(A);
}		}

void AssumptionCache::scanFunction() {		void AssumptionCache::scanFunction() {
assert(!Scanned && "Tried to scan the function twice!");		assert(!Scanned && "Tried to scan the function twice!");
assert(AssumeHandles.empty() && "Already have assumes when scanning!");		assert(AssumeHandles.empty() && "Already have assumes when scanning!");

// Go through all instructions in all blocks, add all calls to @llvm.assume		// Go through all instructions in all blocks, add all calls to @llvm.assume
// to this cache.		// to this cache.
▲ Show 20 Lines • Show All 114 Lines • Show Last 20 Lines