This is an archive of the discontinued LLVM Phabricator instance.

Differential D39979

[Polly][SI] Fix a potential use-after-free
ClosedPublic

Authored by philip.pfaffe on Nov 13 2017, 1:46 PM.

Details

Reviewers
grosser
bollu
Meinersbur
Commits
rG8dd0f479e89e: [SI] Fix a potential use-after-free
rPLO318415: [SI] Fix a potential use-after-free
rL318415: [SI] Fix a potential use-after-free
Summary

There is a potential use-after-free bug in Scop::buildSchedule(Region *,
LoopStackTy &, LoopInfo &). Before, we took a reference to LoopStack.back()
which is a use after free, since back is popped off further below. This didn't
crash before by pure chance, since LoopStack is actually a vector, and the
memory isn't freed upon pop. I turned this into an iterator-based algorithm.

Diff Detail

Repository
rL LLVM

Event Timeline

philip.pfaffe created this revision.Nov 13 2017, 1:46 PM
Harbormaster completed remote builds in B12132: Diff 122721.Nov 13 2017, 1:46 PM
philip.pfaffe mentioned this in D39971: Port ScopInfo to the isl cpp bindings.Nov 13 2017, 1:53 PM
Meinersbur accepted this revision.Nov 14 2017, 6:34 AM

LGMT, thanks.

lib/Analysis/ScopInfo.cpp
4843 ↗(On Diff #122721)

Could you consider adding an assertion LoopData != LoopStack.rend() as well?

4861 ↗(On Diff #122721)

[Nit] LoopStack.size() returns size_t, no "almost-always-auto" as of LLVM coding standards.

4880 ↗(On Diff #122721)

Could you consider adding a comment on why the stack has to be popped only at the end?

This revision is now accepted and ready to land.Nov 14 2017, 6:34 AM
Meinersbur added a child revision: D39971: Port ScopInfo to the isl cpp bindings.Nov 14 2017, 7:27 AM
philip.pfaffe updated this revision to Diff 123177.Nov 16 2017, 7:05 AM

Address Review Comments

Harbormaster completed remote builds in B12238: Diff 123177.Nov 16 2017, 7:06 AM
Closed by commit rL318415: [SI] Fix a potential use-after-free (authored by pfaffe). · Explain WhyNov 16 2017, 8:35 AM
This revision was automatically updated to reflect the committed changes.

Revision Contents

PathSize
polly/
trunk/
lib/
Analysis/
33 lines

Diff 123194

polly/trunk/lib/Analysis/ScopInfo.cpp

Show First 20 LinesShow All 4,834 Lines▼ Show 20 Linesvoid Scop::buildSchedule(RegionNode *RN, LoopStackTy &LoopStack, LoopInfo &LI) {
if (RN->isSubRegion()) { if (RN->isSubRegion()) {
auto *LocalRegion = RN->getNodeAs<Region>(); auto *LocalRegion = RN->getNodeAs<Region>();
if (!isNonAffineSubRegion(LocalRegion)) { if (!isNonAffineSubRegion(LocalRegion)) {
buildSchedule(LocalRegion, LoopStack, LI); buildSchedule(LocalRegion, LoopStack, LI);
return; return;
} }
} }
auto &LoopData = LoopStack.back(); assert(LoopStack.rbegin() != LoopStack.rend());
LoopData.NumBlocksProcessed += getNumBlocksInRegionNode(RN); auto LoopData = LoopStack.rbegin();
LoopData->NumBlocksProcessed += getNumBlocksInRegionNode(RN);
for (auto *Stmt : getStmtListFor(RN)) { for (auto *Stmt : getStmtListFor(RN)) {
auto *UDomain = isl_union_set_from_set(Stmt->getDomain().release()); auto *UDomain = isl_union_set_from_set(Stmt->getDomain().release());
auto *StmtSchedule = isl_schedule_from_domain(UDomain); auto *StmtSchedule = isl_schedule_from_domain(UDomain);
LoopData.Schedule = combineInSequence(LoopData.Schedule, StmtSchedule); LoopData->Schedule = combineInSequence(LoopData->Schedule, StmtSchedule);
} }
// Check if we just processed the last node in this loop. If we did, finalize // Check if we just processed the last node in this loop. If we did, finalize
// the loop by: // the loop by:
// //
// - adding new schedule dimensions // - adding new schedule dimensions
// - folding the resulting schedule into the parent loop schedule // - folding the resulting schedule into the parent loop schedule
// - dropping the loop schedule from the LoopStack. // - dropping the loop schedule from the LoopStack.
// //
// Then continue to check surrounding loops, which might also have been // Then continue to check surrounding loops, which might also have been
// completed by this node. // completed by this node.
while (LoopData.L && size_t Dimension = LoopStack.size();
LoopData.NumBlocksProcessed == getNumBlocksInLoop(LoopData.L)) { while (LoopData->L &&
auto *Schedule = LoopData.Schedule; LoopData->NumBlocksProcessed == getNumBlocksInLoop(LoopData->L)) {
auto NumBlocksProcessed = LoopData.NumBlocksProcessed; auto *Schedule = LoopData->Schedule;
auto NumBlocksProcessed = LoopData->NumBlocksProcessed;
LoopStack.pop_back();
auto &NextLoopData = LoopStack.back(); assert(std::next(LoopData) != LoopStack.rend());
++LoopData;
--Dimension;
if (Schedule) { if (Schedule) {
isl::union_set Domain = give(isl_schedule_get_domain(Schedule)); isl::union_set Domain = give(isl_schedule_get_domain(Schedule));
isl::multi_union_pw_aff MUPA = mapToDimension(Domain, LoopStack.size()); isl::multi_union_pw_aff MUPA = mapToDimension(Domain, Dimension);
Schedule = isl_schedule_insert_partial_schedule(Schedule, MUPA.release()); Schedule = isl_schedule_insert_partial_schedule(Schedule, MUPA.release());
NextLoopData.Schedule = LoopData->Schedule = combineInSequence(LoopData->Schedule, Schedule);
combineInSequence(NextLoopData.Schedule, Schedule);
} }
NextLoopData.NumBlocksProcessed += NumBlocksProcessed; LoopData->NumBlocksProcessed += NumBlocksProcessed;
LoopData = NextLoopData;
} }
// Now pop all loops processed up there from the LoopStack
LoopStack.erase(LoopStack.begin() + Dimension, LoopStack.end());
} }
ArrayRef<ScopStmt *> Scop::getStmtListFor(BasicBlock *BB) const { ArrayRef<ScopStmt *> Scop::getStmtListFor(BasicBlock *BB) const {
auto StmtMapIt = StmtMap.find(BB); auto StmtMapIt = StmtMap.find(BB);
if (StmtMapIt == StmtMap.end()) if (StmtMapIt == StmtMap.end())
return {}; return {};
return StmtMapIt->second; return StmtMapIt->second;
} }
▲ Show 20 LinesShow All 397 LinesShow Last 20 Lines