This is an archive of the discontinued LLVM Phabricator instance.

Paths

Table of Contentst

-
lib/Analysis/
-
Analysis/
3
ScopInfo.cpp

Differential D39979

[Polly][SI] Fix a potential use-after-free
ClosedPublic

Authored by philip.pfaffe on Nov 13 2017, 1:46 PM.

Download Raw Diff

Details

Reviewers

grosser
bollu
Meinersbur

Commits

rG8dd0f479e89e: [SI] Fix a potential use-after-free
rPLO318415: [SI] Fix a potential use-after-free
rL318415: [SI] Fix a potential use-after-free

Summary

There is a potential use-after-free bug in Scop::buildSchedule(Region *,
LoopStackTy &, LoopInfo &). Before, we took a reference to LoopStack.back()
which is a use after free, since back is popped off further below. This didn't
crash before by pure chance, since LoopStack is actually a vector, and the
memory isn't freed upon pop. I turned this into an iterator-based algorithm.

Diff Detail

Build Status

Buildable 12132
Build 12132: arc lint + arc unit

Event Timeline

philip.pfaffe created this revision.Nov 13 2017, 1:46 PM

Harbormaster completed remote builds in B12132: Diff 122721.Nov 13 2017, 1:46 PM

philip.pfaffe mentioned this in D39971: Port ScopInfo to the isl cpp bindings.Nov 13 2017, 1:53 PM

LGMT, thanks.

lib/Analysis/ScopInfo.cpp
4843	Could you consider adding an assertion `LoopData != LoopStack.rend()` as well?
4861	[Nit] `LoopStack.size()` returns `size_t`, no "almost-always-auto" as of LLVM coding standards.
4880	Could you consider adding a comment on why the stack has to be popped only at the end?

This revision is now accepted and ready to land.Nov 14 2017, 6:34 AM

Meinersbur added a child revision: D39971: Port ScopInfo to the isl cpp bindings.Nov 14 2017, 7:27 AM

Address Review Comments

Harbormaster completed remote builds in B12238: Diff 123177.Nov 16 2017, 7:06 AM

Closed by commit rL318415: [SI] Fix a potential use-after-free (authored by pfaffe). · Explain WhyNov 16 2017, 8:35 AM

This revision was automatically updated to reflect the committed changes.

Revision Contents

Path

Size

lib/

Analysis/

ScopInfo.cpp

29 lines

Diff 122721

lib/Analysis/ScopInfo.cpp

Show First 20 Lines • Show All 4,834 Lines • ▼ Show 20 Lines	void Scop::buildSchedule(RegionNode *RN, LoopStackTy &LoopStack, LoopInfo &LI) {
if (RN->isSubRegion()) {		if (RN->isSubRegion()) {
auto *LocalRegion = RN->getNodeAs<Region>();		auto *LocalRegion = RN->getNodeAs<Region>();
if (!isNonAffineSubRegion(LocalRegion)) {		if (!isNonAffineSubRegion(LocalRegion)) {
buildSchedule(LocalRegion, LoopStack, LI);		buildSchedule(LocalRegion, LoopStack, LI);
return;		return;
}		}
}		}

auto &LoopData = LoopStack.back();		auto LoopData = LoopStack.rbegin();
		MeinersburUnsubmitted Not Done Reply Inline Actions Could you consider adding an assertion `LoopData != LoopStack.rend()` as well? Meinersbur: Could you consider adding an assertion `LoopData != LoopStack.rend()` as well?
LoopData.NumBlocksProcessed += getNumBlocksInRegionNode(RN);		LoopData->NumBlocksProcessed += getNumBlocksInRegionNode(RN);

for (auto *Stmt : getStmtListFor(RN)) {		for (auto *Stmt : getStmtListFor(RN)) {
auto *UDomain = isl_union_set_from_set(Stmt->getDomain().release());		auto *UDomain = isl_union_set_from_set(Stmt->getDomain().release());
auto *StmtSchedule = isl_schedule_from_domain(UDomain);		auto *StmtSchedule = isl_schedule_from_domain(UDomain);
LoopData.Schedule = combineInSequence(LoopData.Schedule, StmtSchedule);		LoopData->Schedule = combineInSequence(LoopData->Schedule, StmtSchedule);
}		}

// Check if we just processed the last node in this loop. If we did, finalize		// Check if we just processed the last node in this loop. If we did, finalize
// the loop by:		// the loop by:
//		//
// - adding new schedule dimensions		// - adding new schedule dimensions
// - folding the resulting schedule into the parent loop schedule		// - folding the resulting schedule into the parent loop schedule
// - dropping the loop schedule from the LoopStack.		// - dropping the loop schedule from the LoopStack.
//		//
// Then continue to check surrounding loops, which might also have been		// Then continue to check surrounding loops, which might also have been
// completed by this node.		// completed by this node.
while (LoopData.L &&		auto Dimension = LoopStack.size();
		MeinersburUnsubmitted Not Done Reply Inline Actions [Nit] `LoopStack.size()` returns `size_t`, no "almost-always-auto" as of LLVM coding standards. Meinersbur: [Nit] `LoopStack.size()` returns `size_t`, no "almost-always-auto" as of [[ https://llvm.
LoopData.NumBlocksProcessed == getNumBlocksInLoop(LoopData.L)) {		while (LoopData->L &&
auto *Schedule = LoopData.Schedule;		LoopData->NumBlocksProcessed == getNumBlocksInLoop(LoopData->L)) {
auto NumBlocksProcessed = LoopData.NumBlocksProcessed;		auto *Schedule = LoopData->Schedule;
		auto NumBlocksProcessed = LoopData->NumBlocksProcessed;
LoopStack.pop_back();
auto &NextLoopData = LoopStack.back();		assert(std::next(LoopData) != LoopStack.rend());
		++LoopData;
		--Dimension;

if (Schedule) {		if (Schedule) {
isl::union_set Domain = give(isl_schedule_get_domain(Schedule));		isl::union_set Domain = give(isl_schedule_get_domain(Schedule));
isl::multi_union_pw_aff MUPA = mapToDimension(Domain, LoopStack.size());		isl::multi_union_pw_aff MUPA = mapToDimension(Domain, Dimension);
Schedule = isl_schedule_insert_partial_schedule(Schedule, MUPA.release());		Schedule = isl_schedule_insert_partial_schedule(Schedule, MUPA.release());
NextLoopData.Schedule =		LoopData->Schedule = combineInSequence(LoopData->Schedule, Schedule);
combineInSequence(NextLoopData.Schedule, Schedule);
}		}

NextLoopData.NumBlocksProcessed += NumBlocksProcessed;		LoopData->NumBlocksProcessed += NumBlocksProcessed;
LoopData = NextLoopData;
}		}
		LoopStack.erase(LoopStack.begin() + Dimension, LoopStack.end());
		MeinersburUnsubmitted Not Done Reply Inline Actions Could you consider adding a comment on why the stack has to be popped only at the end? Meinersbur: Could you consider adding a comment on why the stack has to be popped only at the end?
}		}

ArrayRef<ScopStmt > Scop::getStmtListFor(BasicBlock BB) const {		ArrayRef<ScopStmt > Scop::getStmtListFor(BasicBlock BB) const {
auto StmtMapIt = StmtMap.find(BB);		auto StmtMapIt = StmtMap.find(BB);
if (StmtMapIt == StmtMap.end())		if (StmtMapIt == StmtMap.end())
return {};		return {};
return StmtMapIt->second;		return StmtMapIt->second;
}		}
▲ Show 20 Lines • Show All 397 Lines • Show Last 20 Lines