This is an archive of the discontinued LLVM Phabricator instance.

Differential D62624

[InstCombine] Avoid use after free in DenseMap, when built with GCC
ClosedPublic

Authored by mstorsjo on May 29 2019, 1:18 PM.

Details

Reviewers
sbaranga
rnk
chandlerc
Commits
rG0fe645c0866b: [InstCombine] Avoid use after free in DenseMap, when built with GCC
rL362150: [InstCombine] Avoid use after free in DenseMap, when built with GCC
Summary

In a statement like Map[A] = Map[B], first the right hand side is evaluated as a reference, then left hand side is evaluated. If the left hand side operator[] invocation grows the map, the previous reference may be invalidated.

GCC seems to dereference the right hand side reference only after evaluating the left hand side, while Clang dereferences it before. (If the value type is larger type, Clang also dereferences it after the left hand side operator[] call.)

With GCC, a cast to Value* isn't enough to make it dereference the right hand side reference before invoking (while that is enough to make Clang/LLVM do the right thing for larger types), but storing it in an intermediate variable in a separate statement works.

Diff Detail

Event Timeline

mstorsjo created this revision.May 29 2019, 1:18 PM
Herald added a project: Restricted Project. · View Herald TranscriptMay 29 2019, 1:18 PM
mstorsjo added a comment.May 29 2019, 1:19 PM

FWIW, I can provide a small repro case that highlights the issue and file it as a bug, if you want.

mstorsjo added a comment.May 29 2019, 1:58 PM

Testcase and slightly longer description is available at https://bugs.llvm.org/show_bug.cgi?id=42065.

sbaranga accepted this revision.May 30 2019, 4:09 AM

Thanks, LGTM!

This revision is now accepted and ready to land.May 30 2019, 4:09 AM
Closed by commit rL362150: [InstCombine] Avoid use after free in DenseMap, when built with GCC (authored by mstorsjo). · Explain WhyMay 30 2019, 1:53 PM
This revision was automatically updated to reflect the committed changes.

Revision Contents

PathSize
lib/
Transforms/
InstCombine/
5 lines

Diff 202039

lib/Transforms/InstCombine/InstCombineCompares.cpp

Show First 20 LinesShow All 697 Lines▼ Show 20 Linesstatic Value *rewriteGEPAsOffset(Value *Start, Value *Base,
// Create all the other instructions. // Create all the other instructions.
for (Value *Val : Explored) { for (Value *Val : Explored) {
if (NewInsts.find(Val) != NewInsts.end()) if (NewInsts.find(Val) != NewInsts.end())
continue; continue;
if (auto *CI = dyn_cast<CastInst>(Val)) { if (auto *CI = dyn_cast<CastInst>(Val)) {
NewInsts[CI] = NewInsts[CI->getOperand(0)]; // Don't get rid of the intermediate variable here; the store can grow
// the map which will invalidate the reference to the input value.
Value *V = NewInsts[CI->getOperand(0)];
NewInsts[CI] = V;
continue; continue;
} }
if (auto *GEP = dyn_cast<GEPOperator>(Val)) { if (auto *GEP = dyn_cast<GEPOperator>(Val)) {
Value *Index = NewInsts[GEP->getOperand(1)] ? NewInsts[GEP->getOperand(1)] Value *Index = NewInsts[GEP->getOperand(1)] ? NewInsts[GEP->getOperand(1)]
: GEP->getOperand(1); : GEP->getOperand(1);
setInsertionPoint(Builder, GEP); setInsertionPoint(Builder, GEP);
// Indices might need to be sign extended. GEPs will magically do // Indices might need to be sign extended. GEPs will magically do
// this, but we need to do it ourselves here. // this, but we need to do it ourselves here.
▲ Show 20 LinesShow All 991 LinesShow Last 20 Lines