This is an archive of the discontinued LLVM Phabricator instance.

Fix use-after-free in CodeGenPrepare
ClosedPublic

Authored by beccadax on Aug 15 2019, 7:38 PM.

Download Raw Diff

Details

Reviewers

spatel
lebedev.ri
RKSimon
craig.topper

Commits

rG0482ca8ded8c: Merging r369168: --------------------------------------------------------------…
rL369355: Merging r369168:
rGacceedb15f52: [CodeGenPrepare] Fix use-after-free
rL369168: [CodeGenPrepare] Fix use-after-free

Summary

If OptimizeExtractBits() encountered a shift instruction with no operands at all, it would erase the instruction, but still return false. This previously didn’t matter because its caller would always return after processing the instruction, but https://reviews.llvm.org/D63233 changed the function’s caller to fall through if it returned false, which would then cause a use-after-free detectable by ASAN.

This change makes OptimizeExtractBits return true if it removes a shift instruction with no users, terminating processing of the instruction.

Diff Detail

Repository: rL LLVM

Event Timeline

beccadax created this revision.Aug 15 2019, 7:38 PM

Herald added a project: Restricted Project. · View Herald TranscriptAug 15 2019, 7:38 PM

Herald added subscribers: llvm-commits, hiraditya. · View Herald Transcript

beccadax added reviewers: spatel, lebedev.ri, RKSimon.Aug 15 2019, 7:46 PM

Please file a blocker bug for https://bugs.llvm.org/show_bug.cgi?id=42474, this sounds 9.0-worthy.
This looks obviously correct (C), but wait a bit in case anyone else wants to comment.

This revision is now accepted and ready to land.Aug 15 2019, 11:47 PM

RKSimon added a reviewer: craig.topper.Aug 16 2019, 3:03 AM

LGTM - in D63233, I added a TODO that I've marked here for reference, but this appears to be a minimal/safe fix.

llvm/lib/CodeGen/CodeGenPrepare.cpp
7019 ↗	(On Diff #215530)	Alternative to this patch: act on that TODO.

I've filed a bug at https://bugs.llvm.org/show_bug.cgi?id=43021.

beccadax marked an inline comment as done.Aug 16 2019, 1:42 PM

beccadax added inline comments.

llvm/lib/CodeGen/CodeGenPrepare.cpp
7019 ↗	(On Diff #215530)	Even if I did act on the TODO, I think we would still need the fix in this patch to avoid calling optimizeShiftInst() with the freed instruction.

@spatel @lebedev.ri I don't have commit access, so could one of you commit this when you think it's had enough time for comments?

Closed by commit rL369168: [CodeGenPrepare] Fix use-after-free (authored by spatel). · Explain WhyAug 16 2019, 4:13 PM

This revision was automatically updated to reflect the committed changes.

Revision Contents

Path

Size

llvm/

trunk/

lib/

CodeGen/

CodeGenPrepare.cpp

3 lines

test/

Transforms/

CodeGenPrepare/

sink-shift-and-trunc.ll

17 lines

Diff 215706

llvm/trunk/lib/CodeGen/CodeGenPrepare.cpp

This file is larger than 256 KB, so syntax highlighting is disabled by default.

Show First 20 Lines • Show All 1,676 Lines • ▼ Show 20 Lines	if (!InsertedShift) {

MadeChange = true;		MadeChange = true;
}		}

// Replace a use of the shift with a use of the new shift.		// Replace a use of the shift with a use of the new shift.
TheUse = InsertedShift;		TheUse = InsertedShift;
}		}

// If we removed all uses, nuke the shift.		// If we removed all uses, or there are none, nuke the shift.
if (ShiftI->use_empty()) {		if (ShiftI->use_empty()) {
salvageDebugInfo(*ShiftI);		salvageDebugInfo(*ShiftI);
ShiftI->eraseFromParent();		ShiftI->eraseFromParent();
		MadeChange = true;
}		}

return MadeChange;		return MadeChange;
}		}

/// If counting leading or trailing zeros is an expensive operation and a zero		/// If counting leading or trailing zeros is an expensive operation and a zero
/// input is defined, add a check for zero to avoid calling the intrinsic.		/// input is defined, add a check for zero to avoid calling the intrinsic.
///		///
▲ Show 20 Lines • Show All 5,651 Lines • Show Last 20 Lines

llvm/trunk/test/Transforms/CodeGenPrepare/sink-shift-and-trunc.ll

Show First 20 Lines • Show All 52 Lines • ▼ Show 20 Lines	if.then17: ; preds = %if.end13
%add23 = add nsw i32 %conv22, 32, !dbg !60		%add23 = add nsw i32 %conv22, 32, !dbg !60
br label %return, !dbg !61		br label %return, !dbg !61

return: ; preds = %if.then17, %if.end13, %if.then7, %if.then		return: ; preds = %if.then17, %if.end13, %if.then7, %if.then
%retval.0 = phi i32 [ %conv, %if.then ], [ %add, %if.then7 ], [ %add23, %if.then17 ], [ 64, %if.end13 ], !dbg !62		%retval.0 = phi i32 [ %conv, %if.then ], [ %add, %if.then7 ], [ %add23, %if.then17 ], [ 64, %if.end13 ], !dbg !62
ret i32 %retval.0, !dbg !63		ret i32 %retval.0, !dbg !63
}		}

		; CodeGenPrepare was erasing the unused lshr instruction, but then further
		; processing the instruction after it was freed. If this bug is still present,
		; this test will always crash in an LLVM built with ASAN enabled, and may
		; crash even if ASAN is not enabled.

		define i32 @shift_unused(i32 %a) {
		; CHECK-LABEL: @shift_unused(
		; CHECK-NEXT: BB2:
		; CHECK-NEXT: ret i32 [[A:%.*]]
		;
		%as = lshr i32 %a, 3
		br label %BB2

		BB2:
		ret i32 %a
		}

; CHECK: [[shift1_loc]] = !DILocation(line: 1		; CHECK: [[shift1_loc]] = !DILocation(line: 1
; CHECK: [[trunc1_loc]] = !DILocation(line: 2		; CHECK: [[trunc1_loc]] = !DILocation(line: 2
; CHECK: [[shift2_loc]] = !DILocation(line: 3		; CHECK: [[shift2_loc]] = !DILocation(line: 3

declare void @llvm.dbg.value(metadata, metadata, metadata) #1		declare void @llvm.dbg.value(metadata, metadata, metadata) #1

attributes #0 = { nounwind readonly ssp }		attributes #0 = { nounwind readonly ssp }
attributes #1 = { nounwind readnone speculatable }		attributes #1 = { nounwind readnone speculatable }
▲ Show 20 Lines • Show All 42 Lines • Show Last 20 Lines