This is an archive of the discontinued LLVM Phabricator instance.

Differential D95112

X86: Fix use-after-realloc in X86AsmParser::ParseIntelExpression
ClosedPublic

Authored by dexonsmith on Jan 20 2021, 7:03 PM.

Details

Reviewers
dblaikie
Commits
rGf2fd41d7897e: X86: Fix use-after-realloc in X86AsmParser::ParseIntelExpression
Summary

X86AsmParser::ParseIntelExpression has a while loop. In the body,
calls to MCAsmLexer::UnLex can force a reallocation in the MCAsmLexer's
CurToken SmallVector, invalidating saved references to
MCAsmLexer::getTok().

const MCAsmToken &Tok is such a saved reference, and this moves it
from outside the while loop to inside the body, fixing a
use-after-realloc.

Tok will still be reused across calls to Lex(), each of which
effectively destroys and constructs the pointed-to token. I'm a bit
skeptical of this usage pattern, but it seems broadly used in the
X86AsmParser (and others) so I'm leaving it alone (for now).

Somehow this bug was exposed by https://reviews.llvm.org/D94739,
resulting in test failures in dot-operator related tests in
llvm/test/tools/llvm-ml. I suspect the exposure path is related to
optimizer changes from splitting up the grow operation, but I haven't
dug all the way in. Regardless, there are already tests in tree that
cover this; they might fail consistently if we added ASan
instrumentation to SmallVector.

Diff Detail

Event Timeline

dexonsmith created this revision.Jan 20 2021, 7:03 PM
Herald added subscribers: ributzka, pengfei, hiraditya. · View Herald TranscriptJan 20 2021, 7:03 PM
dexonsmith requested review of this revision.Jan 20 2021, 7:03 PM
Herald added a project: Restricted Project. · View Herald TranscriptJan 20 2021, 7:03 PM
dexonsmith edited the summary of this revision. (Show Details)Jan 20 2021, 7:05 PM
dexonsmith edited the summary of this revision. (Show Details)
dexonsmith added a child revision: D94739: ADT: Fix reference invalidation in SmallVector::emplace_back and the size+value version of SmallVector::assign.
dexonsmith added a comment.Jan 20 2021, 7:08 PM

(I had intended to reference https://reviews.llvm.org/D94739... not sure why it took me three tries to get the right link.)

@dblaikie, I've added you here since you reviewed the SmallVector patch that triggered the problem, but let me know if you'd rather I found another reviewer. In case it's helpful, the Lex and UnLex functions are defined at https://github.com/llvm/llvm-project/blob/main/llvm/include/llvm/MC/MCParser/MCAsmLexer.h#L77.

dexonsmith mentioned this in D94739: ADT: Fix reference invalidation in SmallVector::emplace_back and the size+value version of SmallVector::assign.Jan 20 2021, 7:10 PM
dexonsmith updated this revision to Diff 318091.Jan 20 2021, 7:15 PM

Remove an unrelated whitespace change.

dblaikie accepted this revision.Jan 20 2021, 9:23 PM

Sounds plausible enough to me.

Would be nice to have the asm annotations on SmallVector to back that up/make the codebase more robust.

This revision is now accepted and ready to land.Jan 20 2021, 9:23 PM
Harbormaster completed remote builds in B86028: Diff 318089.Jan 20 2021, 11:10 PM
Closed by commit rGf2fd41d7897e: X86: Fix use-after-realloc in X86AsmParser::ParseIntelExpression (authored by dexonsmith). · Explain WhyJan 21 2021, 11:24 AM
This revision was automatically updated to reflect the committed changes.
dexonsmith added a commit: rGf2fd41d7897e: X86: Fix use-after-realloc in X86AsmParser::ParseIntelExpression.

Revision Contents

PathSize
llvm/
lib/
Target/
X86/
AsmParser/
5 lines

Diff 318263

llvm/lib/Target/X86/AsmParser/X86AsmParser.cpp

Show First 20 LinesShow All 1,836 Lines▼ Show 20 Lines if (Name.equals_lower("eq")) {
return false; return false;
} }
End = consumeToken(); End = consumeToken();
return true; return true;
} }
bool X86AsmParser::ParseIntelExpression(IntelExprStateMachine &SM, SMLoc &End) { bool X86AsmParser::ParseIntelExpression(IntelExprStateMachine &SM, SMLoc &End) {
MCAsmParser &Parser = getParser(); MCAsmParser &Parser = getParser();
const AsmToken &Tok = Parser.getTok();
StringRef ErrMsg; StringRef ErrMsg;
AsmToken::TokenKind PrevTK = AsmToken::Error; AsmToken::TokenKind PrevTK = AsmToken::Error;
bool Done = false; bool Done = false;
while (!Done) { while (!Done) {
// Get a fresh reference on each loop iteration in case the previous
// iteration moved the token storage during UnLex().
const AsmToken &Tok = Parser.getTok();
bool UpdateLocLex = true; bool UpdateLocLex = true;
AsmToken::TokenKind TK = getLexer().getKind(); AsmToken::TokenKind TK = getLexer().getKind();
switch (TK) { switch (TK) {
default: default:
if ((Done = SM.isValidEndState())) if ((Done = SM.isValidEndState()))
break; break;
return Error(Tok.getLoc(), "unknown token in expression"); return Error(Tok.getLoc(), "unknown token in expression");
▲ Show 20 LinesShow All 3,125 LinesShow Last 20 Lines