------------------------------------------------------------------------
r369168 | spatel | 2019-08-17 01:10:34 +0200 (Sat, 17 Aug 2019) | 16 lines
[CodeGenPrepare] Fix use-after-free
If OptimizeExtractBits() encountered a shift instruction with no operands at all,
it would erase the instruction, but still return false.
This previously didn’t matter because its caller would always return after
processing the instruction, but https://reviews.llvm.org/D63233 changed the
function’s caller to fall through if it returned false, which would then cause
a use-after-free detectable by ASAN.
This change makes OptimizeExtractBits return true if it removes a shift
instruction with no users, terminating processing of the instruction.
Patch by: @brentdax (Brent Royal-Gordon)
Differential Revision: https://reviews.llvm.org/D66330
------------------------------------------------------------------------
git-svn-id: https://llvm.org/svn/llvm-project/llvm/branches/release_90@369355
91177308-0d34-0410-b5e6-
96231b3b80d8
TheUse = InsertedShift;
}
- // If we removed all uses, nuke the shift.
+ // If we removed all uses, or there are none, nuke the shift.
if (ShiftI->use_empty()) {
salvageDebugInfo(*ShiftI);
ShiftI->eraseFromParent();
+ MadeChange = true;
}
return MadeChange;
ret i32 %retval.0, !dbg !63
}
+; CodeGenPrepare was erasing the unused lshr instruction, but then further
+; processing the instruction after it was freed. If this bug is still present,
+; this test will always crash in an LLVM built with ASAN enabled, and may
+; crash even if ASAN is not enabled.
+
+define i32 @shift_unused(i32 %a) {
+; CHECK-LABEL: @shift_unused(
+; CHECK-NEXT: BB2:
+; CHECK-NEXT: ret i32 [[A:%.*]]
+;
+ %as = lshr i32 %a, 3
+ br label %BB2
+
+BB2:
+ ret i32 %a
+}
+
; CHECK: [[shift1_loc]] = !DILocation(line: 1
; CHECK: [[trunc1_loc]] = !DILocation(line: 2
; CHECK: [[shift2_loc]] = !DILocation(line: 3
projects / llvm / commitdiff