From a7202bdbedae69cd5feade4631eb61914c79e5fa Mon Sep 17 00:00:00 2001 From: Michael Ilseman Date: Wed, 5 Nov 2014 21:28:24 +0000 Subject: [PATCH] Fix heap-use-after-free bug in expandSDiv when the operands are constants, as discovered by ASAN. Patch by Mehdi Amini! llvm-svn: 221401 --- llvm/lib/Transforms/Utils/IntegerDivision.cpp | 16 ++++++++++------ 1 file changed, 10 insertions(+), 6 deletions(-) diff --git a/llvm/lib/Transforms/Utils/IntegerDivision.cpp b/llvm/lib/Transforms/Utils/IntegerDivision.cpp index 9f91eeb..0ae746c 100644 --- a/llvm/lib/Transforms/Utils/IntegerDivision.cpp +++ b/llvm/lib/Transforms/Utils/IntegerDivision.cpp @@ -398,11 +398,13 @@ bool llvm::expandRemainder(BinaryOperator *Rem) { Rem->dropAllReferences(); Rem->eraseFromParent(); - // If we didn't actually generate a udiv instruction, we're done - BinaryOperator *BO = dyn_cast(Builder.GetInsertPoint()); - if (!BO || BO->getOpcode() != Instruction::URem) + // If we didn't actually generate an urem instruction, we're done + // This happens for example if the input were constant. In this case the + // Builder insertion point was unchanged + if (Rem == Builder.GetInsertPoint()) return true; + BinaryOperator *BO = dyn_cast(Builder.GetInsertPoint()); Rem = BO; } @@ -456,11 +458,13 @@ bool llvm::expandDivision(BinaryOperator *Div) { Div->dropAllReferences(); Div->eraseFromParent(); - // If we didn't actually generate a udiv instruction, we're done - BinaryOperator *BO = dyn_cast(Builder.GetInsertPoint()); - if (!BO || BO->getOpcode() != Instruction::UDiv) + // If we didn't actually generate an udiv instruction, we're done + // This happens for example if the input were constant. In this case the + // Builder insertion point was unchanged + if (Div == Builder.GetInsertPoint()) return true; + BinaryOperator *BO = dyn_cast(Builder.GetInsertPoint()); Div = BO; } -- 2.7.4