From cdfc678572d60af414daf56a5f2f5811f7e6ca31 Mon Sep 17 00:00:00 2001 From: Sjoerd Meijer Date: Tue, 5 Oct 2021 12:12:39 +0100 Subject: [PATCH] [SCCPSolver] Fix use-after-free in markArgInFuncSpecialization In SCCPSolver::markArgInFuncSpecialization, the ValueState map may be reallocated *after* the initial ValueLatticeElement reference is grabbed, but *before* its use in copy initialization. This causes a use-after-free. To fix this, this commit changes the behavior to create the new ValueLatticeElement before assigning the old one to it. Patch by: https://github.com/duck-37/ Differential Revision: https://reviews.llvm.org/D111112 --- llvm/lib/Transforms/Utils/SCCPSolver.cpp | 10 ++++++++-- 1 file changed, 8 insertions(+), 2 deletions(-) diff --git a/llvm/lib/Transforms/Utils/SCCPSolver.cpp b/llvm/lib/Transforms/Utils/SCCPSolver.cpp index 4cf99ab..4475474 100644 --- a/llvm/lib/Transforms/Utils/SCCPSolver.cpp +++ b/llvm/lib/Transforms/Utils/SCCPSolver.cpp @@ -540,8 +540,14 @@ void SCCPInstVisitor::markArgInFuncSpecialization(Function *F, Argument *A, E = F->arg_end(); I != E; ++I, ++J) if (J != A && ValueState.count(I)) { - ValueState[J] = ValueState[I]; - pushToWorkList(ValueState[J], J); + // Note: This previously looked like this: + // ValueState[J] = ValueState[I]; + // This is incorrect because the DenseMap class may resize the underlying + // memory when inserting `J`, which will invalidate the reference to `I`. + // Instead, we make sure `J` exists, then set it to `I` afterwards. + auto &NewValue = ValueState[J]; + NewValue = ValueState[I]; + pushToWorkList(NewValue, J); } } -- 2.7.4