Date:      Sun, 29 May 2016 20:54:16 +0000 (UTC)
From:      Dimitry Andric <dim@FreeBSD.org>
To:        src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-head@freebsd.org
Subject:   svn commit: r300974 - head/contrib/llvm/lib/Transforms/Vectorize
Message-ID:  <201605292054.u4TKsGHU027894@repo.freebsd.org>

Author: dim
Date: Sun May 29 20:54:16 2016
New Revision: 300974
URL: https://svnweb.freebsd.org/changeset/base/300974

Log:
  Pull in r269908 from upstream llvm trunk (by James Molloy):
  
    [VectorUtils] Fix nasty use-after-free
  
    In truncateToMinimalBitwidths() we were RAUW'ing an instruction then
    erasing it. However, that instruction could be cached in the map we're
    iterating over. The first check is "I->use_empty()" which in most
    cases would return true, as the (deleted) object was RAUW'd first so
    would have zero use count. However in some cases the object could
    have been polluted or written over and this wouldn't be the case.
    Also it makes valgrind, asan and traditionalists who don't like their
    compiler to crash sad.
  
    No testcase as there are no externally visible symptoms apart from a
    crash if the stars align.
  
    Fixes PR26509.
  
  This should fix crashes when building a number of ports on arm64.
  
  Reported by:	andrew

Modified:
  head/contrib/llvm/lib/Transforms/Vectorize/LoopVectorize.cpp

Modified: head/contrib/llvm/lib/Transforms/Vectorize/LoopVectorize.cpp
==============================================================================
--- head/contrib/llvm/lib/Transforms/Vectorize/LoopVectorize.cpp	Sun May 29 20:28:01 2016	(r300973)
+++ head/contrib/llvm/lib/Transforms/Vectorize/LoopVectorize.cpp	Sun May 29 20:54:16 2016	(r300974)
@@ -3161,10 +3161,11 @@ void InnerLoopVectorizer::truncateToMini
   // truncated version of `I` and reextend its result. InstCombine runs
   // later and will remove any ext/trunc pairs.
   //
+  SmallPtrSet<Value *, 4> Erased;
   for (auto &KV : MinBWs) {
     VectorParts &Parts = WidenMap.get(KV.first);
     for (Value *&I : Parts) {
-      if (I->use_empty())
+      if (Erased.count(I) || I->use_empty())
         continue;
       Type *OriginalTy = I->getType();
       Type *ScalarTruncatedTy = IntegerType::get(OriginalTy->getContext(),
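Review bot: In the new condition `if (Erased.count(I) || I->use_empty())` the operand order is load-bearing and nothing in the code says so. `Erased.count(I)` only compares the pointer value, while `I->use_empty()` dereferences it, so the set lookup has to short-circuit first for an `I` that was already erased. A one-line comment above the check would keep a later cleanup from swapping the operands, and a comment at the `SmallPtrSet<Value *, 4> Erased;` declaration should state that the set holds pointers to freed instructions that may be compared but never dereferenced.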
@@ -3238,6 +3239,7 @@ void InnerLoopVectorizer::truncateToMini
       Value *Res = B.CreateZExtOrTrunc(NewI, OriginalTy);
       I->replaceAllUsesWith(Res);
       cast<Instruction>(I)->eraseFromParent();
+      Erased.insert(I);
       I = Res;
     }
   }
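Review bot: `I = Res` repairs only the one slot bound by `Value *&I`, so any other slot that cached the same instruction still holds a dangling pointer after `eraseFromParent()` and is safe only because `Erased` causes it to be skipped inside this loop. `Erased.insert(I)` itself is fine after the erase, since it stores the pointer value without dereferencing it. Consider a comment here saying that stale copies can remain in the cached parts once the loop finishes, or rewriting those copies to `Res` as well so no freed pointer outlives this function's loop.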


