
Commit 546f32d

authored
[flang][CodeGen] Fix use-after-free in BoxedProcedurePass (#84376)
Avoid inspecting an operation that has been replaced. This was detected by address sanitizer.
1 parent aec9283 commit 546f32d


1 file changed

+10
-1
lines changed


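--- a/flang/lib/Optimizer/CodeGen/BoxedProcedure.cpp
+++ b/flang/lib/Optimizer/CodeGen/BoxedProcedure.cpp
@@ -209,6 +209,7 @@ class BoxedProcedurePass
 BoxprocTypeRewriter typeConverter(mlir::UnknownLoc::get(context));
 mlir::Dialect *firDialect = context->getLoadedDialect("fir");
 getModule().walk([&](mlir::Operation *op) {
+bool opIsValid = true;
 typeConverter.setLocation(op->getLoc());
 if (auto addr = mlir::dyn_cast<BoxAddrOp>(op)) {
 mlir::Type ty = addr.getVal().getType();
@@ -220,6 +221,7 @@ class BoxedProcedurePass
 rewriter.setInsertionPoint(addr);
 rewriter.replaceOpWithNewOp<ConvertOp>(
 addr, typeConverter.convertType(addr.getType()), addr.getVal());
+opIsValid = false;
 } else if (typeConverter.needsConversion(resTy)) {
 rewriter.startOpModification(op);
 op->getResult(0).setType(typeConverter.convertType(resTy));
@@ -271,10 +273,12 @@ class BoxedProcedurePass
 llvm::ArrayRef<mlir::Value>{tramp});
 rewriter.replaceOpWithNewOp<ConvertOp>(embox, toTy,
 adjustCall.getResult(0));
+opIsValid = false;
 } else {
 // Just forward the function as a pointer.
 rewriter.replaceOpWithNewOp<ConvertOp>(embox, toTy,
 embox.getFunc());
+opIsValid = false;
 }
 } else if (auto global = mlir::dyn_cast<GlobalOp>(op)) {
 auto ty = global.getType();
@@ -297,6 +301,7 @@ class BoxedProcedurePass
 rewriter.replaceOpWithNewOp<AllocaOp>(
 mem, toTy, uniqName, bindcName, isPinned, mem.getTypeparams(),
 mem.getShape());
+opIsValid = false;
 }
 } else if (auto mem = mlir::dyn_cast<AllocMemOp>(op)) {
 auto ty = mem.getType();
@@ -310,6 +315,7 @@ class BoxedProcedurePass
 rewriter.replaceOpWithNewOp<AllocMemOp>(
 mem, toTy, uniqName, bindcName, mem.getTypeparams(),
 mem.getShape());
+opIsValid = false;
 }
 } else if (auto coor = mlir::dyn_cast<CoordinateOp>(op)) {
 auto ty = coor.getType();
@@ -321,6 +327,7 @@ class BoxedProcedurePass
 auto toBaseTy = typeConverter.convertType(baseTy);
 rewriter.replaceOpWithNewOp<CoordinateOp>(coor, toTy, coor.getRef(),
 coor.getCoor(), toBaseTy);
+opIsValid = false;
 }
 } else if (auto index = mlir::dyn_cast<FieldIndexOp>(op)) {
 auto ty = index.getType();
@@ -332,6 +339,7 @@ class BoxedProcedurePass
 auto toOnTy = typeConverter.convertType(onTy);
 rewriter.replaceOpWithNewOp<FieldIndexOp>(
 index, toTy, index.getFieldId(), toOnTy, index.getTypeparams());
+opIsValid = false;
 }
 } else if (auto index = mlir::dyn_cast<LenParamIndexOp>(op)) {
 auto ty = index.getType();
@@ -343,6 +351,7 @@ class BoxedProcedurePass
 auto toOnTy = typeConverter.convertType(onTy);
 rewriter.replaceOpWithNewOp<LenParamIndexOp>(
 index, toTy, index.getFieldId(), toOnTy, index.getTypeparams());
+opIsValid = false;
 }
 } else if (op->getDialect() == firDialect) {
 rewriter.startOpModification(op);
@@ -354,7 +363,7 @@ class BoxedProcedurePass
 rewriter.finalizeOpModification(op);
 }
 // Ensure block arguments are updated if needed.
-if (op->getNumRegions() != 0) {
+if (opIsValid && op->getNumRegions() != 0) {
 rewriter.startOpModification(op);
 for (mlir::Region &region : op->getRegions())
 for (mlir::Block &block : region.getBlocks())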
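Review bot: The `opIsValid` flag declared at new line 212 has to be cleared by hand after every `replaceOpWithNewOp` call, and nothing ties the two together. A later branch that replaces `op` and omits the assignment would bring back the use-after-free at the `op->getNumRegions()` check on new line 366. A comment on the declaration would state the invariant for the next person adding a case, for example `// Cleared once op has been replaced; op is dangling from then on and must not be dereferenced.` The description says AddressSanitizer found the bug, and this commit changes only the one source file, so a regression test that drives the replacing branches under a sanitizer build would help keep it caught. The walk lambda starts before the first hunk and continues past the last one, so uses of `op` after line 369 are not visible here.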
