[LoongArch] Fix assertion failure for annotate tablejump #140907
Merged
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Fix a use-after-free issue related to annotateTableJump in the LoongArch target. Previously, LoongArchPreRAExpandPseudo::annotateTableJump() recorded a reference to a MachineOperand representing a jump table index. However, later optimizations such as the BranchFolder pass may delete the instruction containing this operand, leaving a dangling reference. This led to an assertion failure in LoongArchAsmPrinter::emitJumpTableInfo() when trying to access a freed MachineOperand via getIndex(). The fix avoids holding a reference to the MachineOperand. Instead, we extract and store the jump table index at the time of annotation. During emitJumpTableInfo(), we verify whether the recorded index still exists in the MachineFunction's jump table. If not, we skip emission for that entry. Fixes llvm#140904
|
@llvm/pr-subscribers-backend-loongarch Author: hev (heiher) ChangesFix a use-after-free issue related to annotateTableJump in the LoongArch target. Previously, This led to an assertion failure in The fix avoids holding a reference to the MachineOperand. Instead, we extract and store the jump table index at the time of annotation. During Fixes #140904 Full diff: https://github.com/llvm/llvm-project/pull/140907.diff 3 Files Affected:
diff --git a/llvm/lib/Target/LoongArch/LoongArchAsmPrinter.cpp b/llvm/lib/Target/LoongArch/LoongArchAsmPrinter.cpp
index 0672570c4dcd0..9181e539f75cb 100644
--- a/llvm/lib/Target/LoongArch/LoongArchAsmPrinter.cpp
+++ b/llvm/lib/Target/LoongArch/LoongArchAsmPrinter.cpp
@@ -265,13 +265,16 @@ void LoongArchAsmPrinter::emitJumpTableInfo() {
assert(TM.getTargetTriple().isOSBinFormatELF());
- unsigned Size = getDataLayout().getPointerSize();
auto *LAFI = MF->getInfo<LoongArchMachineFunctionInfo>();
unsigned EntrySize = LAFI->getJumpInfoSize();
+ auto JTI = MF->getJumpTableInfo();
- if (0 == EntrySize)
+ if (!JTI || 0 == EntrySize)
return;
+ unsigned Size = getDataLayout().getPointerSize();
+ auto JT = JTI->getJumpTables();
+
// Emit an additional section to store the correlation info as pairs of
// addresses, each pair contains the address of a jump instruction (jr) and
// the address of the jump table.
@@ -279,14 +282,15 @@ void LoongArchAsmPrinter::emitJumpTableInfo() {
".discard.tablejump_annotate", ELF::SHT_PROGBITS, 0));
for (unsigned Idx = 0; Idx < EntrySize; ++Idx) {
+ int JTIIdx = LAFI->getJumpInfoJTIIndex(Idx);
+ if (JT[JTIIdx].MBBs.empty())
+ continue;
OutStreamer->emitValue(
MCSymbolRefExpr::create(LAFI->getJumpInfoJrMI(Idx)->getPreInstrSymbol(),
OutContext),
Size);
OutStreamer->emitValue(
- MCSymbolRefExpr::create(
- GetJTISymbol(LAFI->getJumpInfoJTIMO(Idx)->getIndex()), OutContext),
- Size);
+ MCSymbolRefExpr::create(GetJTISymbol(JTIIdx), OutContext), Size);
}
}
diff --git a/llvm/lib/Target/LoongArch/LoongArchExpandPseudoInsts.cpp b/llvm/lib/Target/LoongArch/LoongArchExpandPseudoInsts.cpp
index 9e9c65a041bf7..7aef4ab53e4ea 100644
--- a/llvm/lib/Target/LoongArch/LoongArchExpandPseudoInsts.cpp
+++ b/llvm/lib/Target/LoongArch/LoongArchExpandPseudoInsts.cpp
@@ -636,7 +636,8 @@ void LoongArchPreRAExpandPseudo::annotateTableJump(
if (MO.isJTI()) {
MBBI->setPreInstrSymbol(
*MF, MF->getContext().createNamedTempSymbol("jrtb_"));
- MF->getInfo<LoongArchMachineFunctionInfo>()->setJumpInfo(&*MBBI, &MO);
+ MF->getInfo<LoongArchMachineFunctionInfo>()->setJumpInfo(
+ &*MBBI, MO.getIndex());
IsFound = true;
return;
}
diff --git a/llvm/lib/Target/LoongArch/LoongArchMachineFunctionInfo.h b/llvm/lib/Target/LoongArch/LoongArchMachineFunctionInfo.h
index daa47c4dc7e32..904985c189dba 100644
--- a/llvm/lib/Target/LoongArch/LoongArchMachineFunctionInfo.h
+++ b/llvm/lib/Target/LoongArch/LoongArchMachineFunctionInfo.h
@@ -41,7 +41,7 @@ class LoongArchMachineFunctionInfo : public MachineFunctionInfo {
/// Pairs of `jr` instructions and corresponding JTI operands, used for the
/// `annotate-tablejump` option.
- SmallVector<std::pair<MachineInstr *, MachineOperand *>, 4> JumpInfos;
+ SmallVector<std::pair<MachineInstr *, int>, 4> JumpInfos;
public:
LoongArchMachineFunctionInfo(const Function &F,
@@ -76,14 +76,12 @@ class LoongArchMachineFunctionInfo : public MachineFunctionInfo {
return is_contained(SExt32Registers, Reg);
}
- void setJumpInfo(MachineInstr *JrMI, MachineOperand *JTIMO) {
- JumpInfos.push_back(std::make_pair(JrMI, JTIMO));
+ void setJumpInfo(MachineInstr *JrMI, int JTIIdx) {
+ JumpInfos.push_back(std::make_pair(JrMI, JTIIdx));
}
unsigned getJumpInfoSize() { return JumpInfos.size(); }
MachineInstr *getJumpInfoJrMI(unsigned Idx) { return JumpInfos[Idx].first; }
- MachineOperand *getJumpInfoJTIMO(unsigned Idx) {
- return JumpInfos[Idx].second;
- }
+ int getJumpInfoJTIIndex(unsigned Idx) { return JumpInfos[Idx].second; }
};
} // end namespace llvm
|
|
/cherry-pick 4e186f2 |
|
/pull-request #141193 |
swift-ci
pushed a commit
to swiftlang/llvm-project
that referenced
this pull request
May 24, 2025
Fix a use-after-free issue related to annotateTableJump in the LoongArch target. Previously, `LoongArchPreRAExpandPseudo::annotateTableJump()` recorded a reference to a MachineOperand representing a jump table index. However, later optimizations such as the `BranchFolder` pass may delete the instruction containing this operand, leaving a dangling reference. This led to an assertion failure in `LoongArchAsmPrinter::emitJumpTableInfo()` when trying to access a freed MachineOperand via `getIndex()`. The fix avoids holding a reference to the MachineOperand. Instead, we extract and store the jump table index at the time of annotation. During `emitJumpTableInfo()`, we verify whether the recorded index still exists in the MachineFunction's jump table. If not, we skip emission for that entry. Fixes llvm#140904 (cherry picked from commit 4e186f2)
sivan-shani
pushed a commit
to sivan-shani/llvm-project
that referenced
this pull request
Jun 3, 2025
Fix a use-after-free issue related to annotateTableJump in the LoongArch target. Previously, `LoongArchPreRAExpandPseudo::annotateTableJump()` recorded a reference to a MachineOperand representing a jump table index. However, later optimizations such as the `BranchFolder` pass may delete the instruction containing this operand, leaving a dangling reference. This led to an assertion failure in `LoongArchAsmPrinter::emitJumpTableInfo()` when trying to access a freed MachineOperand via `getIndex()`. The fix avoids holding a reference to the MachineOperand. Instead, we extract and store the jump table index at the time of annotation. During `emitJumpTableInfo()`, we verify whether the recorded index still exists in the MachineFunction's jump table. If not, we skip emission for that entry. Fixes llvm#140904
ajaden-codes
pushed a commit
to Jaddyen/llvm-project
that referenced
this pull request
Jun 6, 2025
Fix a use-after-free issue related to annotateTableJump in the LoongArch target. Previously, `LoongArchPreRAExpandPseudo::annotateTableJump()` recorded a reference to a MachineOperand representing a jump table index. However, later optimizations such as the `BranchFolder` pass may delete the instruction containing this operand, leaving a dangling reference. This led to an assertion failure in `LoongArchAsmPrinter::emitJumpTableInfo()` when trying to access a freed MachineOperand via `getIndex()`. The fix avoids holding a reference to the MachineOperand. Instead, we extract and store the jump table index at the time of annotation. During `emitJumpTableInfo()`, we verify whether the recorded index still exists in the MachineFunction's jump table. If not, we skip emission for that entry. Fixes llvm#140904
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Fix a use-after-free issue related to annotateTableJump in the LoongArch target.
Previously,
LoongArchPreRAExpandPseudo::annotateTableJump()recorded a reference to a MachineOperand representing a jump table index. However, later optimizations such as theBranchFolderpass may delete the instruction containing this operand, leaving a dangling reference.This led to an assertion failure in
LoongArchAsmPrinter::emitJumpTableInfo()when trying to access a freed MachineOperand viagetIndex().The fix avoids holding a reference to the MachineOperand. Instead, we extract and store the jump table index at the time of annotation. During
emitJumpTableInfo(), we verify whether the recorded index still exists in the MachineFunction's jump table. If not, we skip emission for that entry.Fixes #140904