Fix OOB access in SemanticARCOpts (#39351)

meg-gupta · web-flow · commit 22c288942bf9 · 2021-09-22T18:17:41.000-07:00
diff --git a/lib/SILOptimizer/SemanticARC/LoadCopyToLoadBorrowOpt.cpp b/lib/SILOptimizer/SemanticARC/LoadCopyToLoadBorrowOpt.cpp
@@ -123,7 +123,8 @@ class StorageGuaranteesLoadVisitor
 
     // If we have an inout parameter that isn't ever actually written to, return
     // false.
-    if (arg->getKnownParameterInfo().isIndirectMutating()) {
+    if (!arg->isIndirectResult() &&
+        arg->getKnownParameterInfo().isIndirectMutating()) {
       auto wellBehavedWrites = ctx.addressToExhaustiveWriteListCache.get(arg);
       if (!wellBehavedWrites.hasValue()) {
         return answer(true);
diff --git a/test/SILOptimizer/semantic-arc-opts-loadcopy-to-loadborrow.sil b/test/SILOptimizer/semantic-arc-opts-loadcopy-to-loadborrow.sil
@@ -56,6 +56,11 @@ final class Klass {
 extension Klass : MyFakeAnyObject {
   func myFakeMethod()
 }
+
+struct NonTrivialStruct {
+  var val: Klass
+}
+
 sil @guaranteed_klass_user : $@convention(thin) (@guaranteed Klass) -> ()
 sil @guaranteed_fakeoptional_klass_user : $@convention(thin) (@guaranteed FakeOptional<Klass>) -> ()
 sil @guaranteed_fakeoptional_classlet_user : $@convention(thin) (@guaranteed FakeOptional<ClassLet>) -> ()
@@ -1496,3 +1501,16 @@ bb3:
   %9999 = tuple()
   return %9999 : $()
 }
+
+// Make sure we don't crash on this code. We used to crash for @out args on the access path to the load
+sil [ossa] @test_opt_out_arg : $@convention(thin)(@in NonTrivialStruct) -> (@out NonTrivialStruct) {
+bb0(%0 : $*NonTrivialStruct, %1 : $*NonTrivialStruct):
+  copy_addr %1 to [initialization] %0 : $*NonTrivialStruct
+  %ele = struct_element_addr %0 : $*NonTrivialStruct, #NonTrivialStruct.val
+  %ld = load [copy] %ele : $*Klass
+  destroy_value %ld : $Klass
+  destroy_addr %1 : $*NonTrivialStruct
+  %9999 = tuple()
+  return %9999 : $()
+} 
+
