Fix a potential use-after-free in lazy global emission.

rjmccall · rjmccall · commit 847c060eaf85 · 2022-08-25T16:31:17.000-04:00
Extended existential type shapes can trigger this by introducing
more entities (and thus causing GlobalVars to be rehashed) during
the lazy-emission callback.

Fixes rdar://98995607
diff --git a/lib/IRGen/GenDecl.cpp b/lib/IRGen/GenDecl.cpp
@@ -3509,9 +3509,9 @@ IRGenModule::getAddrOfLLVMVariable(LinkEntity entity,
     ? overrideDeclType
     : entity.getDefaultDeclarationType(*this);
   
-  auto &entry = GlobalVars[entity];
-  if (entry) {
-    auto existing = cast<llvm::GlobalValue>(entry);
+  auto existingGlobal = GlobalVars[entity];
+  if (existingGlobal) {
+    auto existing = cast<llvm::GlobalValue>(existingGlobal);
 
     // If we're looking to define something, we may need to replace a
     // forward declaration.
@@ -3531,12 +3531,12 @@ IRGenModule::getAddrOfLLVMVariable(LinkEntity entity,
 
       // Fall out to the case below, clearing the name so that
       // createVariable doesn't detect a collision.
-      entry->setName("");
+      existingGlobal->setName("");
 
     // Otherwise, we have a previous declaration or definition which
     // we need to ensure has the right type.
     } else {
-      return getElementBitCast(entry, defaultType);
+      return getElementBitCast(existingGlobal, defaultType);
     }
   }
 
@@ -3580,11 +3580,17 @@ IRGenModule::getAddrOfLLVMVariable(LinkEntity entity,
     lazyInitializer->Create(var);
   }
 
+  if (lazyInitializer) {
+    // Protect against self-references that might've been created during
+    // the lazy emission.
+    existingGlobal = GlobalVars[entity];
+  }
+
   // If we have an existing entry, destroy it, replacing it with the
-  // new variable.
-  if (entry) {
-    auto existing = cast<llvm::GlobalValue>(entry);
-    auto castVar = llvm::ConstantExpr::getBitCast(var, entry->getType());
+  // new variable.  We only really have to do 
+  if (existingGlobal) {
+    auto existing = cast<llvm::GlobalValue>(existingGlobal);
+    auto castVar = llvm::ConstantExpr::getBitCast(var, existing->getType());
     existing->replaceAllUsesWith(castVar);
     existing->eraseFromParent();
   }
@@ -3607,7 +3613,7 @@ IRGenModule::getAddrOfLLVMVariable(LinkEntity entity,
   }
 
   // Cache and return.
-  entry = var;
+  GlobalVars[entity] = var;
   return var;
 }
 
diff --git a/validation-test/IRGen/98995607.swift.gyb b/validation-test/IRGen/98995607.swift.gyb
@@ -0,0 +1,21 @@
+// RUN: %target-run-simple-swiftgyb
+
+%for N in range(0, 100):
+
+protocol P${N}<A, B> {
+  associatedtype A
+  associatedtype B
+}
+
+%end
+
+var array : [Any.Type] = [
+%for N in range(0, 100):
+  (any P${N}<Int, Float>).self,
+%end
+%for N in range(0, 100):
+  (any P${N}<Float, String>).self,
+%end
+]
+
+print(array)
