SILOptimizer: avoid use-after-free with the name #20772
Merged
+5
−4
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
On Windows at least, the std::string associated with the name of the property would be copy constructed before being passed to the diagnostic engine. The resultant DiagnosticArgument in the InFlightDiagnostic would hold a StringRef to the copy-constructed std::string. However, because the arguments are inalloca'ed on Windows, the copy constructed string would be destructed before the return of the argument. Fortunately, this would result in the standard library overwriting the string and the use-after-free would fail to print the argument. Explicitly construct the StringRef before passing the name to the diagnostic to avoid the use-after-free.
|
CC: @gottesmm |
|
@swift-ci please test |
|
LGTM. You seem to be finding a bunch of these. Is there a way we could statically define this away? |
|
I tried to do some trickery with the template specialization, unfortunately, I couldn't find a way to actually do that due to the implicit conversion operator defined for std::string to StringRef. That is what is biting us. I think that we are just getting lucky on other targets. |
|
This can't possibly be the right fix. We pass std::strings to diagnostics all the time. If we're accidentally copying them, that's a problem with the |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
On Windows at least, the std::string associated with the name of the
property would be copy constructed before being passed to the diagnostic
engine. The resultant DiagnosticArgument in the InFlightDiagnostic
would hold a StringRef to the copy-constructed std::string. However,
because the arguments are inalloca'ed on Windows, the copy constructed
string would be destructed before the return of the argument.
Fortunately, this would result in the standard library overwriting the
string and the use-after-free would fail to print the argument.
Explicitly construct the StringRef before passing the name to the
diagnostic to avoid the use-after-free.
Replace this paragraph with a description of your changes and rationale. Provide links to external references/discussions if appropriate.
Resolves SR-NNNN.