Skip to content

[5.7] SILGen: Fix potential use-after-free in @_backDeploy coroutines #60022

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 1 commit into from
Jul 13, 2022
Merged

[5.7] SILGen: Fix potential use-after-free in @_backDeploy coroutines #60022

merged 1 commit into from
Jul 13, 2022

Conversation

tshortli
Copy link
Contributor

Cherry-pick of #60021

The SIL verifier has identified an issue with the SIL generated for property accessors structured like this:

public struct S {
  @available(macOS, introduced: 12.0)
  @_backDeploy(before: macOS 13.0)
  public var x: String {
    _read {
      yield "x"
    }
  }
}

The emitted SIL is invalid because the value %9 is used after end_apply may have ended the lifetime of the value:

bb1:
  %8 = function_ref @$s4test1SV1xSSvrTwB : $@yield_once @convention(method) (S) -> @yields @guaranteed String9
  (%9, %10) = begin_apply %8(%0) : $@yield_once @convention(method) (S) -> @yields @guaranteed String
  end_apply %10
  yield %9 : $String, resume bb3, unwind bb2

The fix is to move the end_apply to the resume and unwind blocks, after the value has been yielded to the caller.

Resolves rdar://96879247

@tshortli
SILGen: Fix potential use-after-free in @_backDeploy coroutines.
ac0e966 
The SIL verifier has identified an issue with the SIL generated for property accessors structured like this:

```
public struct S {
  @available(macOS, introduced: 12.0)
  @_backDeploy(before: macOS 13.0)
  public var x: String {
    _read {
      yield "x"
    }
  }
}
```

The emitted SIL is invalid because the value `%9` is used after `end_apply` may have ended the lifetime of the value:

```
bb1:
  %8 = function_ref @$s4test1SV1xSSvrTwB : $@yield_once @convention(method) (S) -> @yields @guaranteed String9
  (%9, %10) = begin_apply %8(%0) : $@yield_once @convention(method) (S) -> @yields @guaranteed String
  end_apply %10
  yield %9 : $String, resume bb3, unwind bb2
```

The fix is to move the `end_apply` to the resume and unwind blocks, after the value has been yielded to the caller.

Resolves rdar://96879247
@tshortli tshortli added the r5.7 label Jul 12, 2022
@tshortli tshortli requested a review from nkcsgexi July 12, 2022 18:55
@tshortli tshortli requested a review from a team as a code owner July 12, 2022 18:55
@tshortli
Copy link
Contributor Author

@swift-ci please test

@tshortli tshortli merged commit 6000578 into swiftlang:release/5.7 Jul 13, 2022
@tshortli tshortli deleted the back-deploy-coroutine-use-after-free-5.7 branch July 13, 2022 02:29
@AnthonyLatsis AnthonyLatsis added 🍒 release cherry pick Flag: Release branch cherry picks swift 5.7 labels Jan 9, 2023
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@nkcsgexi nkcsgexi nkcsgexi approved these changes

Assignees
No one assigned
Labels
🍒 release cherry pick Flag: Release branch cherry picks swift 5.7
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@tshortli @nkcsgexi @AnthonyLatsis