Skip to content

SILGen: Fix double-free of __owned parameters of functions with @_backDeploy #63114

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 1 commit into from
Jan 20, 2023
Merged

SILGen: Fix double-free of __owned parameters of functions with @_backDeploy #63114

merged 1 commit into from
Jan 20, 2023

Conversation

tshortli
Copy link
Contributor

The following program crashed when compiled with the Swift 5.7 and 5.8 compilers:

@available(macOS 12, *)
@_backDeploy(before: macOS 99)
public func foo<T>(_ t: __owned T) {
  print("foo")
}

class C {
  deinit {
    print("deinit")
  }
}

foo(C())
print("done")

> ./test
foo
deinit
[1]    49162 segmentation fault  ./test

The root cause is that generated SIL for the back deployment thunk for foo(_:) included its own destroy_addr instruction for the value of t, but didn't copy the parameter before passing it to the real function implementation which also destroys the value. The fix is to forward ownership of the parameter values to the called function, which causes cleanup generation to be skipped.

Resolves rdar://104436515

@tshortli
SILGen: Fix double-free of __owned parameters of functions with `@_…
9f54e9c 
…backDeploy`.

The following program crashed when compiled with the Swift 5.7 and 5.8 compilers:

```
@available(macOS 12, *)
@_backDeploy(before: macOS 99)
public func foo<T>(_ t: __owned T) {
  print("foo")
}

class C {
  deinit {
    print("deinit")
  }
}

foo(C())
print("done")
```

```
> ./test
foo
deinit
[1]    49162 segmentation fault  ./test
```

The root cause is that generated SIL for the back deployment thunk for `foo(_:)` included its own `destroy_addr` instruction for the value of `t`, but didn't copy the parameter before passing it to the real function implementation which also destroys the value. The fix is to forward ownership of the parameter values to the called function, which causes cleanup generation to be skipped.

Resolves rdar://104436515
@tshortli tshortli requested a review from jckarter January 19, 2023 21:12
@tshortli
Copy link
Contributor Author

@swift-ci please test

@tshortli tshortli mentioned this pull request Jan 19, 2023
Merged
@tshortli tshortli merged commit 9618083 into swiftlang:main Jan 20, 2023
@tshortli tshortli deleted the back-deploy-double-free branch January 20, 2023 05:10
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@jckarter jckarter Awaiting requested review from jckarter jckarter is a code owner

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
1 participant
@tshortli