Merging r369168:

zmodem · zmodem · commit 0482ca8ded8c · 2019-08-20T09:45:09.000Z
------------------------------------------------------------------------ r369168 | spatel | 2019-08-17 01:10:34 +0200 (Sat, 17 Aug 2019) | 16 lines [CodeGenPrepare] Fix use-after-free If OptimizeExtractBits() encountered a shift instruction with no operands at all, it would erase the instruction, but still return false. This previously didn’t matter because its caller would always return after processing the instruction, but https://reviews.llvm.org/D63233 changed the function’s caller to fall through if it returned false, which would then cause a use-after-free detectable by ASAN. This change makes OptimizeExtractBits return true if it removes a shift instruction with no users, terminating processing of the instruction. Patch by: @brentdax (Brent Royal-Gordon) Differential Revision: https://reviews.llvm.org/D66330 ------------------------------------------------------------------------ llvm-svn: 369355
diff --git a/llvm/lib/CodeGen/CodeGenPrepare.cpp b/llvm/lib/CodeGen/CodeGenPrepare.cpp
@@ -1682,10 +1682,11 @@ static bool OptimizeExtractBits(BinaryOperator *ShiftI, ConstantInt *CI,
     TheUse = InsertedShift;
   }
 
-  // If we removed all uses, nuke the shift.
+  // If we removed all uses, or there are none, nuke the shift.
   if (ShiftI->use_empty()) {
     salvageDebugInfo(*ShiftI);
     ShiftI->eraseFromParent();
+    MadeChange = true;
   }
 
   return MadeChange;
diff --git a/llvm/test/Transforms/CodeGenPrepare/sink-shift-and-trunc.ll b/llvm/test/Transforms/CodeGenPrepare/sink-shift-and-trunc.ll
@@ -58,6 +58,23 @@ return:                                           ; preds = %if.then17, %if.end1
   ret i32 %retval.0, !dbg !63
 }
 
+; CodeGenPrepare was erasing the unused lshr instruction, but then further
+; processing the instruction after it was freed. If this bug is still present,
+; this test will always crash in an LLVM built with ASAN enabled, and may
+; crash even if ASAN is not enabled.
+
+define i32 @shift_unused(i32 %a) {
+; CHECK-LABEL: @shift_unused(
+; CHECK-NEXT:  BB2:
+; CHECK-NEXT:    ret i32 [[A:%.*]]
+;
+  %as = lshr i32 %a, 3
+  br label %BB2
+
+BB2:
+  ret i32 %a
+}
+
 ; CHECK: [[shift1_loc]] = !DILocation(line: 1
 ; CHECK: [[trunc1_loc]] = !DILocation(line: 2
 ; CHECK: [[shift2_loc]] = !DILocation(line: 3

Original file line number	Diff line number	Diff line change
`@@ -1682,10 +1682,11 @@ static bool OptimizeExtractBits(BinaryOperator ShiftI, ConstantInt CI,`
`1682`	`1682`	`TheUse = InsertedShift;`
`1683`	`1683`	`}`
`1684`	`1684`
`1685`		`- // If we removed all uses, nuke the shift.`
	`1685`	`+ // If we removed all uses, or there are none, nuke the shift.`
`1686`	`1686`	`if (ShiftI->use_empty()) {`
`1687`	`1687`	`salvageDebugInfo(*ShiftI);`
`1688`	`1688`	`ShiftI->eraseFromParent();`
	`1689`	`+ MadeChange = true;`
`1689`	`1690`	`}`
`1690`	`1691`
`1691`	`1692`	`return MadeChange;`