RPCS3/llvm-mirror
1
0
Fork 0
mirror of https://github.com/RPCS3/llvm-mirror.git synced 2024-10-19 11:02:59 +02:00
Code Issues Projects Releases Wiki Activity

CodeGen: Handle missed case of block removal during BlockPlacement.

Browse Source 
There is a use after free bug in the existing code. Loop layout selects
a preferred exit block, and then lays out the loop. If this block is
removed during layout, it needs to be invalidated to prevent a use after
free.

llvm-svn: 285348
This commit is contained in:
Kyle Butt 2016-10-27 21:37:20 +00:00
parent fc59e659b5
commit 2446e56186
1 changed files with 10 additions and 4 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

14
lib/CodeGen/MachineBlockPlacement.cpp
View File

@ -282,6 +282,11 @@ class MachineBlockPlacement : public MachineFunctionPass {
/// \brief A handle to the loop info.
MachineLoopInfo *MLI;
/// \brief Preferred loop exit.
/// Member variable for convenience. It may be removed by duplication deep
/// in the call stack.
MachineBasicBlock *PreferredLoopExit;
/// \brief A handle to the target's instruction info.
const TargetInstrInfo *TII;
@ -1474,9 +1479,9 @@ void MachineBlockPlacement::buildLoopChains(MachineLoop &L) {
// If we selected just the header for the loop top, look for a potentially
// profitable exit block in the event that rotating the loop can eliminate
// branches by placing an exit edge at the bottom.
MachineBasicBlock *ExitingBB = nullptr;
PreferredLoopExit = nullptr;
if (!RotateLoopWithProfile && LoopTop == L.getHeader())
ExitingBB = findBestLoopExit(L, LoopBlockSet);
PreferredLoopExit = findBestLoopExit(L, LoopBlockSet);
BlockChain &LoopChain = *BlockToChain[LoopTop];
@ -1495,7 +1500,7 @@ void MachineBlockPlacement::buildLoopChains(MachineLoop &L) {
if (RotateLoopWithProfile)
rotateLoopWithProfile(LoopChain, L, LoopBlockSet);
else
rotateLoop(LoopChain, ExitingBB, LoopBlockSet);
rotateLoop(LoopChain, PreferredLoopExit, LoopBlockSet);
DEBUG({
// Crash at the end so we get all of the debugging output first.
@ -1928,8 +1933,9 @@ bool MachineBlockPlacement::maybeTailDuplicateBlock(
// Remove the block from loop info.
MLI->removeBlock(RemBB);
if (RemBB == PreferredLoopExit)
PreferredLoopExit = nullptr;
// TailDuplicator handles removing it from loops.
DEBUG(dbgs() << "TailDuplicator deleted block: "
<< getBlockName(RemBB) << "\n");
};