Use after free in CodeGenPrepare::optimizeInst()

[beccadax]

Bugzilla Link	43021
Resolution	FIXED
Resolved on	Aug 20, 2019 02:45
Version	trunk
OS	All
Blocks	#41819
CC	@zmodem,@LebedevRI,@RKSimon
Fixed by commit(s)	r369168

Extended Description

The OptimizeExtractBits() helper function in CodeGenPrepare.cpp is meant to replace certain uses of "lshr" and "ashr" instructions, then erase the original instruction if it is no longer used anywhere. It returns a flag indicating whether it made a change. However, it only sets that flag to "true" when it replaces an instruction. If it is passed an instruction that does not have any users to begin with, it will erase it and still return "false".

This behavior was previously harmless, but rL363511 changed OptimizeExtractBits()'s call site in CodeGenPrepare::optimizeInst() to allow processing of the instruction to continue if OptimizeExtractBits() returns false. The result is that CodeGenPrepare::optimizeInst() continues working on the instruction even though it has been freed. This can cause occasional, unpredictable crashes in normal builds, but it crashes reliably under ASAN.

I've prepared a test case and fix for this issue at https://reviews.llvm.org/D66330.

[beccadax]

assigned to @beccadax

[RKSimon]

Committed to trunk at rL369168

[LebedevRI]

(still needs to be cherry-picked i think)

[zmodem]

Merged in r369355.