Use-after-free in FunctionSpecializationPass

[christetreault-llvm]

There is a use-after-free issue in FunctionSpecializationPass. In tryToReplaceWithConstant, After the replacement has happened, the code deletes the newly-replaced instruction. However, dangling pointers to the deleted instruction remain in SCCPInstVisitor::AnalysisResults. AnalysisResults is a map from Function * to the results of various analysis passes. As FunctionSpecializationPass continues to run, it may attempt to dereference this dangling pointer. The result of this is a very rare segfault.

If compiling opt with address sanitizer, asan will catch the use-after-free. I've attached a reduced (but unfortunately still huge) bitcode test case that, when opt is compiled to use asan, will reproduce the issue. This bitcode reproduces the use-after-free as-of commit 55c71c9eac9bc7f956a05fa9258fad4f86565450. I used bugpoint to reduce this test case, and while the original case reproduces the issue in both my downstream, and upstream opt, the reduced test case no longer reproduces the issue in my downstream. I'll upload the original test case if the reduced case does not reproduce the issue. I will also attach the output of asan on my machine.

PLEASE NOTE: This test case is derived from compiling GCC. This code should not be the basis for any test case that is committed to the project as it will be a GPL violation.

asan_dump.txt
bugpoint reduced.zip
original case.zip

[fhahn]

cc @sjoerdmeijer

[sjoerdmeijer]

Thanks for the report and also for copying me in.
I am going to take a look at this!

[labrinea]

Turning the instance variable named "Condition" of the class PredicateBase in llvm/include/llvm/Transforms/Utils/PredicateInfo.h from Value * to WeakVH makes the problem go away, but I am not sure this is the right fix. Here's a patch: https://reviews.llvm.org/D118591

[labrinea]

The sanitizer build https://lab.llvm.org/buildbot/#/builders/168/builds/4555 succeeded. I am closing this issue.