Skip to content

[flang][mlir] Fix-forward heap use-after-free in #155348 #164712

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 4 commits into from
Oct 22, 2025
Merged

[flang][mlir] Fix-forward heap use-after-free in #155348 #164712

merged 4 commits into from
Oct 22, 2025

Conversation

@thurstond
Copy link
Contributor

@thurstond thurstond commented Oct 22, 2025
edited
Loading

mapInfoOp.getMembers() on line 258 is use-after-free, because cloneModifyAndErase (line 255) erased mapInfoOp. Fix the issue by replacing subsequent mapInfoOp usages with clonedOp.

Similarly, update memberMapInfoOp to avoid subsequent use-after-free.

@thurstond
[flang[mlir] Fix-forward heap use-after-free in llvm#155348
882c027 
mapInfoOp should not be accessed here because cloneModifyAndErase (line 255) erased it. Fix the issue by replacing mapInfoOp with the cloned op.
@thurstond thurstond mentioned this pull request Oct 22, 2025
Merged
@llvmbot
Copy link
Member

llvmbot commented Oct 22, 2025

@llvm/pr-subscribers-mlir-openmp

Author: Thurston Dang (thurstond)

Changes

mapInfoOp.getMembers() on line 258 was use-after-free, because cloneModifyAndErase (line 255) erased it. Fix the issue by replacing mapInfoOp with the cloned op.

Full diff: https://github.com/llvm/llvm-project/pull/164712.diff

1 Files Affected:

  • (modified) mlir/lib/Dialect/OpenMP/Transforms/OpenMPOffloadPrivatizationPrepare.cpp (+2-1)
diff --git a/mlir/lib/Dialect/OpenMP/Transforms/OpenMPOffloadPrivatizationPrepare.cpp b/mlir/lib/Dialect/OpenMP/Transforms/OpenMPOffloadPrivatizationPrepare.cpp
index 735b905bffb85..dafc1cbacdac7 100644
--- a/mlir/lib/Dialect/OpenMP/Transforms/OpenMPOffloadPrivatizationPrepare.cpp
+++ b/mlir/lib/Dialect/OpenMP/Transforms/OpenMPOffloadPrivatizationPrepare.cpp
@@ -252,7 +252,8 @@ class PrepareForOMPOffloadPrivatizationPass
         // variable, rewrite all the uses of the original variable with
         // the heap-allocated variable.
         rewriter.setInsertionPoint(targetOp);
-        rewriter.setInsertionPoint(cloneModifyAndErase(mapInfoOp));
+        mapInfoOp = cloneModifyAndErase(mapInfoOp);
+        rewriter.setInsertionPoint(mapInfoOp);
 
         // Fix any members that may use varPtr to now use heapMem
         for (auto member : mapInfoOp.getMembers()) {

@llvmbot
Copy link
Member

llvmbot commented Oct 22, 2025

@llvm/pr-subscribers-mlir

Author: Thurston Dang (thurstond)

Changes

mapInfoOp.getMembers() on line 258 was use-after-free, because cloneModifyAndErase (line 255) erased it. Fix the issue by replacing mapInfoOp with the cloned op.

Full diff: https://github.com/llvm/llvm-project/pull/164712.diff

1 Files Affected:

  • (modified) mlir/lib/Dialect/OpenMP/Transforms/OpenMPOffloadPrivatizationPrepare.cpp (+2-1)
diff --git a/mlir/lib/Dialect/OpenMP/Transforms/OpenMPOffloadPrivatizationPrepare.cpp b/mlir/lib/Dialect/OpenMP/Transforms/OpenMPOffloadPrivatizationPrepare.cpp
index 735b905bffb85..dafc1cbacdac7 100644
--- a/mlir/lib/Dialect/OpenMP/Transforms/OpenMPOffloadPrivatizationPrepare.cpp
+++ b/mlir/lib/Dialect/OpenMP/Transforms/OpenMPOffloadPrivatizationPrepare.cpp
@@ -252,7 +252,8 @@ class PrepareForOMPOffloadPrivatizationPass
         // variable, rewrite all the uses of the original variable with
         // the heap-allocated variable.
         rewriter.setInsertionPoint(targetOp);
-        rewriter.setInsertionPoint(cloneModifyAndErase(mapInfoOp));
+        mapInfoOp = cloneModifyAndErase(mapInfoOp);
+        rewriter.setInsertionPoint(mapInfoOp);
 
         // Fix any members that may use varPtr to now use heapMem
         for (auto member : mapInfoOp.getMembers()) {

@llvmbot
Copy link
Member

llvmbot commented Oct 22, 2025

@llvm/pr-subscribers-flang-openmp

Author: Thurston Dang (thurstond)

Changes

mapInfoOp.getMembers() on line 258 was use-after-free, because cloneModifyAndErase (line 255) erased it. Fix the issue by replacing mapInfoOp with the cloned op.

Full diff: https://github.com/llvm/llvm-project/pull/164712.diff

1 Files Affected:

  • (modified) mlir/lib/Dialect/OpenMP/Transforms/OpenMPOffloadPrivatizationPrepare.cpp (+2-1)
diff --git a/mlir/lib/Dialect/OpenMP/Transforms/OpenMPOffloadPrivatizationPrepare.cpp b/mlir/lib/Dialect/OpenMP/Transforms/OpenMPOffloadPrivatizationPrepare.cpp
index 735b905bffb85..dafc1cbacdac7 100644
--- a/mlir/lib/Dialect/OpenMP/Transforms/OpenMPOffloadPrivatizationPrepare.cpp
+++ b/mlir/lib/Dialect/OpenMP/Transforms/OpenMPOffloadPrivatizationPrepare.cpp
@@ -252,7 +252,8 @@ class PrepareForOMPOffloadPrivatizationPass
         // variable, rewrite all the uses of the original variable with
         // the heap-allocated variable.
         rewriter.setInsertionPoint(targetOp);
-        rewriter.setInsertionPoint(cloneModifyAndErase(mapInfoOp));
+        mapInfoOp = cloneModifyAndErase(mapInfoOp);
+        rewriter.setInsertionPoint(mapInfoOp);
 
         // Fix any members that may use varPtr to now use heapMem
         for (auto member : mapInfoOp.getMembers()) {

@thurstond thurstond changed the title [flang[mlir] Fix-forward heap use-after-free in #155348 [flang][mlir] Fix-forward heap use-after-free in #155348 Oct 22, 2025
@thurstond thurstond marked this pull request as draft October 22, 2025 21:52
@thurstond thurstond marked this pull request as ready for review October 22, 2025 22:00
joker-eph
joker-eph reviewed Oct 22, 2025
View reviewed changes
mlir/lib/Dialect/OpenMP/Transforms/OpenMPOffloadPrivatizationPrepare.cpp Outdated
// the heap-allocated variable.
rewriter.setInsertionPoint(targetOp);
rewriter.setInsertionPoint(cloneModifyAndErase(mapInfoOp));
auto clonedOp = cast<omp::MapInfoOp>(cloneModifyAndErase(mapInfoOp));
Copy link
Collaborator

@joker-eph joker-eph Oct 22, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Why not just updating it:

Suggested change
auto clonedOp = cast<omp::MapInfoOp>(cloneModifyAndErase(mapInfoOp));
mapInfoOp = cast<omp::MapInfoOp>(cloneModifyAndErase(mapInfoOp));

That way no risk of misusing mapInfoOp anymore?

Copy link
Contributor Author

@thurstond thurstond Oct 22, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Good idea, thanks! Done: 7fdd34a

@thurstond
Replace mapInfoOp
7fdd34a 
Also fix another use-after-free
@thurstond thurstond requested a review from joker-eph October 22, 2025 22:14
@thurstond
Copy link
Contributor Author

thurstond commented Oct 22, 2025

@joker-eph I updated the patch to fix a second-use-after-free

@github-actions
Copy link

github-actions bot commented Oct 22, 2025
edited
Loading

✅ With the latest revision this PR passed the C/C++ code formatter.

@thurstond thurstond merged commit cea0037 into llvm:main Oct 22, 2025
10 checks passed
mikolaj-pirog pushed a commit to mikolaj-pirog/llvm-project that referenced this pull request Oct 23, 2025
@thurstond @mikolaj-pirog
[flang][mlir] Fix-forward heap use-after-free in llvm#155348 (llvm#16…
20d7d91 
…4712)

`mapInfoOp.getMembers()` on line 258 is use-after-free, because
cloneModifyAndErase (line 255) erased `mapInfoOp`. Fix the issue by
replacing subsequent `mapInfoOp` usages with `clonedOp`.

Similarly, update `memberMapInfoOp` to avoid subsequent use-after-free.
dvbuka pushed a commit to dvbuka/llvm-project that referenced this pull request Oct 27, 2025
@thurstond @dvbuka
[flang][mlir] Fix-forward heap use-after-free in llvm#155348 (llvm#16…
4d8bc35 
…4712)

`mapInfoOp.getMembers()` on line 258 is use-after-free, because
cloneModifyAndErase (line 255) erased `mapInfoOp`. Fix the issue by
replacing subsequent `mapInfoOp` usages with `clonedOp`.

Similarly, update `memberMapInfoOp` to avoid subsequent use-after-free.
Lukacma pushed a commit to Lukacma/llvm-project that referenced this pull request Oct 29, 2025
@thurstond @Lukacma
[flang][mlir] Fix-forward heap use-after-free in llvm#155348 (llvm#16…
fc0cd43 
…4712)

`mapInfoOp.getMembers()` on line 258 is use-after-free, because
cloneModifyAndErase (line 255) erased `mapInfoOp`. Fix the issue by
replacing subsequent `mapInfoOp` usages with `clonedOp`.

Similarly, update `memberMapInfoOp` to avoid subsequent use-after-free.
aokblast pushed a commit to aokblast/llvm-project that referenced this pull request Oct 30, 2025
@thurstond @aokblast
[flang][mlir] Fix-forward heap use-after-free in llvm#155348 (llvm#16…
1d12016 
…4712)

`mapInfoOp.getMembers()` on line 258 is use-after-free, because
cloneModifyAndErase (line 255) erased `mapInfoOp`. Fix the issue by
replacing subsequent `mapInfoOp` usages with `clonedOp`.

Similarly, update `memberMapInfoOp` to avoid subsequent use-after-free.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@fmayer fmayer fmayer approved these changes

@ergawy ergawy Awaiting requested review from ergawy

@tblah tblah Awaiting requested review from tblah

@bhandarkar-pranav bhandarkar-pranav Awaiting requested review from bhandarkar-pranav

@joker-eph joker-eph Awaiting requested review from joker-eph

Assignees

No one assigned

Labels

flang:openmp mlir:openmp mlir

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

4 participants

@thurstond @llvmbot @fmayer @joker-eph