Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[flang][OpenMP] Fix use-after-free in OMPFunctionFiltering #84373

Merged
merged 2 commits into from
Mar 8, 2024
Merged

[flang][OpenMP] Fix use-after-free in OMPFunctionFiltering #84373

merged 2 commits into from
Mar 8, 2024

Conversation

kparzysz
Copy link
Contributor

@kparzysz kparzysz commented Mar 7, 2024
edited

When walking over functions (in pre-order), if the function being visited needs to be erased, skip visiting its regions.

This was detected by address sanitizer.

@kparzysz kparzysz requested review from skatrak and TIFitis March 7, 2024 20:13
@llvmbot llvmbot added flang Flang issues not falling into any other category flang:fir-hlfir flang:openmp labels Mar 7, 2024
@kparzysz kparzysz changed the title [flang][OpenMP] Fix use-after-tree in OMPFunctionFiltering [flang][OpenMP] Fix use-after-free in OMPFunctionFiltering Mar 7, 2024
@kparzysz
[flang][OpenMP] Fix use-after-free in OMPFunctionFiltering
4bf5b95 
Erasing the element of the range that it being iterated on can
invalidate the range. Instead of erasing function as we see them,
store them in a separate list, then erase them after the range
has been traversed.

This was detected by address sanitizer.
@llvmbot
Copy link
Collaborator

llvmbot commented Mar 7, 2024
edited

@llvm/pr-subscribers-flang-openmp

@llvm/pr-subscribers-flang-fir-hlfir

Author: Krzysztof Parzyszek (kparzysz)

Changes

Erasing the element of the range that it being iterated on can invalidate the range. Instead of erasing function as we see them, store them in a separate list, then erase them after the range has been traversed.

This was detected by address sanitizer.

Full diff: https://github.com/llvm/llvm-project/pull/84373.diff

1 Files Affected:

  • (modified) flang/lib/Optimizer/Transforms/OMPFunctionFiltering.cpp (+5-1)
diff --git a/flang/lib/Optimizer/Transforms/OMPFunctionFiltering.cpp b/flang/lib/Optimizer/Transforms/OMPFunctionFiltering.cpp
index 466bf53e8dbd60..f8bede88293ff5 100644
--- a/flang/lib/Optimizer/Transforms/OMPFunctionFiltering.cpp
+++ b/flang/lib/Optimizer/Transforms/OMPFunctionFiltering.cpp
@@ -40,6 +40,8 @@ class OMPFunctionFilteringPass
     if (!op || !op.getIsTargetDevice())
       return;
 
+    llvm::SmallVector<func::FuncOp> removedFuncs;
+
     op->walk<WalkOrder::PreOrder>([&](func::FuncOp funcOp) {
       // Do not filter functions with target regions inside, because they have
       // to be available for both host and device so that regular and reverse
@@ -80,12 +82,14 @@ class OMPFunctionFilteringPass
           callOp->erase();
         }
         if (!hasTargetRegion)
-          funcOp.erase();
+          removedFuncs.push_back(funcOp);
         else if (declareTargetOp)
           declareTargetOp.setDeclareTarget(declareType,
                                            omp::DeclareTargetCaptureClause::to);
       }
     });
+    for (func::FuncOp f : removedFuncs)
+      f.erase();
   }
 };
 } // namespace

@skatrak
Copy link
Contributor

skatrak commented Mar 8, 2024

Thank you for noticing this issue. I think we can simplify the fix a bit, though. The docs for Operation::walk() state that the callback is allowed to erase that operation when walking in pre-order if it is skipped after the erasure. It seems simpler and cheaper to just return WalkResult::skip() at that point rather than constructing a list to be deleted later.

@kparzysz
Copy link
Contributor Author

kparzysz commented Mar 8, 2024

Done,

skatrak
skatrak approved these changes Mar 8, 2024
View reviewed changes
Copy link
Contributor

@skatrak skatrak left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks, LGTM

@kparzysz kparzysz merged commit c4a89f1 into llvm:main Mar 8, 2024
4 checks passed
@kparzysz kparzysz deleted the users/kparzysz/uaf-03 branch March 8, 2024 15:16
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@skatrak skatrak skatrak approved these changes

@TIFitis TIFitis Awaiting requested review from TIFitis

Assignees
No one assigned
Labels
flang:fir-hlfir flang:openmp flang Flang issues not falling into any other category
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

None yet
3 participants
@kparzysz @llvmbot @skatrak