diff options
| author | Matthias Springer <me@m-sp.org> | 2024-02-21 17:28:42 +0100 |
|---|---|---|
| committer | GitHub <noreply@github.com> | 2024-02-21 17:28:42 +0100 |
| commit | 3f732c4141e95de829a896c38af11473377dbcd6 (patch) | |
| tree | 85af571cc56ceb3067f47a7608e213ab070fd41d | |
| parent | 13b0321e978fd95503d5f5471a0cfdcd439a5936 (diff) | |
| download | llvm-3f732c4141e95de829a896c38af11473377dbcd6.zip llvm-3f732c4141e95de829a896c38af11473377dbcd6.tar.gz llvm-3f732c4141e95de829a896c38af11473377dbcd6.tar.bz2 | |
[mlir][Transforms] Fix use-after-free in #82474 (#82504)
When a `ModifyOperationRewrite` is committed, the operation may already
have been erased, so `OperationName` must be cached in the rewrite
object.
Note: This will no longer be needed with #81757, which adds a "cleanup"
method to `IRRewrite`.
| -rw-r--r-- | mlir/lib/Transforms/Utils/DialectConversion.cpp | 11 |
1 files changed, 7 insertions, 4 deletions
diff --git a/mlir/lib/Transforms/Utils/DialectConversion.cpp b/mlir/lib/Transforms/Utils/DialectConversion.cpp index 88709bb..4989ddc 100644 --- a/mlir/lib/Transforms/Utils/DialectConversion.cpp +++ b/mlir/lib/Transforms/Utils/DialectConversion.cpp @@ -965,14 +965,14 @@ public: ModifyOperationRewrite(ConversionPatternRewriterImpl &rewriterImpl, Operation *op) : OperationRewrite(Kind::ModifyOperation, rewriterImpl, op), - loc(op->getLoc()), attrs(op->getAttrDictionary()), + name(op->getName()), loc(op->getLoc()), attrs(op->getAttrDictionary()), operands(op->operand_begin(), op->operand_end()), successors(op->successor_begin(), op->successor_end()) { if (OpaqueProperties prop = op->getPropertiesStorage()) { // Make a copy of the properties. propertiesStorage = operator new(op->getPropertiesStorageSize()); OpaqueProperties propCopy(propertiesStorage); - op->getName().initOpProperties(propCopy, /*init=*/prop); + name.initOpProperties(propCopy, /*init=*/prop); } } @@ -988,7 +988,9 @@ public: void commit() override { if (propertiesStorage) { OpaqueProperties propCopy(propertiesStorage); - op->getName().destroyOpProperties(propCopy); + // Note: The operation may have been erased in the mean time, so + // OperationName must be stored in this object. + name.destroyOpProperties(propCopy); operator delete(propertiesStorage); propertiesStorage = nullptr; } @@ -1003,13 +1005,14 @@ public: if (propertiesStorage) { OpaqueProperties propCopy(propertiesStorage); op->copyProperties(propCopy); - op->getName().destroyOpProperties(propCopy); + name.destroyOpProperties(propCopy); operator delete(propertiesStorage); propertiesStorage = nullptr; } } private: + OperationName name; LocationAttr loc; DictionaryAttr attrs; SmallVector<Value, 8> operands; |