author | Duncan P. N. Exon Smith <dexonsmith@apple.com> | 2021-01-20 18:46:09 -0800 |
---|---|---|
committer | Duncan P. N. Exon Smith <dexonsmith@apple.com> | 2021-01-21 11:24:35 -0800 |
commit | f2fd41d7897e1cc8fc6e9fb2ea46e5b6527852e4 (patch) | |
tree | 1bdaf7ea7ec198ef981ec0edc2affe13d37c03dd /llvm/unittests/ADT/SmallVectorTest.cpp | |
parent | 119a9ea13f9f2e5fe78125bc3f9a76ebf85d3270 (diff) | |
download | llvm-f2fd41d7897e1cc8fc6e9fb2ea46e5b6527852e4.zip llvm-f2fd41d7897e1cc8fc6e9fb2ea46e5b6527852e4.tar.gz llvm-f2fd41d7897e1cc8fc6e9fb2ea46e5b6527852e4.tar.bz2 |
X86: Fix use-after-realloc in X86AsmParser::ParseIntelExpression

`X86AsmParser::ParseIntelExpression` has a while loop. In the body,
calls to MCAsmLexer::UnLex can force a reallocation in the MCAsmLexer's
`CurToken` SmallVector, invalidating saved references to
`MCAsmLexer::getTok()`.

`const MCAsmToken &Tok` is such a saved reference, and this moves it
from outside the while loop to inside the body, fixing a
use-after-realloc.

`Tok` will still be reused across calls to `Lex()`, each of which
effectively destroys and constructs the pointed-to token. I'm a bit
skeptical of this usage pattern, but it seems broadly used in the
X86AsmParser (and others) so I'm leaving it alone (for now).

Somehow this bug was exposed by https://reviews.llvm.org/D94739,
resulting in test failures in dot-operator related tests in
llvm/test/tools/llvm-ml. I suspect the exposure path is related to
optimizer changes from splitting up the grow operation, but I haven't
dug all the way in. Regardless, there are already tests in tree that
cover this; they might fail consistently if we added ASan
instrumentation to SmallVector.

Differential Revision: https://reviews.llvm.org/D95112
Diffstat (limited to 'llvm/unittests/ADT/SmallVectorTest.cpp')
0 files changed, 0 insertions, 0 deletions
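The invalidation the commit message describes, shown as an added example that is not LLVM code: a toy lexer modeled on the pattern the message names (the current token sits at the front of a growable vector, `getTok()` hands out a reference into it, and `UnLex()` inserts into it and can reallocate). `ToyLexer`, `Token`, `splitAndUnLex`, `parseBuggy`, `parseFixed` and `makeSampleLexer` are hypothetical names, `std::vector` stands in for `SmallVector<AsmToken, 1>`, and the split-an-identifier-on-`.` step and the two input tokens are constructed for the demo. `parseBuggy` binds `Tok` once outside the loop as the pre-fix code did and counts the iterations in which that reference no longer points into the lexer's storage (checked by address, never dereferenced); `parseFixed` rebinds it at the top of each iteration, which is the commit's change.

```cpp
#include <cstddef>
#include <cstdint>
#include <iostream>
#include <string>
#include <utility>
#include <vector>

// Added example, not LLVM code. Hypothetical toy modeled on the lexer
// pattern the commit message describes.
struct Token {
  enum Kind { Identifier, EndOfStatement };
  Kind K;
  std::string Text;
};

class ToyLexer {
  std::vector<Token> CurTok;  // front() is the current token
  std::vector<Token> Source;  // constructed input, consumed front to back
  std::size_t Pos = 0;

  Token lexToken() {
    if (Pos < Source.size())
      return Source[Pos++];
    return Token{Token::EndOfStatement, ""};
  }

public:
  explicit ToyLexer(std::vector<Token> Src) : Source(std::move(Src)) {
    CurTok.reserve(1);  // stands in for SmallVector<AsmToken, 1> inline storage
    CurTok.push_back(lexToken());
  }

  const Token &getTok() const { return CurTok.front(); }

  // Consume the current token. The slot is reused for the next token, so a
  // reference obtained earlier still points at live storage after Lex().
  const Token &Lex() {
    CurTok.erase(CurTok.begin());
    if (CurTok.empty())
      CurTok.push_back(lexToken());
    return CurTok.front();
  }

  // Push a token back so it becomes the current one. Growing CurTok past its
  // capacity reallocates, and every reference from getTok() dangles.
  void UnLex(Token T) { CurTok.insert(CurTok.begin(), std::move(T)); }

  // True if P still points into CurTok's live storage. Address comparison
  // only; the pointee is never read.
  bool owns(const Token *P) const {
    auto A = reinterpret_cast<std::uintptr_t>(P);
    auto B = reinterpret_cast<std::uintptr_t>(CurTok.data());
    auto E = reinterpret_cast<std::uintptr_t>(CurTok.data() + CurTok.size());
    return A >= B && A < E;
  }
};

// Hypothetical parser step: an identifier containing '.' is split, its head
// recorded now and its tail pushed back with UnLex (the growth trigger).
static void splitAndUnLex(ToyLexer &L, const Token &Tok, std::size_t Dot,
                          std::vector<std::string> &Out) {
  Out.push_back(Tok.Text.substr(0, Dot));
  Token Tail{Token::Identifier, Tok.Text.substr(Dot + 1)};  // copy before Lex()
  L.Lex();        // consume the original token
  L.UnLex(Tail);  // CurTok grows from 1 to 2 elements: reallocation
}

// 'Before' shape: Tok bound once, outside the loop. Returns how many
// iterations ran with Tok dangling; those iterations skip it instead of
// reading it, because the read would be a use-after-free.
int parseBuggy(ToyLexer &L, std::vector<std::string> &Out) {
  const Token &Tok = L.getTok();
  int Dangling = 0;
  while (L.getTok().K != Token::EndOfStatement) {  // fresh lookup, on purpose
    if (!L.owns(&Tok)) { ++Dangling; L.Lex(); continue; }
    std::size_t Dot = Tok.Text.find('.');
    if (Dot != std::string::npos) { splitAndUnLex(L, Tok, Dot, Out); continue; }
    Out.push_back(Tok.Text);
    L.Lex();
  }
  return Dangling;
}

// 'After' shape (the commit's fix): Tok rebound at the top of every iteration,
// after any UnLex from the previous one.
int parseFixed(ToyLexer &L, std::vector<std::string> &Out) {
  int Dangling = 0;
  while (L.getTok().K != Token::EndOfStatement) {
    const Token &Tok = L.getTok();
    if (!L.owns(&Tok)) { ++Dangling; L.Lex(); continue; }
    std::size_t Dot = Tok.Text.find('.');
    if (Dot != std::string::npos) { splitAndUnLex(L, Tok, Dot, Out); continue; }
    Out.push_back(Tok.Text);
    L.Lex();
  }
  return Dangling;
}

// Constructed input: one dotted identifier (forces an UnLex) and one plain one.
ToyLexer makeSampleLexer() {
  return ToyLexer({{Token::Identifier, "foo.bar"}, {Token::Identifier, "baz"}});
}

int main() {
  std::vector<std::string> A, B;
  ToyLexer L1 = makeSampleLexer(), L2 = makeSampleLexer();
  std::cout << "buggy: dangling iterations=" << parseBuggy(L1, A)
            << " parsed=" << A.size() << "\n";   // 2 dangling, only "foo" parsed
  std::cout << "fixed: dangling iterations=" << parseFixed(L2, B)
            << " parsed=" << B.size() << "\n";   // 0 dangling, foo bar baz
  return 0;
}
```

Removing the `owns()` guard from `parseBuggy` and building with `-fsanitize=address` turns the next iteration's read of `Tok` into a reported heap-use-after-free, because `std::vector` growth is a real heap free. `SmallVector<AsmToken, 1>` first grows out of an inline buffer that stays part of the object, so the stale read is not a freed-memory access that ASan sees by default, which is the reason the message expects the in-tree tests to fail consistently only with ASan instrumentation added to SmallVector.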