[flang][mlir] Fix-forward heap use-after-free in #155348 #164712
Merged
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters. Learn more about bidirectional Unicode characters
mapInfoOp should not be accessed here because cloneModifyAndErase (line 255) erased it. Fix the issue by replacing mapInfoOp with the cloned op.
Member
| @llvm/pr-subscribers-mlir-openmp Author: Thurston Dang (thurstond) Changes
Full diff: https://github.com/llvm/llvm-project/pull/164712.diff 1 Files Affected:
diff --git a/mlir/lib/Dialect/OpenMP/Transforms/OpenMPOffloadPrivatizationPrepare.cpp b/mlir/lib/Dialect/OpenMP/Transforms/OpenMPOffloadPrivatizationPrepare.cpp index 735b905bffb85..dafc1cbacdac7 100644 --- a/mlir/lib/Dialect/OpenMP/Transforms/OpenMPOffloadPrivatizationPrepare.cpp +++ b/mlir/lib/Dialect/OpenMP/Transforms/OpenMPOffloadPrivatizationPrepare.cpp @@ -252,7 +252,8 @@ class PrepareForOMPOffloadPrivatizationPass // variable, rewrite all the uses of the original variable with // the heap-allocated variable. rewriter.setInsertionPoint(targetOp); - rewriter.setInsertionPoint(cloneModifyAndErase(mapInfoOp)); + mapInfoOp = cloneModifyAndErase(mapInfoOp); + rewriter.setInsertionPoint(mapInfoOp); // Fix any members that may use varPtr to now use heapMem for (auto member : mapInfoOp.getMembers()) { |
Member
| @llvm/pr-subscribers-mlir Author: Thurston Dang (thurstond) Changes
Full diff: https://github.com/llvm/llvm-project/pull/164712.diff 1 Files Affected:
diff --git a/mlir/lib/Dialect/OpenMP/Transforms/OpenMPOffloadPrivatizationPrepare.cpp b/mlir/lib/Dialect/OpenMP/Transforms/OpenMPOffloadPrivatizationPrepare.cpp index 735b905bffb85..dafc1cbacdac7 100644 --- a/mlir/lib/Dialect/OpenMP/Transforms/OpenMPOffloadPrivatizationPrepare.cpp +++ b/mlir/lib/Dialect/OpenMP/Transforms/OpenMPOffloadPrivatizationPrepare.cpp @@ -252,7 +252,8 @@ class PrepareForOMPOffloadPrivatizationPass // variable, rewrite all the uses of the original variable with // the heap-allocated variable. rewriter.setInsertionPoint(targetOp); - rewriter.setInsertionPoint(cloneModifyAndErase(mapInfoOp)); + mapInfoOp = cloneModifyAndErase(mapInfoOp); + rewriter.setInsertionPoint(mapInfoOp); // Fix any members that may use varPtr to now use heapMem for (auto member : mapInfoOp.getMembers()) { |
Member
| @llvm/pr-subscribers-flang-openmp Author: Thurston Dang (thurstond) Changes
Full diff: https://github.com/llvm/llvm-project/pull/164712.diff 1 Files Affected:
diff --git a/mlir/lib/Dialect/OpenMP/Transforms/OpenMPOffloadPrivatizationPrepare.cpp b/mlir/lib/Dialect/OpenMP/Transforms/OpenMPOffloadPrivatizationPrepare.cpp index 735b905bffb85..dafc1cbacdac7 100644 --- a/mlir/lib/Dialect/OpenMP/Transforms/OpenMPOffloadPrivatizationPrepare.cpp +++ b/mlir/lib/Dialect/OpenMP/Transforms/OpenMPOffloadPrivatizationPrepare.cpp @@ -252,7 +252,8 @@ class PrepareForOMPOffloadPrivatizationPass // variable, rewrite all the uses of the original variable with // the heap-allocated variable. rewriter.setInsertionPoint(targetOp); - rewriter.setInsertionPoint(cloneModifyAndErase(mapInfoOp)); + mapInfoOp = cloneModifyAndErase(mapInfoOp); + rewriter.setInsertionPoint(mapInfoOp); // Fix any members that may use varPtr to now use heapMem for (auto member : mapInfoOp.getMembers()) { |
thurstond changed the title 
joker-eph reviewed Oct 22, 2025
| // the heap-allocated variable. | ||
| rewriter.setInsertionPoint(targetOp); | ||
| rewriter.setInsertionPoint(cloneModifyAndErase(mapInfoOp)); | ||
| auto clonedOp = cast<omp::MapInfoOp>(cloneModifyAndErase(mapInfoOp)); |
Collaborator
There was a problem hiding this comment.
Why not just updating it:
Suggested change
| auto clonedOp = cast<omp::MapInfoOp>(cloneModifyAndErase(mapInfoOp)); | |
| mapInfoOp = cast<omp::MapInfoOp>(cloneModifyAndErase(mapInfoOp)); |
That way no risk of misusing mapInfoOp anymore?
joker-eph approved these changes Oct 22, 2025
Also fix another use-after-free
Contributor Author
| @joker-eph I updated the patch to fix a second-use-after-free |
| ✅ With the latest revision this PR passed the C/C++ code formatter. |
fmayer approved these changes Oct 22, 2025
mikolaj-pirog pushed a commit to mikolaj-pirog/llvm-project that referenced this pull request Oct 23, 2025
…4712) `mapInfoOp.getMembers()` on line 258 is use-after-free, because cloneModifyAndErase (line 255) erased `mapInfoOp`. Fix the issue by replacing subsequent `mapInfoOp` usages with `clonedOp`. Similarly, update `memberMapInfoOp` to avoid subsequent use-after-free.
dvbuka pushed a commit to dvbuka/llvm-project that referenced this pull request Oct 27, 2025
…4712) `mapInfoOp.getMembers()` on line 258 is use-after-free, because cloneModifyAndErase (line 255) erased `mapInfoOp`. Fix the issue by replacing subsequent `mapInfoOp` usages with `clonedOp`. Similarly, update `memberMapInfoOp` to avoid subsequent use-after-free.
Lukacma pushed a commit to Lukacma/llvm-project that referenced this pull request Oct 29, 2025
…4712) `mapInfoOp.getMembers()` on line 258 is use-after-free, because cloneModifyAndErase (line 255) erased `mapInfoOp`. Fix the issue by replacing subsequent `mapInfoOp` usages with `clonedOp`. Similarly, update `memberMapInfoOp` to avoid subsequent use-after-free.
aokblast pushed a commit to aokblast/llvm-project that referenced this pull request Oct 30, 2025
…4712) `mapInfoOp.getMembers()` on line 258 is use-after-free, because cloneModifyAndErase (line 255) erased `mapInfoOp`. Fix the issue by replacing subsequent `mapInfoOp` usages with `clonedOp`. Similarly, update `memberMapInfoOp` to avoid subsequent use-after-free.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
4 participants
Add this suggestion to a batch that can be applied as a single commit. This suggestion is invalid because no changes were made to the code. Suggestions cannot be applied while the pull request is closed. Suggestions cannot be applied while viewing a subset of changes. Only one suggestion per line can be applied in a batch. Add this suggestion to a batch that can be applied as a single commit. Applying suggestions on deleted lines is not supported. You must change the existing code in this line in order to create a valid suggestion. Outdated suggestions cannot be applied. This suggestion has been applied or marked resolved. Suggestions cannot be applied from pending reviews. Suggestions cannot be applied on multi-line comments. Suggestions cannot be applied while the pull request is queued to merge. Suggestion cannot be applied right now. Please check back later.
mapInfoOp.getMembers()on line 258 is use-after-free, because cloneModifyAndErase (line 255) erasedmapInfoOp. Fix the issue by replacing subsequentmapInfoOpusages withclonedOp.Similarly, update
memberMapInfoOpto avoid subsequent use-after-free.