Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Fix heap-use-after-free error in find_best_fit() #8483

Merged
merged 2 commits into from
Nov 20, 2024
Merged

Fix heap-use-after-free error in find_best_fit() #8483

merged 2 commits into from
Nov 20, 2024

Conversation

steven-johnson
Copy link
Contributor

@steven-johnson steven-johnson commented Nov 20, 2024
edited by alexreinking
Loading

Fixes #8482

@steven-johnson steven-johnson mentioned this pull request Nov 20, 2024
Closed
@steven-johnson steven-johnson merged commit f566881 into main Nov 20, 2024
15 of 19 checks passed
@steven-johnson steven-johnson deleted the srj/expr-lifetime branch November 20, 2024 16:37
@steven-johnson
Copy link
Contributor Author

Note that this reveals a fundamental danger of the as_const_int() and friends API (i.e. if the Expr being looked at is a temporary)...

@steven-johnson
Copy link
Contributor Author

From a quick skim of the source, I don't see any other obvious misuse of these calls that seem to be at-risk, but it would be easy to misuse them inadvertently. Not sure if we want to revisit this API somehow to minimize risk.

@abadams
Copy link
Member

abadams commented Nov 20, 2024

Could we add a as_const_int(Expr &&) that just contains a static_assert to stop you from calling it on rvals? We'd still have the problem below, but it would at least prevent one source of problems.

const uint64_t *i = nullptr;
{ 
  Expr e = some temporary expr
  i = as_const_int(e);
}
if (i && *i == 5) { // use-after-free
  ...
}

@abadams
Copy link
Member

abadams commented Nov 20, 2024

Actually the better fix is making as_const_int return a std::optional<int64_t>. IIUC the syntax for using it is even the same because they made it act like a pointer (if (i & *i == 5))

@alexreinking alexreinking changed the title Fix heap-use-after-free error in find_best_fit() (Fixes #8482) Fix heap-use-after-free error in find_best_fit() Nov 20, 2024
@BrewTestBot BrewTestBot mentioned this pull request Dec 17, 2024
Merged
1 task
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@abadams abadams abadams approved these changes

@derek-gerstmann derek-gerstmann Awaiting requested review from derek-gerstmann

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

[asan] FuseGPUThreadLoops heap-use-after-free in ExtractSharedAndHeapAllocations
2 participants
@steven-johnson @abadams