Author: Duncan P. N. Exon Smith
Date: 2021-01-21T11:24:35-08:00
New Revision: f2fd41d7897e1cc8fc6e9fb2ea46e5b6527852e4
URL: https://github.com/llvm/llvm-project/commit/f2fd41d7897e1cc8fc6e9fb2ea46e5b6527852e4
DIFF: https://github.com/llvm/llvm-project/commit/f2fd41d7897e1cc8fc6e9fb2ea46e5b6527852e4.diff

LOG: X86: Fix use-after-realloc in X86AsmParser::ParseIntelExpression

`X86AsmParser::ParseIntelExpression` has a while loop. In the body, calls to MCAsmLexer::UnLex can force a reallocation in the MCAsmLexer's `CurToken` SmallVector, invalidating saved references to `MCAsmLexer::getTok()`. `const MCAsmToken &Tok` is such a saved reference, and this moves it from outside the while loop to inside the body, fixing a use-after-realloc.

`Tok` will still be reused across calls to `Lex()`, each of which effectively destroys and constructs the pointed-to token. I'm a bit skeptical of this usage pattern, but it seems broadly used in the X86AsmParser (and others) so I'm leaving it alone (for now).

Somehow this bug was exposed by https://reviews.llvm.org/D94739, resulting in test failures in dot-operator related tests in llvm/test/tools/llvm-ml. I suspect the exposure path is related to optimizer changes from splitting up the grow operation, but I haven't dug all the way in. Regardless, there are already tests in tree that cover this; they might fail consistently if we added ASan instrumentation to SmallVector.

Differential Revision: https://reviews.llvm.org/D95112

Added:

Modified:
    llvm/lib/Target/X86/AsmParser/X86AsmParser.cpp

Removed:

################################################################################
diff --git a/llvm/lib/Target/X86/AsmParser/X86AsmParser.cpp b/llvm/lib/Target/X86/AsmParser/X86AsmParser.cpp
index e4ffe3f71100..9d9a20183f0f 100644
--- a/llvm/lib/Target/X86/AsmParser/X86AsmParser.cpp
+++ b/llvm/lib/Target/X86/AsmParser/X86AsmParser.cpp
@@ -1842,12 +1842,15 @@ bool X86AsmParser::ParseMasmNamedOperator(StringRef Name, bool X86AsmParser::ParseIntelExpression(IntelExprStateMachine &SM, SMLoc &End) { MCAsmParser &Parser = getParser(); - const AsmToken &Tok = Parser.getTok(); StringRef ErrMsg; AsmToken::TokenKind PrevTK = AsmToken::Error; bool Done = false; while (!Done) { + // Get a fresh reference on each loop iteration in case the previous + // iteration moved the token storage during UnLex(). + const AsmToken &Tok = Parser.getTok(); + bool UpdateLocLex = true; AsmToken::TokenKind TK = getLexer().getKind(); _______________________________________________ llvm-branch-commits mailing list llvm-branch-commits@lists.llvm.org https://lists.llvm.org/cgi-bin/mailman/listinfo/llvm-branch-commits
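Review bot: Re-fetching `const AsmToken &Tok = Parser.getTok();` at the top of the loop body only protects against reallocations that happened in a previous iteration; any `UnLex()` call made later in the same iteration can still move the `CurToken` storage (as the commit message itself describes) and leave `Tok` dangling for the remainder of that iteration. If the body does call `UnLex()` before its last use of `Tok`, consider either copying the token by value (`AsmToken Tok = Parser.getTok();`) or re-reading `Parser.getTok()` after each `UnLex()`, and say so in the added comment so the next reader does not assume the reference is stable for the whole iteration. Since the message notes the failure only surfaced indirectly via D94739 and would be caught consistently with ASan on SmallVector, naming the llvm-ml dot-operator tests that exercise this path in the commit message would make the regression coverage easier to find.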