[MERGE #6267 @zenparsing] Prevent a use after free in memop

Kevin Smith · Kevin Smith · commit c5297b86536f · 2019-09-05T13:20:28.000-07:00
Merge pull request #6267 from zenparsing:use-after-free-memop
diff --git a/lib/Backend/GlobOpt.cpp b/lib/Backend/GlobOpt.cpp
@@ -17080,13 +17080,14 @@ GlobOpt::EmitMemop(Loop * loop, LoopCount *loopCount, const MemOpEmitData* emitD
     RemoveMemOpSrcInstr(memopInstr, emitData->stElemInstr, emitData->block);
     if (!isMemset)
     {
-        if (((MemCopyEmitData*)emitData)->ldElemInstr->GetSrc1()->IsIndirOpnd())
+        IR::Instr* ldElemInstr = ((MemCopyEmitData*)emitData)->ldElemInstr;
+        if (ldElemInstr->GetSrc1()->IsIndirOpnd())
         {
-            baseOpnd = ((MemCopyEmitData*)emitData)->ldElemInstr->GetSrc1()->AsIndirOpnd()->GetBaseOpnd();
+            baseOpnd = ldElemInstr->GetSrc1()->AsIndirOpnd()->GetBaseOpnd();
             isLikelyJsArray = baseOpnd->GetValueType().IsLikelyArrayOrObjectWithArray();
-            ProcessNoImplicitCallArrayUses(baseOpnd, baseOpnd->IsArrayRegOpnd() ? baseOpnd->AsArrayRegOpnd() : nullptr, emitData->stElemInstr, isLikelyJsArray, true);
+            ProcessNoImplicitCallArrayUses(baseOpnd, baseOpnd->IsArrayRegOpnd() ? baseOpnd->AsArrayRegOpnd() : nullptr, ldElemInstr, isLikelyJsArray, true);
         }
-        RemoveMemOpSrcInstr(memopInstr, ((MemCopyEmitData*)emitData)->ldElemInstr, emitData->block);
+        RemoveMemOpSrcInstr(memopInstr, ldElemInstr, emitData->block);
     }
     InsertNoImplicitCallUses(memopInstr);
     noImplicitCallUsesToInsert->Clear();    

Original file line number	Diff line number	Diff line change
`@@ -17080,13 +17080,14 @@ GlobOpt::EmitMemop(Loop * loop, LoopCount loopCount, const MemOpEmitData emitD`
`17080`	`17080`	`RemoveMemOpSrcInstr(memopInstr, emitData->stElemInstr, emitData->block);`
`17081`	`17081`	`if (!isMemset)`
`17082`	`17082`	`{`
`17083`		`- if (((MemCopyEmitData*)emitData)->ldElemInstr->GetSrc1()->IsIndirOpnd())`
	`17083`	`+ IR::Instr* ldElemInstr = ((MemCopyEmitData*)emitData)->ldElemInstr;`
	`17084`	`+ if (ldElemInstr->GetSrc1()->IsIndirOpnd())`
`17084`	`17085`	`{`
`17085`		`- baseOpnd = ((MemCopyEmitData*)emitData)->ldElemInstr->GetSrc1()->AsIndirOpnd()->GetBaseOpnd();`
	`17086`	`+ baseOpnd = ldElemInstr->GetSrc1()->AsIndirOpnd()->GetBaseOpnd();`
`17086`	`17087`	`isLikelyJsArray = baseOpnd->GetValueType().IsLikelyArrayOrObjectWithArray();`
`17087`		`- ProcessNoImplicitCallArrayUses(baseOpnd, baseOpnd->IsArrayRegOpnd() ? baseOpnd->AsArrayRegOpnd() : nullptr, emitData->stElemInstr, isLikelyJsArray, true);`
	`17088`	`+ ProcessNoImplicitCallArrayUses(baseOpnd, baseOpnd->IsArrayRegOpnd() ? baseOpnd->AsArrayRegOpnd() : nullptr, ldElemInstr, isLikelyJsArray, true);`
`17088`	`17089`	`}`
`17089`		`- RemoveMemOpSrcInstr(memopInstr, ((MemCopyEmitData*)emitData)->ldElemInstr, emitData->block);`
	`17090`	`+ RemoveMemOpSrcInstr(memopInstr, ldElemInstr, emitData->block);`
`17090`	`17091`	`}`
`17091`	`17092`	`InsertNoImplicitCallUses(memopInstr);`
`17092`	`17093`	`noImplicitCallUsesToInsert->Clear();`