[1.11>master] [MERGE #6267 @zenparsing] Prevent a use after free in memop

Kevin Smith · Kevin Smith · commit e79d68a8c0f9 · 2019-09-05T13:33:23.000-07:00
Merge pull request #6267 from zenparsing:use-after-free-memop
diff --git a/lib/Backend/GlobOpt.cpp b/lib/Backend/GlobOpt.cpp
@@ -17410,13 +17410,14 @@ GlobOpt::EmitMemop(Loop * loop, LoopCount *loopCount, const MemOpEmitData* emitD
     RemoveMemOpSrcInstr(memopInstr, emitData->stElemInstr, emitData->block);
     if (!isMemset)
     {
-        if (((MemCopyEmitData*)emitData)->ldElemInstr->GetSrc1()->IsIndirOpnd())
+        IR::Instr* ldElemInstr = ((MemCopyEmitData*)emitData)->ldElemInstr;
+        if (ldElemInstr->GetSrc1()->IsIndirOpnd())
         {
-            baseOpnd = ((MemCopyEmitData*)emitData)->ldElemInstr->GetSrc1()->AsIndirOpnd()->GetBaseOpnd();
+            baseOpnd = ldElemInstr->GetSrc1()->AsIndirOpnd()->GetBaseOpnd();
             isLikelyJsArray = baseOpnd->GetValueType().IsLikelyArrayOrObjectWithArray();
-            ProcessNoImplicitCallArrayUses(baseOpnd, baseOpnd->IsArrayRegOpnd() ? baseOpnd->AsArrayRegOpnd() : nullptr, emitData->stElemInstr, isLikelyJsArray, true);
+            ProcessNoImplicitCallArrayUses(baseOpnd, baseOpnd->IsArrayRegOpnd() ? baseOpnd->AsArrayRegOpnd() : nullptr, ldElemInstr, isLikelyJsArray, true);
         }
-        RemoveMemOpSrcInstr(memopInstr, ((MemCopyEmitData*)emitData)->ldElemInstr, emitData->block);
+        RemoveMemOpSrcInstr(memopInstr, ldElemInstr, emitData->block);
     }
     InsertNoImplicitCallUses(memopInstr);
     noImplicitCallUsesToInsert->Clear();

Original file line number	Diff line number	Diff line change
`@@ -17410,13 +17410,14 @@ GlobOpt::EmitMemop(Loop * loop, LoopCount loopCount, const MemOpEmitData emitD`
`17410`	`17410`	`RemoveMemOpSrcInstr(memopInstr, emitData->stElemInstr, emitData->block);`
`17411`	`17411`	`if (!isMemset)`
`17412`	`17412`	`{`
`17413`		`- if (((MemCopyEmitData*)emitData)->ldElemInstr->GetSrc1()->IsIndirOpnd())`
	`17413`	`+ IR::Instr* ldElemInstr = ((MemCopyEmitData*)emitData)->ldElemInstr;`
	`17414`	`+ if (ldElemInstr->GetSrc1()->IsIndirOpnd())`
`17414`	`17415`	`{`
`17415`		`- baseOpnd = ((MemCopyEmitData*)emitData)->ldElemInstr->GetSrc1()->AsIndirOpnd()->GetBaseOpnd();`
	`17416`	`+ baseOpnd = ldElemInstr->GetSrc1()->AsIndirOpnd()->GetBaseOpnd();`
`17416`	`17417`	`isLikelyJsArray = baseOpnd->GetValueType().IsLikelyArrayOrObjectWithArray();`
`17417`		`- ProcessNoImplicitCallArrayUses(baseOpnd, baseOpnd->IsArrayRegOpnd() ? baseOpnd->AsArrayRegOpnd() : nullptr, emitData->stElemInstr, isLikelyJsArray, true);`
	`17418`	`+ ProcessNoImplicitCallArrayUses(baseOpnd, baseOpnd->IsArrayRegOpnd() ? baseOpnd->AsArrayRegOpnd() : nullptr, ldElemInstr, isLikelyJsArray, true);`
`17418`	`17419`	`}`
`17419`		`- RemoveMemOpSrcInstr(memopInstr, ((MemCopyEmitData*)emitData)->ldElemInstr, emitData->block);`
	`17420`	`+ RemoveMemOpSrcInstr(memopInstr, ldElemInstr, emitData->block);`
`17420`	`17421`	`}`
`17421`	`17422`	`InsertNoImplicitCallUses(memopInstr);`
`17422`	`17423`	`noImplicitCallUsesToInsert->Clear();`