Fix GH-102: heap corruption in GCM when using MEM2SSA

The crash was caused by reusing of CFG built before MEM2SSA part. That CFG didn't take into account new PHI nodes inserted during SSA construction. This also enables MEM2SSA for O1 in ir_main() (like in ir_jit_compile)
dstogov · Jan 20, 2025 · 4942279 · 4942279
1 parent d6d7fc4
commit 4942279
Show file tree

Hide file tree

Showing 4 changed files with 14 additions and 6 deletions.
diff --git a/ir.c b/ir.c
@@ -348,6 +348,12 @@ static void ir_grow_top(ir_ctx *ctx)
 		memset(ctx->use_lists + old_insns_limit, 0,
 			(ctx->insns_limit - old_insns_limit) * sizeof(ir_use_list));
 	}
+
+	if (ctx->cfg_map) {
+		ctx->cfg_map = ir_mem_realloc(ctx->cfg_map, ctx->insns_limit * sizeof(uint32_t));
+		memset(ctx->cfg_map + old_insns_limit, 0,
+			(ctx->insns_limit - old_insns_limit) * sizeof(uint32_t));
+	}
 }
 
 static ir_ref ir_next_insn(ir_ctx *ctx)

diff --git a/ir.h b/ir.h
@@ -958,10 +958,12 @@ IR_ALWAYS_INLINE void *ir_jit_compile(ir_ctx *ctx, int opt_level, size_t *size)
 			 || !ir_mem2ssa(ctx)) {
 				return NULL;
 			}
+			if (opt_level > 1) {
+				ir_reset_cfg(ctx);
+			}
 		}
 
 		if (opt_level > 1) {
-			ir_reset_cfg(ctx);
 			if (!ir_sccp(ctx)) {
 				return NULL;
 			}

diff --git a/ir_cfg.c b/ir_cfg.c
@@ -92,7 +92,7 @@ int ir_build_cfg(ir_ctx *ctx)
 	uint32_t len = ir_bitset_len(ctx->insns_count);
 	ir_bitset bb_starts = ir_mem_calloc(len * 2, IR_BITSET_BITS / 8);
 	ir_bitset bb_leaks = bb_starts + len;
-	_blocks = ir_mem_calloc(ctx->insns_count, sizeof(uint32_t));
+	_blocks = ir_mem_calloc(ctx->insns_limit, sizeof(uint32_t));
 	ir_worklist_init(&worklist, ctx->insns_count);
 
 	/* First try to perform backward DFS search starting from "stop" nodes */

diff --git a/ir_main.c b/ir_main.c
@@ -255,6 +255,9 @@ int ir_compile_func(ir_ctx *ctx, int opt_level, uint32_t save_flags, uint32_t du
 		}
 
 		ir_mem2ssa(ctx);
+		if (opt_level > 1) {
+			ir_reset_cfg(ctx);
+		}
 		if ((dump & (IR_DUMP_AFTER_MEM2SSA|IR_DUMP_AFTER_ALL))
 		 && !_save(ctx, save_flags, dump, IR_DUMP_AFTER_MEM2SSA, dump_file, func_name)) {
 			return 0;
@@ -266,9 +269,6 @@ int ir_compile_func(ir_ctx *ctx, int opt_level, uint32_t save_flags, uint32_t du
 
 	/* Global Optimization */
 	if (opt_level > 1) {
-		if (ctx->cfg_blocks) {
-			ir_reset_cfg(ctx);
-		}
 		ir_sccp(ctx);
 		if ((dump & (IR_DUMP_AFTER_SCCP|IR_DUMP_AFTER_ALL))
 		 && !_save(ctx, save_flags, dump, IR_DUMP_AFTER_SCCP, dump_file, func_name)) {
@@ -1325,7 +1325,7 @@ int main(int argc, char **argv)
 	if (opt_level > 1 && !disable_inline) {
 		flags |= IR_OPT_INLINE;
 	}
-	if (opt_level > 1 && !disable_mem2ssa) {
+	if (opt_level > 0 && !disable_mem2ssa) {
 		flags |= IR_OPT_MEM2SSA;
 	}
 	if (emit_c || emit_llvm) {