author | Job Noorman <jnoorman@igalia.com> | 2023-04-17 14:55:11 +0200 |
---|---|---|
committer | Job Noorman <jnoorman@igalia.com> | 2023-04-17 16:16:49 +0200 |
commit | 48ad4296f7847db15b6bee7a465fc2cbe687ba6a (patch) | |
tree | 0de04412f495cf8ab92bc606d7518c427b5ed8e6 /bolt | |
parent | 56f7052d9226838b745970c4156be30ee209ee03 (diff) | |
[BOLT] Fix use-after-free in RewriteInstance::mapCodeSections
When a cold function is too large, its section gets deregistered.
However, the section is still dereferenced later to get its RuntimeDyld
ID. This patch moves the deregistration to after the last dereference.
Reviewed By: Amir
Differential Revision: https://reviews.llvm.org/D148427
Diffstat (limited to 'bolt')
-rw-r--r-- | bolt/lib/Rewrite/RewriteInstance.cpp | 4 |
1 files changed, 3 insertions, 1 deletions
diff --git a/bolt/lib/Rewrite/RewriteInstance.cpp b/bolt/lib/Rewrite/RewriteInstance.cpp index 57e41d5b5724..4c4b3fa47c62 100644 --- a/bolt/lib/Rewrite/RewriteInstance.cpp +++ b/bolt/lib/Rewrite/RewriteInstance.cpp @@ -4097,7 +4097,6 @@ void RewriteInstance::mapCodeSections(RuntimeDyld &RTDyld) { FF.setImageAddress(0); FF.setImageSize(0); FF.setFileOffset(0); - BC->deregisterSection(*ColdSection); } else { FF.setAddress(NextAvailableAddress); FF.setImageAddress(ColdSection->getAllocAddress()); @@ -4112,6 +4111,9 @@ void RewriteInstance::mapCodeSections(RuntimeDyld &RTDyld) { FF.getImageAddress(), FF.getAddress(), FF.getImageSize())); RTDyld.reassignSectionAddress(ColdSection->getSectionID(), FF.getAddress()); + if (TooLarge) + BC->deregisterSection(*ColdSection); + NextAvailableAddress += FF.getImageSize(); } |
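Review bot: In the first hunk (the too-large branch at -4097), dropping `BC->deregisterSection(*ColdSection);` leaves nothing in that branch to say cleanup is still pending. A one-line comment there, noting that the section is deregistered further down after its last use, would keep a later refactor from moving the call back next to `FF.setFileOffset(0);` and reintroducing the dangling dereference.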
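Review bot: The added `if (TooLarge) BC->deregisterSection(*ColdSection);` in the second hunk is only safe because nothing after it touches `ColdSection`, and that ordering constraint is not written down in the code. Please add a comment above the `if` stating that `ColdSection` must not be dereferenced past this point, since the last use is the `ColdSection->getSectionID()` call just before it. The diffstat also shows only RewriteInstance.cpp changing, so there is no regression test for the too-large cold section path; a test that exercises it, run under a sanitizer build, would catch a reordering of these lines.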