authorJob Noorman <jnoorman@igalia.com>2023-04-17 14:55:11 +0200
committerJob Noorman <jnoorman@igalia.com>2023-04-17 16:16:49 +0200
commit48ad4296f7847db15b6bee7a465fc2cbe687ba6a (patch)
tree0de04412f495cf8ab92bc606d7518c427b5ed8e6 /bolt
parent56f7052d9226838b745970c4156be30ee209ee03 (diff)
downloadllvm-48ad4296f7847db15b6bee7a465fc2cbe687ba6a.tar.gz
[BOLT] Fix use-after-free in RewriteInstance::mapCodeSections
When a cold function is too large, its section gets deregistered. However, the section is still dereferenced later to get its RuntimeDyld ID. This patch moves the deregistration to after the last dereference. Reviewed By: Amir Differential Revision: https://reviews.llvm.org/D148427
Diffstat (limited to 'bolt')
-rw-r--r--bolt/lib/Rewrite/RewriteInstance.cpp4
1 files changed, 3 insertions, 1 deletions
diff --git a/bolt/lib/Rewrite/RewriteInstance.cpp b/bolt/lib/Rewrite/RewriteInstance.cpp
index 57e41d5b5724..4c4b3fa47c62 100644
--- a/bolt/lib/Rewrite/RewriteInstance.cpp
+++ b/bolt/lib/Rewrite/RewriteInstance.cpp
@@ -4097,7 +4097,6 @@ void RewriteInstance::mapCodeSections(RuntimeDyld &RTDyld) {
FF.setImageAddress(0);
FF.setImageSize(0);
FF.setFileOffset(0);
- BC->deregisterSection(*ColdSection);
} else {
FF.setAddress(NextAvailableAddress);
FF.setImageAddress(ColdSection->getAllocAddress());
@@ -4112,6 +4111,9 @@ void RewriteInstance::mapCodeSections(RuntimeDyld &RTDyld) {
FF.getImageAddress(), FF.getAddress(), FF.getImageSize()));
RTDyld.reassignSectionAddress(ColdSection->getSectionID(), FF.getAddress());
+ if (TooLarge)
+ BC->deregisterSection(*ColdSection);
+
NextAvailableAddress += FF.getImageSize();
}
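Review bot: The deferred `BC->deregisterSection(*ColdSection)` leaves `ColdSection` dangling for the rest of the loop body, and nothing in the code records that the call must stay after the last use of that pointer. Going by the commit message, the deregistered section is no longer safe to dereference, so a comment above the `if (TooLarge)` would keep a later edit from reintroducing the use-after-free, for example `// Must stay after the last use of ColdSection: deregistering invalidates it.` The diffstat shows only RewriteInstance.cpp changed under bolt/, so there appears to be no regression test. A too-large cold fragment case run under AddressSanitizer would pin the ordering. mapCodeSections starts and ends outside the hunk.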