Liang Wang
2014-Oct-18 00:21 UTC
[LLVMdev] Dereferencing NULL pointer in IndVarSimplify.cpp?
Hi,

Here is the code in IndVarSimplify.cpp.

    SmallVector<WeakVH, 16> DeadInsts;

    while (!DeadInsts.empty())
      if (Instruction *Inst =
              dyn_cast_or_null<Instruction>(&*DeadInsts.pop_back_val()))
        RecursivelyDeleteTriviallyDeadInstructions(Inst, TLI);

Since DeadInsts.pop_back_val() is a WeakVH, which could hold a NULL pointer, the expression &*DeadInsts.pop_back_val() could be &*NULL. Then the NULL pointer is dereferenced here.

I wrote a small test case and it works just fine. But is this a well-defined behavior in the standard?

Thanks,
Liang
Andrew Trick
2014-Oct-24 03:32 UTC
[LLVMdev] Dereferencing NULL pointer in IndVarSimplify.cpp?
> On Oct 17, 2014, at 5:21 PM, Liang Wang <netcasper at gmail.com> wrote:
>
> Hi,
>
> Here is the code in IndVarSimplify.cpp.
>
>     SmallVector<WeakVH, 16> DeadInsts;
>
>     while (!DeadInsts.empty())
>       if (Instruction *Inst =
>               dyn_cast_or_null<Instruction>(&*DeadInsts.pop_back_val()))
>         RecursivelyDeleteTriviallyDeadInstructions(Inst, TLI);
>
> Since DeadInsts.pop_back_val() is a WeakVH, which could hold a NULL
> pointer, the expression &*DeadInsts.pop_back_val() could be &*NULL.
> Then the NULL pointer is dereferenced here.
>
> I wrote a small test case and it works just fine. But is this a
> well-defined behavior in the standard?

Try clang-dev or a c++ list for questions about the standard.

I think it would have been nicer to write (Value*)DeadInsts.pop_back_val()

-Andy

> Thanks,
> Liang
> _______________________________________________
> LLVM Developers mailing list
> LLVMdev at cs.uiuc.edu         http://llvm.cs.uiuc.edu
> http://lists.cs.uiuc.edu/mailman/listinfo/llvmdev
Duncan P. N. Exon Smith
2014-Oct-24 15:28 UTC
[LLVMdev] Dereferencing NULL pointer in IndVarSimplify.cpp?
> On 2014-Oct-23, at 20:32, Andrew Trick <atrick at apple.com> wrote:
>
>> On Oct 17, 2014, at 5:21 PM, Liang Wang <netcasper at gmail.com> wrote:
>>
>> Hi,
>>
>> Here is the code in IndVarSimplify.cpp.
>>
>>     SmallVector<WeakVH, 16> DeadInsts;
>>
>>     while (!DeadInsts.empty())
>>       if (Instruction *Inst =
>>               dyn_cast_or_null<Instruction>(&*DeadInsts.pop_back_val()))
>>         RecursivelyDeleteTriviallyDeadInstructions(Inst, TLI);
>>
>> Since DeadInsts.pop_back_val() is a WeakVH, which could hold a NULL
>> pointer, the expression &*DeadInsts.pop_back_val() could be &*NULL.
>> Then the NULL pointer is dereferenced here.
>>
>> I wrote a small test case and it works just fine. But is this a
>> well-defined behavior in the standard?

This is UB, but `&*nullptr` often "works" so I'm not surprised you couldn't expose it with a testcase.

> Try clang-dev or a c++ list for questions about the standard.
>
> I think it would have been nicer to write (Value*)DeadInsts.pop_back_val()
> -Andy

+1 (or `static_cast<Value *>(DeadInsts.pop_back_val())`).
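The contrast discussed in this thread, as an added example that is not part of the original messages and is not LLVM's own code: the `Value`, `Instruction`, `Handle` and `dynCastOrNull` types below are minimal stand-ins for `llvm::Value`, `llvm::Instruction`, `WeakVH` and `dyn_cast_or_null`, and the worklist contents are constructed. It shows why `&*handle` forms a dereference of the stored pointer (undefined when that pointer is null, even though compilers usually fold it back to null), and how reading the handle through its conversion operator, as Andy and Duncan suggest, drains a worklist containing null handles without ever forming `*nullptr`.

```cpp
// Added example, not from the thread or from LLVM.  Contrasts the `&*handle`
// idiom with an explicit conversion that never dereferences a null handle.
#include <cassert>
#include <vector>

// Minimal stand-ins for llvm::Value / llvm::Instruction (assumed, not LLVM's).
struct Value {
  virtual ~Value() = default;
  virtual bool isInstruction() const { return false; }
};
struct Instruction : Value {
  bool isInstruction() const override { return true; }
};

// Stand-in for WeakVH: a handle whose target may have been deleted, leaving it
// null.  Like a pointer-like handle it offers both a dereference operator and
// an implicit conversion to Value*.
class Handle {
  Value *Ptr;

public:
  explicit Handle(Value *P) : Ptr(P) {}
  operator Value *() const { return Ptr; }   // conversion route: just reads Ptr
  Value &operator*() const { return *Ptr; }  // dereference route: forms *Ptr
};

// Stand-in for dyn_cast_or_null: null in, null out; otherwise downcast when the
// dynamic type matches.
Instruction *dynCastOrNull(Value *V) {
  if (!V)
    return nullptr;
  return V->isInstruction() ? static_cast<Instruction *>(V) : nullptr;
}

// The idiom from IndVarSimplify.cpp: &*H is &(H.operator*()), i.e. &(*Ptr).
// With a null Ptr this forms an lvalue to *nullptr, which is undefined
// behaviour even though most compilers fold it back to a null pointer.  Only
// well-defined for a non-null handle, so callers must guarantee that.
Value *viaAddrOfDeref(Handle H) { return &*H; }

// The suggested fix: static_cast<Value *>(H) calls operator Value*, which
// copies the stored pointer without dereferencing it, so a null handle is
// passed straight through to dynCastOrNull.
Value *viaConversion(Handle H) { return static_cast<Value *>(H); }

// Drains a worklist of possibly-null handles the safe way and returns how many
// handles still referred to an Instruction (the ones the real pass would hand
// to RecursivelyDeleteTriviallyDeadInstructions).
int drainWorklist(std::vector<Handle> &DeadInsts) {
  int NumInsts = 0;
  while (!DeadInsts.empty()) {
    Handle H = DeadInsts.back();
    DeadInsts.pop_back();
    if (Instruction *Inst = dynCastOrNull(viaConversion(H))) {
      (void)Inst;  // the real pass deletes Inst here
      ++NumInsts;
    }
  }
  return NumInsts;
}

// Constructed sample: two handles have gone null (their values were deleted),
// one points at a plain Value, two still point at Instructions.
int runSample() {
  Instruction I1, I2;
  Value V;
  std::vector<Handle> Dead{Handle(&I1), Handle(nullptr), Handle(&V),
                           Handle(nullptr), Handle(&I2)};
  return drainWorklist(Dead);  // returns 2
}

// Sanity check that both routes agree on a non-null handle, which is the only
// input for which viaAddrOfDeref is well-defined.
bool routesAgreeForNonNull() {
  Instruction I;
  Handle H(&I);
  return viaAddrOfDeref(H) == &I && viaConversion(H) == &I;
}

int main() {
  assert(runSample() == 2);
  assert(routesAgreeForNonNull());
  return 0;
}
```

The difference between the two routes is purely about which member function the expression selects: `&*H` goes through `operator*` and therefore must form `*Ptr`, while `static_cast<Value *>(H)` (or the C-style `(Value*)H`) goes through the conversion operator and only copies the pointer, which is exactly what `dyn_cast_or_null` wants to receive.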