InlineFunction.cpp: IFI.InlinedCallSites and intrinsics

Hi all,

I have been investigating a 'use after free' in the inliner. (This is with the full restrict patches)

The problem is related to an intrinsic call that is removed, but later on is used anyway because
the instruction was being tracked in the 'IFI.InlinedCallSites':

https://github.com/llvm/llvm-project/blob/1db2551cc1a356a67c0967f424d6158e2ea127e3/llvm/lib/Transforms/Utils/InlineFunction.cpp#L2448

As similar code here:
https://github.com/llvm/llvm-project/blob/1db2551cc1a356a67c0967f424d6158e2ea127e3/llvm/lib/Transforms/Utils/InlineFunction.cpp#L1350

avoids updating 'IFI.InlinedCalls' for intrinsics, I am wondering if the same logic should be added to the former.
Or is there a good reason that intrinsics must be included in 'IFI.InlinedCallSites'?

Thanks,

Jeroen Dobbelaere

I don’t see any reason to add intrinsics into IFI.InlinedCallSites. Seems like all users expect it to only contain actual function calls.

Is the use after free specific to your patches, or is it observable currently in ToT LLVM?
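The following is an added stand-alone model of the hazard the thread describes, not code from LLVM or from the restrict patches: a tracking list holds raw pointers to instructions, a later step deletes some of those instructions, and the list then carries dangling pointers. `Inst`, `InlineInfo`, `recordInlinedCalls`, `eraseIntrinsics` and the instruction names are constructed for the illustration; `skipIntrinsics == true` stands in for the filtering at the L1350 link above and `false` for the unfiltered recording at the L2448 link. The dangling check compares addresses only and never dereferences freed memory.

```cpp
// Added example, not LLVM code: "Inst" stands in for llvm::Instruction and
// "InlineInfo" for llvm::InlineFunctionInfo. No LLVM headers are used.
#include <memory>
#include <set>
#include <string>
#include <vector>

struct Inst {
  std::string name;
  bool isIntrinsic;  // models isa<IntrinsicInst>(I)
};

// Hypothetical stand-in for the IFI struct in the thread.
struct InlineInfo {
  std::vector<Inst *> InlinedCallSites;  // raw pointers, no ownership
};

// Record the calls of an inlined body. With skipIntrinsics set this mirrors
// the filtered code path the thread points at; without it, the unfiltered one.
void recordInlinedCalls(const std::vector<std::unique_ptr<Inst>> &body,
                        InlineInfo &ifi, bool skipIntrinsics) {
  for (const auto &I : body) {
    if (skipIntrinsics && I->isIntrinsic)
      continue;
    ifi.InlinedCallSites.push_back(I.get());
  }
}

// A later step that removes intrinsics (models the removal described in the
// thread). Returns the addresses of the erased instructions so the tracking
// list can be audited by address without touching freed memory.
std::set<const Inst *> eraseIntrinsics(std::vector<std::unique_ptr<Inst>> &body) {
  std::set<const Inst *> erased;
  for (auto it = body.begin(); it != body.end();) {
    if ((*it)->isIntrinsic) {
      erased.insert(it->get());
      it = body.erase(it);  // destroys the instruction
    } else {
      ++it;
    }
  }
  return erased;
}

// Count tracked call sites whose instruction has been erased (address compare).
size_t countDangling(const InlineInfo &ifi, const std::set<const Inst *> &erased) {
  size_t n = 0;
  for (const Inst *CS : ifi.InlinedCallSites)
    if (erased.count(CS))
      ++n;
  return n;
}

// Build a constructed inlined body (two real calls, two intrinsics), record the
// call sites, erase the intrinsics, and report how many tracked pointers dangle.
size_t simulate(bool skipIntrinsics) {
  std::vector<std::unique_ptr<Inst>> body;
  body.push_back(std::make_unique<Inst>(Inst{"call @foo", false}));
  body.push_back(std::make_unique<Inst>(Inst{"intrinsic-1", true}));
  body.push_back(std::make_unique<Inst>(Inst{"call @bar", false}));
  body.push_back(std::make_unique<Inst>(Inst{"intrinsic-2", true}));

  InlineInfo ifi;
  recordInlinedCalls(body, ifi, skipIntrinsics);
  std::set<const Inst *> erased = eraseIntrinsics(body);
  return countDangling(ifi, erased);
}

int main() {
  // Unfiltered recording leaves two dangling entries; filtered leaves none.
  return simulate(false) == 2 && simulate(true) == 0 ? 0 : 1;
}
```

The point of the model is that the tracking list has no way to learn that an instruction it references was deleted, so the only safe choices are to never record entries that a later step may remove (the filtering the thread proposes) or to update the list whenever such an instruction is erased.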

Hi Arthur,

I think that the problem is only visible with the full restrict patches where we sometimes remove an intrinsic after those calls were tracked.

I am not aware of other places, after the tracking of those calls, where intrinsics might be removed.

I can prepare a [nfc] fix for this.

Thanks,

Jeroen Dobbelaere