Fix potential pointer lifetime issue in the type scavenger. (#1850)

jcranmer-intel · web-flow · commit 4af277cb42bf · 2023-02-20T13:01:02.000+01:00
As computerPointerElementType is recursive, it's possible for the hash table to
be resized during the call to the function. If this happens, then the reference
to the value is no longer a valid reference, and may overwrite memory (or just
plain segfault).
diff --git a/lib/SPIRV/SPIRVTypeScavenger.cpp b/lib/SPIRV/SPIRVTypeScavenger.cpp
@@ -293,7 +293,7 @@ SPIRVTypeScavenger::computePointerElementType(Value *V) {
   }
 
   // Check if we've already deduced a type for the value.
-  DeducedType &Ty = DeducedTypes[V];
+  DeducedType Ty = DeducedTypes[V];
   if (Ty) {
     return Ty;
   }
@@ -402,6 +402,7 @@ SPIRVTypeScavenger::computePointerElementType(Value *V) {
     Ty = Deferred;
   }
 
+  DeducedTypes[V] = Ty;
   VisitStack.pop_back();
   return Ty;
 }

Original file line number	Diff line number	Diff line change
`@@ -293,7 +293,7 @@ SPIRVTypeScavenger::computePointerElementType(Value *V) {`
`293`	`293`	`}`
`294`	`294`
`295`	`295`	`// Check if we've already deduced a type for the value.`
`296`		`- DeducedType &Ty = DeducedTypes[V];`
	`296`	`+ DeducedType Ty = DeducedTypes[V];`
`297`	`297`	`if (Ty) {`
`298`	`298`	`return Ty;`
`299`	`299`	`}`
`@@ -402,6 +402,7 @@ SPIRVTypeScavenger::computePointerElementType(Value *V) {`
`402`	`402`	`Ty = Deferred;`
`403`	`403`	`}`
`404`	`404`
	`405`	`+ DeducedTypes[V] = Ty;`
`405`	`406`	`VisitStack.pop_back();`
`406`	`407`	`return Ty;`
`407`	`408`	`}`