[mlir][Transforms] Fix use-after-free in llvm#82474 (llvm#82504)

matthias-springer · web-flow · commit 3f732c4141e9 · 2024-02-21T17:28:42.000+01:00
When a `ModifyOperationRewrite` is committed, the operation may already have been erased, so `OperationName` must be cached in the rewrite object. Note: This will no longer be needed with llvm#81757, which adds a "cleanup" method to `IRRewrite`.
diff --git a/mlir/lib/Transforms/Utils/DialectConversion.cpp b/mlir/lib/Transforms/Utils/DialectConversion.cpp
@@ -965,14 +965,14 @@ class ModifyOperationRewrite : public OperationRewrite {
   ModifyOperationRewrite(ConversionPatternRewriterImpl &rewriterImpl,
                          Operation *op)
       : OperationRewrite(Kind::ModifyOperation, rewriterImpl, op),
-        loc(op->getLoc()), attrs(op->getAttrDictionary()),
+        name(op->getName()), loc(op->getLoc()), attrs(op->getAttrDictionary()),
         operands(op->operand_begin(), op->operand_end()),
         successors(op->successor_begin(), op->successor_end()) {
     if (OpaqueProperties prop = op->getPropertiesStorage()) {
       // Make a copy of the properties.
       propertiesStorage = operator new(op->getPropertiesStorageSize());
       OpaqueProperties propCopy(propertiesStorage);
-      op->getName().initOpProperties(propCopy, /*init=*/prop);
+      name.initOpProperties(propCopy, /*init=*/prop);
     }
   }
 
@@ -988,7 +988,9 @@ class ModifyOperationRewrite : public OperationRewrite {
   void commit() override {
     if (propertiesStorage) {
       OpaqueProperties propCopy(propertiesStorage);
-      op->getName().destroyOpProperties(propCopy);
+      // Note: The operation may have been erased in the mean time, so
+      // OperationName must be stored in this object.
+      name.destroyOpProperties(propCopy);
       operator delete(propertiesStorage);
       propertiesStorage = nullptr;
     }
@@ -1003,13 +1005,14 @@ class ModifyOperationRewrite : public OperationRewrite {
     if (propertiesStorage) {
       OpaqueProperties propCopy(propertiesStorage);
       op->copyProperties(propCopy);
-      op->getName().destroyOpProperties(propCopy);
+      name.destroyOpProperties(propCopy);
       operator delete(propertiesStorage);
       propertiesStorage = nullptr;
     }
   }
 
 private:
+  OperationName name;
   LocationAttr loc;
   DictionaryAttr attrs;
   SmallVector<Value, 8> operands;
