Issue 71363
Summary [mlir] Dangling function object assigned to function_ref
Labels mlir
Assignees
Reporter peledins-zimperium
/opt/homebrew/opt/llvm@17/include/mlir/IR/StorageUniquerSupport.h:134 returns a temporary object on the stack:
```
133   static auto getWalkImmediateSubElementsFn() {
134     return [](auto instance, function_ref<void(Attribute)> walkAttrsFn,
135               function_ref<void(Type)> walkTypesFn) {
136       ::mlir::detail::walkImmediateSubElementsImpl(
137           llvm::cast<ConcreteT>(instance), walkAttrsFn, walkTypesFn);
138     };
139   }
```

/opt/homebrew/opt/llvm@17/include/mlir/IR/TypeSupport.h:46 has:
```
 44   template <typename T>
 45   static AbstractType get(Dialect &dialect) {
 46     return AbstractType(dialect, T::getInterfaceMap(), T::getHasTraitFn(),
 47                         T::getWalkImmediateSubElementsFn(),
 48                         T::getReplaceImmediateSubElementsFn(), T::getTypeID());
 49   }
...
104   AbstractType(Dialect &dialect, detail::InterfaceMap &&interfaceMap,
105                HasTraitFn &&hasTrait,
106                WalkImmediateSubElementsFn walkImmediateSubElementsFn,
107                ReplaceImmediateSubElementsFn replaceImmediateSubElementsFn,
108                TypeID typeID)
109       : dialect(dialect), interfaceMap(std::move(interfaceMap)),
110         hasTraitFn(std::move(hasTrait)),
111         walkImmediateSubElementsFn(walkImmediateSubElementsFn),
112         replaceImmediateSubElementsFn(replaceImmediateSubElementsFn),
113         typeID(typeID) {}
```
walkImmediateSubElementsFn is:
```
 33 using WalkImmediateSubElementsFn = function_ref<void(
 34       Type, function_ref<void(Attribute)>, function_ref<void(Type)>)>;
```

However, function_ref says:
```
/// An efficient, type-erasing, non-owning reference to a callable. This is
/// intended for use as the type of a function parameter that is not used
/// after the function in question returns.
///
/// This class does not own the callable, so it is not in general safe to store
/// a function_ref.
template<typename Fn> class function_ref;
```

Thus a temporary is stored into a reference object, which can lead to a crash.
Found by clang-tidy+clang-analyzer.
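An added example, not part of the original report and not LLVM's code, of the lifetime rule the report relies on. `FunctionRef` is a simplified stand-in for `llvm::function_ref`, and `getScaleFn`, `RefEntry` and `OwningEntry` are hypothetical names; the block contrasts the reference used as a parameter, stored while the callable is still alive, and replaced by an owning `std::function` member.

```cpp
#include <cstdint>
#include <functional>
#include <type_traits>
#include <utility>
// Simplified stand-in for llvm::function_ref (not LLVM's code): it records the
// ADDRESS of the callable and a thunk, and never copies the callable itself.
template <typename Fn> class FunctionRef;
template <typename Ret, typename... Args> class FunctionRef<Ret(Args...)> {
  Ret (*thunk)(std::intptr_t, Args...);
  std::intptr_t callable;
  template <typename C> static Ret call(std::intptr_t c, Args... args) {
    return (*reinterpret_cast<C *>(c))(std::forward<Args>(args)...);
  }
public:
  // Excluding FunctionRef itself keeps ordinary copies from hitting this ctor.
  template <typename C, typename = std::enable_if_t<
                            !std::is_same<std::decay_t<C>, FunctionRef>::value>>
  FunctionRef(C &&c)
      : thunk(call<std::remove_reference_t<C>>),
        callable(reinterpret_cast<std::intptr_t>(&c)) {}
  Ret operator()(Args... args) const {
    return thunk(callable, std::forward<Args>(args)...);
  }
};

// Returns a closure by value, like getWalkImmediateSubElementsFn() does. It
// captures state here so the lifetime matters; the reported lambda captures none.
static auto getScaleFn(int factor) {
  return [factor](int x) { return x * factor; };
}

// Intended use: the reference is consumed before the callee returns.
int applyNow(FunctionRef<int(int)> fn, int x) { return fn(x); }
struct RefEntry { // stores the non-owning reference, as AbstractType does
  FunctionRef<int(int)> fn;
  explicit RefEntry(FunctionRef<int(int)> f) : fn(f) {}
};
struct OwningEntry { // stores a copy of the callable instead
  std::function<int(int)> fn;
  explicit OwningEntry(std::function<int(int)> f) : fn(std::move(f)) {}
};

int viaParameter() { return applyNow(getScaleFn(3), 7); }
int viaOwningMember() { OwningEntry e(getScaleFn(3)); return e.fn(7); }
int viaRefToLiveObject() {
  auto scale = getScaleFn(3); // outlives the entry, so the reference is valid
  RefEntry e(scale);          // RefEntry e(getScaleFn(3)) would dangle here
  return e.fn(7);
}
```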