Commit 11f3e05

syn: fix stack-use-after-return in constant fold sliceDff
sliceDff() was declared to return a BundleView (a non-owning view) but returned the owning Bundle produced by Graph::add<Dff>(). The implicit BundleView(const Bundle&) conversion stores a pointer to that temporary, which is destroyed when sliceDff() returns, so foldSequentials() then indexes a dangling view (BundleView::operator[] -> Bundle::operator[]).

This is undefined behavior that optimized builds tolerate (sliceDff() is inlined, so the temporary's storage survives the read), but a DEBUG (unoptimized) build faults on. It reproduces as a SIGSEGV during synthesis of larger designs using the integrated syn flow (e.g. asap7/aes, asap7/jpeg with SYNTH_USE_SYN=1); AddressSanitizer reports a stack-use-after-return at ir/Bundle.cc.

Return an owning Bundle from sliceDff() and hold it as a Bundle at the call site (a BundleView local would re-create the dangle).

Signed-off-by: Matthew Guthaus <mrg@ucsc.edu>
1 parent b442cab commit 11f3e05

1 file changed

Lines changed: 5 additions & 5 deletions

src/syn/src/flow/constant_fold.cc

@@ -448,10 +448,10 @@ static void foldCombinationals(Graph& g)
448448
});
449449
}
450450

451-
static BundleView sliceDff(Graph& g,
452-
const Dff* original,
453-
uint32_t base,
454-
uint32_t width)
451+
static Bundle sliceDff(Graph& g,
452+
const Dff* original,
453+
uint32_t base,
454+
uint32_t width)
455455
{
456456
assert(width > 0);
457457

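Review bot: changing the signature at line 451 fixes this call site, but the root hazard the message describes, the implicit BundleView(const Bundle&) conversion silently binding to a temporary, is still available to every other function that returns a view; consider making that constructor explicit or adding a deleted BundleView(Bundle&&) overload in the Bundle/BundleView declarations so a view of a temporary fails to compile instead of surfacing as a stack-use-after-return in a DEBUG or ASan build. A one-line comment above `static Bundle sliceDff(Graph& g,` stating that the returned Bundle owns the Dff slice produced by Graph::add<Dff>() would also keep a future reader from "optimizing" it back to a view.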
@@ -575,7 +575,7 @@ static bool foldSequentials(Graph& g)
575575
break;
576576
}
577577
}
578-
BundleView new_out_slice = sliceDff(g, dff, i, slice_width);
578+
Bundle new_out_slice = sliceDff(g, dff, i, slice_width);
579579
for (uint32_t k = 0; k < slice_width; k++) {
580580
new_out[i + k] = new_out_slice[k];
581581
}
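Review bot: the owning local at line 578 is correct, but nothing at the call site records why it must not be a BundleView, so the dangle is one well-meaning edit away from returning; add a short comment such as `// must own: a BundleView here would dangle once sliceDff()'s result is destroyed` above `Bundle new_out_slice = sliceDff(g, dff, i, slice_width);`. Since the loop at lines 579-581 copies each element out of new_out_slice, the Bundle only needs to live for the loop, so the current scope is the right one; given that only DEBUG and ASan builds caught this, it would also be worth adding a foldSequentials regression case to the ASan CI run, as the message's asap7/aes and asap7/jpeg reproducers are too large for a unit test.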
