Commit 11f3e05
syn: fix stack-use-after-return in constant fold sliceDff
sliceDff() was declared to return a BundleView (a non-owning view) but
returned the owning Bundle produced by Graph::add<Dff>(). The implicit
BundleView(const Bundle&) conversion stores a pointer to that temporary,
which is destroyed when sliceDff() returns, so foldSequentials() then
indexes a dangling view (BundleView::operator[] -> Bundle::operator[]).
This is undefined behavior that optimized builds tolerate (sliceDff() is
inlined, so the temporary's storage survives the read), but a DEBUG
(unoptimized) build faults on. It reproduces as a SIGSEGV during
synthesis of larger designs using the integrated syn flow (e.g.
asap7/aes, asap7/jpeg with SYNTH_USE_SYN=1); AddressSanitizer reports a
stack-use-after-return at ir/Bundle.cc.
Return an owning Bundle from sliceDff() and hold it as a Bundle at the
call site (a BundleView local would re-create the dangle).
Signed-off-by: Matthew Guthaus <mrg@ucsc.edu>
1 parent b442cab commit 11f3e05
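The bug described in the commit message, reduced to a stand-alone example (added here; not the project's code, and `Bundle`, `BundleView`, `makeDff` and `sliceDff*` are hypothetical stand-ins for the real types and for `Graph::add<Dff>()`). It shows the view-of-a-temporary pattern next to the owning-return fix; building with `-fsanitize=address` and `ASAN_OPTIONS=detect_stack_use_after_return=1` is what turns the buggy variant into a reported stack-use-after-return instead of a silent read.

```cpp
#include <cstddef>
#include <vector>

// Owning container of bits (stand-in for the project's Bundle).
struct Bundle {
    std::vector<int> bits;
    std::size_t size() const { return bits.size(); }
    int operator[](std::size_t i) const { return bits[i]; }
};

// Non-owning view: keeps only a pointer to a Bundle it does not own.
// The implicit converting constructor is what makes the bug silent.
struct BundleView {
    const Bundle* b;
    BundleView(const Bundle& bundle) : b(&bundle) {}  // implicit, as in the original
    std::size_t size() const { return b->size(); }
    int operator[](std::size_t i) const { return (*b)[i]; }
};

// Stand-in for Graph::add<Dff>(): hands back an owning Bundle by value.
Bundle makeDff(std::size_t width) {
    Bundle out;
    for (std::size_t i = 0; i < width; ++i) out.bits.push_back(static_cast<int>(i));
    return out;
}

// BUGGY (do not call): declared to return a view, but the expression is an
// owning temporary. BundleView(const Bundle&) stores the temporary's address,
// and the temporary is destroyed when this function returns.
BundleView sliceDffBuggy(std::size_t width) {
    return makeDff(width);
}

// FIXED: return the owning Bundle itself; no view is created here.
Bundle sliceDffFixed(std::size_t width) {
    return makeDff(width);
}

// Caller of the fixed version: the result is held as an owning Bundle local.
// A `BundleView v = sliceDffFixed(w);` here would dangle the same way.
int sumViaView(std::size_t width) {
    Bundle d = sliceDffFixed(width);
    BundleView v(d);  // view of a live local: valid for as long as `d` lives
    int s = 0;
    for (std::size_t i = 0; i < v.size(); ++i) s += v[i];
    return s;
}
```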
1 file changed
Lines changed: 5 additions & 5 deletions
| Original file line number | Diff line number | Diff line change | |
|---|---|---|---|
| |||
448 | 448 | | |
449 | 449 | | |
450 | 450 | | |
451 | | - | |
452 | | - | |
453 | | - | |
454 | | - | |
| 451 | + | |
| 452 | + | |
| 453 | + | |
| 454 | + | |
455 | 455 | | |
456 | 456 | | |
457 | 457 | | |
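Review bot: confirm that the replaced lines 451-454 change sliceDff()'s declared return type from BundleView to an owning Bundle and return the Graph::add<Dff>() result directly, with no intermediate BundleView bound to that temporary; the diff body is not visible in this rendering (only the line-number columns survived), so this can only be checked against the commit message's description of the fix.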
| |||
575 | 575 | | |
576 | 576 | | |
577 | 577 | | |
578 | | - | |
| 578 | + | |
579 | 579 | | |
580 | 580 | | |
581 | 581 | | |
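Review bot: at the call site (line 578), check that the local receiving sliceDff()'s result is declared `Bundle`, not `const BundleView&` or a `BundleView` initialized from the call, since either would again bind a view to the returned temporary and re-create the dangle the commit message describes; the diff body is not visible in this rendering, so the declared type cannot be verified here.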
| |||