fix(compiler): Type inference rewriter: Fix use-after-free in functio…

…n renaming The type inference rewriter changes the name of the rewritten function to the name of the original function when the rewriting process is complete. However, the name is retrieved from the original function operation after the operation has already been replaced and thus destroyed, resulting in a null pointer dereference. This change retrieves the name of the original function before it is replaced and saves it in a copy, which is then used to safely assign the new name to the rewritten function.
zama-ai · Apr 17, 2024 · a88968d · a88968d
1 parent 3d0727b
commit a88968d
Showing 1 changed file with 2 additions and 1 deletion.
diff --git a/compilers/concrete-compiler/compiler/include/concretelang/Transforms/TypeInferenceRewriter.h b/compilers/concrete-compiler/compiler/include/concretelang/Transforms/TypeInferenceRewriter.h
@@ -125,8 +125,9 @@ class TypeInferenceRewriter {
 
     // Replace original function and remove suffix from the name of the new
     // function
+    std::string oldFuncName = func.getName().str();
     rewriter.replaceOp(func, newFunc->getResults());
-    newFunc.setName(func.getName());
+    newFunc.setName(oldFuncName);
 
     return mlir::success();
   }