From a88968d8df2908bff2eabbc0b1237dd5dcbd409c Mon Sep 17 00:00:00 2001
From: Andi Drebes
Date: Wed, 17 Apr 2024 09:55:10 +0200
Subject: [PATCH] fix(compiler): Type inference rewriter: Fix use-after-free in function renaming

The type inference rewriter changes the name of the rewritten function to the name of the original function when the rewriting process is complete. However, the name is retrieved from the original function operation after the operation has already been replaced and thus destroyed, resulting in a null pointer dereference. This change retrieves the name of the original function before it is replaced and saves it in a copy, which is then used to safely assign the new name to the rewritten function.

---
 .../include/concretelang/Transforms/TypeInferenceRewriter.h | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/compilers/concrete-compiler/compiler/include/concretelang/Transforms/TypeInferenceRewriter.h b/compilers/concrete-compiler/compiler/include/concretelang/Transforms/TypeInferenceRewriter.h
index 334fe15dbc..c874a69f6e 100644
--- a/compilers/concrete-compiler/compiler/include/concretelang/Transforms/TypeInferenceRewriter.h
+++ b/compilers/concrete-compiler/compiler/include/concretelang/Transforms/TypeInferenceRewriter.h
@@ -125,8 +125,9 @@ class TypeInferenceRewriter {
 // Replace original function and remove suffix from the name of the new
 // function
+ std::string oldFuncName = func.getName().str();
 rewriter.replaceOp(func, newFunc->getResults());
- newFunc.setName(func.getName());
+ newFunc.setName(oldFuncName);
 return mlir::success();
 }
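Review bot: The new `std::string oldFuncName = func.getName().str();` line carries no explanation of why the name has to be copied before `rewriter.replaceOp(func, ...)`, so a later reader is likely to fold it back into `newFunc.setName(func.getName())` and reintroduce the use-after-free the commit message describes. Extending the existing comment, e.g. `// Copy the name first: replaceOp() erases func, so func.getName() must not be touched afterwards`, keeps the ordering constraint in the code rather than only in the commit history. The copy itself looks correct, assuming `getName()` returns a view tied to the op (the `.str()` call suggests a StringRef); if `func` implements SymbolOpInterface, holding the uniqued `StringAttr` from `getNameAttr()` before the replacement would avoid the heap copy, but that is minor. The enclosing method's signature lies outside the hunk, and the hunk header counts (-125,8 +125,9) imply two blank context lines that the collapsed text no longer shows.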