Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[FIRRTL] InferResets: deleting op used to drive reset network results in use-after-free #7225

Closed
youngar opened this issue Jun 21, 2024 · 1 comment · Fixed by #7273
Closed

[FIRRTL] InferResets: deleting op used to drive reset network results in use-after-free #7225

youngar opened this issue Jun 21, 2024 · 1 comment · Fixed by #7273
Labels
bug Something isn't working FIRRTL Involving the `firrtl` dialect

Comments

@youngar
Copy link
Member

youngar commented Jun 21, 2024
edited
Loading 

firrtl.circuit "MovableNodeShouldDominate" {
  firrtl.module @MovableNodeShouldDominate(in %clock: !firrtl.clock) {
    %child_clock = firrtl.instance child @Child(in clock: !firrtl.clock)
    firrtl.connect %child_clock, %clock : !firrtl.clock
    %ui1 = firrtl.constant 1 : !firrtl.uint<1>
    %0 = firrtl.asAsyncReset %ui1 : (!firrtl.uint<1>) -> !firrtl.asyncreset
    %localReset = firrtl.node %0 {annotations = [{class = "sifive.enterprise.firrtl.FullAsyncResetAnnotation"}]} : !firrtl.asyncreset
  }
  firrtl.module @Child(in %clock: !firrtl.clock) {
    %reg = firrtl.reg %clock : !firrtl.clock, !firrtl.uint<8>
  }
}
./bin/circt-opt --pass-pipeline='builtin.module(firrtl.circuit(firrtl-infer-resets))' reset.mlir

InferResets needs to wire the result of the NodeOp to the instance of Child, and to do so replaces it with a wire. This results in a dangling reference to the deleted node stored in the ResetDomain.

Running it under valgrind yields many errors, such as the one below, but my line numbers won't line up with main due to a lot of printf debugging:

==176563== Invalid read of size 8
==176563==    at 0x1C35A53: mlir::Value::getLoc() const (llvm/mlir/lib/IR/Value.cpp:0)
==176563==    by 0x12A6F98: implementAsyncReset (lib/Dialect/FIRRTL/Transforms/InferResets.cpp:1688)
==176563==    by 0x12A6F98: implementAsyncReset (lib/Dialect/FIRRTL/Transforms/InferResets.cpp:1647)
==176563==    by 0x12A6F98: (anonymous namespace)::InferResetsPass::runOnOperationInner() (lib/Dialect/FIRRTL/Transforms/InferResets.cpp:545)
==176563==    by 0x12A4465: (anonymous namespace)::InferResetsPass::runOnOperation() (lib/Dialect/FIRRTL/Transforms/InferResets.cpp:513)

==176563==  Address 0x613f688 is 40 bytes inside a block of size 128 free'd
==176563==    at 0x4C39A93: free (vg_replace_malloc.c:872)
==176563==    by 0x18E466D: llvm::iplist_impl<llvm::simple_ilist<mlir::Operation>, llvm::ilist_traits<mlir::Operation> >::erase(llvm::ilist_iterator<llvm::ilist_detail::node_options<mlir::Operation, true, false, void, false>, false, false>) (ilist.h:205)
==176563==    by 0x12A7755: erase (OpDefinition.h:131)
==176563==    by 0x12A7755: implementAsyncReset (lib/Dialect/FIRRTL/Transforms/InferResets.cpp:1742)
==176563==    by 0x12A7755: implementAsyncReset (lib/Dialect/FIRRTL/Transforms/InferResets.cpp:1647)
==176563==    by 0x12A7755: (anonymous namespace)::InferResetsPass::runOnOperationInner() (lib/Dialect/FIRRTL/Transforms/InferResets.cpp:545)
==176563==    by 0x12A4465: (anonymous namespace)::InferResetsPass::runOnOperation() (lib/Dialect/FIRRTL/Transforms/InferResets.cpp:513)
@youngar youngar added the FIRRTL Involving the `firrtl` dialect label Jun 21, 2024
@dtzSiFive dtzSiFive added the bug Something isn't working label Jun 21, 2024
@darthscsi
Copy link
Contributor

Might it be enough to just add the wire and tie the output of the node to the wire rather than trying to replace the node?

darthscsi added a commit that referenced this issue Jul 2, 2024
@darthscsi
[FIRRTL] Fix use-after-free in InferReset
ad0a34c 
As @youngar explains well, a node was being deleted when it had references.  Just route the node through the bounce wire instead of trying to replace it.

Closes #7225
@darthscsi darthscsi mentioned this issue Jul 2, 2024
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
bug Something isn't working FIRRTL Involving the `firrtl` dialect
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

[FIRRTL] Fix use-after-free in InferReset llvm/circt
3 participants
@youngar @darthscsi @dtzSiFive