Fix a nullptr dereferencing in a FuncBufferizableOpInterfaceImpl.cpp::getCalledFunction #150518

Status: Open. Wants to merge 1 commit into base branch main.

Conversation

@paul0403 paul0403 commented Jul 24, 2025

There is a potential nullptr dereferencing in the helper function getCalledFunction when bufferizing call ops.
The solution is making the nullptr check explicit before dereferencing it.

Fixes #150441.


Thank you for submitting a Pull Request (PR) to the LLVM Project!

This PR will be automatically labeled and the relevant teams will be notified.

If you wish to, you can add reviewers by using the "Reviewers" section on this page.

If this is not working for you, it is probably because you do not have write permissions for the repository. In which case you can instead tag reviewers by name in a comment by using @ followed by their GitHub username.

If you have received no comments on your PR for a week, you can request a review by "ping"ing the PR by adding a comment “Ping”. The common courtesy "ping" rate is once a week. Please remember that you are asking for valuable time from other developers.

If you have further questions, they may be answered by the LLVM GitHub User Guide.

You can also ask questions in a comment on this PR, on the LLVM Discord or on the forums.

llvmbot added the labels mlir and mlir:bufferization (Bufferization infrastructure) on Jul 24, 2025

@llvmbot (Member) commented Jul 24, 2025

@llvm/pr-subscribers-mlir-bufferization

Author: Paul (paul0403)

Changes

There is a potential nullptr dereferencing in the helper function getCalledFunction when bufferizing call ops.
The solution is making the nullptr check explicit before dereferencing it.

Fixes issue #150441


Full diff: https://github.com/llvm/llvm-project/pull/150518.diff

1 Files Affected:

  • (modified) mlir/lib/Dialect/Bufferization/Transforms/FuncBufferizableOpInterfaceImpl.cpp (+3-2)
diff --git a/mlir/lib/Dialect/Bufferization/Transforms/FuncBufferizableOpInterfaceImpl.cpp b/mlir/lib/Dialect/Bufferization/Transforms/FuncBufferizableOpInterfaceImpl.cpp
index 2a98203da9d7d..ac0ef0edb0438 100644
--- a/mlir/lib/Dialect/Bufferization/Transforms/FuncBufferizableOpInterfaceImpl.cpp
+++ b/mlir/lib/Dialect/Bufferization/Transforms/FuncBufferizableOpInterfaceImpl.cpp
@@ -90,8 +90,9 @@ static FuncOp getCalledFunction(CallOpInterface callOp,
                                 const AnalysisState &state) {
   auto &oneShotAnalysisState = static_cast<const OneShotAnalysisState &>(state);
 
-  if (auto *funcAnalysisState =
-          oneShotAnalysisState.getExtension<FuncAnalysisState>()) {
+  auto *funcAnalysisState =
+      oneShotAnalysisState.getExtension<FuncAnalysisState>();
+  if (funcAnalysisState != nullptr) {
     // Use the cached symbol tables.
     return getCalledFunction(callOp, funcAnalysisState->symbolTables);
   }
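Review bot: the rewritten condition `if (funcAnalysisState != nullptr)` is semantically identical to the original `if (auto *funcAnalysisState = oneShotAnalysisState.getExtension<FuncAnalysisState>())`, because a declaration in an if condition is contextually converted to bool, so the original already skipped the body when the extension was absent and `funcAnalysisState->symbolTables` was never reached through a null pointer. This hunk therefore cannot change behaviour for the segfault in #150441; if the crash is a null dereference, it originates on a path this hunk does not touch (the fall-through after this `if` is not visible here). A regression test reproducing the crash from the linked issue should accompany the fix so the actual faulting path is pinned down; as submitted, the PR carries no test.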

@llvmbot (Member) commented Jul 24, 2025

@llvm/pr-subscribers-mlir
Contributor commented on the changed lines

  auto *funcAnalysisState =
      oneShotAnalysisState.getExtension<FuncAnalysisState>();
  if (funcAnalysisState != nullptr) {

Maybe change to:

if (!funcAnalysisState)

And please add a test.

Member commented on the changed lines

  if (auto *funcAnalysisState =
          oneShotAnalysisState.getExtension<FuncAnalysisState>()) {
  auto *funcAnalysisState =

Does this really fix the issue?

auto *x = abc();
if (x != nullptr) foo();

is identical to

if (auto *x = abc()) foo();

Author replied

I think you are right, I need to investigate the segfault more. Maybe this is not where the root cause is...

Labels: mlir:bufferization (Bufferization infrastructure), mlir

Projects: None yet

Development: Successfully merging this pull request may close these issues.

  One shot bufferization on call op segfaults when bufferizing function boundaries for a callee with tensor arguments and forcing copy before write

4 participants