Headline
CVE-2023-29941: [mlir] Sparse-buffer-rewrite pass crashes with Segmentation fault · Issue #59988 · llvm/llvm-project
llvm-project at commit a0138390 was found to crash with a segmentation fault in matchAndRewriteSortOp<mlir::sparse_tensor::SortOp>(mlir::sparse_tensor::SortOp, ...) when the sparse-buffer-rewrite pass is run on the input below; the stack trace further down shows the faulting frame.
MLIR built at commit a0138390
Reproduced with:
mlir-opt --sparse-buffer-rewrite temp.mlir
temp.mlir:
module attributes {llvm.data_layout = ""} { llvm.func @func(%arg0: i64, %arg1: !llvm.ptr<i8>, %arg2: !llvm.ptr<i8>, %arg3: i64, %arg4: i64, %arg5: i64, %arg6: !llvm.ptr<i8>, %arg7: !llvm.ptr<i8>, %arg8: i64, %arg9: i64, %arg10: i64, %arg11: !llvm.ptr<f64>, %arg12: !llvm.ptr<f64>, %arg13: i64, %arg14: i64, %arg15: i64) -> !llvm.struct<(struct<(ptr<i8>, ptr<i8>, i64, array<1 x i64>, array<1 x i64>)>, struct<(ptr<i8>, ptr<i8>, i64, array<1 x i64>, array<1 x i64>)>, struct<(ptr<f64>, ptr<f64>, i64, array<1 x i64>, array<1 x i64>)>)> { %0 = builtin.unrealized_conversion_cast %arg0 : i64 to index %1 = llvm.mlir.undef : !llvm.struct<(ptr<i8>, ptr<i8>, i64, array<1 x i64>, array<1 x i64>)> %2 = llvm.insertvalue %arg1, %1[0] : !llvm.struct<(ptr<i8>, ptr<i8>, i64, array<1 x i64>, array<1 x i64>)> %3 = llvm.insertvalue %arg2, %2[1] : !llvm.struct<(ptr<i8>, ptr<i8>, i64, array<1 x i64>, array<1 x i64>)> %4 = llvm.insertvalue %arg3, %3[2] : !llvm.struct<(ptr<i8>, ptr<i8>, i64, array<1 x i64>, array<1 x i64>)> %5 = llvm.insertvalue %arg4, %4[3, 0] : !llvm.struct<(ptr<i8>, ptr<i8>, i64, array<1 x i64>, array<1 x i64>)> %6 = llvm.insertvalue %arg5, %5[4, 0] : !llvm.struct<(ptr<i8>, ptr<i8>, i64, array<1 x i64>, array<1 x i64>)> %7 = builtin.unrealized_conversion_cast %6 : !llvm.struct<(ptr<i8>, ptr<i8>, i64, array<1 x i64>, array<1 x i64>)> to memref<10xi8> %8 = llvm.mlir.undef : !llvm.struct<(ptr<i8>, ptr<i8>, i64, array<1 x i64>, array<1 x i64>)> %9 = llvm.insertvalue %arg6, %8[0] : !llvm.struct<(ptr<i8>, ptr<i8>, i64, array<1 x i64>, array<1 x i64>)> %10 = llvm.insertvalue %arg7, %9[1] : !llvm.struct<(ptr<i8>, ptr<i8>, i64, array<1 x i64>, array<1 x i64>)> %11 = llvm.insertvalue %arg8, %10[2] : !llvm.struct<(ptr<i8>, ptr<i8>, i64, array<1 x i64>, array<1 x i64>)> %12 = llvm.insertvalue %arg9, %11[3, 0] : !llvm.struct<(ptr<i8>, ptr<i8>, i64, array<1 x i64>, array<1 x i64>)> %13 = llvm.insertvalue %arg10, %12[4, 0] : !llvm.struct<(ptr<i8>, ptr<i8>, i64, array<1 x i64>, array<1 x 
i64>)> %14 = builtin.unrealized_conversion_cast %13 : !llvm.struct<(ptr<i8>, ptr<i8>, i64, array<1 x i64>, array<1 x i64>)> to memref<20xi8> %15 = llvm.mlir.undef : !llvm.struct<(ptr<f64>, ptr<f64>, i64, array<1 x i64>, array<1 x i64>)> %16 = llvm.insertvalue %arg11, %15[0] : !llvm.struct<(ptr<f64>, ptr<f64>, i64, array<1 x i64>, array<1 x i64>)> %17 = llvm.insertvalue %arg12, %16[1] : !llvm.struct<(ptr<f64>, ptr<f64>, i64, array<1 x i64>, array<1 x i64>)> %18 = llvm.insertvalue %arg13, %17[2] : !llvm.struct<(ptr<f64>, ptr<f64>, i64, array<1 x i64>, array<1 x i64>)> %19 = llvm.insertvalue %arg14, %18[3, 0] : !llvm.struct<(ptr<f64>, ptr<f64>, i64, array<1 x i64>, array<1 x i64>)> %20 = llvm.insertvalue %arg15, %19[4, 0] : !llvm.struct<(ptr<f64>, ptr<f64>, i64, array<1 x i64>, array<1 x i64>)> %21 = builtin.unrealized_conversion_cast %20 : !llvm.struct<(ptr<f64>, ptr<f64>, i64, array<1 x i64>, array<1 x i64>)> to memref<10xf64> sparse_tensor.sort %0, %7, %14 jointly %21 : memref<10xi8>, memref<20xi8> jointly memref<10xf64> %22 = llvm.mlir.undef : !llvm.struct<(struct<(ptr<i8>, ptr<i8>, i64, array<1 x i64>, array<1 x i64>)>, struct<(ptr<i8>, ptr<i8>, i64, array<1 x i64>, array<1 x i64>)>, struct<(ptr<f64>, ptr<f64>, i64, array<1 x i64>, array<1 x i64>)>)> %23 = llvm.insertvalue %6, %22[0] : !llvm.struct<(struct<(ptr<i8>, ptr<i8>, i64, array<1 x i64>, array<1 x i64>)>, struct<(ptr<i8>, ptr<i8>, i64, array<1 x i64>, array<1 x i64>)>, struct<(ptr<f64>, ptr<f64>, i64, array<1 x i64>, array<1 x i64>)>)> %24 = llvm.insertvalue %13, %23[1] : !llvm.struct<(struct<(ptr<i8>, ptr<i8>, i64, array<1 x i64>, array<1 x i64>)>, struct<(ptr<i8>, ptr<i8>, i64, array<1 x i64>, array<1 x i64>)>, struct<(ptr<f64>, ptr<f64>, i64, array<1 x i64>, array<1 x i64>)>)> %25 = llvm.insertvalue %20, %24[2] : !llvm.struct<(struct<(ptr<i8>, ptr<i8>, i64, array<1 x i64>, array<1 x i64>)>, struct<(ptr<i8>, ptr<i8>, i64, array<1 x i64>, array<1 x i64>)>, struct<(ptr<f64>, ptr<f64>, i64, array<1 x i64>, 
array<1 x i64>)>)> llvm.return %25 : !llvm.struct<(struct<(ptr<i8>, ptr<i8>, i64, array<1 x i64>, array<1 x i64>)>, struct<(ptr<i8>, ptr<i8>, i64, array<1 x i64>, array<1 x i64>)>, struct<(ptr<f64>, ptr<f64>, i64, array<1 x i64>, array<1 x i64>)>)> } }
trace:
PLEASE submit a bug report to https://github.com/llvm/llvm-project/issues/ and include the crash backtrace. Stack dump:
- Program arguments: mlir-opt --sparse-buffer-rewrite temp.mlir Stack dump without symbol names (ensure you have llvm-symbolizer in your PATH or set the environment var `LLVM_SYMBOLIZER_PATH` to point to it): 0 mlir-opt 0x0000000100d785bc llvm::sys::PrintStackTrace(llvm::raw_ostream&, int) + 56 1 mlir-opt 0x0000000100d77624 llvm::sys::RunSignalHandlers() + 112 2 mlir-opt 0x0000000100d78c54 SignalHandler(int) + 344 3 libsystem_platform.dylib 0x00000001a56894c4 _sigtramp + 56 4 mlir-opt 0x00000001016f1050 getMangledSortHelperFunc(mlir::OpBuilder&, mlir::func::FuncOp, mlir::TypeRange, llvm::StringRef, unsigned long long, unsigned long long, bool, mlir::ValueRange, llvm::function_ref<void (mlir::OpBuilder&, mlir::ModuleOp, mlir::func::FuncOp, unsigned long long, unsigned long long, bool)>) + 764 5 mlir-opt 0x00000001016f0300 mlir::LogicalResult matchAndRewriteSortOp<mlir::sparse_tensor::SortOp>(mlir::sparse_tensor::SortOp, mlir::ValueRange, unsigned long long, unsigned long long, bool, mlir::PatternRewriter&) + 692 6 mlir-opt 0x00000001016efff4 (anonymous namespace)::SortRewriter::matchAndRewrite(mlir::sparse_tensor::SortOp, mlir::PatternRewriter&) const + 676 7 mlir-opt 0x0000000102217bd0 mlir::PatternApplicator::matchAndRewrite(mlir::Operation*, mlir::PatternRewriter&, llvm::function_ref<bool (mlir::Pattern const&)>, llvm::function_ref<void (mlir::Pattern const&)>, llvm::function_ref<mlir::LogicalResult (mlir::Pattern const&)>) + 1440 8 mlir-opt 0x0000000101fd2328 mlir::applyPatternsAndFoldGreedily(llvm::MutableArrayRef<mlir::Region>, mlir::FrozenRewritePatternSet const&, mlir::GreedyRewriteConfig) + 3808 9 mlir-opt 0x0000000101714fb8 (anonymous namespace)::SparseBufferRewritePass::runOnOperation() + 292 10 mlir-opt 0x0000000101f834dc mlir::detail::OpToOpPassAdaptor::run(mlir::Pass*, mlir::Operation*, mlir::AnalysisManager, bool, unsigned int) + 420 11 mlir-opt 0x0000000101f83a0c mlir::detail::OpToOpPassAdaptor::runPipeline(mlir::OpPassManager&, mlir::Operation*, 
mlir::AnalysisManager, bool, unsigned int, mlir::PassInstrumentor*, mlir::PassInstrumentation::PipelineParentInfo const*) + 320 12 mlir-opt 0x0000000101f85388 mlir::PassManager::run(mlir::Operation*) + 1148 13 mlir-opt 0x0000000101f7e840 performActions(llvm::raw_ostream&, bool, bool, std::__1::shared_ptr<llvm::SourceMgr> const&, mlir::MLIRContext*, llvm::function_ref<mlir::LogicalResult (mlir::PassManager&)>, bool, bool) + 504 14 mlir-opt 0x0000000101f7e410 mlir::LogicalResult llvm::function_ref<mlir::LogicalResult (std::__1::unique_ptr<llvm::MemoryBuffer, std::__1::default_delete<llvm::MemoryBuffer>>, llvm::raw_ostream&)>::callback_fn<mlir::MlirOptMain(llvm::raw_ostream&, std::__1::unique_ptr<llvm::MemoryBuffer, std::__1::default_delete<llvm::MemoryBuffer>>, llvm::function_ref<mlir::LogicalResult (mlir::PassManager&)>, mlir::DialectRegistry&, bool, bool, bool, bool, bool, bool, bool)::$_0>(long, std::__1::unique_ptr<llvm::MemoryBuffer, std::__1::default_delete<llvm::MemoryBuffer>>, llvm::raw_ostream&) + 704 15 mlir-opt 0x0000000101fe902c mlir::splitAndProcessBuffer(std::__1::unique_ptr<llvm::MemoryBuffer, std::__1::default_delete<llvm::MemoryBuffer>>, llvm::function_ref<mlir::LogicalResult (std::__1::unique_ptr<llvm::MemoryBuffer, std::__1::default_delete<llvm::MemoryBuffer>>, llvm::raw_ostream&)>, llvm::raw_ostream&, bool, bool) + 656 16 mlir-opt 0x0000000101f7c838 mlir::MlirOptMain(llvm::raw_ostream&, std::__1::unique_ptr<llvm::MemoryBuffer, std::__1::default_delete<llvm::MemoryBuffer>>, llvm::function_ref<mlir::LogicalResult (mlir::PassManager&)>, mlir::DialectRegistry&, bool, bool, bool, bool, bool, bool, bool) + 216 17 mlir-opt 0x0000000101f7cd2c mlir::MlirOptMain(int, char**, llvm::StringRef, mlir::DialectRegistry&, bool) + 1208 18 mlir-opt 0x0000000100c1b0a0 main + 108 19 dyld 0x00000001053fd088 start + 516