Skip to content

Use after scope in CLRJIT #54649

New issue
New issue
Closed
#54702
Closed
Use after scope in CLRJIT#54649
#54702
Labels
area-CodeGen-coreclrCLR JIT compiler in src/coreclr/src/jit and related components such as SuperPMIuntriagedNew issue has not been triaged by the area owner
@jkoritzinsky

Description

@jkoritzinsky
jkoritzinsky
opened on Jun 23, 2021

Detected as part of #54580

The mac parameter is assigned the address of the defMAC local at line 6142 of morph.cpp.

runtime/src/coreclr/jit/morph.cpp

Lines 6137 to 6143 in d7a5b89

// NULL mac means we encounter the GT_FIELD first. This denotes a dereference of the field,
// and thus is equivalent to a MACK_Ind with zero offset.
MorphAddrContext defMAC(MACK_Ind);
if (mac == nullptr)
{
mac = &defMAC;
}

The defMAC local goes out of scope at line 6313.

The mac parameter is passed down to fgMorphSmpOp at line 6513.

runtime/src/coreclr/jit/morph.cpp

Line 6513 in d7a5b89

GenTree* result = fgMorphSmpOp(tree, mac);

The mac parameter in fgMorphSmpOp dereferences the mac pointer to the out-of-scope local at line 12963

runtime/src/coreclr/jit/morph.cpp

Line 12963 in d7a5b89

if (subMac1 == nullptr || subMac1->m_kind == MACK_Ind)

Metadata

Metadata

Assignees

No one assigned

    Labels

    area-CodeGen-coreclrCLR JIT compiler in src/coreclr/src/jit and related components such as SuperPMIuntriagedNew issue has not been triaged by the area owner

    Type

    No type

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions