llvm-project
839dc4f7 - [mlir][bufferization] Fix use-after-free in ownership-based buffer deallocation (#184118)

Commit
23 days ago
[mlir][bufferization] Fix use-after-free in ownership-based buffer deallocation (#184118)

When `handleInterface(RegionBranchOpInterface)` processes an op such as `scf.for`, it calls `appendOpResults` to clone the op with extra ownership result types and erase the original. The `Liveness` analysis is computed once before the transformation begins and may still reference the old (now-freed) result values.

If the same block contains a `BranchOpInterface` terminator (e.g., `cf.br`) after the structured loop, `handleInterface(BranchOpInterface)` calls `getMemrefsToRetain`, which iterates `liveness.getLiveOut()`. That set may contain stale `Value` objects pointing to the erased op's results. Calling `isMemref()` on such a value dereferences freed memory, triggering a crash.

Fix by adding a `valueMapping` map to `DeallocationState`. Before erasing the old op in `handleInterface(RegionBranchOpInterface)`, record the old-to-new result mapping via `state.mapValue`. The `getLiveMemrefsIn` and `getMemrefsToRetain` helpers translate stale liveness values through this map before calling `isMemref`, so they always operate on live pointers.

Fixes #119863

Assisted-by: Claude Code
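As an added illustration, not code from LLVM/MLIR or from this commit: a small C++ model of the stale-pointer pattern the message describes, a liveness set computed once before a rewrite that keeps pointing at results of an op the rewrite erased, and the old-to-new mapping that fixes it. `Value`, `Op`, `Liveness`, `DeallocationState`, `appendOpResults` and `getMemrefsToRetain` below are hypothetical stand-ins for the MLIR entities of the same names, and the `erased` flag stands in for freed memory so that the pre-fix path counts stale accesses instead of crashing. The scenario data is constructed.

```cpp
// Added example (not MLIR code): model of a once-computed liveness set going
// stale after an op is cloned-and-erased, and the valueMapping fix for it.
#include <cassert>
#include <cstdio>
#include <map>
#include <memory>
#include <string>
#include <vector>

struct Value {
  std::string name;
  bool memref;
  bool erased = false;   // stands in for "backing memory has been freed"
};

struct Op {
  std::string name;
  std::vector<std::unique_ptr<Value>> results;
};

// Computed once before the rewrite, like the real Liveness analysis: it holds
// raw pointers to result Values and is never recomputed.
struct Liveness {
  std::vector<Value *> liveOut;
};

// Stand-in for DeallocationState carrying the valueMapping the fix adds.
struct DeallocationState {
  std::map<Value *, Value *> valueMapping;
  void mapValue(Value *from, Value *to) { valueMapping[from] = to; }
  Value *translate(Value *v) const {
    auto it = valueMapping.find(v);
    return it == valueMapping.end() ? v : it->second;   // no-op if unmapped
  }
};

// In the real code this would dereference freed memory on a stale Value;
// here the erased flag lets us count that access instead of crashing.
static bool isMemref(Value *v, int &staleHits) {
  if (v->erased) { ++staleHits; return false; }
  return v->memref;
}

// Models appendOpResults: clone `old` with an extra ownership result and
// erase the original results. The old Op object is kept alive by the caller
// (not freed) so the simulation stays well-defined; pass a null `state` to
// get the pre-fix behaviour with no old-to-new mapping recorded.
static std::unique_ptr<Op> appendOpResults(Op &old, DeallocationState *state) {
  auto clone = std::make_unique<Op>();
  clone->name = old.name;
  for (auto &r : old.results) {
    clone->results.push_back(std::make_unique<Value>(Value{r->name, r->memref}));
    if (state) state->mapValue(r.get(), clone->results.back().get());  // the fix
  }
  clone->results.push_back(std::make_unique<Value>(Value{"ownership", false}));
  for (auto &r : old.results) r->erased = true;
  return clone;
}

// Models getMemrefsToRetain: translate each live-out value through the map
// before asking isMemref, so a remapped value is looked at via its new copy.
static std::vector<Value *> getMemrefsToRetain(const Liveness &liveness,
                                               const DeallocationState &state,
                                               int &staleHits) {
  std::vector<Value *> retain;
  for (Value *v : liveness.liveOut) {
    Value *cur = state.translate(v);
    if (isMemref(cur, staleHits)) retain.push_back(cur);
  }
  return retain;
}

struct Outcome { int retained; int staleHits; };

// Constructed scenario: an scf.for-like op with two results, followed by a
// terminator whose live-out set (computed before the rewrite) names both of
// them plus a memref defined elsewhere.
Outcome runScenario(bool withFix) {
  Op loop{"scf.for", {}};
  loop.results.push_back(std::make_unique<Value>(Value{"%iter", true}));
  loop.results.push_back(std::make_unique<Value>(Value{"%idx", false}));
  Value other{"%buf", true};   // memref from an earlier, untouched op

  Liveness liveness;
  liveness.liveOut = {loop.results[0].get(), loop.results[1].get(), &other};

  DeallocationState state;
  std::unique_ptr<Op> newLoop = appendOpResults(loop, withFix ? &state : nullptr);
  (void)newLoop;

  int stale = 0;
  std::vector<Value *> retain = getMemrefsToRetain(liveness, state, stale);
  return Outcome{static_cast<int>(retain.size()), stale};
}

int main() {
  Outcome before = runScenario(false);
  Outcome after = runScenario(true);
  std::printf("without mapping: retained=%d stale=%d\n", before.retained, before.staleHits);
  std::printf("with mapping:    retained=%d stale=%d\n", after.retained, after.staleHits);
  return 0;
}
```

Without the mapping, both loop results in the live-out set are stale (two would-be freed-memory dereferences) and the new `%iter` is not retained at all; with the mapping, the translated `%iter` is retained alongside `%buf` and nothing stale is touched. The same translation step is what the commit adds in front of `isMemref` in `getLiveMemrefsIn` and `getMemrefsToRetain`.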