[LLVMbugs] [Bug 191] NEW: [licm] Memory read after free causes infrequent crash
bugzilla-daemon at zion.cs.uiuc.edu
Thu Dec 18 00:08:51 PST 2003
http://llvm.cs.uiuc.edu/bugs/show_bug.cgi?id=191
Summary: [licm] Memory read after free causes infrequent crash
Product: libraries
Version: 1.1
Platform: All
OS/Version: All
Status: NEW
Severity: normal
Priority: P2
Component: Scalar Optimizations
AssignedTo: sabre at nondot.org
ReportedBy: sabre at nondot.org
The 1.1 LICM pass can read memory after it has been released. The flow of
events looks like this:
1. LICM analyzes the body of a loop for aliases, building up an AliasSetTracker
object which contains an entry for each pointer in the loop body.
2. LICM loops through the instructions in the loop body, and chooses to sink a
pointer expression, such as a getelementptr.
3. There are no exits from the loop, or the getelementptr does not dominate any
exits. For this reason, LICM will just delete the expression, because it is
dead.
4. After the body of the loop has been hoisted/sunk, LICM loops through the
AliasSetTracker, promoting must-aliased sets. Because the instruction was
deleted but never removed from the AliasSetTracker, it can read memory that
was freed, but only if it is the leader pointer for the set.
This can cause _extremely_ infrequent crashes in the LICM pass, when compiling
177.mesa for example.
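The flow in steps 1 to 4 above, as an added, self-contained model that is not part of the original report and is not LLVM code. Inst, Pool, AliasSet, Tracker and the function names are hypothetical; the pool only marks storage as freed, so the stale leader access can be counted without undefined behaviour.

```cpp
#include <algorithm>
#include <cstdio>
#include <deque>
#include <string>
#include <vector>

// Constructed model; every name here is hypothetical, not LLVM's API.
struct Inst { std::string name; bool freed = false; };

// Keeps storage alive and only marks it freed, so staleness is observable.
struct Pool {
    std::deque<Inst> slots;
    Inst *create(const std::string &n) {
        slots.emplace_back(); slots.back().name = n; return &slots.back();
    }
};

struct AliasSet { std::vector<Inst *> ptrs; };  // ptrs.front() is the leader

struct Tracker {
    std::vector<AliasSet> sets;
    // Drop every reference to I and discard sets that become empty.
    void forget(Inst *I) {
        for (auto &s : sets)
            s.ptrs.erase(std::remove(s.ptrs.begin(), s.ptrs.end(), I), s.ptrs.end());
        sets.erase(std::remove_if(sets.begin(), sets.end(),
                   [](const AliasSet &s) { return s.ptrs.empty(); }), sets.end());
    }
};

// Step 3: delete a dead expression. notify=false is the flow in the report.
void erase_dead(Inst *I, Tracker &T, bool notify) {
    if (notify) T.forget(I);  // hardened form: tracker never keeps a stale entry
    I->freed = true;
}

// Step 4: promotion touches only each set's leader; count the stale ones.
int stale_leader_reads(const Tracker &T) {
    int n = 0;
    for (const auto &s : T.sets) if (s.ptrs.front()->freed) ++n;
    return n;
}

// One must-alias set {gep1, gep2}; victim 0 deletes the leader, 1 the other.
int run(int victim, bool notify) {
    Pool P; Tracker T;
    Inst *a = P.create("gep1"), *b = P.create("gep2");
    T.sets.push_back(AliasSet{{a, b}});
    erase_dead(victim == 0 ? a : b, T, notify);
    return stale_leader_reads(T);
}

int main() { std::printf("%d %d %d\n", run(0, false), run(1, false), run(0, true)); }
```

Deleting the non-leader without notifying the tracker produces no stale read in this model, which matches the report's observation that the problem appears only when the deleted pointer is the set's leader.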