[LLVMbugs] [Bug 2225] New: Use-after-free in removeIntervalIfEmpty

bugzilla-daemon at cs.uiuc.edu bugzilla-daemon at cs.uiuc.edu
Tue Apr 15 12:38:24 PDT 2008


http://llvm.org/bugs/show_bug.cgi?id=2225

           Summary: Use-after-free in removeIntervalIfEmpty
           Product: new-bugs
           Version: unspecified
          Platform: Other
        OS/Version: Linux
            Status: NEW
          Severity: normal
          Priority: P2
         Component: new bugs
        AssignedTo: unassignedbugs at nondot.org
        ReportedBy: baldrick at free.fr
                CC: llvmbugs at cs.uiuc.edu


Running the testcase 2007-03-27-RegScavengerAssert.ll under valgrind shows
removeIntervalIfEmpty (SimpleRegisterCoalescing.cpp:557) reading from memory
freed by removeInterval (LiveIntervalAnalysis.h:227):

$ llvm-as < 2007-03-27-RegScavengerAssert.ll -o - | valgrind
~/LLVM/llvm-objects/Debug/bin/llc -march=arm -mtriple=arm-linux-gnueabi
...
Invalid read of size 4
   at 0x88F896E: removeIntervalIfEmpty(llvm::LiveInterval&,
llvm::LiveIntervals*, llvm::TargetRegisterInfo const*)
(SimpleRegisterCoalescing.cpp:557)
   by 0x88FB6A8:
llvm::SimpleRegisterCoalescing::ShortenDeadCopySrcLiveRange(llvm::LiveInterval&,
llvm::MachineInstr*) (SimpleRegisterCoalescing.cpp:670)
   by 0x88FF162:
llvm::SimpleRegisterCoalescing::runOnMachineFunction(llvm::MachineFunction&)
(SimpleRegisterCoalescing.cpp:1940)
   by 0x842728B: llvm::MachineFunctionPass::runOnFunction(llvm::Function&)
(MachineFunctionPass.h:41)
   by 0x8A3AAD6: llvm::FPPassManager::runOnFunction(llvm::Function&)
(PassManager.cpp:1178)
   by 0x8A3AD33: llvm::FunctionPassManagerImpl::run(llvm::Function&)
(PassManager.cpp:1133)
   by 0x8A3AE8A: llvm::FunctionPassManager::run(llvm::Function&)
(PassManager.cpp:1078)
   by 0x83D50CA: main (llc.cpp:296)

 Address 0x430eb88 is 32 bytes inside a block of size 144 free'd
   at 0x402231C: operator delete(void*) (vg_replace_malloc.c:342)
   by 0x89025A2: __gnu_cxx::new_allocator<std::_Rb_tree_node<std::pair<unsigned
const, llvm::LiveInterval> >
>::deallocate(std::_Rb_tree_node<std::pair<unsigned const, llvm::LiveInterval>
>*, unsigned) (new_allocator.h:97)
   by 0x89025C7: std::_Rb_tree<unsigned, std::pair<unsigned const,
llvm::LiveInterval>, std::_Select1st<std::pair<unsigned const,
llvm::LiveInterval> >, std::less<unsigned>, std::allocator<std::pair<unsigned
const, llvm::LiveInterval> >
>::_M_put_node(std::_Rb_tree_node<std::pair<unsigned const, llvm::LiveInterval>
>*) (stl_tree.h:371)
   by 0x890294B: std::_Rb_tree<unsigned, std::pair<unsigned const,
llvm::LiveInterval>, std::_Select1st<std::pair<unsigned const,
llvm::LiveInterval> >, std::less<unsigned>, std::allocator<std::pair<unsigned
const, llvm::LiveInterval> >
>::_M_destroy_node(std::_Rb_tree_node<std::pair<unsigned const,
llvm::LiveInterval> >*) (stl_tree.h:401)
   by 0x8904CBD: std::_Rb_tree<unsigned, std::pair<unsigned const,
llvm::LiveInterval>, std::_Select1st<std::pair<unsigned const,
llvm::LiveInterval> >, std::less<unsigned>, std::allocator<std::pair<unsigned
const, llvm::LiveInterval> > >::erase(std::_Rb_tree_iterator<std::pair<unsigned
const, llvm::LiveInterval> >) (stl_tree.h:1248)
   by 0x8905AD1: std::_Rb_tree<unsigned, std::pair<unsigned const,
llvm::LiveInterval>, std::_Select1st<std::pair<unsigned const,
llvm::LiveInterval> >, std::less<unsigned>, std::allocator<std::pair<unsigned
const, llvm::LiveInterval> > >::erase(std::_Rb_tree_iterator<std::pair<unsigned
const, llvm::LiveInterval> >, std::_Rb_tree_iterator<std::pair<unsigned const,
llvm::LiveInterval> >) (stl_tree.h:1340)
   by 0x8905B32: std::_Rb_tree<unsigned, std::pair<unsigned const,
llvm::LiveInterval>, std::_Select1st<std::pair<unsigned const,
llvm::LiveInterval> >, std::less<unsigned>, std::allocator<std::pair<unsigned
const, llvm::LiveInterval> > >::erase(unsigned const&) (stl_tree.h:1274)
   by 0x8905B5F: std::map<unsigned, llvm::LiveInterval, std::less<unsigned>,
std::allocator<std::pair<unsigned const, llvm::LiveInterval> >
>::erase(unsigned const&) (stl_map.h:469)
   by 0x8905B7C: llvm::LiveIntervals::removeInterval(unsigned)
(LiveIntervalAnalysis.h:227)
   by 0x88F896A: removeIntervalIfEmpty(llvm::LiveInterval&,
llvm::LiveIntervals*, llvm::TargetRegisterInfo const*)
(SimpleRegisterCoalescing.cpp:556)
   by 0x88FB6A8:
llvm::SimpleRegisterCoalescing::ShortenDeadCopySrcLiveRange(llvm::LiveInterval&,
llvm::MachineInstr*) (SimpleRegisterCoalescing.cpp:670)
   by 0x88FF162:
llvm::SimpleRegisterCoalescing::runOnMachineFunction(llvm::MachineFunction&)
(SimpleRegisterCoalescing.cpp:1940)


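As an added illustration of the ordering defect the trace describes, the following is reconstructed example code, not LLVM's SimpleRegisterCoalescing.cpp: the LiveInterval and LiveIntervals stand-ins, the r2iMap name and the register numbers are assumptions. The buggy shape erases the map entry that owns the reference it then reads; the hardened shape copies the register number out before the erase and never touches the reference afterwards.

```cpp
#include <map>
#include <vector>

// Simplified stand-in for llvm::LiveInterval (assumed shape, not LLVM's class).
struct LiveInterval {
    unsigned reg;
    std::vector<int> ranges;            // empty() means the interval is dead
    bool empty() const { return ranges.empty(); }
};

// Simplified stand-in for llvm::LiveIntervals: the intervals live in a std::map,
// the container the valgrind trace shows removeInterval erasing from.
struct LiveIntervals {
    std::map<unsigned, LiveInterval> r2iMap;
    LiveInterval &getInterval(unsigned reg) { return r2iMap.find(reg)->second; }
    void removeInterval(unsigned reg) { r2iMap.erase(reg); } // frees the node owning li
    bool hasInterval(unsigned reg) const { return r2iMap.count(reg) != 0; }
};

// Buggy shape as described in the report (reconstructed, not LLVM's code): the
// erase frees the map node that owns `li`, and the next statement reads `li`.
// Defined only for contrast; never call it.
bool removeIntervalIfEmptyBuggy(LiveInterval &li, LiveIntervals *lis) {
    if (!li.empty())
        return false;
    lis->removeInterval(li.reg);
    return li.reg != 0;                 // use-after-free: li's storage was just deleted
}

// Hardened shape: copy what is needed out of `li`, erase, then never touch `li` again.
bool removeIntervalIfEmpty(LiveInterval &li, LiveIntervals *lis) {
    if (!li.empty())
        return false;
    const unsigned reg = li.reg;        // read before the erase invalidates `li`
    lis->removeInterval(reg);           // `li` is a dangling reference from here on
    return true;                        // nothing below may dereference `li`
}

struct DemoResult { bool removed; bool stillPresent; };

// Constructed scenario: reg 5 has no live ranges (a dead copy source), reg 6 is live.
DemoResult demo(unsigned reg) {
    LiveIntervals lis;
    lis.r2iMap[5] = LiveInterval{5, {}};
    lis.r2iMap[6] = LiveInterval{6, {10, 20}};
    bool removed = removeIntervalIfEmpty(lis.getInterval(reg), &lis);
    return DemoResult{removed, lis.hasInterval(reg)};
}
```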