[LLVMbugs] [Bug 2225] Use-after-free in removeIntervalIfEmpty

bugzilla-daemon at cs.uiuc.edu
Wed Apr 16 13:11:05 PDT 2008


http://llvm.org/bugs/show_bug.cgi?id=2225


Duncan Sands <baldrick at free.fr> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|RESOLVED                    |REOPENED
         Resolution|FIXED                       |




--- Comment #2 from Duncan Sands <baldrick at free.fr>  2008-04-16 15:11:04 ---
Memory freed by removeInterval is still being used, but now by
FindLiveRangeContaining, so it seems best to re-open this bug.

Invalid read of size 4
   at 0x8852766: llvm::SmallVectorImpl<llvm::LiveRange>::end()
(SmallVector.h:106)
   by 0x885277F: llvm::LiveInterval::end() (LiveInterval.h:118)
   by 0x88940DF: llvm::LiveInterval::FindLiveRangeContaining(unsigned)
(LiveInterval.cpp:351)
   by 0x886BEC9:
llvm::SimpleRegisterCoalescing::ShortenDeadCopyLiveRange(llvm::LiveInterval&,
llvm::MachineInstr*) (SimpleRegisterCoalescing.cpp:585)
   by 0x886FABA:
llvm::SimpleRegisterCoalescing::runOnMachineFunction(llvm::MachineFunction&)
(SimpleRegisterCoalescing.cpp:1956)
   by 0x8421FEB: llvm::MachineFunctionPass::runOnFunction(llvm::Function&)
(MachineFunctionPass.h:41)
   by 0x89AB822: llvm::FPPassManager::runOnFunction(llvm::Function&)
(PassManager.cpp:1178)
   by 0x89ABA7F: llvm::FunctionPassManagerImpl::run(llvm::Function&)
(PassManager.cpp:1133)
   by 0x89ABBD6: llvm::FunctionPassManager::run(llvm::Function&)
(PassManager.cpp:1078)
   by 0x83D35F1: main (llc.cpp:297)
 Address 0x4306c6c is 52 bytes inside a block of size 144 free'd
   at 0x402231C: operator delete(void*) (vg_replace_malloc.c:342)
   by 0x8872EDE: __gnu_cxx::new_allocator<std::_Rb_tree_node<std::pair<unsigned
const, llvm::LiveInterval> >
>::deallocate(std::_Rb_tree_node<std::pair<unsigned const, llvm::LiveInterval>
>*, unsigned) (new_allocator.h:97)
   by 0x8872F03: std::_Rb_tree<unsigned, std::pair<unsigned const,
llvm::LiveInterval>, std::_Select1st<std::pair<unsigned const,
llvm::LiveInterval> >, std::less<unsigned>, std::allocator<std::pair<unsigned
const, llvm::LiveInterval> >
>::_M_put_node(std::_Rb_tree_node<std::pair<unsigned const, llvm::LiveInterval>
>*) (stl_tree.h:371)
   by 0x8873287: std::_Rb_tree<unsigned, std::pair<unsigned const,
llvm::LiveInterval>, std::_Select1st<std::pair<unsigned const,
llvm::LiveInterval> >, std::less<unsigned>, std::allocator<std::pair<unsigned
const, llvm::LiveInterval> >
>::_M_destroy_node(std::_Rb_tree_node<std::pair<unsigned const,
llvm::LiveInterval> >*) (stl_tree.h:401)
   by 0x88755F9: std::_Rb_tree<unsigned, std::pair<unsigned const,
llvm::LiveInterval>, std::_Select1st<std::pair<unsigned const,
llvm::LiveInterval> >, std::less<unsigned>, std::allocator<std::pair<unsigned
const, llvm::LiveInterval> > >::erase(std::_Rb_tree_iterator<std::pair<unsigned
const, llvm::LiveInterval> >) (stl_tree.h:1248)
   by 0x887640D: std::_Rb_tree<unsigned, std::pair<unsigned const,
llvm::LiveInterval>, std::_Select1st<std::pair<unsigned const,
llvm::LiveInterval> >, std::less<unsigned>, std::allocator<std::pair<unsigned
const, llvm::LiveInterval> > >::erase(std::_Rb_tree_iterator<std::pair<unsigned
const, llvm::LiveInterval> >, std::_Rb_tree_iterator<std::pair<unsigned const,
llvm::LiveInterval> >) (stl_tree.h:1340)
   by 0x887646E: std::_Rb_tree<unsigned, std::pair<unsigned const,
llvm::LiveInterval>, std::_Select1st<std::pair<unsigned const,
llvm::LiveInterval> >, std::less<unsigned>, std::allocator<std::pair<unsigned
const, llvm::LiveInterval> > >::erase(unsigned const&) (stl_tree.h:1274)
   by 0x887649B: std::map<unsigned, llvm::LiveInterval, std::less<unsigned>,
std::allocator<std::pair<unsigned const, llvm::LiveInterval> >
>::erase(unsigned const&) (stl_map.h:469)
   by 0x88764B8: llvm::LiveIntervals::removeInterval(unsigned)
(LiveIntervalAnalysis.h:227)
   by 0x88691CA: removeIntervalIfEmpty(llvm::LiveInterval&,
llvm::LiveIntervals*, llvm::TargetRegisterInfo const*)
(SimpleRegisterCoalescing.cpp:575)
   by 0x886BE88:
llvm::SimpleRegisterCoalescing::ShortenDeadCopySrcLiveRange(llvm::LiveInterval&,
llvm::MachineInstr*) (SimpleRegisterCoalescing.cpp:681)
   by 0x886FA9E:
llvm::SimpleRegisterCoalescing::runOnMachineFunction(llvm::MachineFunction&)
(SimpleRegisterCoalescing.cpp:1955)


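
The pattern in the trace above, a reference into a std::map element that is still used after a helper erased that element, modelled as an added C++ example. It is not LLVM's code and not the fix applied to this bug; Interval, Intervals, removeIfEmpty, shortenSrc, containsRange and process are hypothetical simplified stand-ins. The helper reports whether it destroyed the interval so the caller can stop using the reference.

```cpp
#include <map>
#include <vector>

// Simplified stand-ins (hypothetical), not LLVM's LiveInterval/LiveIntervals.
struct Interval {
    unsigned reg;
    std::vector<unsigned> ranges;   // start indices of live ranges
    bool empty() const { return ranges.empty(); }
};

struct Intervals {
    std::map<unsigned, Interval> r2i;   // node-based: erase() frees the element

    Interval &get(unsigned reg) {
        Interval &li = r2i[reg];   // inserts an empty interval if absent
        li.reg = reg;
        return li;
    }

    // Erases the interval if it is empty. Returns true when `li` was
    // destroyed, in which case the caller's reference is dangling.
    bool removeIfEmpty(Interval &li) {
        if (!li.empty()) return false;
        unsigned reg = li.reg;   // copy the key out before the node is freed
        r2i.erase(reg);          // li is dead from here on
        return true;
    }
};

// Step 1 (models shortening the source range): drops one range, may erase li.
bool shortenSrc(Intervals &lis, Interval &li, unsigned idx) {
    for (auto it = li.ranges.begin(); it != li.ranges.end(); ++it)
        if (*it == idx) { li.ranges.erase(it); break; }
    return lis.removeIfEmpty(li);
}

// Step 2 (models the later lookup): reads li.ranges, so li must be alive.
bool containsRange(const Interval &li, unsigned idx) {
    for (unsigned s : li.ranges) if (s == idx) return true;
    return false;
}

// The unsafe form calls containsRange(li, ...) unconditionally after
// shortenSrc(); here the removal result gates every later use of li.
int process(Intervals &lis, unsigned reg, unsigned idx, unsigned probe) {
    Interval &li = lis.get(reg);
    if (shortenSrc(lis, li, idx)) return -1;   // interval gone, do not touch li
    return containsRange(li, probe) ? 1 : 0;
}
```

Building the unguarded variant with `-fsanitize=address` or running it under valgrind reports the read on the second call, with the free attributed to the map's `erase`.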