[LLVMbugs] [Bug 3243] New: null ptr dereference
bugzilla-daemon at cs.uiuc.edu
bugzilla-daemon at cs.uiuc.edu
Sat Dec 20 09:33:35 PST 2008
http://llvm.org/bugs/show_bug.cgi?id=3243
Summary: null ptr dereference
Product: new-bugs
Version: unspecified
Platform: PC
OS/Version: Linux
Status: NEW
Severity: normal
Priority: P2
Component: new bugs
AssignedTo: unassignedbugs at nondot.org
ReportedBy: regehr at cs.utah.edu
CC: llvmbugs at cs.uiuc.edu
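Seen using r61273 on Ubuntu Hardy on x86. Compiling small.c with llvm-gcc -Os crashes cc1 with a segmentation fault; valgrind reports an invalid 4-byte read at address 0x8 inside llvm::SimpleRegisterCoalescing::JoinIntervals, which is consistent with a field access through a null pointer.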
regehr at john-home:~/volatile/tmp80$ valgrind --trace-children=yes llvm-gcc -Os small.c
==10892== Memcheck, a memory error detector.
==10892== Copyright (C) 2002-2007, and GNU GPL'd, by Julian Seward et al.
==10892== Using LibVEX rev 1804, a library for dynamic binary translation.
==10892== Copyright (C) 2004-2007, and GNU GPL'd, by OpenWorks LLP.
==10892== Using valgrind-3.3.0, a dynamic binary instrumentation framework.
==10892== Copyright (C) 2000-2007, and GNU GPL'd, by Julian Seward et al.
==10892== For more details, rerun with: -v
==10892==
==10925== Memcheck, a memory error detector.
==10925== Copyright (C) 2002-2007, and GNU GPL'd, by Julian Seward et al.
==10925== Using LibVEX rev 1804, a library for dynamic binary translation.
==10925== Copyright (C) 2004-2007, and GNU GPL'd, by OpenWorks LLP.
==10925== Using valgrind-3.3.0, a dynamic binary instrumentation framework.
==10925== Copyright (C) 2000-2007, and GNU GPL'd, by Julian Seward et al.
==10925== For more details, rerun with: -v
==10925==
==10925== Invalid read of size 4
==10925== at 0x88E1FB0: llvm::SimpleRegisterCoalescing::JoinIntervals(llvm::LiveInterval&, llvm::LiveInterval&, bool&) (in /home/regehr/libexec/gcc/i686-pc-linux-gnu/4.2.1/cc1)
==10925== Address 0x8 is not stack'd, malloc'd or (recently) free'd
small.c:52: internal compiler error: Segmentation fault
Please submit a full bug report,
with preprocessed source if appropriate.
See <URL:http://developer.apple.com/bugreporter> for instructions.
==10925==
==10925== ERROR SUMMARY: 1 errors from 1 contexts (suppressed: 21 from 1)
==10925== malloc/free: in use at exit: 510,974 bytes in 1,800 blocks.
==10925== malloc/free: 9,729 allocs, 7,929 frees, 1,812,954 bytes allocated.
==10925== For counts of detected errors, rerun with: -v
==10925== searching for pointers to 1,800 not-freed blocks.
==10925== checked 1,696,948 bytes.
==10925==
==10925== LEAK SUMMARY:
==10925== definitely lost: 0 bytes in 0 blocks.
==10925== possibly lost: 871 bytes in 16 blocks.
==10925== still reachable: 510,103 bytes in 1,784 blocks.
==10925== suppressed: 0 bytes in 0 blocks.
==10925== Rerun with --leak-check=full to see details of leaked memory.
==10892==
==10892== ERROR SUMMARY: 0 errors from 0 contexts (suppressed: 21 from 1)
==10892== malloc/free: in use at exit: 18,634 bytes in 73 blocks.
==10892== malloc/free: 479 allocs, 406 frees, 40,652 bytes allocated.
==10892== For counts of detected errors, rerun with: -v
==10892== searching for pointers to 73 not-freed blocks.
==10892== checked 145,304 bytes.
==10892==
==10892== LEAK SUMMARY:
==10892== definitely lost: 4,224 bytes in 32 blocks.
==10892== possibly lost: 0 bytes in 0 blocks.
==10892== still reachable: 14,410 bytes in 41 blocks.
==10892== suppressed: 0 bytes in 0 blocks.
==10892== Rerun with --leak-check=full to see details of leaked memory.
regehr at john-home:~/volatile/tmp80$ cat small.c
/* Stand-ins for the <stdint.h> names; no #include appears in this listing.
 * The names do not match the underlying types: int64_t, uint32_t and
 * uint64_t are all plain (signed) int in this test case, so every
 * "unsigned" or "64-bit" value below is really an int. */
typedef short int int16_t;
__extension__ typedef int int64_t;
typedef unsigned char uint8_t;
typedef unsigned short int uint16_t;
typedef int uint32_t;
__extension__ typedef int uint64_t;
/* Returns 1 when the ||-chain below is true, otherwise _si1 * _si2
 * converted to int16_t.
 *
 * `cond ? : alt` with the middle operand omitted is the GNU C conditional
 * extension: it yields the value of cond when that value is nonzero, and
 * alt otherwise. The ||-chain evaluates to 0 or 1, so the "true" result
 * is 1.
 *
 * The division `1 / _si1` is only reached after `_si1 &&` has tested
 * nonzero in the same term, so it cannot divide by zero.
 *
 * NOTE(review): the name suggests an overflow-checked multiply, but the
 * conditions as shown are not meaningful range checks. This looks like
 * the output of test-case reduction; keep the tokens as they are if the
 * file is used to reproduce the compiler crash. */
int16_t
safe_mul_func_int16_t_s_s (int16_t _si1, uint32_t _si2)
{
return _si1 && _si2 && _si1 + _si2 || _si1 && _si2 && _si2 < +_si1 || _si1
&& _si2 && _si1 < +_si2 || _si1 && _si2 && _si1
&& _si2 < (1 / _si1) ? : _si1 * _si2;
}
/* Remainder with a zero-divisor guard. When _ui2 is 0, the GNU `?:` form
 * (middle operand omitted) yields the value of `_ui2 == 0`, i.e. 1, and
 * the `%` is never evaluated; otherwise the result is _ui1 % _ui2. */
uint32_t
safe_mod_func_uint8_t_u_u (uint8_t _ui1, uint8_t _ui2)
{
return _ui2 == 0 ? : (_ui1 % _ui2);
}
/* 16-bit counterpart of safe_mod_func_uint8_t_u_u: returns 1 when _ui2 is
 * 0 (the value of `_ui2 == 0` through the GNU `?:` form), otherwise
 * _ui1 % _ui2. The divisor is checked before `%` is evaluated. */
uint32_t
safe_mod_func_uint16_t_u_u (uint16_t _ui1, uint16_t _ui2)
{
return _ui2 == 0 ? : (_ui1 % _ui2);
}
/* File-scope int (uint32_t is a typedef for int in this file). It has no
 * initializer, so it starts at 0; in this listing it is only read, as an
 * argument to func_5 inside func_120. */
uint32_t g_30;
/* Ignores all three parameters and always returns 0xC39B. */
uint32_t
func_5 (uint64_t p_7, uint32_t p_8, uint32_t p_10)
{
uint32_t l_11 = 0xC39BL;
return l_11;
}
/* Evaluates a nested call chain through the three safe_* wrappers and
 * func_5, and calls func_5 again when the result is nonzero.
 *
 * Properties of this function as listed (all part of the reported test
 * case, not to be "fixed" if the file is used as a reproducer):
 *   - it is declared to return uint32_t but has no return statement;
 *   - l_170 is read without ever being assigned;
 *   - safe_mul_ is not declared anywhere in this listing, so the call
 *     relies on an implicit declaration;
 *   - both arms of the inner `? 1 : 1` are the constant 1.
 *
 * NOTE(review): the report does not say which of these constructs is
 * needed to trigger the cc1 crash in JoinIntervals. */
uint32_t
func_120 (uint64_t p_121)
{
uint32_t l_168 = -1L;
/* Never assigned; its indeterminate value is passed to safe_mul_ below. */
uint32_t l_170;
if (safe_mul_func_int16_t_s_s
(safe_mod_func_uint8_t_u_u
((1 > 0 && p_121 > 0 > 127 - p_121 || 1 < 0
&& p_121 < 0 < -128 - p_121 ? 1 : 1)
|| sizeof (int64_t) * 8 ? safe_mod_func_uint16_t_u_u (p_121,
func_5 (l_168,
p_121,
1)) : 1
>> p_121, l_168), 1))
{
/* The condition of `0 ? 1 : ...` is the constant 0, so the safe_mul_
   call is always the selected operand. */
func_5 (p_121, g_30, 0 ? 1 : safe_mul_ (l_170, 1));
}
}