[LLVMbugs] [Bug 8522] New: Use-after-free in VMCore library (ConstantUniqueMap::refineAbstractType)

bugzilla-daemon at llvm.org bugzilla-daemon at llvm.org
Mon Nov 1 08:21:10 PDT 2010


           Summary: Use-after-free in VMCore library
           Product: new-bugs
           Version: trunk
          Platform: PC
        OS/Version: Linux
            Status: NEW
          Severity: normal
          Priority: P
         Component: new bugs
        AssignedTo: unassignedbugs at nondot.org
        ReportedBy: Tim.Deegan at citrix.com
                CC: llvmbugs at cs.uiuc.edu

Created an attachment (id=5713)
 --> (http://llvm.org/bugs/attachment.cgi?id=5713)
Possible fix?

When ConstantUniqueMap::refineAbstractType() deletes an InlineAsm constant, it
seems like it can find the same constant again later in its main loop.

I was able to repro this (on trunk and on 2.8) when linking parts of the Xen
hypervisor, which would cause llvm-ld to segfault:

whitby:link$ llvm-ld -r -o test.o domain.o memory.o 
0  llvm-ld         0x0000000000c42ff2
1  llvm-ld         0x0000000000c42de5
2  libpthread.so.0 0x00007f9b55b3ef60
3  libpthread.so.0 0x00000000025394d0
Stack dump:
0.      Program arguments: llvm-ld -r -o test.o domain.o memory.o 
Segmentation fault

I can supply the actual .o files if needed.

The problem seems to be that other constant types make an effort to remove
themselves cleanly from data structures, but InlineAsms just delete themselves.
By cargo-culting other constant types, I found the attached patch fixes the
crash, but I have no great faith in its correctness. :)
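As an added illustration (not LLVM's code and not the reporter's attached patch; ToyUniqueMap, ToyConstant and danglingAfterRefine are hypothetical names), this toy uniquing map shows the pattern described in the report: a constant that is destroyed without erasing itself from the map leaves a stale entry that a later walk of the map will find and dereference, while a constant that removes itself first leaves nothing behind.

```cpp
#include <map>
#include <string>
#include <vector>

// Toy stand-in for a constant-uniquing map (hypothetical names; not LLVM's ConstantUniqueMap).
struct ToyUniqueMap;
struct ToyConstant {
    ToyUniqueMap *Map;     // the map that uniques this constant
    std::string Key;       // uniquing key, e.g. "T1:asm(\"nop\")"
    int TypeId;            // id of the (abstract) type the constant refers to
    bool RemoveOnDestroy;  // true: erase self from the map on destruction ("clean" constants)
    ToyConstant(ToyUniqueMap *M, const std::string &K, int T, bool R)
        : Map(M), Key(K), TypeId(T), RemoveOnDestroy(R) {}
    ~ToyConstant();
};

struct ToyUniqueMap {
    std::map<std::string, ToyConstant *> Entries;  // non-owning raw pointers
    ToyConstant *getOrCreate(const std::string &Key, int TypeId, bool RemoveOnDestroy) {
        auto It = Entries.find(Key);
        if (It != Entries.end()) return It->second;
        return Entries[Key] = new ToyConstant(this, Key, TypeId, RemoveOnDestroy);
    }
    // Models refineAbstractType(OldTy): constants of OldTy are destroyed so they can be rebuilt
    // with the refined type. Returns how many entries still name a constant destroyed here;
    // a later walk of the map (or a second refine) would dereference those stale pointers.
    int refineAbstractType(int OldTy) {
        std::vector<std::string> Doomed;
        for (auto &E : Entries)
            if (E.second->TypeId == OldTy) Doomed.push_back(E.first);
        for (const std::string &K : Doomed) {
            auto It = Entries.find(K);
            if (It != Entries.end()) delete It->second;  // ~ToyConstant may or may not erase K
        }
        int Dangling = 0;
        for (const std::string &K : Doomed)
            if (Entries.count(K)) ++Dangling;  // key lookup only; the stale value is never touched
        return Dangling;
    }
};

// What the "clean" constant types do and the InlineAsm path in the report did not.
ToyConstant::~ToyConstant() { if (RemoveOnDestroy) Map->Entries.erase(Key); }

// Two inline-asm-like constants of type 1 and one of type 2; refine type 1 and report leftovers.
int danglingAfterRefine(bool CleanRemoval) {
    ToyUniqueMap M;
    M.getOrCreate("T1:asm(\"nop\")", 1, CleanRemoval);
    M.getOrCreate("T1:asm(\"hlt\")", 1, CleanRemoval);
    M.getOrCreate("T2:asm(\"nop\")", 2, CleanRemoval);
    return M.refineAbstractType(1);  // 2 stale entries without clean removal, 0 with it
}
```

Running the same refine a second time on the map left by the non-cleaning variant is exactly the "finds the same constant again later" case: the first loop would dereference the freed pointer.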
