[LLVMbugs] [Bug 12245] New: heap-use-after-free in Reassociate::OptimizeExpression
bugzilla-daemon at llvm.org
Sun Mar 11 19:59:45 PDT 2012
http://llvm.org/bugs/show_bug.cgi?id=12245
Bug #: 12245
Summary: heap-use-after-free in Reassociate::OptimizeExpression
Product: new-bugs
Version: unspecified
Platform: PC
OS/Version: Linux
Status: NEW
Severity: enhancement
Priority: P
Component: new bugs
AssignedTo: unassignedbugs at nondot.org
ReportedBy: kcc at google.com
CC: llvmbugs at cs.uiuc.edu
Classification: Unclassified
r152547, x86_64 linux.
Test case (from csmith+creduce):
int a, d;
int fn2 () {
d = --a - d;
d = --a - d;
d = --a - d;
d = --a - d;
d = --a - d;
return 0;
}
int fn1 () {
return fn2 ();
}
% clang -O3 uaf.c
<may or may not fail. If it fails, the output looks like this:
1. <eof> parser at end of file
2. Per-module optimization passes
3. Running pass 'CallGraph Pass Manager' on module 'uaf.c'.
4. Running pass 'Reassociate expressions' on function '@fn1'>
<build clang with AddressSanitizer,
http://code.google.com/p/address-sanitizer/wiki/HowToBuild>
% clang -O3 uaf.c
==8192== ERROR: AddressSanitizer heap-use-after-free on address 0x7fd3b70e54c0
at pc 0x1b42897 bp 0x7fff48b3a9d0 sp 0x7fff48b3a9c8
READ of size 8 at 0x7fd3b70e54c0 thread T0
#0 0x1b42897 in llvm::Value::getType const Value.h:107
#1 0x101f8d93 in llvm::BinaryOperator::Create
lib/VMCore/Instructions.cpp:1824
#2 0xe53c239 in llvm::BinaryOperator::CreateAdd Instruction.def:108
#3 0xe877901 in EmitAddTreeOfValues
lib/Transforms/Scalar/Reassociate.cpp:568
#4 0xe870e23 in ::Reassociate::OptimizeAdd::ValueEntry>&)
lib/Transforms/Scalar/Reassociate.cpp:861
#5 0xe865a92 in ::Reassociate::OptimizeExpression::ValueEntry>&)
lib/Transforms/Scalar/Reassociate.cpp:954
#6 0xe8650f4 in ::Reassociate::OptimizeExpression::ValueEntry>&)
lib/Transforms/Scalar/Reassociate.cpp:904
#7 0xe8650f4 in ::Reassociate::OptimizeExpression::ValueEntry>&)
lib/Transforms/Scalar/Reassociate.cpp:904
#8 0xe8650f4 in ::Reassociate::OptimizeExpression::ValueEntry>&)
lib/Transforms/Scalar/Reassociate.cpp:904
#9 0xe861676 in ::Reassociate::ReassociateExpression
lib/Transforms/Scalar/Reassociate.cpp:1053
#10 0xe85ede1 in ::Reassociate::ReassociateInst
lib/Transforms/Scalar/Reassociate.cpp:1031
#11 0xe85d0b8 in ::Reassociate::runOnFunction
lib/Transforms/Scalar/Reassociate.cpp:1103
#12 0x10335b4b in llvm::FPPassManager::runOnFunction
lib/VMCore/PassManager.cpp:1497
#13 0xef9e7fd in ::CGPassManager::RunPassOnSCC
lib/Analysis/IPA/CallGraphSCCPass.cpp:145
#14 0xef9bf03 in ::CGPassManager::RunAllPassesOnSCC
lib/Analysis/IPA/CallGraphSCCPass.cpp:399
#15 0xef99c44 in ::CGPassManager::runOnModule
lib/Analysis/IPA/CallGraphSCCPass.cpp:455
#16 0x10337fbd in llvm::MPPassManager::runOnModule
lib/VMCore/PassManager.cpp:1573
#17 0x10339dc8 in llvm::PassManagerImpl::run
lib/VMCore/PassManager.cpp:1657
#18 0x1033a999 in llvm::PassManager::run lib/VMCore/PassManager.cpp:1686
#19 0x19c7ce6 in ::EmitAssemblyHelper::EmitAssembly
tools/clang/lib/CodeGen/BackendUtil.cpp:441
#20 0x19c70cc in clang::EmitBackendOutput
tools/clang/lib/CodeGen/BackendUtil.cpp:458
#21 0x19ae3a6 in clang::BackendConsumer::HandleTranslationUnit
tools/clang/lib/CodeGen/CodeGenAction.cpp:161
#22 0x27bb06e in clang::ParseAST tools/clang/lib/Parse/ParseAST.cpp:108
#23 0xb9bef0 in clang::ASTFrontendAction::ExecuteAction
tools/clang/lib/Frontend/FrontendAction.cpp:416
#24 0x19a74c1 in clang::CodeGenAction::ExecuteAction
tools/clang/lib/CodeGen/CodeGenAction.cpp:412
#25 0xb9aea5 in clang::FrontendAction::Execute
tools/clang/lib/Frontend/FrontendAction.cpp:336
#26 0xa80374 in clang::CompilerInstance::ExecuteAction
tools/clang/lib/Frontend/CompilerInstance.cpp:672
#27 0x8c4517 in clang::ExecuteCompilerInvocation
tools/clang/lib/FrontendTool/ExecuteCompilerInvocation.cpp:183
#28 0x8232bc in cc1_main tools/clang/tools/driver/cc1_main.cpp:165
#29 0x89455c in main tools/clang/tools/driver/driver.cpp:352
#30 0x7fd3b7511c4d in __libc_start_main
/build/buildd/eglibc-2.11.1/csu/libc-start.c:258
0x7fd3b70e54c0 is located 64 bytes inside of 136-byte region
[0x7fd3b70e5480,0x7fd3b70e5508)
freed by thread T0 here:
#0 0x1085c1f2 in operator delete ??:0
#1 0x10430547 in llvm::User::operator delete lib/VMCore/User.cpp:79
#2 0x10237208 in llvm::BinaryOperator::~BinaryOperator InstrTypes.h:140
#3 0x9103022 in llvm::ilist_node_traits<llvm::Instruction>::deleteNode
ADT/ilist.h:112
#4 0x9102880 in llvm::iplist<llvm::Instruction,
llvm::ilist_traits<llvm::Instruction> >::erase ADT/ilist.h:464
#5 0x101b9993 in llvm::Instruction::eraseFromParent
lib/VMCore/Instruction.cpp:72
#6 0xe861125 in LowerNegateToMultiply
lib/Transforms/Scalar/Reassociate.cpp:222
#7 0xe862a4c in ::Reassociate::LinearizeExprTree::ValueEntry>&)
lib/Transforms/Scalar/Reassociate.cpp:285
#8 0xe863420 in ::Reassociate::LinearizeExprTree::ValueEntry>&)
lib/Transforms/Scalar/Reassociate.cpp:335
#9 0xe876343 in ::Reassociate::RemoveFactorFromExpression
lib/Transforms/Scalar/Reassociate.cpp:581
#10 0xe8708e2 in ::Reassociate::OptimizeAdd::ValueEntry>&)
lib/Transforms/Scalar/Reassociate.cpp:843
#11 0xe865a92 in ::Reassociate::OptimizeExpression::ValueEntry>&)
lib/Transforms/Scalar/Reassociate.cpp:954
#12 0xe8650f4 in ::Reassociate::OptimizeExpression::ValueEntry>&)
lib/Transforms/Scalar/Reassociate.cpp:904
#13 0xe8650f4 in ::Reassociate::OptimizeExpression::ValueEntry>&)
lib/Transforms/Scalar/Reassociate.cpp:904
#14 0xe8650f4 in ::Reassociate::OptimizeExpression::ValueEntry>&)
lib/Transforms/Scalar/Reassociate.cpp:904
#15 0xe861676 in ::Reassociate::ReassociateExpression
lib/Transforms/Scalar/Reassociate.cpp:1053
#16 0xe85ede1 in ::Reassociate::ReassociateInst
lib/Transforms/Scalar/Reassociate.cpp:1031
#17 0xe85d0b8 in ::Reassociate::runOnFunction
lib/Transforms/Scalar/Reassociate.cpp:1103
#18 0x10335b4b in llvm::FPPassManager::runOnFunction
lib/VMCore/PassManager.cpp:1497
#19 0xef9e7fd in ::CGPassManager::RunPassOnSCC
lib/Analysis/IPA/CallGraphSCCPass.cpp:145
#20 0xef9bf03 in ::CGPassManager::RunAllPassesOnSCC
lib/Analysis/IPA/CallGraphSCCPass.cpp:399
#21 0xef99c44 in ::CGPassManager::runOnModule
lib/Analysis/IPA/CallGraphSCCPass.cpp:455
#22 0x10337fbd in llvm::MPPassManager::runOnModule
lib/VMCore/PassManager.cpp:1573
#23 0x10339dc8 in llvm::PassManagerImpl::run
lib/VMCore/PassManager.cpp:1657
#24 0x1033a999 in llvm::PassManager::run lib/VMCore/PassManager.cpp:1686
#25 0x19c7ce6 in ::EmitAssemblyHelper::EmitAssembly
tools/clang/lib/CodeGen/BackendUtil.cpp:441
#26 0x19c70cc in clang::EmitBackendOutput
tools/clang/lib/CodeGen/BackendUtil.cpp:458
#27 0x19ae3a6 in clang::BackendConsumer::HandleTranslationUnit
tools/clang/lib/CodeGen/CodeGenAction.cpp:161
#28 0x27bb06e in clang::ParseAST tools/clang/lib/Parse/ParseAST.cpp:108
#29 0xb9bef0 in clang::ASTFrontendAction::ExecuteAction
tools/clang/lib/Frontend/FrontendAction.cpp:416
previously allocated by thread T0 here:
#0 0x1085c072 in operator new ??:0
#1 0x1042fe3e in llvm::User::operator new lib/VMCore/User.cpp:59
#2 0x10230148 in llvm::BinaryOperator::operator new InstrTypes.h:152
#3 0x101f9760 in llvm::BinaryOperator::CreateNeg
lib/VMCore/Instructions.cpp:1840
#4 0xe88aa8e in NegateValue lib/Transforms/Scalar/Reassociate.cpp:465
#5 0xe889f3a in NegateValue lib/Transforms/Scalar/Reassociate.cpp:418
#6 0xe8603e4 in BreakUpSubtract lib/Transforms/Scalar/Reassociate.cpp:502
#7 0xe85e790 in ::Reassociate::ReassociateInst
lib/Transforms/Scalar/Reassociate.cpp:998
#8 0xe85d0b8 in ::Reassociate::runOnFunction
lib/Transforms/Scalar/Reassociate.cpp:1103
#9 0x10335b4b in llvm::FPPassManager::runOnFunction
lib/VMCore/PassManager.cpp:1497
#10 0xef9e7fd in ::CGPassManager::RunPassOnSCC
lib/Analysis/IPA/CallGraphSCCPass.cpp:145
#11 0xef9bf03 in ::CGPassManager::RunAllPassesOnSCC
lib/Analysis/IPA/CallGraphSCCPass.cpp:399
#12 0xef99c44 in ::CGPassManager::runOnModule
lib/Analysis/IPA/CallGraphSCCPass.cpp:455
#13 0x10337fbd in llvm::MPPassManager::runOnModule
lib/VMCore/PassManager.cpp:1573
#14 0x10339dc8 in llvm::PassManagerImpl::run
lib/VMCore/PassManager.cpp:1657
#15 0x1033a999 in llvm::PassManager::run lib/VMCore/PassManager.cpp:1686
#16 0x19c7ce6 in ::EmitAssemblyHelper::EmitAssembly
tools/clang/lib/CodeGen/BackendUtil.cpp:441
#17 0x19c70cc in clang::EmitBackendOutput
tools/clang/lib/CodeGen/BackendUtil.cpp:458
#18 0x19ae3a6 in clang::BackendConsumer::HandleTranslationUnit
tools/clang/lib/CodeGen/CodeGenAction.cpp:161
#19 0x27bb06e in clang::ParseAST tools/clang/lib/Parse/ParseAST.cpp:108
#20 0xb9bef0 in clang::ASTFrontendAction::ExecuteAction
tools/clang/lib/Frontend/FrontendAction.cpp:416
#21 0x19a74c1 in clang::CodeGenAction::ExecuteAction
tools/clang/lib/CodeGen/CodeGenAction.cpp:412
#22 0xb9aea5 in clang::FrontendAction::Execute
tools/clang/lib/Frontend/FrontendAction.cpp:336
#23 0xa80374 in clang::CompilerInstance::ExecuteAction
tools/clang/lib/Frontend/CompilerInstance.cpp:672
The same bug can also be confirmed by valgrind/memcheck.
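Added illustration (not part of the bug report above and not LLVM code): a small C++ model of the pattern the two stack traces show. OptimizeAdd holds a list of operand pointers; a nested RemoveFactorFromExpression/LinearizeExprTree call lowers a neg that NegateValue created and erases it (LowerNegateToMultiply, the "freed by" trace); EmitAddTreeOfValues then dereferences the stale entry (the getType() read). Function, Value, WeakHandle, lowerNegateToMultiply, emitAddTree, buggyFlow and fixedFlow are toy stand-ins written for this sketch, not LLVM's classes or functions; the handle that is cleared on erase borrows only the idea behind LLVM's value handles. The sketch shows the stale entry being caught instead of read after free, and the flow where the worklist entry is rewritten to the replacement before the old value is gone.

```cpp
#include <cassert>
#include <memory>
#include <string>
#include <vector>

struct Value;

// Toy weak handle: every copy shares one slot, and Function::erase clears the
// slot, so a stale entry reads as null instead of as freed memory.
struct WeakHandle {
  std::shared_ptr<Value *> slot;
  explicit WeakHandle(Value *v);
  Value *get() const { return *slot; }
};

struct Value {
  std::string name;                          // printable form, e.g. "(b * -1)"
  std::vector<std::weak_ptr<Value *>> slots; // handle slots to clear on erase
  explicit Value(std::string n) : name(n) {}
};

WeakHandle::WeakHandle(Value *v) : slot(std::make_shared<Value *>(v)) {
  v->slots.push_back(slot);
}

// Owns the instructions, like a basic block's instruction list.
struct Function {
  std::vector<std::unique_ptr<Value>> insts;

  Value *create(const std::string &name) {
    insts.push_back(std::unique_ptr<Value>(new Value(name)));
    return insts.back().get();
  }

  // Models Instruction::eraseFromParent(): frees the object. Every live handle
  // is nulled first, so whoever still holds one cannot dereference the freed
  // object.
  void erase(Value *v) {
    for (std::weak_ptr<Value *> &w : v->slots)
      if (std::shared_ptr<Value *> s = w.lock()) *s = nullptr;
    for (auto it = insts.begin(); it != insts.end(); ++it)
      if (it->get() == v) { insts.erase(it); return; } // unique_ptr frees v
    assert(false && "value is not owned by this function");
  }
};

// Models LowerNegateToMultiply: "-x" becomes "x * -1" and the neg is erased.
Value *lowerNegateToMultiply(Function &f, Value *neg, const std::string &x) {
  Value *mul = f.create("(" + x + " * -1)");
  f.erase(neg);
  return mul;
}

struct TreeResult { bool ok; std::string expr; int stale; };

// Models EmitAddTreeOfValues. With raw pointers the stale entry would be read
// after free (the getType() call in the report); a cleared handle is caught.
TreeResult emitAddTree(const std::vector<WeakHandle> &ops) {
  TreeResult r = {true, "", 0};
  for (const WeakHandle &h : ops) {
    Value *v = h.get();
    if (!v) { r.ok = false; ++r.stale; continue; }
    r.expr = r.expr.empty() ? v->name : "(" + r.expr + " + " + v->name + ")";
  }
  return r;
}

// Constructed worklist: a, the neg that NegateValue would create, and c.
std::vector<WeakHandle> makeOps(Function &f) {
  std::vector<WeakHandle> ops;
  ops.push_back(WeakHandle(f.create("a")));
  ops.push_back(WeakHandle(f.create("-b")));
  ops.push_back(WeakHandle(f.create("c")));
  return ops;
}

// Buggy flow: the nested rewrite erases an operand but the worklist keeps its
// entry. The handle turns the use-after-free into a detected stale entry.
TreeResult buggyFlow() {
  Function f;
  std::vector<WeakHandle> ops = makeOps(f);
  lowerNegateToMultiply(f, ops[1].get(), "b"); // replacement dropped on the floor
  return emitAddTree(ops);
}

// Fixed flow: the worklist entry is pointed at the replacement as soon as the
// old value is erased, so no stale pointer survives the rewrite.
TreeResult fixedFlow() {
  Function f;
  std::vector<WeakHandle> ops = makeOps(f);
  ops[1] = WeakHandle(lowerNegateToMultiply(f, ops[1].get(), "b"));
  return emitAddTree(ops);
}

int main() {
  assert(!buggyFlow().ok && buggyFlow().stale == 1);
  assert(fixedFlow().ok && fixedFlow().expr == "((a + (b * -1)) + c)");
  return 0;
}
```

The buggy flow yields ok == false with one stale entry and the tree "(a + c)"; the fixed flow yields "((a + (b * -1)) + c)". Under AddressSanitizer the raw-pointer version of the same flow is exactly what the report above shows: the read lands inside a region freed by the nested erase.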