[LLVMbugs] [Bug 13972] New: heap-use-after-free in CorrelatedValuePropagation
bugzilla-daemon at llvm.org
bugzilla-daemon at llvm.org
Fri Sep 28 03:06:42 PDT 2012
http://llvm.org/bugs/show_bug.cgi?id=13972
Bug #: 13972
Summary: heap-use-after-free in CorrelatedValuePropagation
Product: libraries
Version: trunk
Platform: PC
OS/Version: Linux
Status: NEW
Severity: enhancement
Priority: P
Component: Interprocedural Analyses
AssignedTo: unassignedbugs at nondot.org
ReportedBy: kcc at google.com
CC: llvmbugs at cs.uiuc.edu
Classification: Unclassified
clang r164813, 64-bit Linux; test case produced by csmith + creduce.
To reproduce, either build clang with -faddress-sanitizer or run it under valgrind.
clang -cc1 -triple x86_64-unknown-linux-gnu -emit-obj -disable-free
-main-file-name 4183743056.i -mrelocation-model static -fmath-errno
-masm-verbose -mconstructor-aliases -munwind-tables -target-cpu x86-64
-target-linker-version 2.20.1 -momit-leaf-frame-pointer -v -O3 -w -ferror-limit
19 -fmessage-length 196 -mstackrealign -fobjc-runtime=gcc
-fdiagnostics-show-option -fcolor-diagnostics -o 4183743056.o -x cpp-output
4183743056.i
/* Reduced reproducer (csmith + creduce output) for the ASan report below.
 * Pre-C99 implicit-int globals: no type keyword is present on purpose.
 * Keep this listing byte-for-byte; any rewrite changes the IR the
 * optimizer sees and may stop reproducing the crash.
 *
 * What the trace shows: the freed 96-byte region is a PHINode, deleted via
 * BasicBlock::removePredecessor called from
 * CorrelatedValuePropagation::processSwitch (CorrelatedValuePropagation.cpp:236),
 * and then read through LazyValueInfoCache::getEdgeValue
 * (LazyValueInfo.cpp:869) from processSwitch:212. This looks like LVI's
 * cache still holding a pointer to a Value the pass already erased -- to be
 * confirmed against the source. */
a;
b;
c;
d;
/* Implicit-int return type (no type keyword; pre-C99 style).
 * `e` is declared but never initialized before it is compared at
 * `e != -3L`; the uninitialized read is part of the reduced input,
 * not a typo, and is what gives the optimizer the switch/edge structure
 * the crash needs (presumably -- confirm against the IR). */
fn1 () {
int e;
for (; d; ++d)
if (e != -3L) {
if (e) /* second uninitialized read of `e` */
for (;;) { /* empty infinite loop: never exits once entered */
}
e = -8;
for (; e >= 0; e++) { /* body never runs: e == -8 on entry, so e >= 0 is false */
}
} else
c; /* expression statement with no effect */
}
/* Entry point of the reduced test.
 * `b = 0` then `for (; b <= 0;)` is entered; `a = 0` then
 * `for (; a <= 0;) return;` returns on its first iteration, so the
 * `fn1 ();` call is unreachable at run time. It still matters to the
 * optimizer: the "previously allocated" trace shows the PHINode being
 * created while inlining (Inliner::runOnSCC -> InlineFunction ->
 * CloneAndPruneFunctionInto -> PHINode::clone_impl), presumably fn1
 * cloned into this function. */
void
fn2 () {
b = 0;
for (; b <= 0;) {
a = 0;
for (; a <= 0;)
return; /* always taken: a == 0 here */
}
fn1 ();
}
==12218== ERROR: AddressSanitizer heap-use-after-free on address 0x7f9529059888
at pc 0x1e41237 bp 0x7fff35a29910 sp 0x7fff35a29908
READ of size 1 at 0x7f9529059888 thread T0
#0 0x1e41236 in llvm::Value::getValueID() const include/llvm/Value.h:229
#1 0x1ec3396 in llvm::isa_impl<llvm::Constant,
llvm::Value>::doit(llvm::Value const&) include/llvm/Value.h:342
#2 0x1ec328a in llvm::isa_impl_cl<llvm::Constant,
llvm::Value*>::doit(llvm::Value const*) include/llvm/Support/Casting.h:69
#3 0x1ec311a in llvm::isa_impl_wrap<llvm::Constant, llvm::Value*,
llvm::Value*>::doit(llvm::Value* const&) include/llvm/Support/Casting.h:102
#4 0x1ec2e36 in bool llvm::isa<llvm::Constant, llvm::Value*>(llvm::Value*
const&) include/llvm/Support/Casting.h:113
#5 0x1f6fc56 in llvm::cast_retty<llvm::Constant, llvm::Value*>::ret_type
llvm::dyn_cast<llvm::Constant, llvm::Value*>(llvm::Value* const&)
include/llvm/Support/Casting.h:223
#6 0x104de7ce in (anonymous
namespace)::LazyValueInfoCache::getEdgeValue(llvm::Value*, llvm::BasicBlock*,
llvm::BasicBlock*, (anonymous namespace)::LVILatticeVal&)
lib/Analysis/LazyValueInfo.cpp:869
#7 0x104c1f50 in (anonymous
namespace)::LazyValueInfoCache::getValueOnEdge(llvm::Value*, llvm::BasicBlock*,
llvm::BasicBlock*) lib/Analysis/LazyValueInfo.cpp:926
#8 0x104c285d in llvm::LazyValueInfo::getPredicateOnEdge(unsigned int,
llvm::Value*, llvm::Constant*, llvm::BasicBlock*, llvm::BasicBlock*)
lib/Analysis/LazyValueInfo.cpp:1067
#9 0xf462090 in (anonymous
namespace)::CorrelatedValuePropagation::processSwitch(llvm::SwitchInst*)
lib/Transforms/Scalar/CorrelatedValuePropagation.cpp:212
#10 0xf45e44b in (anonymous
namespace)::CorrelatedValuePropagation::runOnFunction(llvm::Function&)
lib/Transforms/Scalar/CorrelatedValuePropagation.cpp:289
#11 0x11548346 in llvm::FPPassManager::runOnFunction(llvm::Function&)
lib/VMCore/PassManager.cpp:1498
#12 0x10215d55 in (anonymous
namespace)::CGPassManager::RunPassOnSCC(llvm::Pass*, llvm::CallGraphSCC&,
llvm::CallGraph&, bool&, bool&) lib/Analysis/IPA/CallGraphSCCPass.cpp:145
#13 0x102133fc in (anonymous
namespace)::CGPassManager::RunAllPassesOnSCC(llvm::CallGraphSCC&,
llvm::CallGraph&, bool&) lib/Analysis/IPA/CallGraphSCCPass.cpp:401
#14 0x10210e0a in (anonymous
namespace)::CGPassManager::runOnModule(llvm::Module&)
lib/Analysis/IPA/CallGraphSCCPass.cpp:457
#15 0x1154a5ae in llvm::MPPassManager::runOnModule(llvm::Module&)
lib/VMCore/PassManager.cpp:1572
#16 0x1154c62c in llvm::PassManagerImpl::run(llvm::Module&)
lib/VMCore/PassManager.cpp:1655
#17 0x1154d11a in llvm::PassManager::run(llvm::Module&)
lib/VMCore/PassManager.cpp:1684
#18 0x1ca1419 in (anonymous
namespace)::EmitAssemblyHelper::EmitAssembly(clang::BackendAction,
llvm::raw_ostream*) tools/clang/lib/CodeGen/BackendUtil.cpp:473
#19 0x1ca06ed in clang::EmitBackendOutput(clang::DiagnosticsEngine&,
clang::CodeGenOptions const&, clang::TargetOptions const&, clang::LangOptions
const&, llvm::Module*, clang::BackendAction, llvm::raw_ostream*)
tools/clang/lib/CodeGen/BackendUtil.cpp:490
#20 0x1c876f6 in
clang::BackendConsumer::HandleTranslationUnit(clang::ASTContext&)
tools/clang/lib/CodeGen/CodeGenAction.cpp:160
#21 0x2abd8f1 in clang::ParseAST(clang::Sema&, bool, bool)
tools/clang/lib/Parse/ParseAST.cpp:111
#22 0xb1ca42 in clang::ASTFrontendAction::ExecuteAction()
tools/clang/lib/Frontend/FrontendAction.cpp:422
#23 0x1c815c7 in clang::CodeGenAction::ExecuteAction()
tools/clang/lib/CodeGen/CodeGenAction.cpp:421
#24 0xb1b80b in clang::FrontendAction::Execute()
tools/clang/lib/Frontend/FrontendAction.cpp:339
#25 0x9e0744 in
clang::CompilerInstance::ExecuteAction(clang::FrontendAction&)
tools/clang/lib/Frontend/CompilerInstance.cpp:672
#26 0x81d685 in clang::ExecuteCompilerInvocation(clang::CompilerInstance*)
tools/clang/lib/FrontendTool/ExecuteCompilerInvocation.cpp:189
#27 0x7758f3 in cc1_main(char const**, char const**, char const*, void*)
tools/clang/tools/driver/cc1_main.cpp:165
#28 0x7ed14d in main tools/clang/tools/driver/driver.cpp:357
#29 0x7f9529196c4c in __libc_start_main
/build/buildd/eglibc-2.11.1/csu/libc-start.c:226
0x7f9529059888 is located 8 bytes inside of 96-byte region
[0x7f9529059880,0x7f95290598e0)
freed by thread T0 here:
#0 0x11a88bc0 in operator delete(void*) ??:0
#1 0x11660a4b in llvm::User::operator delete(void*) lib/VMCore/User.cpp:78
#2 0x113da58b in llvm::PHINode::~PHINode() lib/VMCore/Instructions.cpp:95
#3 0x9eafc48 in
llvm::ilist_node_traits<llvm::Instruction>::deleteNode(llvm::Instruction*)
include/llvm/ADT/ilist.h:113
#4 0x9eaf4cd in llvm::iplist<llvm::Instruction,
llvm::ilist_traits<llvm::Instruction>
>::erase(llvm::ilist_iterator<llvm::Instruction>) include/llvm/ADT/ilist.h:464
#5 0xef63315 in llvm::iplist<llvm::Instruction,
llvm::ilist_traits<llvm::Instruction> >::pop_front()
include/llvm/ADT/ilist.h:540
#6 0x1108ad71 in llvm::BasicBlock::removePredecessor(llvm::BasicBlock*,
bool) lib/VMCore/BasicBlock.cpp:261
#7 0xf462488 in (anonymous
namespace)::CorrelatedValuePropagation::processSwitch(llvm::SwitchInst*)
lib/Transforms/Scalar/CorrelatedValuePropagation.cpp:236
#8 0xf45e44b in (anonymous
namespace)::CorrelatedValuePropagation::runOnFunction(llvm::Function&)
lib/Transforms/Scalar/CorrelatedValuePropagation.cpp:289
#9 0x11548346 in llvm::FPPassManager::runOnFunction(llvm::Function&)
lib/VMCore/PassManager.cpp:1498
#10 0x10215d55 in (anonymous
namespace)::CGPassManager::RunPassOnSCC(llvm::Pass*, llvm::CallGraphSCC&,
llvm::CallGraph&, bool&, bool&) lib/Analysis/IPA/CallGraphSCCPass.cpp:145
#11 0x102133fc in (anonymous
namespace)::CGPassManager::RunAllPassesOnSCC(llvm::CallGraphSCC&,
llvm::CallGraph&, bool&) lib/Analysis/IPA/CallGraphSCCPass.cpp:401
#12 0x10210e0a in (anonymous
namespace)::CGPassManager::runOnModule(llvm::Module&)
lib/Analysis/IPA/CallGraphSCCPass.cpp:457
#13 0x1154a5ae in llvm::MPPassManager::runOnModule(llvm::Module&)
lib/VMCore/PassManager.cpp:1572
#14 0x1154c62c in llvm::PassManagerImpl::run(llvm::Module&)
lib/VMCore/PassManager.cpp:1655
#15 0x1154d11a in llvm::PassManager::run(llvm::Module&)
lib/VMCore/PassManager.cpp:1684
#16 0x1ca1419 in (anonymous
namespace)::EmitAssemblyHelper::EmitAssembly(clang::BackendAction,
llvm::raw_ostream*) tools/clang/lib/CodeGen/BackendUtil.cpp:473
#17 0x1ca06ed in clang::EmitBackendOutput(clang::DiagnosticsEngine&,
clang::CodeGenOptions const&, clang::TargetOptions const&, clang::LangOptions
const&, llvm::Module*, clang::BackendAction, llvm::raw_ostream*)
tools/clang/lib/CodeGen/BackendUtil.cpp:490
#18 0x1c876f6 in
clang::BackendConsumer::HandleTranslationUnit(clang::ASTContext&)
tools/clang/lib/CodeGen/CodeGenAction.cpp:160
#19 0x2abd8f1 in clang::ParseAST(clang::Sema&, bool, bool)
tools/clang/lib/Parse/ParseAST.cpp:111
#20 0xb1ca42 in clang::ASTFrontendAction::ExecuteAction()
tools/clang/lib/Frontend/FrontendAction.cpp:422
#21 0x1c815c7 in clang::CodeGenAction::ExecuteAction()
tools/clang/lib/CodeGen/CodeGenAction.cpp:421
#22 0xb1b80b in clang::FrontendAction::Execute()
tools/clang/lib/Frontend/FrontendAction.cpp:339
#23 0x9e0744 in
clang::CompilerInstance::ExecuteAction(clang::FrontendAction&)
tools/clang/lib/Frontend/CompilerInstance.cpp:672
#24 0x81d685 in clang::ExecuteCompilerInvocation(clang::CompilerInstance*)
tools/clang/lib/FrontendTool/ExecuteCompilerInvocation.cpp:189
#25 0x7758f3 in cc1_main(char const**, char const**, char const*, void*)
tools/clang/tools/driver/cc1_main.cpp:165
#26 0x7ed14d in main tools/clang/tools/driver/driver.cpp:357
#27 0x7f9529196c4c in __libc_start_main
/build/buildd/eglibc-2.11.1/csu/libc-start.c:226
previously allocated by thread T0 here:
#0 0x11a88a40 in operator new(unsigned long) ??:0
#1 0x11660375 in llvm::User::operator new(unsigned long, unsigned int)
lib/VMCore/User.cpp:59
#2 0x1fa8f0b in llvm::PHINode::operator new(unsigned long)
include/llvm/Instructions.h:1980
#3 0x1143ef05 in llvm::PHINode::clone_impl() const
lib/VMCore/Instructions.cpp:3502
#4 0x113d6fbe in llvm::Instruction::clone() const
lib/VMCore/Instruction.cpp:433
#5 0xfefcd2b in (anonymous
namespace)::PruningFunctionCloner::CloneBlock(llvm::BasicBlock const*,
std::vector<llvm::BasicBlock const*, std::allocator<llvm::BasicBlock const*>
>&) lib/Transforms/Utils/CloneFunction.cpp:261
#6 0xfef72b3 in llvm::CloneAndPruneFunctionInto(llvm::Function*,
llvm::Function const*, llvm::ValueMap<llvm::Value const*, llvm::WeakVH,
llvm::ValueMapConfig<llvm::Value const*> >&, bool,
llvm::SmallVectorImpl<llvm::ReturnInst*>&, char const*, llvm::ClonedCodeInfo*,
llvm::TargetData const*, llvm::Instruction*)
lib/Transforms/Utils/CloneFunction.cpp:387
#7 0xff50529 in llvm::InlineFunction(llvm::CallSite,
llvm::InlineFunctionInfo&, bool) lib/Transforms/Utils/InlineFunction.cpp:603
#8 0xa0103df in InlineCallIfPossible(llvm::CallSite,
llvm::InlineFunctionInfo&, llvm::DenseMap<llvm::ArrayType*,
std::vector<llvm::AllocaInst*, std::allocator<llvm::AllocaInst*> >,
llvm::DenseMapInfo<llvm::ArrayType*> >&, int, bool)
lib/Transforms/IPO/Inliner.cpp:91
#9 0xa00dacf in llvm::Inliner::runOnSCC(llvm::CallGraphSCC&)
lib/Transforms/IPO/Inliner.cpp:451
#10 0x102154d1 in (anonymous
namespace)::CGPassManager::RunPassOnSCC(llvm::Pass*, llvm::CallGraphSCC&,
llvm::CallGraph&, bool&, bool&) lib/Analysis/IPA/CallGraphSCCPass.cpp:121
#11 0x102133fc in (anonymous
namespace)::CGPassManager::RunAllPassesOnSCC(llvm::CallGraphSCC&,
llvm::CallGraph&, bool&) lib/Analysis/IPA/CallGraphSCCPass.cpp:401
#12 0x10210e0a in (anonymous
namespace)::CGPassManager::runOnModule(llvm::Module&)
lib/Analysis/IPA/CallGraphSCCPass.cpp:457
#13 0x1154a5ae in llvm::MPPassManager::runOnModule(llvm::Module&)
lib/VMCore/PassManager.cpp:1572
#14 0x1154c62c in llvm::PassManagerImpl::run(llvm::Module&)
lib/VMCore/PassManager.cpp:1655
#15 0x1154d11a in llvm::PassManager::run(llvm::Module&)
lib/VMCore/PassManager.cpp:1684
#16 0x1ca1419 in (anonymous
namespace)::EmitAssemblyHelper::EmitAssembly(clang::BackendAction,
llvm::raw_ostream*) tools/clang/lib/CodeGen/BackendUtil.cpp:473
#17 0x1ca06ed in clang::EmitBackendOutput(clang::DiagnosticsEngine&,
clang::CodeGenOptions const&, clang::TargetOptions const&, clang::LangOptions
const&, llvm::Module*, clang::BackendAction, llvm::raw_ostream*)
tools/clang/lib/CodeGen/BackendUtil.cpp:490
#18 0x1c876f6 in
clang::BackendConsumer::HandleTranslationUnit(clang::ASTContext&)
tools/clang/lib/CodeGen/CodeGenAction.cpp:160
#19 0x2abd8f1 in clang::ParseAST(clang::Sema&, bool, bool)
tools/clang/lib/Parse/ParseAST.cpp:111
#20 0xb1ca42 in clang::ASTFrontendAction::ExecuteAction()
tools/clang/lib/Frontend/FrontendAction.cpp:422
#21 0x1c815c7 in clang::CodeGenAction::ExecuteAction()
tools/clang/lib/CodeGen/CodeGenAction.cpp:421
#22 0xb1b80b in clang::FrontendAction::Execute()
tools/clang/lib/Frontend/FrontendAction.cpp:339
#23 0x9e0744 in
clang::CompilerInstance::ExecuteAction(clang::FrontendAction&)
tools/clang/lib/Frontend/CompilerInstance.cpp:672
#24 0x81d685 in clang::ExecuteCompilerInvocation(clang::CompilerInstance*)
tools/clang/lib/FrontendTool/ExecuteCompilerInvocation.cpp:189
#25 0x7758f3 in cc1_main(char const**, char const**, char const*, void*)
tools/clang/tools/driver/cc1_main.cpp:165
Shadow byte and word:
0x1ff2a520b311: fd
0x1ff2a520b310: fd fd fd fd fd fd fd fd
More shadow bytes:
0x1ff2a520b2f0: 00 00 00 04 fb fb fb fb
0x1ff2a520b2f8: fb fb fb fb fb fb fb fb
0x1ff2a520b300: fa fa fa fa fa fa fa fa
0x1ff2a520b308: fa fa fa fa fa fa fa fa
=>0x1ff2a520b310: fd fd fd fd fd fd fd fd
0x1ff2a520b318: fd fd fd fd fd fd fd fd
0x1ff2a520b320: fa fa fa fa fa fa fa fa
0x1ff2a520b328: fa fa fa fa fa fa fa fa
0x1ff2a520b330: fd fd fd fd fd fd fd fd