[LLVMbugs] [Bug 24301] New: NVPTX: NaryReassociate.cpp : heap-use-after-free

bugzilla-daemon at llvm.org bugzilla-daemon at llvm.org
Wed Jul 29 08:07:25 PDT 2015


https://llvm.org/bugs/show_bug.cgi?id=24301

            Bug ID: 24301
           Summary: NVPTX: NaryReassociate.cpp : heap-use-after-free
           Product: libraries
           Version: trunk
          Hardware: PC
                OS: Linux
            Status: NEW
          Severity: normal
          Priority: P
         Component: Backend: PTX
          Assignee: unassignedbugs at nondot.org
          Reporter: tobias at grosser.es
                CC: llvmbugs at cs.uiuc.edu
    Classification: Unclassified

Created attachment 14663
  --> https://llvm.org/bugs/attachment.cgi?id=14663&action=edit
Test input to reproduce this example.

If I compile llc (r243247) with AddressSanitizer and run it on the attached
input, I get the following report:

READ of size 8 at 0x60b00012c2d0 thread T0
    #0 0x153a3a3 in getParent
/home/grosser/Projects/polly/git/include/llvm/IR/Instruction.h:72:55
    #1 0x153a3a3 in llvm::DominatorTree::dominates(llvm::Instruction const*,
llvm::Instruction const*) const
/home/grosser/Projects/polly/git/lib/IR/Dominators.cpp:80
    #2 0x1946381 in (anonymous
namespace)::NaryReassociate::findClosestMatchingDominator(llvm::SCEV const*,
llvm::Instruction*)
/home/grosser/Projects/polly/git/lib/Transforms/Scalar/NaryReassociate.cpp:500:9
    #3 0x1946d80 in (anonymous
namespace)::NaryReassociate::tryReassociatedAdd(llvm::SCEV const*,
llvm::Value*, llvm::Instruction*)
/home/grosser/Projects/polly/git/lib/Transforms/Scalar/NaryReassociate.cpp:477:15
    #4 0x1946a5f in (anonymous
namespace)::NaryReassociate::tryReassociateAdd(llvm::Value*, llvm::Value*,
llvm::Instruction*)
/home/grosser/Projects/polly/git/lib/Transforms/Scalar/NaryReassociate.cpp:461:24
    #5 0x1941b6f in tryReassociateAdd
/home/grosser/Projects/polly/git/lib/Transforms/Scalar/NaryReassociate.cpp:440:20
    #6 0x1941b6f in tryReassociate
/home/grosser/Projects/polly/git/lib/Transforms/Scalar/NaryReassociate.cpp:278
    #7 0x1941b6f in doOneIteration
/home/grosser/Projects/polly/git/lib/Transforms/Scalar/NaryReassociate.cpp:238
    #8 0x1941b6f in (anonymous
namespace)::NaryReassociate::runOnFunction(llvm::Function&)
/home/grosser/Projects/polly/git/lib/Transforms/Scalar/NaryReassociate.cpp:210
    #9 0x1687d2b in llvm::FPPassManager::runOnFunction(llvm::Function&)
/home/grosser/Projects/polly/git/lib/IR/LegacyPassManager.cpp:1520:23
    #10 0x16881b5 in llvm::FPPassManager::runOnModule(llvm::Module&)
/home/grosser/Projects/polly/git/lib/IR/LegacyPassManager.cpp:1540:16
    #11 0x1688e39 in runOnModule
/home/grosser/Projects/polly/git/lib/IR/LegacyPassManager.cpp:1596:23
    #12 0x1688e39 in llvm::legacy::PassManagerImpl::run(llvm::Module&)
/home/grosser/Projects/polly/git/lib/IR/LegacyPassManager.cpp:1698
    #13 0x64e0f9 in compileModule
/home/grosser/Projects/polly/git/tools/llc/llc.cpp:381:5
    #14 0x64e0f9 in main /home/grosser/Projects/polly/git/tools/llc/llc.cpp:204
    #15 0x7fdd2ae26ec4 in __libc_start_main
/build/buildd/glibc-2.19/csu/libc-start.c:287
    #16 0x59d50e in _start
(/home/grosser/Projects/polly/build_sanitize/bin/llc+0x59d50e)

0x60b00012c2d0 is located 96 bytes inside of 112-byte region
[0x60b00012c270,0x60b00012c2e0)
freed by thread T0 here:
    #0 0x643f62 in operator delete(void*)
(/home/grosser/Projects/polly/build_sanitize/bin/llc+0x643f62)
    #1 0x162b2f7 in deleteNode
/home/grosser/Projects/polly/git/include/llvm/ADT/ilist.h:113:39
    #2 0x162b2f7 in erase
/home/grosser/Projects/polly/git/include/llvm/ADT/ilist.h:466
    #3 0x162b2f7 in llvm::Instruction::eraseFromParent()
/home/grosser/Projects/polly/git/lib/IR/Instruction.cpp:71
    #4 0x2237a97 in
llvm::RecursivelyDeleteTriviallyDeadInstructions(llvm::Value*,
llvm::TargetLibraryInfo const*)
/home/grosser/Projects/polly/git/lib/Transforms/Utils/Local.cpp:368:5
    #5 0x19424aa in doOneIteration
/home/grosser/Projects/polly/git/lib/Transforms/Scalar/NaryReassociate.cpp:242:11
    #6 0x19424aa in (anonymous
namespace)::NaryReassociate::runOnFunction(llvm::Function&)
/home/grosser/Projects/polly/git/lib/Transforms/Scalar/NaryReassociate.cpp:210
    #7 0x1687d2b in llvm::FPPassManager::runOnFunction(llvm::Function&)
/home/grosser/Projects/polly/git/lib/IR/LegacyPassManager.cpp:1520:23
    #8 0x16881b5 in llvm::FPPassManager::runOnModule(llvm::Module&)
/home/grosser/Projects/polly/git/lib/IR/LegacyPassManager.cpp:1540:16
    #9 0x1688e39 in runOnModule
/home/grosser/Projects/polly/git/lib/IR/LegacyPassManager.cpp:1596:23
    #10 0x1688e39 in llvm::legacy::PassManagerImpl::run(llvm::Module&)
/home/grosser/Projects/polly/git/lib/IR/LegacyPassManager.cpp:1698
    #11 0x64e0f9 in compileModule
/home/grosser/Projects/polly/git/tools/llc/llc.cpp:381:5
    #12 0x64e0f9 in main /home/grosser/Projects/polly/git/tools/llc/llc.cpp:204
    #13 0x7fdd2ae26ec4 in __libc_start_main
/build/buildd/glibc-2.19/csu/libc-start.c:287

previously allocated by thread T0 here:
    #0 0x6439a2 in operator new(unsigned long)
(/home/grosser/Projects/polly/build_sanitize/bin/llc+0x6439a2)
    #1 0x16faa12 in llvm::User::operator new(unsigned long, unsigned int)
/home/grosser/Projects/polly/git/lib/IR/User.cpp:96:19
    #2 0x16461d4 in operator new
/home/grosser/Projects/polly/git/include/llvm/IR/InstrTypes.h:150:12
    #3 0x16461d4 in llvm::BinaryOperator::Create(llvm::Instruction::BinaryOps,
llvm::Value*, llvm::Value*, llvm::Twine const&, llvm::Instruction*)
/home/grosser/Projects/polly/git/lib/IR/Instructions.cpp:1701
    #4 0x24b3e68 in llvm::LLParser::ParseArithmetic(llvm::Instruction*&,
llvm::LLParser::PerFunctionState&, unsigned int, unsigned int)
/home/grosser/Projects/polly/git/lib/AsmParser/LLParser.cpp:4969:10
    #5 0x24ac288 in llvm::LLParser::ParseInstruction(llvm::Instruction*&,
llvm::BasicBlock*, llvm::LLParser::PerFunctionState&)
/home/grosser/Projects/polly/git/lib/AsmParser/LLParser.cpp:4545:9
    #6 0x24aad0f in
llvm::LLParser::ParseBasicBlock(llvm::LLParser::PerFunctionState&)
/home/grosser/Projects/polly/git/lib/AsmParser/LLParser.cpp:4482:13
    #7 0x2462e69 in llvm::LLParser::ParseFunctionBody(llvm::Function&)
/home/grosser/Projects/polly/git/lib/AsmParser/LLParser.cpp:4430:9
    #8 0x24506dc in llvm::LLParser::ParseDefine()
/home/grosser/Projects/polly/git/lib/AsmParser/LLParser.cpp:391:10
    #9 0x244cdf7 in llvm::LLParser::ParseTopLevelEntities()
/home/grosser/Projects/polly/git/lib/AsmParser/LLParser.cpp:197:33
    #10 0x244c8c1 in llvm::LLParser::Run()
/home/grosser/Projects/polly/git/lib/AsmParser/LLParser.cpp:47:10
    #11 0x243ee75 in llvm::parseAssemblyInto(llvm::MemoryBufferRef,
llvm::Module&, llvm::SMDiagnostic&, llvm::SlotMapping*)
/home/grosser/Projects/polly/git/lib/AsmParser/Parser.cpp:31:10
    #12 0x243f65d in llvm::parseAssembly(llvm::MemoryBufferRef,
llvm::SMDiagnostic&, llvm::LLVMContext&, llvm::SlotMapping*)
/home/grosser/Projects/polly/git/lib/AsmParser/Parser.cpp:41:7
    #13 0x1791125 in llvm::parseIR(llvm::MemoryBufferRef, llvm::SMDiagnostic&,
llvm::LLVMContext&)
/home/grosser/Projects/polly/git/lib/IRReader/IRReader.cpp:80:10
    #14 0x1791ce3 in llvm::parseIRFile(llvm::StringRef, llvm::SMDiagnostic&,
llvm::LLVMContext&)
/home/grosser/Projects/polly/git/lib/IRReader/IRReader.cpp:93:10
    #15 0x64a78f in compileModule
/home/grosser/Projects/polly/git/tools/llc/llc.cpp:228:11
    #16 0x64a78f in main /home/grosser/Projects/polly/git/tools/llc/llc.cpp:204
    #17 0x7fdd2ae26ec4 in __libc_start_main
/build/buildd/glibc-2.19/csu/libc-start.c:287

I unfortunately cannot reduce this input, as bugpoint finds some other bugs in
NVPTX that get reduced instead.

Regarding the bug itself: it seems we delete an instruction without
removing it from the dominator tree, but still query the dominator tree afterwards.

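The trace above has the classic shape of a stale side table: the freeing stack ends in RecursivelyDeleteTriviallyDeadInstructions (NaryReassociate.cpp:242), while the reading stack reaches the freed object through findClosestMatchingDominator (NaryReassociate.cpp:500) and DominatorTree::dominates, i.e. the pass still holds a raw pointer to an instruction it already erased. The following C++17 example is added here and is not code from LLVM or from the bug report; it models that pattern with toy names (Inst, Block, WeakHandle, seenExprs are this example's own, and the weak-handle version illustrates the usual remedy in the spirit of LLVM's ValueHandle, not the fix that landed for this bug). The vulnerable shape is counted by key only, because dereferencing the cached pointers is exactly the bug.

```cpp
#include <functional>
#include <initializer_list>
#include <map>
#include <memory>
#include <set>
#include <string>
#include <vector>

// Toy instruction. In LLVM these live in an intrusive ilist and are freed by
// eraseFromParent(); here a vector of unique_ptr plays the ilist.
struct Inst {
    std::string expr;                             // stand-in for the SCEV key
    std::vector<std::function<void()>> onDelete;  // invalidation hooks
    explicit Inst(std::string e) : expr(std::move(e)) {}
    ~Inst() { for (auto &f : onDelete) f(); }     // runs before the memory is freed
};
using Block = std::vector<std::unique_ptr<Inst>>;

// Minimal stand-in for a weak value handle (assumption: simplified, not
// LLVM's WeakVH): reads as null once the target has been destroyed.
class WeakHandle {
    Inst *ptr = nullptr;
    std::shared_ptr<bool> alive;
public:
    WeakHandle() = default;
    explicit WeakHandle(Inst *i) : ptr(i), alive(std::make_shared<bool>(true)) {
        std::shared_ptr<bool> a = alive;
        i->onDelete.push_back([a] { *a = false; });   // ~Inst flips the flag
    }
    Inst *get() const { return (alive && *alive) ? ptr : nullptr; }
};

// Stand-in for RecursivelyDeleteTriviallyDeadInstructions: free one Inst by key.
static void eraseDead(Block &bb, const std::string &expr) {
    for (auto it = bb.begin(); it != bb.end(); ++it)
        if ((*it)->expr == expr) { bb.erase(it); return; }   // ~Inst runs here
}

// Constructed sample block: three instructions keyed by their expression.
static Block makeBlock() {
    Block bb;
    for (const char *e : {"a+b", "(a+b)+c", "b+c"})
        bb.push_back(std::make_unique<Inst>(e));
    return bb;
}

// Vulnerable shape: the cache holds raw Inst* and is never told about
// deletions. After eraseDead the "a+b" entry still exists, and nothing in the
// map says its target is gone; a lookup that hands it to something like
// DominatorTree::dominates reads freed memory (the READ in the ASan report).
// Returns how many entries refer to an instruction no longer in the block,
// judged by key only: touching the pointers would be the bug itself.
static int danglingRawEntries() {
    Block bb = makeBlock();
    std::map<std::string, Inst *> seenExprs;
    for (auto &i : bb) seenExprs.emplace(i->expr, i.get());
    eraseDead(bb, "a+b");
    std::set<std::string> live;
    for (auto &i : bb) live.insert(i->expr);
    int dangling = 0;
    for (auto &kv : seenExprs)
        if (!live.count(kv.first)) ++dangling;   // entry outlived its target
    return dangling;                             // 1
}

// Hardened shape: cache WeakHandle instead of Inst*. The lookup skips (and
// evicts) entries whose target died instead of dereferencing them.
static Inst *lookupSafe(std::map<std::string, WeakHandle> &seen,
                        const std::string &key) {
    auto it = seen.find(key);
    if (it == seen.end()) return nullptr;
    if (Inst *i = it->second.get()) return i;    // still alive: safe to use
    seen.erase(it);                              // dead: drop the stale entry
    return nullptr;
}

// Returns {hit before delete, hit after delete, cache size after the lookup}.
static std::vector<int> safeCacheBehaviour() {
    Block bb = makeBlock();
    std::map<std::string, WeakHandle> seenExprs;
    for (auto &i : bb) seenExprs.emplace(i->expr, WeakHandle(i.get()));
    int before = lookupSafe(seenExprs, "a+b") != nullptr;
    eraseDead(bb, "a+b");
    int after = lookupSafe(seenExprs, "a+b") != nullptr;   // null, no UAF
    return {before, after, static_cast<int>(seenExprs.size())};  // {1, 0, 2}
}
```

The same lesson applies to any pass-local map keyed on expressions or values: either evict entries when the owning container erases the object, or store a handle that the object's destructor invalidates. Building llc with -fsanitize=address, as the reporter did, is the practical check, since a dangling entry in such a table is silent until the freed memory is reused.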