[llvm-bugs] [Bug 34490] New: r312318 causing null dereference crash

via llvm-bugs llvm-bugs at lists.llvm.org
Tue Sep 5 17:19:56 PDT 2017


https://bugs.llvm.org/show_bug.cgi?id=34490

            Bug ID: 34490
           Summary: r312318 causing null dereference crash
           Product: libraries
           Version: trunk
          Hardware: PC
                OS: Linux
            Status: NEW
          Severity: enhancement
          Priority: P
         Component: Interprocedural Optimizations
          Assignee: unassignedbugs at nondot.org
          Reporter: rtrieu at google.com
                CC: llvm-bugs at lists.llvm.org

From r312318,

lib/Transforms/IPO/GlobalOpt.cpp:1616
+    ConstantInt *CIInit = dyn_cast<ConstantInt>(GV->getInitializer());
+    uint64_t ValInit = CIInit->getZExtValue();
+    uint64_t ValOther = CI->getZExtValue();
+    uint64_t ValMinus = ValOther - ValInit;
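Review bot: `CIInit` is the result of `dyn_cast<ConstantInt>` and is dereferenced unconditionally on the very next line (`CIInit->getZExtValue()`); `dyn_cast` returns null whenever the initializer is not a `ConstantInt`, which the reporter's `static long b = a;` case produces, so this is a guaranteed null dereference on that input. Guard the rest of the block with an `if (!CIInit)` check that skips the transformation, or, if an integer initializer is actually an invariant at this point, use `cast<ConstantInt>` so the assumption is asserted in debug builds rather than silently dereferenced.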

CIInit is the result of a dyn_cast call, but not checked for nullness.  Its use
on the next line will crash when it is null.  The following code will trigger
that case:

$ cat test.c
a[];
static long b = a;
fn1() {
  a > b;
  b = 0;
}
$ clang -w -O2 test.c
#0 0x0000000001e191e4 PrintStackTraceSignalHandler(void*)
(/usr/local/bin/clang-3.5+0x1e191e4)
#1 0x0000000001e19546 SignalHandler(int) (/usr/local/bin/clang-3.5+0x1e19546)
#2 0x00007f3c5707b330 __restore_rt
(/lib/x86_64-linux-gnu/libpthread.so.0+0x10330)
#3 0x00000000019dd260 processInternalGlobal(llvm::GlobalVariable*,
llvm::GlobalStatus const&, llvm::TargetLibraryInfo*,
llvm::function_ref<llvm::DominatorTree& (llvm::Function&)>)
(/usr/local/bin/clang-3.5+0x19dd260)
#4 0x00000000019dac4c processGlobal(llvm::GlobalValue&,
llvm::TargetLibraryInfo*, llvm::function_ref<llvm::DominatorTree&
(llvm::Function&)>) (/usr/local/bin/clang-3.5+0x19dac4c)
#5 0x00000000019d8b25 optimizeGlobalsInModule(llvm::Module&, llvm::DataLayout
const&, llvm::TargetLibraryInfo*, llvm::function_ref<llvm::DominatorTree&
(llvm::Function&)>) (/usr/local/bin/clang-3.5+0x19d8b25)
#6 0x00000000019e5d4c (anonymous
namespace)::GlobalOptLegacyPass::runOnModule(llvm::Module&)
(/usr/local/bin/clang-3.5+0x19e5d4c)
#7 0x0000000001940ad6 llvm::legacy::PassManagerImpl::run(llvm::Module&)
(/usr/local/bin/clang-3.5+0x1940ad6)
#8 0x0000000001fbaa2b clang::EmitBackendOutput(clang::DiagnosticsEngine&,
clang::HeaderSearchOptions const&, clang::CodeGenOptions const&,
clang::TargetOptions const&, clang::LangOptions const&, llvm::DataLayout
const&, llvm::Module*, clang::BackendAction,
std::unique_ptr<llvm::raw_pwrite_stream,
std::default_delete<llvm::raw_pwrite_stream> >)
(/usr/local/bin/clang-3.5+0x1fbaa2b)
#9 0x000000000274d434
clang::BackendConsumer::HandleTranslationUnit(clang::ASTContext&)
(/usr/local/bin/clang-3.5+0x274d434)
#10 0x0000000002c38a36 clang::ParseAST(clang::Sema&, bool, bool)
(/usr/local/bin/clang-3.5+0x2c38a36)
#11 0x00000000023da5a0 clang::FrontendAction::Execute()
(/usr/local/bin/clang-3.5+0x23da5a0)
#12 0x0000000002387031
clang::CompilerInstance::ExecuteAction(clang::FrontendAction&)
(/usr/local/bin/clang-3.5+0x2387031)
#13 0x000000000247078c
clang::ExecuteCompilerInvocation(clang::CompilerInstance*)
(/usr/local/bin/clang-3.5+0x247078c)
#14 0x000000000086b66b cc1_main(llvm::ArrayRef<char const*>, char const*,
void*) (/usr/local/bin/clang-3.5+0x86b66b)
#15 0x0000000000868ec6 main (/usr/local/bin/clang-3.5+0x868ec6)
#16 0x00007f3c55f59f45 __libc_start_main
/build/eglibc-SvCtMH/eglibc-2.19/csu/libc-start.c:321:0
#17 0x0000000000865e39 _start (/usr/local/bin/clang-3.5+0x865e39)
Stack dump:
0.      Program arguments: /usr/local/bin/clang-3.5 -cc1 -triple
x86_64-unknown-linux-gnu -emit-obj -disable-free -main-file-name test.c
-mrelocation-model static -mthread-model posix -fmath-errno -masm-verbose
-mconstructor-aliases -munwind-tables -fuse-init-array -target-cpu x86-64
-dwarf-column-info -debugger-tuning=gdb -momit-leaf-frame-pointer -resource-dir
/usr/local/lib/clang/6.0.0 -internal-isystem /usr/local/include
-internal-isystem /usr/local/lib/clang/6.0.0/include -internal-externc-isystem
/usr/include/x86_64-linux-gnu -internal-externc-isystem /include
-internal-externc-isystem /usr/include -O2 -w -fdebug-compilation-dir
/usr/local/google/home/rtrieu/test/kernel -ferror-limit 19 -fmessage-length 80
-fobjc-runtime=gcc -fdiagnostics-show-option -fcolor-diagnostics
-vectorize-loops -vectorize-slp -o /tmp/test-ce80f5.o -x c test.c 
1.      <eof> parser at end of file
2.      Per-module optimization passes
3.      Running pass 'Global Variable Optimizer' on module 'test.c'.
clang-3.5: error: unable to execute command: Segmentation fault (core dumped)
clang-3.5: error: clang frontend command failed due to signal (use -v to see
invocation)
clang version 6.0.0 (trunk 312575)
Target: x86_64-unknown-linux-gnu
Thread model: posix
InstalledDir: /usr/local/bin
clang-3.5: note: diagnostic msg: PLEASE submit a bug report to
http://llvm.org/bugs/ and include the crash backtrace, preprocessed source, and
associated run script.
clang-3.5: note: diagnostic msg: 
********************

PLEASE ATTACH THE FOLLOWING FILES TO THE BUG REPORT:
Preprocessed source(s) and associated run script(s) are located at:
clang-3.5: note: diagnostic msg: /tmp/test-b0a540.c
clang-3.5: note: diagnostic msg: /tmp/test-b0a540.sh
clang-3.5: note: diagnostic msg: 

********************
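The failure pattern above, as an added stand-alone example (not LLVM's code and not the reporter's): a minimal C++ stand-in for LLVM's `classof`/`dyn_cast<>` idiom, with the crashing shape of the r312318 snippet beside a guarded version that bails out when the global's initializer is not an integer constant. The class names mirror LLVM's for readability, but the hierarchy, `dyn_cast`, `GlobalVariable`, and the `valMinusUnchecked`/`valMinusChecked` functions are all constructed here and are not LLVM APIs.

```cpp
// Added example, not LLVM code: a tiny model of LLVM's dyn_cast<> contract,
// used to show why dereferencing its result without a null check crashes and
// what the guarded version does on the reporter's test case.
#include <cstdint>
#include <memory>

// Minimal stand-in for llvm::Constant with LLVM-style classof() dispatch.
struct Constant {
  enum Kind { ConstantIntKind, ConstantExprKind };
  explicit Constant(Kind K) : TheKind(K) {}
  virtual ~Constant() {}
  Kind getKind() const { return TheKind; }
private:
  Kind TheKind;
};

// Integer constant initializer, e.g. `static long b = 5;`.
struct ConstantInt : Constant {
  explicit ConstantInt(uint64_t V) : Constant(ConstantIntKind), Val(V) {}
  uint64_t getZExtValue() const { return Val; }
  static bool classof(const Constant *C) { return C->getKind() == ConstantIntKind; }
private:
  uint64_t Val;
};

// Stands in for a non-integer initializer such as the pointer-derived
// constant clang emits for `static long b = a;` in the reporter's test.c.
struct ConstantExpr : Constant {
  ConstantExpr() : Constant(ConstantExprKind) {}
  static bool classof(const Constant *C) { return C->getKind() == ConstantExprKind; }
};

// Same contract as llvm::dyn_cast: nullptr when the dynamic type does not
// match. That nullptr is exactly what the r312318 snippet never checked.
template <typename To, typename From>
To *dyn_cast(From *V) {
  return To::classof(V) ? static_cast<To *>(V) : nullptr;
}

// A global variable owning its initializer, like llvm::GlobalVariable.
struct GlobalVariable {
  explicit GlobalVariable(std::unique_ptr<Constant> I) : Init(std::move(I)) {}
  Constant *getInitializer() const { return Init.get(); }
private:
  std::unique_ptr<Constant> Init;
};

// Mirrors the shape of the r312318 code: dereferences CIInit unconditionally.
// With a ConstantExpr initializer CIInit is nullptr and this is the segfault.
uint64_t valMinusUnchecked(const GlobalVariable &GV, const ConstantInt &CI) {
  ConstantInt *CIInit = dyn_cast<ConstantInt>(GV.getInitializer());
  uint64_t ValInit = CIInit->getZExtValue();   // null dereference when not a ConstantInt
  uint64_t ValOther = CI.getZExtValue();
  return ValOther - ValInit;
}

// Guarded version: returns false (skip the optimisation) when the initializer
// is not an integer constant, and writes the difference to Out otherwise.
bool valMinusChecked(const GlobalVariable &GV, const ConstantInt &CI, uint64_t &Out) {
  ConstantInt *CIInit = dyn_cast<ConstantInt>(GV.getInitializer());
  if (!CIInit)
    return false;
  uint64_t ValInit = CIInit->getZExtValue();
  uint64_t ValOther = CI.getZExtValue();
  Out = ValOther - ValInit;
  return true;
}

// Scenario 1 (constructed): integer initializer 5, other operand 12 -> 7.
bool checkedHandlesInteger() {
  GlobalVariable GV(std::unique_ptr<Constant>(new ConstantInt(5)));
  ConstantInt Other(12);
  uint64_t R = 0;
  return valMinusChecked(GV, Other, R) && R == 7 && valMinusUnchecked(GV, Other) == 7;
}

// Scenario 2 (constructed): non-integer initializer, as in the reporter's
// test.c. The guarded path declines; the unchecked path would crash here.
bool checkedRejectsExpr() {
  GlobalVariable GV(std::unique_ptr<Constant>(new ConstantExpr()));
  ConstantInt Other(0);
  uint64_t R = 0;
  return !valMinusChecked(GV, Other, R);
}
```

The guarded function returns a status rather than a value so the caller can simply skip the transformation for globals whose initializer is not an integer; that matches how GlobalOpt's per-global helpers signal "no change made" and avoids turning an unsupported input into a crash.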
