<html>
<head>
<base href="http://llvm.org/bugs/" />
</head>
<body><table border="1" cellspacing="0" cellpadding="8">
<tr>
<th>Bug ID</th>
<td><a class="bz_bug_link
bz_status_NEW "
title="NEW --- - Code in SimplifyCFGOpt::SimplifyParallelAndOr dereferences BasicBlock::end()"
href="http://llvm.org/bugs/show_bug.cgi?id=16732">16732</a>
</td>
</tr>
<tr>
<th>Summary</th>
<td>Code in SimplifyCFGOpt::SimplifyParallelAndOr dereferences BasicBlock::end()
</td>
</tr>
<tr>
<th>Product</th>
<td>libraries
</td>
</tr>
<tr>
<th>Version</th>
<td>trunk
</td>
</tr>
<tr>
<th>Hardware</th>
<td>PC
</td>
</tr>
<tr>
<th>OS</th>
<td>Linux
</td>
</tr>
<tr>
<th>Status</th>
<td>NEW
</td>
</tr>
<tr>
<th>Severity</th>
<td>normal
</td>
</tr>
<tr>
<th>Priority</th>
<td>P
</td>
</tr>
<tr>
<th>Component</th>
<td>Transformation Utilities
</td>
</tr>
<tr>
<th>Assignee</th>
<td>unassignedbugs@nondot.org
</td>
</tr>
<tr>
<th>Reporter</th>
<td>eugeni.stepanov@gmail.com
</td>
</tr>
<tr>
<th>CC</th>
<td>llvmbugs@cs.uiuc.edu
</td>
</tr>
<tr>
<th>Classification</th>
<td>Unclassified
</td>
</tr></table>
<p>
<div>
<pre>In the code added in r187278, r187291:
in SimplifyCFG.cpp:4293:
BasicBlock::iterator ItOld = Builder.GetInsertPoint();
returns an end iterator in Builder.GetInsertBlock().
A few lines below, the code in
Builder.SetInsertPoint(ItOld);
reads DebugLoc from *ItOld.
This triggers an AddressSanitizer report, because the instruction list sentinel
points somewhere inside the BasicBlock object itself and lacks debugging checks
for this kind of situation.
To reproduce, build with -DLLVM_USE_SANITIZER=Address and run any of the
following tests:
LLVM :: Transforms/SimplifyCFG/R600/parallelandifcollapse.ll
LLVM :: Transforms/SimplifyCFG/R600/parallelorifcollapse.ll
ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60700000deb0 at pc
0x1ba7bed bp 0x7fff957c89b0 sp 0x7fff957c89a8
READ of size 8 at 0x60700000deb0 thread T0
#0 0x1ba7bec in llvm::IRBuilderBase::SetCurrentDebugLocation(llvm::DebugLoc
const&) /code/llvm/build-debug/../include/llvm/IR/IRBuilder.h:115
#1 0x1ba7918 in llvm::IRBuilderBase::SetInsertPoint(llvm::Instruction*)
/code/llvm/build-debug/../include/llvm/IR/IRBuilder.h:90
#2 0x713b9bd in (anonymous
namespace)::SimplifyCFGOpt::SimplifyParallelAndOr(llvm::BasicBlock*,
llvm::IRBuilder<true, llvm::ConstantFolder,
llvm::IRBuilderDefaultInserter<true> >&, llvm::Pass*)
/code/llvm/build-debug/../lib/Transforms/Utils/SimplifyCFG.cpp:4323
#3 0x7136c92 in (anonymous
namespace)::SimplifyCFGOpt::run(llvm::BasicBlock*)
/code/llvm/build-debug/../lib/Transforms/Utils/SimplifyCFG.cpp:4587
#4 0x7135ea0 in llvm::SimplifyCFG(llvm::BasicBlock*,
llvm::TargetTransformInfo const&, llvm::DataLayout const*,
llvm::AliasAnalysis*)
/code/llvm/build-debug/../lib/Transforms/Utils/SimplifyCFG.cpp:4630
#5 0x6b5ecef in iterativelySimplifyCFG(llvm::Function&,
llvm::TargetTransformInfo const&, llvm::DataLayout const*,
llvm::AliasAnalysis*)
/code/llvm/build-debug/../lib/Transforms/Scalar/SimplifyCFGPass.cpp:346
#6 0x6b5b2a0 in (anonymous
namespace)::CFGSimplifyPass::runOnFunction(llvm::Function&)
/code/llvm/build-debug/../lib/Transforms/Scalar/SimplifyCFGPass.cpp:368
#7 0x832d470 in llvm::FPPassManager::runOnFunction(llvm::Function&)
/code/llvm/build-debug/../lib/IR/PassManager.cpp:1530
#8 0x832e5e5 in llvm::FPPassManager::runOnModule(llvm::Module&)
/code/llvm/build-debug/../lib/IR/PassManager.cpp:1550
#9 0x83300c2 in llvm::MPPassManager::runOnModule(llvm::Module&)
/code/llvm/build-debug/../lib/IR/PassManager.cpp:1608
#10 0x8332870 in llvm::PassManagerImpl::run(llvm::Module&)
/code/llvm/build-debug/../lib/IR/PassManager.cpp:1703
#11 0x8333657 in llvm::PassManager::run(llvm::Module&)
/code/llvm/build-debug/../lib/IR/PassManager.cpp:1738
#12 0x78cc8a in main /code/llvm/build-debug/../tools/opt/opt.cpp:827
#13 0x7fdbbc66076c (/lib/x86_64-linux-gnu/libc.so.6+0x2176c)
#14 0x725384 in _start (/code/llvm/build-debug/bin/opt+0x725384)
0x60700000deb0 is located 0 bytes to the right of 80-byte region
[0x60700000de60,0x60700000deb0)
allocated by thread T0 here:
#0 0x710c35 in operator new(unsigned long)
/code/llvm/build0/../projects/compiler-rt/lib/asan/asan_new_delete.cc:52
#1 0x173fd82 in llvm::BasicBlock::Create(llvm::LLVMContext&, llvm::Twine
const&, llvm::Function*, llvm::BasicBlock*)
/code/llvm/build-debug/../include/llvm/IR/BasicBlock.h:111
#2 0x3cc6eed in llvm::LLParser::PerFunctionState::GetVal(std::string
const&, llvm::Type*, llvm::SMLoc)
/code/llvm/build-debug/../lib/AsmParser/LLParser.cpp:2063
#3 0x3cd0fc3 in llvm::LLParser::ConvertValIDToValue(llvm::Type*,
llvm::ValID&, llvm::Value*&, llvm::LLParser::PerFunctionState*)
/code/llvm/build-debug/../lib/AsmParser/LLParser.cpp:2785
#4 0x3cd6f03 in llvm::LLParser::ParseValue(llvm::Type*, llvm::Value*&,
llvm::LLParser::PerFunctionState*)
/code/llvm/build-debug/../lib/AsmParser/LLParser.cpp:2898
#5 0x3cd728e in llvm::LLParser::ParseTypeAndValue(llvm::Value*&,
llvm::LLParser::PerFunctionState*)
/code/llvm/build-debug/../lib/AsmParser/LLParser.cpp:2904
#6 0x3d1803d in llvm::LLParser::ParseTypeAndValue(llvm::Value*&,
llvm::LLParser::PerFunctionState&)
/code/llvm/build-debug/../lib/AsmParser/LLParser.h:319
#7 0x3cd78a4 in llvm::LLParser::ParseTypeAndBasicBlock(llvm::BasicBlock*&,
llvm::SMLoc&, llvm::LLParser::PerFunctionState&)
/code/llvm/build-debug/../lib/AsmParser/LLParser.cpp:2911
#8 0x3cde715 in llvm::LLParser::ParseBr(llvm::Instruction*&,
llvm::LLParser::PerFunctionState&)
/code/llvm/build-debug/../lib/AsmParser/LLParser.cpp:3428
#9 0x3cda0a9 in llvm::LLParser::ParseInstruction(llvm::Instruction*&,
llvm::BasicBlock*, llvm::LLParser::PerFunctionState&)
/code/llvm/build-debug/../lib/AsmParser/LLParser.cpp:3243
#10 0x3cd896a in
llvm::LLParser::ParseBasicBlock(llvm::LLParser::PerFunctionState&)
/code/llvm/build-debug/../lib/AsmParser/LLParser.cpp:3194
#11 0x3c93b94 in llvm::LLParser::ParseFunctionBody(llvm::Function&)
/code/llvm/build-debug/../lib/AsmParser/LLParser.cpp:3147
#12 0x3c7e64f in llvm::LLParser::ParseDefine()
/code/llvm/build-debug/../lib/AsmParser/LLParser.cpp:424
#13 0x3c745c8 in llvm::LLParser::ParseTopLevelEntities()
/code/llvm/build-debug/../lib/AsmParser/LLParser.cpp:226
#14 0x3c73f6b in llvm::LLParser::Run()
/code/llvm/build-debug/../lib/AsmParser/LLParser.cpp:41
#15 0x3c28a9f in llvm::ParseAssembly(llvm::MemoryBuffer*, llvm::Module*,
llvm::SMDiagnostic&, llvm::LLVMContext&)
/code/llvm/build-debug/../lib/AsmParser/Parser.cpp:38
#16 0x32d1fd9 in llvm::ParseIR(llvm::MemoryBuffer*, llvm::SMDiagnostic&,
llvm::LLVMContext&) /code/llvm/build-debug/../lib/IRReader/IRReader.cpp:76
#17 0x32d29b2 in llvm::ParseIRFile(std::string const&, llvm::SMDiagnostic&,
llvm::LLVMContext&) /code/llvm/build-debug/../lib/IRReader/IRReader.cpp:88
#18 0x789ddd in main /code/llvm/build-debug/../tools/opt/opt.cpp:593
#19 0x7fdbbc66076c (/lib/x86_64-linux-gnu/libc.so.6+0x2176c)
SUMMARY: AddressSanitizer: heap-buffer-overflow
/code/llvm/build-debug/../include/llvm/IR/IRBuilder.h:115
llvm::IRBuilderBase::SetCurrentDebugLocation(llvm::DebugLoc const&)
Shadow bytes around the buggy address:
0x0c0e7fff9b80: 00 00 fa fa fa fa 00 00 00 00 00 00 00 00 00 00
0x0c0e7fff9b90: fa fa fa fa 00 00 00 00 00 00 00 00 00 00 fa fa
0x0c0e7fff9ba0: fa fa 00 00 00 00 00 00 00 00 00 00 fa fa fa fa
0x0c0e7fff9bb0: 00 00 00 00 00 00 00 00 00 00 fa fa fa fa fd fd
0x0c0e7fff9bc0: fd fd fd fd fd fd fd fd fa fa fa fa 00 00 00 00
=>0x0c0e7fff9bd0: 00 00 00 00 00 00[fa]fa fa fa 00 00 00 00 00 00
0x0c0e7fff9be0: 00 00 00 00 fa fa fa fa 00 00 00 00 00 00 00 00
0x0c0e7fff9bf0: 00 fa fa fa fa fa 00 00 00 00 00 00 00 00 00 00
0x0c0e7fff9c00: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c0e7fff9c10: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c0e7fff9c20: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa</pre>
</div>
</p>
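<p>The failure the report describes is a general one for intrusive lists with an embedded sentinel: <code>end()</code> is a valid iterator value but not a dereferenceable one, and an overload that takes a bare node pointer cannot tell the two apart. The following is an added example written for this page, not LLVM code: a toy block whose sentinel is embedded in the block object (as in <code>llvm::ilist</code>), and a builder with the same three insert-point overloads as the pattern in the report. The <code>Block</code>, <code>Instruction</code>, <code>Builder</code> and <code>0xDEADBEEF</code> marker are constructed for illustration. In the real layout the sentinel is a smaller node at the tail of the <code>BasicBlock</code> allocation, so the read of the debug location lands just past the 80-byte region exactly as the AddressSanitizer output shows; here the sentinel is a full node carrying a marker so the wrong read is observable without undefined behaviour.</p>

```cpp
// Added example (not LLVM code). Models an intrusive list with an embedded
// sentinel and a builder whose Instruction* overload reads a DebugLoc
// unconditionally, reproducing the save/restore bug around an end() iterator.
#include <cstdio>
#include <string>

struct DebugLoc { unsigned Line = 0; };

struct Instruction {
  Instruction *Prev = nullptr;
  Instruction *Next = nullptr;
  DebugLoc DL;
  std::string Name;
};

// A block owning a circular intrusive list. The sentinel lives inside the
// block object, so end() points into the Block, not at any real Instruction.
class Block {
public:
  using iterator = Instruction *; // node pointer used as the iterator

  Block() {
    Sentinel.Prev = &Sentinel;
    Sentinel.Next = &Sentinel;
    Sentinel.DL.Line = 0xDEADBEEFu; // constructed marker: in a real ilist the
                                    // sentinel has no DebugLoc, this read is OOB
    Sentinel.Name = "<sentinel>";
  }
  iterator begin() { return Sentinel.Next; }
  iterator end() { return &Sentinel; }
  void push_back(Instruction *I) {
    I->Next = &Sentinel;
    I->Prev = Sentinel.Prev;
    Sentinel.Prev->Next = I;
    Sentinel.Prev = I;
  }

private:
  Instruction Sentinel;
};

class Builder {
public:
  Block *getInsertBlock() const { return BB; }
  Block::iterator getInsertPoint() const { return InsertPt; }
  DebugLoc getCurrentDebugLocation() const { return CurDL; }

  // Append mode: leaves InsertPt == TheBB->end(), which is what the report's
  // Builder.GetInsertPoint() then hands back.
  void setInsertPoint(Block *TheBB) { BB = TheBB; InsertPt = TheBB->end(); }

  // The overload the report describes: trusts that I is a real instruction
  // and reads its debug location without any check.
  void setInsertPoint(Instruction *I) {
    InsertPt = I;
    CurDL = I->DL; // with I == end() this reads the sentinel's storage
  }

  // Defensive overload: given the block as well, it can compare against
  // end() and only dereference a real instruction.
  void setInsertPoint(Block *TheBB, Block::iterator IP) {
    BB = TheBB;
    InsertPt = IP;
    if (IP != TheBB->end())
      CurDL = IP->DL;
  }

private:
  Block *BB = nullptr;
  Block::iterator InsertPt = nullptr;
  DebugLoc CurDL;
};

// Save/restore pattern from the report with an empty block: the saved
// iterator is end(), and the Instruction* overload dereferences it.
// Returns the marker line the builder picks up from the sentinel.
unsigned saveRestoreNaive() {
  Block BB, Other;
  Builder B;
  B.setInsertPoint(&BB);                    // InsertPt == BB.end()
  Block::iterator ItOld = B.getInsertPoint();
  B.setInsertPoint(&Other);                 // work somewhere else
  B.setInsertPoint(ItOld);                  // BUG: reads *end()
  return B.getCurrentDebugLocation().Line;  // 0xDEADBEEF
}

// Same sequence, but saving the block too and restoring through the
// block-plus-iterator overload, which checks for end() first.
unsigned saveRestoreSafe() {
  Block BB, Other;
  Builder B;
  B.setInsertPoint(&BB);
  Block *BBOld = B.getInsertBlock();
  Block::iterator ItOld = B.getInsertPoint();
  B.setInsertPoint(&Other);
  B.setInsertPoint(BBOld, ItOld);           // ItOld == BBOld->end(): no read
  return B.getCurrentDebugLocation().Line;  // 0, untouched
}

// Control: when the saved iterator names a real instruction, the
// Instruction* overload is fine and picks up its debug line (42).
unsigned restoreAtFirstInstruction() {
  Block BB;
  Instruction Add;                          // constructed instruction
  Add.Name = "add";
  Add.DL.Line = 42;
  BB.push_back(&Add);
  Builder B;
  B.setInsertPoint(&BB, BB.begin());
  Block::iterator ItOld = B.getInsertPoint();
  B.setInsertPoint(&BB);
  B.setInsertPoint(ItOld);
  return B.getCurrentDebugLocation().Line;
}

int main() {
  std::printf("naive restore: 0x%x\n", saveRestoreNaive());
  std::printf("safe restore:  %u\n", saveRestoreSafe());
  std::printf("real insn:     %u\n", restoreAtFirstInstruction());
  return 0;
}
```

<p>The practical check is the one the defensive overload performs: a saved insert-point iterator must be compared against the saved block's <code>end()</code> before it is treated as an instruction, which means saving <code>GetInsertBlock()</code> alongside <code>GetInsertPoint()</code> so that the comparison is possible at restore time.</p>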
</body>
</html>