<html>
<head>
<base href="http://llvm.org/bugs/" />
</head>
<body><table border="1" cellspacing="0" cellpadding="8">
<tr>
<th>Bug ID</th>
<td><a class="bz_bug_link
bz_status_NEW "
title="NEW --- - ASan reports a use-after-free in llvm::Metadata::getMetadataID() when running opt"
href="http://llvm.org/bugs/show_bug.cgi?id=22280">22280</a>
</td>
</tr>
<tr>
<th>Summary</th>
<td>ASan reports a use-after-free in llvm::Metadata::getMetadataID() when running opt
</td>
</tr>
<tr>
<th>Product</th>
<td>libraries
</td>
</tr>
<tr>
<th>Version</th>
<td>trunk
</td>
</tr>
<tr>
<th>Hardware</th>
<td>PC
</td>
</tr>
<tr>
<th>OS</th>
<td>Linux
</td>
</tr>
<tr>
<th>Status</th>
<td>NEW
</td>
</tr>
<tr>
<th>Severity</th>
<td>normal
</td>
</tr>
<tr>
<th>Priority</th>
<td>P
</td>
</tr>
<tr>
<th>Component</th>
<td>LLVM assembly language parser
</td>
</tr>
<tr>
<th>Assignee</th>
<td>unassignedbugs@nondot.org
</td>
</tr>
<tr>
<th>Reporter</th>
<td>glider@google.com
</td>
</tr>
<tr>
<th>CC</th>
<td>llvmbugs@cs.uiuc.edu
</td>
</tr>
<tr>
<th>Classification</th>
<td>Unclassified
</td>
</tr></table>
<p>
<div>
<pre>To reproduce, build opt with AddressSanitizer instrumentation.
The test case has been extracted from
llvm/test/Transforms/LoopUnroll/unroll-pragmas.ll
$ cat temp.ll
target datalayout = "e-m:e-i64:64-f80:128-n8:16:32:64-S128"
target triple = "x86_64-unknown-linux-gnu"
define void @unroll_1M(i32* nocapture %a, i32 %b) {
entry:
br label %for.body
for.body: ; preds = %for.body, %entry
%indvars.iv = phi i64 [ 0, %entry ], [ %indvars.iv.next, %for.body ]
%arrayidx = getelementptr inbounds i32* %a, i64 %indvars.iv
%0 = load i32* %arrayidx, align 4
%inc = add nsw i32 %0, 1
store i32 %inc, i32* %arrayidx, align 4
%indvars.iv.next = add nuw nsw i64 %indvars.iv, 1
%exitcond = icmp eq i64 %indvars.iv.next, 1000000
br i1 %exitcond, label %for.end, label %for.body, !llvm.loop !12
for.end: ; preds = %for.body
ret void
}
!12 = !{!12, !4}
$ llvm/opt temp.ll
=================================================================
==18735==ERROR: AddressSanitizer: heap-use-after-free on address 0x603000005680
at pc 0x00000132d10b bp 0x7fff08988050 sp 0x7fff08988048
READ of size 1 at 0x603000005680 thread T0
#0 0x132d10a in llvm::Metadata::getMetadataID() const
third_party/llvm/llvm/include/llvm/IR/Metadata.h:85:43
#1 0x132d3c8 in llvm::MDNode::classof(llvm::Metadata const*)
third_party/llvm/llvm/include/llvm/IR/Metadata.h:867:12
#2 0x1c9697c in llvm::isa_impl_wrap<llvm::MDNode, llvm::Metadata* const,
llvm::Metadata const*>::doit(llvm::Metadata* const&)
third_party/llvm/llvm/include/llvm/Support/Casting.h:112:12
#3 0x2a39e30 in llvm::cast_retty<llvm::MDNode, llvm::Metadata*>::ret_type
llvm::dyn_cast<llvm::MDNode, llvm::Metadata>(llvm::Metadata*)
third_party/llvm/llvm/include/llvm/Support/Casting.h:298:10
#4 0x2f6e67d in llvm::ReplaceableMetadataImpl::get(llvm::Metadata&)
third_party/llvm/llvm/lib/IR/MetadataTracking.cpp:20:17
#5 0x2f6e895 in llvm::MetadataTracking::untrack(void*, llvm::Metadata&)
third_party/llvm/llvm/lib/IR/MetadataTracking.cpp:38:17
#6 0x27751af in void
std::_Destroy_aux<false>::__destroy<llvm::TypedTrackingMDRef<llvm::MDNode>*>(llvm::TypedTrackingMDRef<llvm::MDNode>*,
llvm::TypedTrackingMDRef<llvm::MDNode>*) ..../bits/stl_construct.h:103:6
#7 0x277504d in std::vector<llvm::TypedTrackingMDRef<llvm::MDNode>,
std::allocator<llvm::TypedTrackingMDRef<llvm::MDNode> > >::~vector()
..../bits/stl_vector.h:468:9
#8 0x2d88e44 in llvm::LLParser::~LLParser()
third_party/llvm/llvm/lib/AsmParser/LLParser.h:108:9
#9 0x2d882bb in llvm::parseAssemblyInto(llvm::MemoryBufferRef,
llvm::Module&, llvm::SMDiagnostic&)
third_party/llvm/llvm/lib/AsmParser/Parser.cpp:29:3
#10 0x2d8846f in llvm::parseAssembly(llvm::MemoryBufferRef,
llvm::SMDiagnostic&, llvm::LLVMContext&)
third_party/llvm/llvm/lib/AsmParser/Parser.cpp:38:7
#11 0x2d85f58 in llvm::parseIR(llvm::MemoryBufferRef, llvm::SMDiagnostic&,
llvm::LLVMContext&) third_party/llvm/llvm/lib/IRReader/IRReader.cpp:79:10
#12 0x2d86461 in llvm::parseIRFile(llvm::StringRef, llvm::SMDiagnostic&,
llvm::LLVMContext&) third_party/llvm/llvm/lib/IRReader/IRReader.cpp:92:10
#13 0x1386be3 in main third_party/llvm/llvm/tools/opt/opt.cpp:341:31
#14 0x7f4d1dd5ace7 in __libc_start_main (..../lib64/libc.so.6+0x38ce7)
#15 0x1277038 in _start ..../sysdeps/x86_64/start.S:118
0x603000005680 is located 0 bytes inside of 24-byte region
[0x603000005680,0x603000005698)
freed by thread T0 here:
#0 0x13202a2 in operator delete(void*)
third_party/llvm/llvm/projects/compiler-rt/lib/asan/asan_new_delete.cc:94:3
#1 0x2aedad6 in std::unique_ptr<llvm::MDTuple,
llvm::TempMDNodeDeleter>::~unique_ptr() ..../bits/unique_ptr.h:236:4
#2 0x2d895ca in std::_Rb_tree<unsigned int, std::pair<unsigned int const,
std::pair<std::unique_ptr<llvm::MDTuple, llvm::TempMDNodeDeleter>, llvm::SMLoc>
>, std::_Select1st<std::pair<unsigned int const,
std::pair<std::unique_ptr<llvm::MDTuple, llvm::TempMDNodeDeleter>, llvm::SMLoc>
> >, std::less<unsigned int>, std::allocator<std::pair<unsigned int const,
std::pair<std::unique_ptr<llvm::MDTuple, llvm::TempMDNodeDeleter>, llvm::SMLoc>
> > >::_M_destroy_node(std::_Rb_tree_node<std::pair<unsigned int const,
std::pair<std::unique_ptr<llvm::MDTuple, llvm::TempMDNodeDeleter>, llvm::SMLoc>
> >*) ..../bits/stl_tree.h:436:2
#3 0x2d894e8 in std::_Rb_tree<unsigned int, std::pair<unsigned int const,
std::pair<std::unique_ptr<llvm::MDTuple, llvm::TempMDNodeDeleter>, llvm::SMLoc>
>, std::_Select1st<std::pair<unsigned int const,
std::pair<std::unique_ptr<llvm::MDTuple, llvm::TempMDNodeDeleter>, llvm::SMLoc>
> >, std::less<unsigned int>, std::allocator<std::pair<unsigned int const,
std::pair<std::unique_ptr<llvm::MDTuple, llvm::TempMDNodeDeleter>, llvm::SMLoc>
> > >::_M_erase(std::_Rb_tree_node<std::pair<unsigned int const,
std::pair<std::unique_ptr<llvm::MDTuple, llvm::TempMDNodeDeleter>, llvm::SMLoc>
> >*) ..../bits/stl_tree.h:1287:4
#4 0x2d88e38 in llvm::LLParser::~LLParser()
third_party/llvm/llvm/lib/AsmParser/LLParser.h:108:9
#5 0x2d882bb in llvm::parseAssemblyInto(llvm::MemoryBufferRef,
llvm::Module&, llvm::SMDiagnostic&)
third_party/llvm/llvm/lib/AsmParser/Parser.cpp:29:3
#6 0x2d8846f in llvm::parseAssembly(llvm::MemoryBufferRef,
llvm::SMDiagnostic&, llvm::LLVMContext&)
third_party/llvm/llvm/lib/AsmParser/Parser.cpp:38:7
#7 0x2d85f58 in llvm::parseIR(llvm::MemoryBufferRef, llvm::SMDiagnostic&,
llvm::LLVMContext&) third_party/llvm/llvm/lib/IRReader/IRReader.cpp:79:10
#8 0x2d86461 in llvm::parseIRFile(llvm::StringRef, llvm::SMDiagnostic&,
llvm::LLVMContext&) third_party/llvm/llvm/lib/IRReader/IRReader.cpp:92:10
#9 0x1386be3 in main third_party/llvm/llvm/tools/opt/opt.cpp:341:31
#10 0x7f4d1dd5ace7 in __libc_start_main (..../lib64/libc.so.6+0x38ce7)
#11 0x1277038 in _start ..../sysdeps/x86_64/start.S:118
previously allocated by thread T0 here:
#0 0x131fce2 in operator new(unsigned long)
third_party/llvm/llvm/projects/compiler-rt/lib/asan/asan_new_delete.cc:62:35
#1 0x2f71955 in llvm::MDNode::operator new(unsigned long, unsigned int)
third_party/llvm/llvm/lib/IR/Metadata.cpp:384:15
#2 0x2f736a6 in llvm::MDTuple::getImpl(llvm::LLVMContext&,
llvm::ArrayRef<llvm::Metadata*>, llvm::Metadata::StorageType, bool)
third_party/llvm/llvm/lib/IR/Metadata.cpp:704:20
#3 0x2aeda74 in llvm::MDTuple::getTemporary(llvm::LLVMContext&,
llvm::ArrayRef<llvm::Metadata*>)
third_party/llvm/llvm/include/llvm/IR/Metadata.h:934:24
#4 0x2d9e767 in llvm::LLParser::ParseMDNodeID(llvm::MDNode*&)
third_party/llvm/llvm/lib/AsmParser/LLParser.cpp:535:27
#5 0x2daed24 in llvm::LLParser::ParseMDNodeTail(llvm::MDNode*&)
third_party/llvm/llvm/lib/AsmParser/LLParser.cpp:2921:10
#6 0x2daf303 in llvm::LLParser::ParseMetadata(llvm::Metadata*&,
llvm::LLParser::PerFunctionState*)
third_party/llvm/llvm/lib/AsmParser/LLParser.cpp:3114:7
#7 0x2daec4c in
llvm::LLParser::ParseMDNodeVector(llvm::SmallVectorImpl<llvm::Metadata*>&)
third_party/llvm/llvm/lib/AsmParser/LLParser.cpp:4820:9
#8 0x2d9ed96 in llvm::LLParser::ParseMDTuple(llvm::MDNode*&, bool)
third_party/llvm/llvm/lib/AsmParser/LLParser.cpp:2896:7
#9 0x2d97ab4 in llvm::LLParser::ParseStandaloneMetadata()
third_party/llvm/llvm/lib/AsmParser/LLParser.cpp:594:14
#10 0x2d93e85 in llvm::LLParser::ParseTopLevelEntities()
third_party/llvm/llvm/lib/AsmParser/LLParser.cpp:182:33
#11 0x2d93a19 in llvm::LLParser::Run()
third_party/llvm/llvm/lib/AsmParser/LLParser.cpp:43:10
#12 0x2d882b0 in llvm::parseAssemblyInto(llvm::MemoryBufferRef,
llvm::Module&, llvm::SMDiagnostic&)
third_party/llvm/llvm/lib/AsmParser/Parser.cpp:29:10
#13 0x2d8846f in llvm::parseAssembly(llvm::MemoryBufferRef,
llvm::SMDiagnostic&, llvm::LLVMContext&)
third_party/llvm/llvm/lib/AsmParser/Parser.cpp:38:7
#14 0x2d85f58 in llvm::parseIR(llvm::MemoryBufferRef, llvm::SMDiagnostic&,
llvm::LLVMContext&) third_party/llvm/llvm/lib/IRReader/IRReader.cpp:79:10
#15 0x2d86461 in llvm::parseIRFile(llvm::StringRef, llvm::SMDiagnostic&,
llvm::LLVMContext&) third_party/llvm/llvm/lib/IRReader/IRReader.cpp:92:10
#16 0x1386be3 in main third_party/llvm/llvm/tools/opt/opt.cpp:341:31
#17 0x7f4d1dd5ace7 in __libc_start_main (..../lib64/libc.so.6+0x38ce7)
#18 0x1277038 in _start ..../sysdeps/x86_64/start.S:118
SUMMARY: AddressSanitizer: heap-use-after-free
third_party/llvm/llvm/include/llvm/IR/Metadata.h:85
llvm::Metadata::getMetadataID() const
Shadow bytes around the buggy address:
0x0c067fff8a80: fa fa fd fd fd fd fa fa fd fd fd fd fa fa fd fd
0x0c067fff8a90: fd fd fa fa fd fd fd fd fa fa fd fd fd fd fa fa
0x0c067fff8aa0: fd fd fd fd fa fa fd fd fd fd fa fa fd fd fd fd
0x0c067fff8ab0: fa fa fd fd fd fd fa fa 00 00 00 00 fa fa fd fd
0x0c067fff8ac0: fd fd fa fa 00 00 00 00 fa fa 00 00 00 fa fa fa
=>0x0c067fff8ad0:[fd]fd fd fa fa fa fd fd fd fa fa fa 00 00 02 fa
0x0c067fff8ae0: fa fa 00 00 00 fa fa fa 00 00 00 01 fa fa 00 00
0x0c067fff8af0: 00 00 fa fa fd fd fd fd fa fa 00 00 04 fa fa fa
0x0c067fff8b00: 00 00 00 01 fa fa fd fd fd fd fa fa 00 00 00 03
0x0c067fff8b10: fa fa fd fd fd fd fa fa fd fd fd fd fa fa 00 00
0x0c067fff8b20: 00 01 fa fa 00 00 06 fa fa fa fd fd fd fd fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Heap right redzone: fb
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack partial redzone: f4
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
==18735==ABORTING</pre>
</div>
</p>
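<p>The two stacks in the report above are both inside <code>llvm::LLParser::~LLParser()</code>: the "freed by" stack is the destructor of a <code>std::map</code> of temporary <code>MDTuple</code> nodes, and the "READ" stack is the destructor of a <code>std::vector</code> of tracking references whose destructors untrack (and therefore touch) the node they point at. Members of a C++ class are destroyed in reverse declaration order, so if the owning map is destroyed before the tracking references, every reference untracks a node that is already gone. The following is an added, simplified model of that failure pattern written for this page; it is not LLVM's code, and <code>Node</code>, <code>TrackingRef</code>, <code>ParserBuggy</code>, <code>ParserFixed</code> and the registry globals are assumed names. To keep the demonstration free of undefined behaviour, a dangling untrack is detected through a live-object registry and counted instead of dereferencing freed memory (under AddressSanitizer the real code would report exactly the heap-use-after-free shown above).</p>

```cpp
#include <cstdio>
#include <map>
#include <memory>
#include <set>
#include <vector>

// Constructed stand-in for ASan: the set of nodes that are currently alive.
// A dangling untrack is counted here instead of being executed as a UAF.
static std::set<const void*> g_live_nodes;
static int g_dangling_untracks = 0;

// Model of a temporary metadata node that knows who is tracking it.
struct Node {
  unsigned id;
  std::set<void*> trackers;
  explicit Node(unsigned i) : id(i) { g_live_nodes.insert(this); }
  ~Node() { g_live_nodes.erase(this); }
};

// Model of TypedTrackingMDRef: registers with the node on construction and
// unregisters in its destructor, which requires the node to still exist.
struct TrackingRef {
  Node* target = nullptr;
  explicit TrackingRef(Node* n) : target(n) {
    if (n) n->trackers.insert(this);
  }
  TrackingRef(const TrackingRef&) = delete;
  TrackingRef(TrackingRef&& o) noexcept : target(o.target) {
    if (target) {
      target->trackers.erase(&o);
      target->trackers.insert(this);
    }
    o.target = nullptr;
  }
  ~TrackingRef() {
    if (!target) return;
    if (g_live_nodes.count(target) == 0) {
      ++g_dangling_untracks;  // the real code would read freed memory here
      return;
    }
    target->trackers.erase(this);
  }
};

// Buggy layout: the reference vector is declared first, so it is destroyed
// LAST, after the map has already deleted every node it owned.
struct ParserBuggy {
  std::vector<TrackingRef> numbered;                       // destroyed 2nd
  std::map<unsigned, std::unique_ptr<Node>> forwardRefs;   // destroyed 1st
  void parseForwardRef(unsigned id) {
    auto n = std::make_unique<Node>(id);
    numbered.emplace_back(n.get());
    forwardRefs[id] = std::move(n);
  }
};

// Fixed layout: the dependency is made explicit by dropping the tracking
// references before the owning map goes away. Reordering the two members so
// the map is declared first would have the same effect, but relies on
// readers knowing the reverse-destruction rule.
struct ParserFixed {
  std::vector<TrackingRef> numbered;
  std::map<unsigned, std::unique_ptr<Node>> forwardRefs;
  void parseForwardRef(unsigned id) {
    auto n = std::make_unique<Node>(id);
    numbered.emplace_back(n.get());
    forwardRefs[id] = std::move(n);
  }
  ~ParserFixed() { numbered.clear(); }  // untrack while nodes are alive
};

// Simulates parsing "!12 = !{!12, !4}" where !4 is never defined, so the
// temporary node for !4 is still owned by the forward-ref map at teardown.
int dangling_after_buggy() {
  g_dangling_untracks = 0;
  { ParserBuggy p; p.parseForwardRef(4); }
  return g_dangling_untracks;  // 1
}

int dangling_after_fixed() {
  g_dangling_untracks = 0;
  { ParserFixed p; p.parseForwardRef(4); }
  return g_dangling_untracks;  // 0
}

int main() {
  std::printf("buggy order: %d dangling untrack(s)\n", dangling_after_buggy());
  std::printf("fixed order: %d dangling untrack(s)\n", dangling_after_fixed());
  return 0;
}
```

<p>The registry stands in for the instrumentation: in the real parser the untrack dereferences the node, which is why ASan flags the read in <code>getMetadataID()</code> rather than anything in the parser itself. When auditing a class that mixes owning containers with self-unregistering handles, check the member declaration order against the teardown order the handles require, or release the handles explicitly in the destructor as above.</p>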
</body>
</html>