<html>
<head>
<base href="https://llvm.org/bugs/" />
</head>
<body><table border="1" cellspacing="0" cellpadding="8">
<tr>
<th>Bug ID</th>
<td><a class="bz_bug_link bz_status_NEW" title="NEW --- - Heap-use-after-free detected by AddressSanitizer in GVNHoist" href="https://llvm.org/bugs/show_bug.cgi?id=29144">29144</a>
</td>
</tr>
<tr>
<th>Summary</th>
<td>Heap-use-after-free detected by AddressSanitizer in GVNHoist
</td>
</tr>
<tr>
<th>Product</th>
<td>libraries
</td>
</tr>
<tr>
<th>Version</th>
<td>trunk
</td>
</tr>
<tr>
<th>Hardware</th>
<td>PC
</td>
</tr>
<tr>
<th>OS</th>
<td>Linux
</td>
</tr>
<tr>
<th>Status</th>
<td>NEW
</td>
</tr>
<tr>
<th>Severity</th>
<td>normal
</td>
</tr>
<tr>
<th>Priority</th>
<td>P
</td>
</tr>
<tr>
<th>Component</th>
<td>Scalar Optimizations
</td>
</tr>
<tr>
<th>Assignee</th>
<td>sebpop@gmail.com
</td>
</tr>
<tr>
<th>Reporter</th>
<td>rtrieu@google.com
</td>
</tr>
<tr>
<th>CC</th>
<td>llvm-bugs@lists.llvm.org
</td>
</tr>
<tr>
<th>Classification</th>
<td>Unclassified
</td>
</tr></table>
<p>
<div>
<pre>AddressSanitizer has detected a heap-use-after-free when compiling the
following code. With non-instrumented Clang, this would cause a crash in
larger inputs, but go undetected for smaller input sizes.
$ cat reduce.c
extern int Foo(int x) __attribute__((pure));
void Create(int n1, int n2) {
  if (Foo(1) == 0 && n1 == n2) {}
  else if (Foo(1) == 0 && n1 == n2) {}
  else if (Foo(1) == 0 && n1 == n2) {}
  else if (Foo(1) == 0) {}
}
$ ./clang-asan -cc1 -emit-obj -O2 reduce.c
=================================================================
==9788==ERROR: AddressSanitizer: heap-use-after-free on address 0x60c00000ae88 at pc 0x000000720f2c bp 0x7ffef9a87c60 sp 0x7ffef9a87c58
READ of size 1 at 0x60c00000ae88 thread T0
    #0 0x720f2b in llvm::Value::getValueID() const llvm/include/llvm/IR/Value.h:425:12
    #1 0x747fa8 in llvm::Instruction::getOpcode() const llvm/include/llvm/IR/Instruction.h:103:39
    #2 0x7743c8 in llvm::CallInst::classof(llvm::Instruction const*) llvm/include/llvm/IR/Instructions.h:1817:15
    #3 0x7742ba in llvm::isa_impl_wrap<llvm::CallInst, llvm::Instruction* const, llvm::Instruction const*>::doit(llvm::Instruction* const&) llvm/include/llvm/Support/Casting.h:112:12
    #4 0x9ad5d6 in llvm::cast_retty<llvm::CallInst, llvm::Instruction*>::ret_type llvm::dyn_cast<llvm::CallInst, llvm::Instruction>(llvm::Instruction*) llvm/include/llvm/Support/Casting.h:298:10
    #5 0x5247731 in llvm::GVN::ValueTable::lookupOrAddCall(llvm::CallInst*) llvm/lib/Transforms/Scalar/GVN.cpp:427:35
    #6 0x5246069 in llvm::GVN::ValueTable::lookupOrAdd(llvm::Value*) llvm/lib/Transforms/Scalar/GVN.cpp:485:14
    #7 0x5234b01 in (anonymous namespace)::CallInfo::insert(llvm::CallInst*, llvm::GVN::ValueTable&) llvm/lib/Transforms/Scalar/GVNHoist.cpp:166:21
    #8 0x5234338 in (anonymous namespace)::GVNHoist::hoistExpressions(llvm::Function&) llvm/lib/Transforms/Scalar/GVNHoist.cpp:898:14
    #9 0x5233b21 in (anonymous namespace)::GVNHoist::run(llvm::Function&) llvm/lib/Transforms/Scalar/GVNHoist.cpp:227:24
    #10 0x523b918 in (anonymous namespace)::GVNHoistLegacyPass::runOnFunction(llvm::Function&) llvm/lib/Transforms/Scalar/GVNHoist.cpp:936:14
    #11 0x5ccf581 in llvm::FPPassManager::runOnFunction(llvm::Function&) llvm/lib/IR/LegacyPassManager.cpp:1522:27
    #12 0x5ccecb4 in llvm::legacy::FunctionPassManagerImpl::run(llvm::Function&) llvm/lib/IR/LegacyPassManager.cpp:1471:44
    #13 0x5ccebb3 in llvm::legacy::FunctionPassManager::run(llvm::Function&) llvm/lib/IR/LegacyPassManager.cpp:1395:15
    #14 0x6cb8a9 in (anonymous namespace)::EmitAssemblyHelper::EmitAssembly(clang::BackendAction, std::unique_ptr<llvm::raw_pwrite_stream, std::default_delete<llvm::raw_pwrite_stream> >) llvm/tools/clang/lib/CodeGen/BackendUtil.cpp:712:27
    #15 0x6ca596 in clang::EmitBackendOutput(clang::DiagnosticsEngine&, clang::CodeGenOptions const&, clang::TargetOptions const&, clang::LangOptions const&, llvm::DataLayout const&, llvm::Module*, clang::BackendAction, std::unique_ptr<llvm::raw_pwrite_stream, std::default_delete<llvm::raw_pwrite_stream> >) llvm/tools/clang/lib/CodeGen/BackendUtil.cpp:808:13
    #16 0x5e3713 in clang::BackendConsumer::HandleTranslationUnit(clang::ASTContext&) llvm/tools/clang/lib/CodeGen/CodeGenAction.cpp:193:7
    #17 0x1e229bd in clang::ParseAST(clang::Sema&, bool, bool) llvm/tools/clang/lib/Parse/ParseAST.cpp:167:13
    #18 0x5deb89 in clang::CodeGenAction::ExecuteAction() llvm/tools/clang/lib/CodeGen/CodeGenAction.cpp:867:28
    #19 0x18e4041 in clang::FrontendAction::Execute() llvm/tools/clang/lib/Frontend/FrontendAction.cpp:458:8
    #20 0x16888e6 in clang::CompilerInstance::ExecuteAction(clang::FrontendAction&) llvm/tools/clang/lib/Frontend/CompilerInstance.cpp:871:11
    #21 0x5c4cc7 in clang::ExecuteCompilerInvocation(clang::CompilerInstance*) llvm/tools/clang/lib/FrontendTool/ExecuteCompilerInvocation.cpp:246:25
    #22 0x59eeab in cc1_main(llvm::ArrayRef<char const*>, char const*, void*) llvm/tools/clang/tools/driver/cc1_main.cpp:183:13
    #23 0x5b9188 in ExecuteCC1Tool(llvm::ArrayRef<char const*>, llvm::StringRef) llvm/tools/clang/tools/driver/driver.cpp:299:12
    #24 0x5b8064 in main llvm/tools/clang/tools/driver/driver.cpp:380:12
AddressSanitizer can not describe address in more detail (wild memory access suspected).
SUMMARY: AddressSanitizer: heap-use-after-free llvm/include/llvm/IR/Value.h:425:12 in llvm::Value::getValueID() const
Shadow bytes around the buggy address:
  0x0c187fff9580: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c187fff9590: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c187fff95a0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c187fff95b0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c187fff95c0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
=>0x0c187fff95d0: fa[fa]fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c187fff95e0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c187fff95f0: fa fa fa fa fa fa fa fa 00 00 00 00 00 00 00 00
  0x0c187fff9600: 00 00 00 00 00 00 00 00 fa fa fa fa fa fa fa fa
  0x0c187fff9610: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 fa
  0x0c187fff9620: fa fa fa fa fa fa fa fa 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==9788==ABORTING</pre>
</div>
</p>
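<p>Triage helper added here as an example; it is not part of the bug report or of the LLVM tree. It parses a constructed excerpt of the ASan output above (frames re-joined onto single lines, as ASan prints them), decodes the bracketed shadow byte with the legend from the report, and picks the first frame outside <code>llvm/include/</code> as the likely culprit. The function names are hypothetical and the "first non-header frame" rule is a heuristic, not ASan's own logic.</p>

```python
import re

# Constructed excerpt of the ASan report in this bug; frames re-joined onto single
# lines as ASan prints them (the mail copy above wraps them).
SAMPLE_REPORT = """\
==9788==ERROR: AddressSanitizer: heap-use-after-free on address 0x60c00000ae88 at pc 0x000000720f2c bp 0x7ffef9a87c60 sp 0x7ffef9a87c58
READ of size 1 at 0x60c00000ae88 thread T0
    #0 0x720f2b in llvm::Value::getValueID() const llvm/include/llvm/IR/Value.h:425:12
    #1 0x747fa8 in llvm::Instruction::getOpcode() const llvm/include/llvm/IR/Instruction.h:103:39
    #5 0x5247731 in llvm::GVN::ValueTable::lookupOrAddCall(llvm::CallInst*) llvm/lib/Transforms/Scalar/GVN.cpp:427:35
AddressSanitizer can not describe address in more detail (wild memory access suspected).
Shadow bytes around the buggy address:
  0x0c187fff95c0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
=>0x0c187fff95d0: fa[fa]fa fa fa fa fa fa fa fa fa fa fa fa fa fa
"""

# Subset of the shadow byte legend ASan prints at the end of every report.
SHADOW_LEGEND = {"00": "addressable", "fa": "heap left redzone", "fb": "heap right redzone",
                 "fd": "freed heap region", "f5": "stack after return", "f8": "stack use after scope"}
FRAME_RE = re.compile(r"^\s*#(\d+) 0x[0-9a-f]+ in (.+) (\S+:\d+:\d+)$", re.M)

def parse_asan_report(text):
    """Pull the fields a triager needs out of a raw AddressSanitizer report."""
    head = re.search(r"ERROR: AddressSanitizer: ([\w-]+) on address (0x[0-9a-f]+)", text)
    access = re.search(r"^(READ|WRITE) of size (\d+)", text, re.M)
    # The '=>' row is the shadow granule holding the bad address; the bracketed
    # byte is the shadow value for that exact address.
    flagged = re.search(r"^=>0x[0-9a-f]+:.*?\[([0-9a-f]{2})\]", text, re.M)
    if not (head and access and flagged):
        raise ValueError("not a complete AddressSanitizer report")
    return {
        "error": head.group(1), "address": head.group(2),
        "access": (access.group(1), int(access.group(2))),
        "frames": [(int(n), f, loc) for n, f, loc in FRAME_RE.findall(text)],
        "shadow_byte": flagged.group(1),
        "shadow_meaning": SHADOW_LEGEND.get(flagged.group(1), "unknown"),
        "wild": "wild memory access suspected" in text,
    }

def blame_frame(report):
    """Heuristic: first frame outside llvm/include/, i.e. the pass that made the
    stale access rather than the IR accessor that merely dereferenced it."""
    for _, func, loc in report["frames"]:
        if not loc.startswith("llvm/include/"):
            return func, loc
    return None

def landed_in_freed_region(report):
    """True only when the flagged shadow byte is 'fd' (freed heap region). In this
    bug it is 'fa', a heap left redzone, consistent with ASan not describing it."""
    return report["shadow_byte"] == "fd"
```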
<hr>
<span>You are receiving this mail because:</span>
<ul>
<li>You are on the CC list for the bug.</li>
</ul>
</body>
</html>