<html>
<head>
<base href="https://llvm.org/bugs/" />
</head>
<body><table border="1" cellspacing="0" cellpadding="8">
<tr>
<th>Bug ID</th>
<td><a class="bz_bug_link
bz_status_NEW "
title="NEW --- - Segfault/Memory corruption in DependenceAnalysis"
href="https://llvm.org/bugs/show_bug.cgi?id=31848">31848</a>
</td>
</tr>
<tr>
<th>Summary</th>
<td>Segfault/Memory corruption in DependenceAnalysis
</td>
</tr>
<tr>
<th>Product</th>
<td>new-bugs
</td>
</tr>
<tr>
<th>Version</th>
<td>trunk
</td>
</tr>
<tr>
<th>Hardware</th>
<td>PC
</td>
</tr>
<tr>
<th>OS</th>
<td>Linux
</td>
</tr>
<tr>
<th>Status</th>
<td>NEW
</td>
</tr>
<tr>
<th>Severity</th>
<td>normal
</td>
</tr>
<tr>
<th>Priority</th>
<td>P
</td>
</tr>
<tr>
<th>Component</th>
<td>new bugs
</td>
</tr>
<tr>
<th>Assignee</th>
<td>unassignedbugs@nondot.org
</td>
</tr>
<tr>
<th>Reporter</th>
<td>philip.pfaffe@gmail.com
</td>
</tr>
<tr>
<th>CC</th>
<td>llvm-bugs@lists.llvm.org
</td>
</tr>
<tr>
<th>Classification</th>
<td>Unclassified
</td>
</tr></table>
<p>
<div>
<pre>Created <span class=""><a href="attachment.cgi?id=17927" name="attach_17927" title="lit testcase triggering the bug">attachment 17927</a> <a href="attachment.cgi?id=17927&action=edit" title="lit testcase triggering the bug">[details]</a></span>
lit testcase triggering the bug

It's possible for DependenceAnalysis to run into a heap buffer overflow. The
attached testcase triggers the bug for current trunk, but I'm positive this has
been defective in previous versions as well.

The bug occurs within the banerjeeMIV-test, in the function collectCoeffInfo().
This function allocates a new array on the heap with MaxLevels+1 elements.
MaxLevels is the maximum loop depth at which either of the two Instructions
being tested is found. This array is then filled by walking the AddRecExprs in
the SCEV-Expr describing the access subscript. The problem with this is that the
SCEV-Expr can contain AddRecExprs that do not correspond to loops surrounding
the tested Instruction. And if those AddRecExprs belong to a loop that's deeper
than MaxLevels, we're accessing the array outside of its bounds.

In summary, I don't think that this is really a problem with the
banerjeeMIV-test, and I strongly suspect there are other inputs for which
AddRecExprs are being treated as index variables even if they actually are not.
The fix for the memory corruption could be straightforward, by (correctly)
classifying the subscript pair as NonLinear. However, I am not sure whether this
is overly pessimistic or even sound in general.

- Philip</pre>
</div>
</p>
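<p>As an added example (not part of the report and not LLVM's own code), a small C++ model of the collectCoeffInfo() indexing pattern the report describes, with the check the report suggests: an AddRec whose loop does not enclose the tested Instruction, or whose depth exceeds MaxLevels, makes the subscript NonLinear instead of being written past the end of the MaxLevels+1 table. Loop, AddRec, CoeffInfo and surrounds() are hypothetical stand-ins for the LLVM types.</p>

```cpp
// Illustrative model of the defect described above; constructed for this
// page, not LLVM's DependenceAnalysis code. All names are hypothetical.
#include <cstddef>
#include <vector>

struct Loop {
    unsigned Depth;        // 1 for an outermost loop
    const Loop* Parent;    // nullptr for an outermost loop
};

// Stand-in for a SCEV AddRecExpr: a coefficient tied to one loop.
struct AddRec {
    const Loop* L;
    long Coeff;
};

enum class Classification { Linear, NonLinear };

struct CoeffInfo {
    Classification Class;
    std::vector<long> Coeff;   // index = loop level, size MaxLevels + 1
};

// True if L is the innermost loop around the instruction or one of its ancestors.
static bool surrounds(const Loop* L, const Loop* Innermost) {
    for (const Loop* Cur = Innermost; Cur; Cur = Cur->Parent)
        if (Cur == L) return true;
    return false;
}

// Hardened collector: the table is sized MaxLevels + 1, and an AddRec is only
// used as an index variable if its loop encloses the instruction and its depth
// fits in the table. Anything else classifies the subscript as NonLinear
// instead of indexing out of bounds (the overflow the report describes).
CoeffInfo collectCoeffInfo(const std::vector<AddRec>& Subscript,
                           const Loop* InstLoop, unsigned MaxLevels) {
    CoeffInfo Info{Classification::Linear, std::vector<long>(MaxLevels + 1, 0)};
    for (const AddRec& AR : Subscript) {
        if (!AR.L || !surrounds(AR.L, InstLoop) || AR.L->Depth > MaxLevels) {
            Info.Class = Classification::NonLinear;
            Info.Coeff.clear();   // coefficients are meaningless for NonLinear
            return Info;
        }
        Info.Coeff[AR.L->Depth] = AR.Coeff;   // in bounds: Depth <= MaxLevels
    }
    return Info;
}
```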
</body>
</html>