<html>
    <head>
      <base href="https://bugs.llvm.org/">
    </head>
    <body><table border="1" cellspacing="0" cellpadding="8">
        <tr>
          <th>Bug ID</th>
<td><a class="bz_bug_link bz_status_NEW" title="NEW - nullptr dereference in pass 'Shadow Stack GC Lowering'" href="https://bugs.llvm.org/show_bug.cgi?id=32337">32337</a>
          </td>
        </tr>

        <tr>
          <th>Summary</th>
          <td>nullptr dereference in pass 'Shadow Stack GC Lowering'
          </td>
        </tr>

        <tr>
          <th>Product</th>
          <td>libraries
          </td>
        </tr>

        <tr>
          <th>Version</th>
          <td>3.9
          </td>
        </tr>

        <tr>
          <th>Hardware</th>
          <td>PC
          </td>
        </tr>

        <tr>
          <th>OS</th>
          <td>Linux
          </td>
        </tr>

        <tr>
          <th>Status</th>
          <td>NEW
          </td>
        </tr>

        <tr>
          <th>Severity</th>
          <td>enhancement
          </td>
        </tr>

        <tr>
          <th>Priority</th>
          <td>P
          </td>
        </tr>

        <tr>
          <th>Component</th>
          <td>Common Code Generator Code
          </td>
        </tr>

        <tr>
          <th>Assignee</th>
          <td>unassignedbugs@nondot.org
          </td>
        </tr>

        <tr>
          <th>Reporter</th>
          <td>hristo@venev.name
          </td>
        </tr>

        <tr>
          <th>CC</th>
          <td>llvm-bugs@lists.llvm.org
          </td>
        </tr></table>
      <p>
        <div>
        <pre>Created <span class=""><a href="attachment.cgi?id=18123" name="attach_18123" title="test.ll">attachment 18123</a> <a href="attachment.cgi?id=18123&action=edit" title="test.ll">[details]</a></span>
test.ll

The pass assumes that gcroot is only called once for every alloca. Even if this
is true for the original source, optimization passes may change this.

I've attached the smallest test case I could find. It causes a segfault when
compiled with 'clang -O2' using LLVM 3.8.something and 3.9.1:

#0 0x00007f6b44ac7708 llvm::sys::PrintStackTrace(llvm::raw_ostream&)
(/lib64/libLLVM-3.9.so+0x62c708)
#1 0x00007f6b44ac58a6 llvm::sys::RunSignalHandlers()
(/lib64/libLLVM-3.9.so+0x62a8a6)
#2 0x00007f6b44ac59d4 (/lib64/libLLVM-3.9.so+0x62a9d4)
#3 0x00007f6b42a47260 __restore_rt (/lib64/libpthread.so.0+0x12260)
#4 0x00007f6b44b5f355 llvm::Instruction::eraseFromParent()
(/lib64/libLLVM-3.9.so+0x6c4355)
#5 0x00007f6b44dd1c7b (/lib64/libLLVM-3.9.so+0x936c7b)
#6 0x00007f6b44dd2c48 (/lib64/libLLVM-3.9.so+0x937c48)
#7 0x00007f6b44b86e68 llvm::FPPassManager::runOnFunction(llvm::Function&)
(/lib64/libLLVM-3.9.so+0x6ebe68)
#8 0x00007f6b44b8718b llvm::FPPassManager::runOnModule(llvm::Module&)
(/lib64/libLLVM-3.9.so+0x6ec18b)
#9 0x00007f6b44b8671f llvm::legacy::PassManagerImpl::run(llvm::Module&)
(/lib64/libLLVM-3.9.so+0x6eb71f)
#10 0x00007f6b43b2f6a3 clang::EmitBackendOutput(clang::DiagnosticsEngine&,
clang::CodeGenOptions const&, clang::TargetOptions const&, clang::LangOptions
const&, llvm::DataLayout const&, llvm::Module*, clang::BackendAction,
std::unique_ptr<llvm::raw_pwrite_stream,
std::default_delete<llvm::raw_pwrite_stream> >)
(/lib64/libclangCodeGen.so+0x6a6a3)
#11 0x00007f6b43cd24fd (/lib64/libclangCodeGen.so+0x20d4fd)
#12 0x00007f6b4353d396 clang::FrontendAction::Execute()
(/lib64/libclangFrontend.so+0xac396)
#13 0x00007f6b4350722c
clang::CompilerInstance::ExecuteAction(clang::FrontendAction&)
(/lib64/libclangFrontend.so+0x7622c)
#14 0x00007f6b4328e023
clang::ExecuteCompilerInvocation(clang::CompilerInstance*)
(/lib64/libclangFrontendTool.so+0x3023)
#15 0x000055ebf56be8f0 cc1_main(llvm::ArrayRef<char const*>, char const*,
void*) (/usr/bin/clang-3.9+0xe8f0)
#16 0x000055ebf56bb519 main (/usr/bin/clang-3.9+0xb519)
#17 0x00007f6b41bb75fe __libc_start_main
/usr/src/debug/glibc-2.25-4-g69e0a87/csu/../csu/libc-start.c:329:0
#18 0x000055ebf56bcdba _start (/usr/bin/clang-3.9+0xcdba)
Stack dump:
0.      Program arguments: /usr/bin/clang-3.9 -cc1 -triple
x86_64-unknown-linux-gnu -emit-obj -disable-free -disable-llvm-verifier
-discard-value-names -main-file-name test-simple.ll -mrelocation-model static
-mthread-model posix -fmath-errno -masm-verbose -mconstructor-aliases
-munwind-tables -fuse-init-array -target-cpu x86-64 -momit-leaf-frame-pointer
-dwarf-column-info -debugger-tuning=gdb -resource-dir
/usr/bin/../lib64/clang/3.9.1 -O2 -fdebug-compilation-dir /home/hristo/dev/ob1
-ferror-limit 19 -fmessage-length 211 -fobjc-runtime=gcc
-fdiagnostics-show-option -fcolor-diagnostics -vectorize-loops -vectorize-slp
-o /tmp/test-simple-0e9ae0.o -x ir test-simple.ll 
1.      Code generation
2.      Running pass 'Function Pass Manager' on module 'test-simple.ll'.
3.      Running pass 'Shadow Stack GC Lowering' on function '@test'
clang-3.9: error: unable to execute command: Segmentation fault (core dumped)
clang-3.9: error: clang frontend command failed due to signal (use -v to see
invocation)
clang version 3.9.1 (tags/RELEASE_391/final)
Target: x86_64-unknown-linux-gnu
Thread model: posix
InstalledDir: /usr/bin
clang-3.9: note: diagnostic msg: PLEASE submit a bug report to  and include the
crash backtrace, preprocessed source, and associated run script.
clang-3.9: note: diagnostic msg: Error generating preprocessed source(s) - no
preprocessable inputs.</pre>
        </div>
      </p>
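<p>The report says the lowering pass assumes each alloca is registered with <code>@llvm.gcroot</code> exactly once, and that an optimizer can break that assumption. The following script is an added example, not part of the report and not LLVM's own code: it scans textual LLVM IR and lists every alloca that is passed to <code>@llvm.gcroot</code> more than once in the same function, so a build can flag the precondition violation before the pass runs. The embedded IR is constructed for illustration and is not the attached test.ll; the function and alloca names (<code>@test</code>, <code>%root</code>, <code>%other</code>, <code>@ok</code>) are invented. It assumes the calls are spelled <code>call void @llvm.gcroot(i8** %name, ...)</code> with plain SSA names, which is how such IR is normally printed.</p>

```python
import re
from collections import Counter

# Constructed LLVM IR (not the attached test.ll). In @test the alloca %root is
# registered with @llvm.gcroot twice, the shape the report says an optimization
# pass can produce even when the original source registers each root once.
SAMPLE_IR = """\
declare void @llvm.gcroot(i8**, i8*)
declare void @use(i8*)

define void @test() gc "shadow-stack" {
entry:
  %root = alloca i8*
  %other = alloca i8*
  call void @llvm.gcroot(i8** %root, i8* null)
  call void @llvm.gcroot(i8** %other, i8* null)
  store i8* null, i8** %root
  call void @llvm.gcroot(i8** %root, i8* null)
  %v = load i8*, i8** %root
  call void @use(i8* %v)
  ret void
}

define void @ok() gc "shadow-stack" {
entry:
  %r = alloca i8*
  call void @llvm.gcroot(i8** %r, i8* null)
  ret void
}
"""

# Start of a function definition: captures the function name after '@'.
DEFINE_RE = re.compile(r'^define\b.*?@("[^"]+"|[-\w$.]+)\s*\(')
# A gcroot registration: captures the SSA name of the alloca (first operand).
GCROOT_RE = re.compile(
    r'call\s+void\s+@llvm\.gcroot\s*\(\s*i8\*\*\s*(%[-\w$.]+|%"[^"]+")')


def gcroot_registrations(ir_text):
    """Map each defined function to a Counter of how many times each alloca
    (by SSA name) is passed to @llvm.gcroot inside that function."""
    per_function = {}
    current = None
    for line in ir_text.splitlines():
        stripped = line.strip()
        m = DEFINE_RE.match(stripped)
        if m:
            current = m.group(1)
            per_function[current] = Counter()
            continue
        if stripped == "}":          # end of the current function body
            current = None
            continue
        if current is None:          # declarations, globals, comments
            continue
        m = GCROOT_RE.search(stripped)
        if m:
            per_function[current][m.group(1)] += 1
    return per_function


def find_duplicate_gcroots(ir_text):
    """Return {function: {alloca: count}} for every alloca registered more
    than once, i.e. input that violates the assumption the report describes."""
    dups = {}
    for fn, counts in gcroot_registrations(ir_text).items():
        repeated = {name: n for name, n in counts.items() if n > 1}
        if repeated:
            dups[fn] = repeated
    return dups


if __name__ == "__main__":
    for fn, repeated in find_duplicate_gcroots(SAMPLE_IR).items():
        for name, n in repeated.items():
            print(f"@{fn}: {name} registered with @llvm.gcroot {n} times")
```

<p>Run against the constructed IR, the script reports <code>@test</code> with <code>%root</code> registered twice and stays silent for <code>@ok</code>. It is a textual check only: it does not follow bitcasts or GEPs of the alloca, so it catches the direct double registration the report describes and nothing subtler.</p>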


    </body>
</html>