<html>
    <head>
      <base href="https://bugs.llvm.org/">
    </head>
    <body><table border="1" cellspacing="0" cellpadding="8">
        <tr>
          <th>Bug ID</th>
          <td><a class="bz_bug_link 
          bz_status_NEW "
   title="NEW - Memory access error in MetadataTracking::untrack"
   href="https://bugs.llvm.org/show_bug.cgi?id=33327">33327</a>
          </td>
        </tr>

        <tr>
          <th>Summary</th>
          <td>Memory access error in MetadataTracking::untrack
          </td>
        </tr>

        <tr>
          <th>Product</th>
          <td>new-bugs
          </td>
        </tr>

        <tr>
          <th>Version</th>
          <td>4.0
          </td>
        </tr>

        <tr>
          <th>Hardware</th>
          <td>PC
          </td>
        </tr>

        <tr>
          <th>OS</th>
          <td>MacOS X
          </td>
        </tr>

        <tr>
          <th>Status</th>
          <td>NEW
          </td>
        </tr>

        <tr>
          <th>Severity</th>
          <td>normal
          </td>
        </tr>

        <tr>
          <th>Priority</th>
          <td>P
          </td>
        </tr>

        <tr>
          <th>Component</th>
          <td>new bugs
          </td>
        </tr>

        <tr>
          <th>Assignee</th>
          <td>unassignedbugs@nondot.org
          </td>
        </tr>

        <tr>
          <th>Reporter</th>
          <td>akokins@whitecryption.com
          </td>
        </tr>

        <tr>
          <th>CC</th>
          <td>llvm-bugs@lists.llvm.org
          </td>
        </tr></table>
      <p>
        <div>
        <pre>Created <span class=""><a href="attachment.cgi?id=18581" name="attach_18581" title="bug reproduction kit">attachment 18581</a></span>
bug reproduction kit

opt sometimes crashes when processing files with metadata in them, when a
custom plugin is used that deletes and recreates certain instructions.

Even if it doesn't crash, the issue can still be seen when opt is run under
Valgrind.

From what I could tell, the bug was triggered by deleting and replacing an
instruction that had metadata. The attached example plugin removes metadata
from all instructions, and takes each "br" instruction, adding metadata and
then replacing it with an otherwise identical instruction. In the end, opt
crashes during LLVMContext destruction.

I have reproduced the issue on both macOS 10.11.6 and Ubuntu 14.

To reproduce the bug, unzip the attachment, adjust the path to LLVM in the
makefile and run "make".
(The path to LLVM must contain both the headers to include and a library for
the plugin to link to.)

This is the most important part of the expected output:

Invalid read of size 2
   at 0x100216864: llvm::MetadataTracking::untrack(void*, llvm::Metadata&) (in
/opt/llvm-4.0.0/lib/libLLVM.dylib)
   by 0x100201745: llvm::LLVMContextImpl::~LLVMContextImpl() (in
/opt/llvm-4.0.0/lib/libLLVM.dylib)
   by 0x1001FC8C5: llvm::LLVMContext::~LLVMContext() (in
/opt/llvm-4.0.0/lib/libLLVM.dylib)
   by 0x10000B497: main (in /opt/llvm-4.0.0/bin/opt)
 Address 0x102c54208 is 8 bytes inside a block of size 32 free'd
   at 0x100046ABD: free (in
/usr/local/Cellar/valgrind/3.12.0/lib/valgrind/vgpreload_memcheck-amd64-darwin.so)
   by 0x1001FF4A2: llvm::LLVMContextImpl::~LLVMContextImpl() (in
/opt/llvm-4.0.0/lib/libLLVM.dylib)
   by 0x1001FC8C5: llvm::LLVMContext::~LLVMContext() (in
/opt/llvm-4.0.0/lib/libLLVM.dylib)
   by 0x10000B497: main (in /opt/llvm-4.0.0/bin/opt)
 Block was alloc'd at
   at 0x100046681: malloc (in
/usr/local/Cellar/valgrind/3.12.0/lib/valgrind/vgpreload_memcheck-amd64-darwin.so)
   by 0x1021197DD: operator new(unsigned long) (in /usr/lib/libc++.1.dylib)
   by 0x10021E4B3: llvm::MDTuple::getImpl(llvm::LLVMContext&,
llvm::ArrayRef<llvm::Metadata*>, llvm::Metadata::StorageType, bool) (in
/opt/llvm-4.0.0/lib/libLLVM.dylib)
   by 0x1031CB77C: llvm::MDTuple::get(llvm::LLVMContext&,
llvm::ArrayRef<llvm::Metadata*>) (in
/Users/akokins/Desktop/llvm-bug-metadata/mdfp.so)
   by 0x1031CB014: llvm::MDNode::get(llvm::LLVMContext&,
llvm::ArrayRef<llvm::Metadata*>) (in
/Users/akokins/Desktop/llvm-bug-metadata/mdfp.so)
   by 0x1031CAB82: MetadataFauxPass::runOnFunction(llvm::Function&) (in
/Users/akokins/Desktop/llvm-bug-metadata/mdfp.so)
   by 0x10020B371: llvm::FPPassManager::runOnFunction(llvm::Function&) (in
/opt/llvm-4.0.0/lib/libLLVM.dylib)
   by 0x10020B572: llvm::FPPassManager::runOnModule(llvm::Module&) (in
/opt/llvm-4.0.0/lib/libLLVM.dylib)
   by 0x10020B9F3: llvm::legacy::PassManagerImpl::run(llvm::Module&) (in
/opt/llvm-4.0.0/lib/libLLVM.dylib)
   by 0x10000B050: main (in /opt/llvm-4.0.0/bin/opt)</pre>
        </div>
      </p>
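      <p>Added example (not part of the bug report or of LLVM): a small triage script that rejoins the mail-wrapped memcheck frames from the trace above and splits them into the accessing, freeing and allocating stacks, so the use-after-free can be read off mechanically. It assumes the <code>==PID==</code> prefixes are already stripped, as in the report; the function names <code>unwrap</code>, <code>triage</code> and <code>shared_callers</code> are hypothetical.</p>

```python
import re
# Constructed sample: frames from the trace above, shortened, mail-wrapping kept.
SAMPLE = """\
Invalid read of size 2
   at 0x100216864: llvm::MetadataTracking::untrack(void*, llvm::Metadata&) (in
/opt/llvm-4.0.0/lib/libLLVM.dylib)
   by 0x100201745: llvm::LLVMContextImpl::~LLVMContextImpl() (in
/opt/llvm-4.0.0/lib/libLLVM.dylib)
 Address 0x102c54208 is 8 bytes inside a block of size 32 free'd
   at 0x100046ABD: free (in
/usr/local/Cellar/valgrind/3.12.0/lib/valgrind/vgpreload_memcheck-amd64-darwin.so)
   by 0x1001FF4A2: llvm::LLVMContextImpl::~LLVMContextImpl() (in
/opt/llvm-4.0.0/lib/libLLVM.dylib)
 Block was alloc'd at
   by 0x10021E4B3: llvm::MDTuple::getImpl(llvm::LLVMContext&,
llvm::ArrayRef<llvm::Metadata*>, llvm::Metadata::StorageType, bool) (in
/opt/llvm-4.0.0/lib/libLLVM.dylib)
   by 0x1031CAB82: MetadataFauxPass::runOnFunction(llvm::Function&) (in
/Users/akokins/Desktop/llvm-bug-metadata/mdfp.so)
"""
FRAME = re.compile(r"^\s+(?:at|by) 0x[0-9A-Fa-f]+: (.*) \(in (.*)\)$")

def unwrap(text):
    """Rejoin wrapped frames; a frame is complete once it ends '(in <object>)'."""
    out = []
    for line in text.splitlines():
        prev = out[-1] if out else ""
        if re.match(r"\s+(at|by) 0x", prev) and not FRAME.match(prev) and line[:1] != " ":
            out[-1] += " " + line
        else:
            out.append(line)
    return out

def triage(text):
    """Split the report into access / freed / alloc stacks of (function, object)."""
    stacks, cur = {"access": [], "freed": [], "alloc": []}, None
    for line in unwrap(text):
        m = FRAME.match(line)
        if m and cur:
            stacks[cur].append(m.groups())
        elif line.startswith("Invalid "):
            cur = "access"
        elif line.endswith("free'd"):
            cur = "freed"
        elif "alloc'd" in line:
            cur = "alloc"
    return stacks

def shared_callers(stacks):
    """Functions that appear on both the freeing stack and the accessing stack."""
    freed = {fn for fn, _ in stacks["freed"]}
    return [fn for fn, _ in stacks["access"] if fn in freed]
```

      <p>Calling <code>shared_callers(triage(SAMPLE))</code> shows that the block is both freed and read from within the same destructor, while the last frame of the <code>alloc</code> stack identifies the plugin pass as the allocation site.</p>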


    </body>
</html>