<html>
<head>
<base href="https://bugs.llvm.org/">
</head>
<body><table border="1" cellspacing="0" cellpadding="8">
<tr>
<th>Bug ID</th>
<td><a class="bz_bug_link
bz_status_NEW "
title="NEW - DependenceAnalysis memory allocation crash"
href="https://bugs.llvm.org/show_bug.cgi?id=33568">33568</a>
</td>
</tr>
<tr>
<th>Summary</th>
<td>DependenceAnalysis memory allocation crash
</td>
</tr>
<tr>
<th>Product</th>
<td>libraries
</td>
</tr>
<tr>
<th>Version</th>
<td>trunk
</td>
</tr>
<tr>
<th>Hardware</th>
<td>PC
</td>
</tr>
<tr>
<th>OS</th>
<td>Linux
</td>
</tr>
<tr>
<th>Status</th>
<td>NEW
</td>
</tr>
<tr>
<th>Severity</th>
<td>enhancement
</td>
</tr>
<tr>
<th>Priority</th>
<td>P
</td>
</tr>
<tr>
<th>Component</th>
<td>Global Analyses
</td>
</tr>
<tr>
<th>Assignee</th>
<td>unassignedbugs@nondot.org
</td>
</tr>
<tr>
<th>Reporter</th>
<td>stanislav.manilov@gmail.com
</td>
</tr>
<tr>
<th>CC</th>
<td>llvm-bugs@lists.llvm.org
</td>
</tr></table>
<p>
<div>
<pre>DependenceAnalysis results in a memory crash for the following code:
```
foo.c:
void f(int *A, int n) {
int i, j;
for (i = n - 1; i >= 0; i--) {
for (j = i + 1; j < n; j++)
A[j - 1] = A[j];
A[j - 1] = n;
}
}
```
With LLVM 3.9.1 the following results in a crash:
```
clang foo.c -c -emit-llvm -o foo.bc && opt -mem2reg -da -analyze foo.bc
```
The output is this:
```
Printing analysis 'Promote Memory to Register' for function 'f':
Pass::print not implemented for pass: 'Promote Memory to Register'!
Printing analysis 'Dependence Analysis' for function 'f':
da analyze - input [* *]!
da analyze - anti [* *|<]!
da analyze - anti [*|<]!
da analyze - output [* *]!
da analyze - *** Error in `opt': free(): invalid next size (fast):
0x0000000001d2e600 ***
```
If -mem2reg is not performed before -da there is no crash.
With LLVM trunk (f066646d) it seems that -mem2reg does not change the bitcode
for me (could be my bad setup) and thus initially I couldn't reproduce the
crash. So I generate the .ll code with LLVM 3.9 first like this:
```
clang foo.c -c -emit-llvm -o foo.bc && opt -mem2reg foo.bc -o foo.mem2reg.bc
```
And then after switching to LLVM trunk I do:
```
opt -da -analyze foo.mem2reg.bc
```
The output is this:
```
Printing analysis 'Dependence Analysis' for function 'f':
da analyze - input [* *]!
da analyze - anti [* *|<]!
da analyze - anti [*|<]!
da analyze - output [* *]!
da analyze -
```
where opt blocks (doesn't terminate, but it seems all CPUs are idle).
Here's foo.mem2reg.ll after disassembling:
```
; ModuleID = 'foo.mem2reg.bc'
source_filename = "foo.c"
target datalayout = "e-m:e-i64:64-f80:128-n8:16:32:64-S128"
target triple = "x86_64-unknown-linux-gnu"
; Function Attrs: nounwind uwtable
define void @f(i32*, i32) {
%3 = sub nsw i32 %1, 1
br label %4
; <label>:4: ; preds = %23, %2
%.01 = phi i32 [ %3, %2 ], [ %24, %23 ]
%5 = icmp sge i32 %.01, 0
br i1 %5, label %6, label %25
; <label>:6: ; preds = %4
%7 = add nsw i32 %.01, 1
br label %8
; <label>:8: ; preds = %17, %6
%.0 = phi i32 [ %7, %6 ], [ %18, %17 ]
%9 = icmp slt i32 %.0, %1
br i1 %9, label %10, label %19
; <label>:10: ; preds = %8
%11 = sext i32 %.0 to i64
%12 = getelementptr inbounds i32, i32* %0, i64 %11
%13 = load i32, i32* %12, align 4
%14 = sub nsw i32 %.0, 1
%15 = sext i32 %14 to i64
%16 = getelementptr inbounds i32, i32* %0, i64 %15
store i32 %13, i32* %16, align 4
br label %17
; <label>:17: ; preds = %10
%18 = add nsw i32 %.0, 1
br label %8
; <label>:19: ; preds = %8
%20 = sub nsw i32 %.0, 1
%21 = sext i32 %20 to i64
%22 = getelementptr inbounds i32, i32* %0, i64 %21
store i32 %1, i32* %22, align 4
br label %23
; <label>:23: ; preds = %19
%24 = add nsw i32 %.01, -1
br label %4
; <label>:25: ; preds = %4
ret void
}
```
Tested bug on LLVM 3.9 on two different machines, tested trunk only on one
machine.</pre>
</div>
</p>
<hr>
<span>You are receiving this mail because:</span>
<ul>
<li>You are on the CC list for the bug.</li>
</ul>
</body>
</html>