<html>
<head>
<base href="https://bugs.llvm.org/">
</head>
<body><table border="1" cellspacing="0" cellpadding="8">
<tr>
<th>Bug ID</th>
<td><a class="bz_bug_link
bz_status_NEW "
title="NEW - r312318 causing null dereference crash"
href="https://bugs.llvm.org/show_bug.cgi?id=34490">34490</a>
</td>
</tr>
<tr>
<th>Summary</th>
<td>r312318 causing null dereference crash
</td>
</tr>
<tr>
<th>Product</th>
<td>libraries
</td>
</tr>
<tr>
<th>Version</th>
<td>trunk
</td>
</tr>
<tr>
<th>Hardware</th>
<td>PC
</td>
</tr>
<tr>
<th>OS</th>
<td>Linux
</td>
</tr>
<tr>
<th>Status</th>
<td>NEW
</td>
</tr>
<tr>
<th>Severity</th>
<td>enhancement
</td>
</tr>
<tr>
<th>Priority</th>
<td>P
</td>
</tr>
<tr>
<th>Component</th>
<td>Interprocedural Optimizations
</td>
</tr>
<tr>
<th>Assignee</th>
<td>unassignedbugs@nondot.org
</td>
</tr>
<tr>
<th>Reporter</th>
<td>rtrieu@google.com
</td>
</tr>
<tr>
<th>CC</th>
<td>llvm-bugs@lists.llvm.org
</td>
</tr></table>
<p>
<div>
<pre>From r312318,
lib/Transforms/IPO/GlobalOpt.cpp:1616
+ ConstantInt *CIInit = dyn_cast<ConstantInt>(GV->getInitializer());
+ uint64_t ValInit = CIInit->getZExtValue();
+ uint64_t ValOther = CI->getZExtValue();
+ uint64_t ValMinus = ValOther - ValInit;
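Review bot: CIInit is dereferenced on the line after the dyn_cast without a null check, so any internal global whose initializer is a Constant but not a ConstantInt (in the reproducer, `static long b = a;` initializes b with a pointer constant converted to an integer) crashes the pass here. Bail out right after the dyn_cast, e.g. `if (!CIInit) return ...;` with whatever "leave this global alone" result the enclosing function uses, before ValInit is computed; ValOther and ValMinus are only meaningful once both operands are known to be integer constants.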
CIInit is the result of a dyn_cast call, but not checked for nullness. Its use
on the next line will crash when it is null. The following code will trigger
that case:
$ cat test.c
a[];
static long b = a;
fn1() {
a > b;
b = 0;
}
$ clang -w -O2 test.c
#0 0x0000000001e191e4 PrintStackTraceSignalHandler(void*)
(/usr/local/bin/clang-3.5+0x1e191e4)
#1 0x0000000001e19546 SignalHandler(int) (/usr/local/bin/clang-3.5+0x1e19546)
#2 0x00007f3c5707b330 __restore_rt
(/lib/x86_64-linux-gnu/libpthread.so.0+0x10330)
#3 0x00000000019dd260 processInternalGlobal(llvm::GlobalVariable*,
llvm::GlobalStatus const&, llvm::TargetLibraryInfo*,
llvm::function_ref<llvm::DominatorTree& (llvm::Function&)>)
(/usr/local/bin/clang-3.5+0x19dd260)
#4 0x00000000019dac4c processGlobal(llvm::GlobalValue&,
llvm::TargetLibraryInfo*, llvm::function_ref<llvm::DominatorTree&
(llvm::Function&)>) (/usr/local/bin/clang-3.5+0x19dac4c)
#5 0x00000000019d8b25 optimizeGlobalsInModule(llvm::Module&, llvm::DataLayout
const&, llvm::TargetLibraryInfo*, llvm::function_ref<llvm::DominatorTree&
(llvm::Function&)>) (/usr/local/bin/clang-3.5+0x19d8b25)
#6 0x00000000019e5d4c (anonymous
namespace)::GlobalOptLegacyPass::runOnModule(llvm::Module&)
(/usr/local/bin/clang-3.5+0x19e5d4c)
#7 0x0000000001940ad6 llvm::legacy::PassManagerImpl::run(llvm::Module&)
(/usr/local/bin/clang-3.5+0x1940ad6)
#8 0x0000000001fbaa2b clang::EmitBackendOutput(clang::DiagnosticsEngine&,
clang::HeaderSearchOptions const&, clang::CodeGenOptions const&,
clang::TargetOptions const&, clang::LangOptions const&, llvm::DataLayout
const&, llvm::Module*, clang::BackendAction,
std::unique_ptr<llvm::raw_pwrite_stream,
std::default_delete<llvm::raw_pwrite_stream> >)
(/usr/local/bin/clang-3.5+0x1fbaa2b)
#9 0x000000000274d434
clang::BackendConsumer::HandleTranslationUnit(clang::ASTContext&)
(/usr/local/bin/clang-3.5+0x274d434)
#10 0x0000000002c38a36 clang::ParseAST(clang::Sema&, bool, bool)
(/usr/local/bin/clang-3.5+0x2c38a36)
#11 0x00000000023da5a0 clang::FrontendAction::Execute()
(/usr/local/bin/clang-3.5+0x23da5a0)
#12 0x0000000002387031
clang::CompilerInstance::ExecuteAction(clang::FrontendAction&)
(/usr/local/bin/clang-3.5+0x2387031)
#13 0x000000000247078c
clang::ExecuteCompilerInvocation(clang::CompilerInstance*)
(/usr/local/bin/clang-3.5+0x247078c)
#14 0x000000000086b66b cc1_main(llvm::ArrayRef<char const*>, char const*,
void*) (/usr/local/bin/clang-3.5+0x86b66b)
#15 0x0000000000868ec6 main (/usr/local/bin/clang-3.5+0x868ec6)
#16 0x00007f3c55f59f45 __libc_start_main
/build/eglibc-SvCtMH/eglibc-2.19/csu/libc-start.c:321:0
#17 0x0000000000865e39 _start (/usr/local/bin/clang-3.5+0x865e39)
Stack dump:
0. Program arguments: /usr/local/bin/clang-3.5 -cc1 -triple
x86_64-unknown-linux-gnu -emit-obj -disable-free -main-file-name test.c
-mrelocation-model static -mthread-model posix -fmath-errno -masm-verbose
-mconstructor-aliases -munwind-tables -fuse-init-array -target-cpu x86-64
-dwarf-column-info -debugger-tuning=gdb -momit-leaf-frame-pointer -resource-dir
/usr/local/lib/clang/6.0.0 -internal-isystem /usr/local/include
-internal-isystem /usr/local/lib/clang/6.0.0/include -internal-externc-isystem
/usr/include/x86_64-linux-gnu -internal-externc-isystem /include
-internal-externc-isystem /usr/include -O2 -w -fdebug-compilation-dir
/usr/local/google/home/rtrieu/test/kernel -ferror-limit 19 -fmessage-length 80
-fobjc-runtime=gcc -fdiagnostics-show-option -fcolor-diagnostics
-vectorize-loops -vectorize-slp -o /tmp/test-ce80f5.o -x c test.c
1. <eof> parser at end of file
2. Per-module optimization passes
3. Running pass 'Global Variable Optimizer' on module 'test.c'.
clang-3.5: error: unable to execute command: Segmentation fault (core dumped)
clang-3.5: error: clang frontend command failed due to signal (use -v to see
invocation)
clang version 6.0.0 (trunk 312575)
Target: x86_64-unknown-linux-gnu
Thread model: posix
InstalledDir: /usr/local/bin
clang-3.5: note: diagnostic msg: PLEASE submit a bug report to
<a href="http://llvm.org/bugs/">http://llvm.org/bugs/</a> and include the crash backtrace, preprocessed source, and
associated run script.
clang-3.5: note: diagnostic msg:
********************
PLEASE ATTACH THE FOLLOWING FILES TO THE BUG REPORT:
Preprocessed source(s) and associated run script(s) are located at:
clang-3.5: note: diagnostic msg: /tmp/test-b0a540.c
clang-3.5: note: diagnostic msg: /tmp/test-b0a540.sh
clang-3.5: note: diagnostic msg:
********************</pre>
</div>
</p>
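<p>Added example, not code from the bug report or from LLVM itself: a self-contained re-creation of LLVM's classof()-based isa/dyn_cast idiom with stand-in Constant, ConstantInt, ConstantExpr and GlobalVariable types (all hypothetical, modelled on the real names), showing the unchecked pattern from r312318 next to the checked form. The "reproducer" helper builds the situation from test.c, where the initializer of b is a constant expression rather than an integer constant, so dyn_cast returns null and the unchecked version would dereference it.</p>

```cpp
// Added example (not LLVM's code): LLVM-style RTTI in miniature, to show why
// an unchecked dyn_cast<ConstantInt> crashes on a non-integer initializer.
#include <cstdint>
#include <memory>

// Stand-in for llvm::Constant: a kind tag drives isa<>/dyn_cast<>, as in LLVM.
struct Constant {
  enum Kind { ConstantIntKind, ConstantExprKind };
  explicit Constant(Kind K) : TheKind(K) {}
  virtual ~Constant() = default;
  Kind getKind() const { return TheKind; }
private:
  Kind TheKind;
};

// Stand-in for llvm::ConstantInt (hypothetical, simplified).
struct ConstantInt : Constant {
  explicit ConstantInt(uint64_t V) : Constant(ConstantIntKind), Val(V) {}
  static bool classof(const Constant *C) { return C->getKind() == ConstantIntKind; }
  uint64_t getZExtValue() const { return Val; }
private:
  uint64_t Val;
};

// Stand-in for a constant expression such as the pointer-to-integer
// conversion clang emits for `static long b = a;` in the reproducer.
struct ConstantExpr : Constant {
  ConstantExpr() : Constant(ConstantExprKind) {}
  static bool classof(const Constant *C) { return C->getKind() == ConstantExprKind; }
};

// Minimal isa<>/dyn_cast<>: dyn_cast yields nullptr when classof() says no.
template <typename To, typename From> bool isa(const From *V) { return To::classof(V); }
template <typename To, typename From> To *dyn_cast(From *V) {
  return isa<To>(V) ? static_cast<To *>(V) : nullptr;
}

// Stand-in for llvm::GlobalVariable holding its initializer.
struct GlobalVariable {
  std::unique_ptr<Constant> Init;
  Constant *getInitializer() const { return Init.get(); }
};

// The pattern from r312318: the dyn_cast result is used without a null check.
// Safe only when the initializer really is a ConstantInt; otherwise this
// dereferences nullptr exactly like the reported crash.
uint64_t valMinusUnchecked(const GlobalVariable *GV, const ConstantInt *CI) {
  ConstantInt *CIInit = dyn_cast<ConstantInt>(GV->getInitializer());
  uint64_t ValInit = CIInit->getZExtValue();   // null deref when not a ConstantInt
  uint64_t ValOther = CI->getZExtValue();
  uint64_t ValMinus = ValOther - ValInit;
  return ValMinus;
}

// Checked form: bail out (return false) when the initializer is not an
// integer constant, and only then compute the difference.
bool valMinusChecked(const GlobalVariable *GV, const ConstantInt *CI, uint64_t &ValMinus) {
  ConstantInt *CIInit = dyn_cast<ConstantInt>(GV->getInitializer());
  if (!CIInit)
    return false;                              // not optimizable this way
  ValMinus = CI->getZExtValue() - CIInit->getZExtValue();
  return true;
}

// Constructed scenario from test.c: `static long b = a;` gives b a
// ConstantExpr initializer; `b = 0` stores the ConstantInt 0.
// Returns true when the checked form correctly declines to compute.
bool reproducerBailsOut() {
  GlobalVariable B{std::make_unique<ConstantExpr>()};
  ConstantInt Zero(0);
  uint64_t Unused = 0;
  return !valMinusChecked(&B, &Zero, Unused);
}

// Constructed happy path: integer initializer 3, stored value 10.
// Returns the computed difference (10 - 3), or UINT64_MAX on failure.
uint64_t integerCaseValue() {
  GlobalVariable B{std::make_unique<ConstantInt>(3)};
  ConstantInt Ten(10);
  uint64_t V = 0;
  return valMinusChecked(&B, &Ten, V) ? V : UINT64_MAX;
}

// The unchecked form agrees on the happy path; it is never called with the
// ConstantExpr initializer here because that would crash.
uint64_t uncheckedOnIntegerInit() {
  GlobalVariable B{std::make_unique<ConstantInt>(3)};
  ConstantInt Ten(10);
  return valMinusUnchecked(&B, &Ten);
}

int main() {
  return (reproducerBailsOut() && integerCaseValue() == 7 &&
          uncheckedOnIntegerInit() == 7) ? 0 : 1;
}
```

<p>The point of the checked form is that dyn_cast already encodes the "is this really a ConstantInt?" question in its return value; the fix is to act on that answer before touching the pointer, not to switch to cast<> (which would turn the segfault into an assertion failure in asserts builds and leave the release-build crash in place).</p>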
<hr>
<span>You are receiving this mail because:</span>
<ul>
<li>You are on the CC list for the bug.</li>
</ul>
</body>
</html>