<html>
    <head>
      <base href="https://bugs.llvm.org/">
    </head>
    <body><table border="1" cellspacing="0" cellpadding="8">
        <tr>
          <th>Bug ID</th>
          <td><a class="bz_bug_link 
          bz_status_NEW "
   title="NEW - null deref in llvm::ScalarEvolution::getMulExpr"
   href="https://bugs.llvm.org/show_bug.cgi?id=34968">34968</a>
          </td>
        </tr>

        <tr>
          <th>Summary</th>
          <td>null deref in llvm::ScalarEvolution::getMulExpr
          </td>
        </tr>

        <tr>
          <th>Product</th>
          <td>new-bugs
          </td>
        </tr>

        <tr>
          <th>Version</th>
          <td>unspecified
          </td>
        </tr>

        <tr>
          <th>Hardware</th>
          <td>PC
          </td>
        </tr>

        <tr>
          <th>OS</th>
          <td>Linux
          </td>
        </tr>

        <tr>
          <th>Status</th>
          <td>NEW
          </td>
        </tr>

        <tr>
          <th>Severity</th>
          <td>enhancement
          </td>
        </tr>

        <tr>
          <th>Priority</th>
          <td>P
          </td>
        </tr>

        <tr>
          <th>Component</th>
          <td>new bugs
          </td>
        </tr>

        <tr>
          <th>Assignee</th>
          <td>unassignedbugs@nondot.org
          </td>
        </tr>

        <tr>
          <th>Reporter</th>
          <td>kcc@google.com
          </td>
        </tr>

        <tr>
          <th>CC</th>
          <td>llvm-bugs@lists.llvm.org, mascasa@google.com, max.kazantsev@azul.com, vitalybuka@google.com
          </td>
        </tr></table>
      <p>
        <div>
        <pre>Observed at r315916 with the following input:

// Compiler-crash reproducer, reported as found by clang-proto-fuzzer.
// It is an input to compile, not a program to run: per the report, building it
// with the clang -cc1 -O2 command line shown below ends in SIGSEGV inside
// llvm::SCEV::getType(), reached from ScalarEvolution::getMulExpr under
// ReduceLoopStrength (see the backtrace).
// NOTE(review): presumably the exact expression shape matters for reproduction;
// keep the statements unchanged when reducing or adding this as a regression test.
void foo(int *a) {
  // Outer loop has no exit condition and no break.
  while (1) {
    // a[60] is updated from its own old value plus a[0].
    a[60] = ((1 + a[60]) + a[0]);
    // Inner loop condition reads both a[60] and a[0]; the body only writes a[0].
    while ((a[60] + a[0])) {
      a[0] = (a[0] + 1);
    }
  }
}

% clang -cc1 -triple x86_64-unknown-linux-gnu  -O2  -emit-obj z.cc

Program received signal SIGSEGV, Segmentation fault.
0x0000000001466b90 in llvm::SCEV::getType() const ()
(gdb) bt
#0  0x0000000001466b90 in llvm::SCEV::getType() const ()
#1  0x000000000146c6c9 in
llvm::ScalarEvolution::getMulExpr(llvm::SmallVectorImpl<llvm::SCEV const*>&,
llvm::SCEV::NoWrapFlags, unsigned int) ()
#2  0x000000000146ce97 in
llvm::ScalarEvolution::getMulExpr(llvm::SmallVectorImpl<llvm::SCEV const*>&,
llvm::SCEV::NoWrapFlags, unsigned int) ()
#3  0x000000000146df0d in
llvm::ScalarEvolution::getMulExpr(llvm::SmallVectorImpl<llvm::SCEV const*>&,
llvm::SCEV::NoWrapFlags, unsigned int) ()
#4  0x000000000147c8ec in llvm::ScalarEvolution::getNegativeSCEV(llvm::SCEV
const*, llvm::SCEV::NoWrapFlags) ()
#5  0x0000000001476566 in llvm::ScalarEvolution::getMinusSCEV(llvm::SCEV
const*, llvm::SCEV const*, llvm::SCEV::NoWrapFlags, unsigned int) ()
#6  0x0000000001497dc8 in
llvm::ScalarEvolution::isImpliedCondOperands(llvm::CmpInst::Predicate,
llvm::SCEV const*, llvm::SCEV const*, llvm::SCEV const*, llvm::SCEV const*) ()
#7  0x0000000001497c78 in
llvm::ScalarEvolution::isImpliedCond(llvm::CmpInst::Predicate, llvm::SCEV
const*, llvm::SCEV const*, llvm::CmpInst::Predicate, llvm::SCEV const*,
llvm::SCEV const*) ()
#8  0x0000000001472347 in
llvm::ScalarEvolution::isLoopBackedgeGuardedByCond(llvm::Loop const*,
llvm::CmpInst::Predicate, llvm::SCEV const*, llvm::SCEV const*) ()
#9  0x000000000146fafc in llvm::ScalarEvolution::getZeroExtendExpr(llvm::SCEV
const*, llvm::Type*, unsigned int) ()
#10 0x00000000014c1b6c in
llvm::SCEVExpander::getAddRecExprPHILiterally(llvm::SCEVAddRecExpr const*,
llvm::Loop const*, llvm::Type*, llvm::Type*, llvm::Type*&, bool&) ()
#11 0x00000000014c2980 in
llvm::SCEVExpander::expandAddRecExprLiterally(llvm::SCEVAddRecExpr const*) ()
#12 0x00000000014be62d in llvm::SCEVExpander::expand(llvm::SCEV const*) ()
#13 0x00000000014be009 in llvm::SCEVExpander::expandCodeFor(llvm::SCEV const*,
llvm::Type*) ()
#14 0x0000000001c152c9 in (anonymous namespace)::LSRInstance::Expand((anonymous
namespace)::LSRUse const&, (anonymous namespace)::LSRFixup const&, (anonymous
namespace)::Formula const&,
llvm::ilist_iterator<llvm::ilist_detail::node_options<llvm::Instruction, true,
false, void>, false, false>, llvm::SCEVExpander&,
llvm::SmallVectorImpl<llvm::WeakTrackingVH>&) const ()
#15 0x0000000001bf8c3e in (anonymous
namespace)::LSRInstance::LSRInstance(llvm::Loop*, llvm::IVUsers&,
llvm::ScalarEvolution&, llvm::DominatorTree&, llvm::LoopInfo&,
llvm::TargetTransformInfo const&) ()
#16 0x0000000001bf1c2f in ReduceLoopStrength(llvm::Loop*, llvm::IVUsers&,
llvm::ScalarEvolution&, llvm::DominatorTree&, llvm::LoopInfo&,
llvm::TargetTransformInfo const&) ()
#17 0x000000000143014b in llvm::LPPassManager::runOnFunction(llvm::Function&)
()
#18 0x00000000018c1eff in llvm::FPPassManager::runOnFunction(llvm::Function&)
()
#19 0x00000000018c2153 in llvm::FPPassManager::runOnModule(llvm::Module&) ()
#20 0x00000000018c2655 in llvm::legacy::PassManagerImpl::run(llvm::Module&) ()
#21 0x0000000001edbb4f in clang::EmitBackendOutput(clang::DiagnosticsEngine&,
clang::HeaderSearchOptions const&, clang::CodeGenOptions const&,
clang::TargetOptions const&, clang::LangOptions const&, llvm::DataLayout
const&, llvm::Module*, clang::BackendAction,
std::unique_ptr<llvm::raw_pwrite_stream,
std::default_delete<llvm::raw_pwrite_stream> >) ()
#22 0x000000000260455f in
clang::BackendConsumer::HandleTranslationUnit(clang::ASTContext&) ()
#23 0x0000000002a9c746 in clang::ParseAST(clang::Sema&, bool, bool) ()
#24 0x00000000022b5eb8 in clang::FrontendAction::Execute() ()
#25 0x0000000002279671 in
clang::CompilerInstance::ExecuteAction(clang::FrontendAction&) ()
#26 0x0000000002340b4f in
clang::ExecuteCompilerInvocation(clang::CompilerInstance*) ()
#27 0x00000000008754b5 in cc1_main(llvm::ArrayRef<char const*>, char const*,
void*) ()
#28 0x0000000000873093 in main ()

Found by clang-proto-fuzzer, see
<a href="https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=3661">https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=3661</a></pre>
        </div>
      </p>


    </body>
</html>