<table border="1" cellspacing="0" cellpadding="8">
    <tr>
        <th>Issue</th>
        <td>
            <a href=http://email.email.llvm.org/c/eJytVl2P4jYU_TXhxSKCMAHywANlZ7cjrdrRzrR9rJz4hrhy7NQfUObX99gBZpjdVqq6EvlwbJ977rnnJtRGnDbPHVli0jHOgqMpbz3ZaWspPnMBZ80-Bt14afTTQI3kSr7wOHrkzuXsQbNsOfP29Gy-0KB4Q79J3-2Mdp5rj6ms2LFtBGW-I2bHNT1pzzrucAwDaRJxVZxvjCAmSJEnlx5oOqrT9LxNgI3zNiQ2OfvRHOlANu4VXO-V1Hs2GKkRDJtN2j9i3WwEiZ4jLZmoP-12jw-Y_FU66Y3NFlv8tpqrk5PuC7mgvMOyPK79-vEoXM8H1lrTxzUXsVhWbOOCMw87bmGmZQdupQnYd0ZjA5QkaLl1bwG-VjvCNUZ7qQOlBG3QMXnpweDEuPfUDz5OCNS0xaEbQnSEeK9Pzp6vpCKntCjlAkFPzHJ4wtG-5ZjPs9mHbLYdzw8tKPSDTGAG0Y4oN-NCAMsxx7X08mWsCccI00qxhvumSzLcWgz2yYrVgSJ13nQoEwcnEWKls2JdB8-Cbo31QXNP6sScj3Bd2FNWVKyWPvkFXvGI4WKu3MfQx450YoeURrpAhC4In2ilNREKxrImBkzskuOjNNh2Ab-ucN9IAGBTkxTpUQTUpyyb1bypiDdV3azaqlzyWdnyqijXLRd37XpZLsu7cpYc9RDRBKvDPlUlVZTOZMDgmlYSUwtkhTwSC2PlXsI-Y9bvKF77tjYoTX9iwhyj-4n3F6QwjOOo0aX1LsK_qqkNU0bv0br_FOEGfKwmRA2DMlzcEn1Fle1NuPRMGCBr479dj4exVlw5c3bKiB38EJJ7k9NMotNjVmq68WzsxGL7-Pl--3TPfvr5-T42eXo2lvoNNxdbRx7AK_Xzq9U_7XZnYyRXuM4EJRLleuRa89jKMCsEPr2z5NmG8IgffRg3INE_qPEgHxs4ZQgozj49fmYHaVRq-9s8yh9ipr-L0A-5_8tn5Qd0Sef94FJGH_Hbox1DnSMaBkodLpfpORyGLVzkcF2tylWxWODuFrWoruGu1jxXK3-Rw3eJeoe7C3j-FvxN8BuTf7fIJe4uyPkVuagmYrMQ1aLiEx58Z-ym6ax0nqK18RKc_hlkMwlWbf5z_OTiSKAs1sV80m3mS7wcqvVsKZZ3qwIvDdzMqGoWi3pVNzWfKF6TchtokBUFZMI5diku3hgVg6e-LSDI5P8TkptiVsznBQ4MF_OcyoYXfDmfE82EaFfZ3Sx-MVUecXJj9xO7SZCg5jCpoJN7ncSXSu41UeIPhl56RZtf3v25-Le_FZPEcJPo_Q0HC_Y1>52821</a>
        </td>
    </tr>

    <tr>
        <th>Summary</th>
        <td>
            Use-after-free in FunctionSpecializationPass
        </td>
    </tr>

    <tr>
      <th>Labels</th>
      <td>
            bug,
            tools:opt
      </td>
    </tr>

    <tr>
      <th>Assignees</th>
      <td>
      </td>
    </tr>

    <tr>
      <th>Reporter</th>
      <td>
          christetreault-quic
      </td>
    </tr>
</table>

<pre>
    There is a use-after-free issue in FunctionSpecializationPass. In `tryToReplaceWithConstant`, after the replacement has happened, the code deletes the newly-replaced instruction. However, dangling pointers to the deleted instruction remain in `SCCPInstVisitor::AnalysisResults`. `AnalysisResults` is a map from `Function *` to the results of various analysis passes. As `FunctionSpecializationPass` continues to run, it may attempt to dereference this dangling pointer. The result of this is a very rare segfault.

If compiling opt with address sanitizer, asan will catch the use-after-free. I've attached a reduced (but unfortunately still huge) bitcode test case that, when opt is compiled to use asan, will reproduce the issue. This bitcode reproduces the use-after-free as of commit `55c71c9eac9bc7f956a05fa9258fad4f86565450`. I used bugpoint to reduce this test case, and while the original case reproduces the issue in both my downstream and upstream opt, the reduced test case no longer reproduces the issue in my downstream. I'll upload the original test case if the reduced case does not reproduce the issue. I will also attach the output of asan on my machine.

**PLEASE NOTE:** This test case is derived from compiling GCC. This code should not be the basis for any test case that is committed to the project as it will be a GPL violation.

[asan_dump.txt](https://github.com/llvm/llvm-project/files/7757233/asan_dump.txt)
[bugpoint reduced.zip](https://github.com/llvm/llvm-project/files/7757234/bugpoint.reduced.zip)
[original case.zip](https://github.com/llvm/llvm-project/files/7757235/original.case.zip)
</pre>
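<p>Added example, not part of the original report and not LLVM code: a simplified model of the pattern described above, where a per-function results map caches raw pointers to an instruction that is then deleted. All type and function names (Inst, Func, AnalysisResults, replaceAndErase, countDangling, danglingAfterErase) are hypothetical; it compares the erase with and without purging the cached pointers first.</p>

```cpp
// Added illustration: simplified model, not LLVM code; every name is hypothetical.
#include <cstdio>
#include <map>
#include <memory>
#include <set>
#include <string>
#include <vector>

struct Inst { std::string name; };
struct Func { std::vector<std::unique_ptr<Inst>> body; };
// Per-function analysis state that caches raw, non-owning Inst pointers.
struct AnalysisResults { std::set<const Inst*> tracked; };
using ResultMap = std::map<const Func*, AnalysisResults>;

// Deletes instruction idx of F; with purge set, cached pointers are dropped first.
bool replaceAndErase(Func& F, std::size_t idx, ResultMap& results, bool purge) {
    if (idx >= F.body.size()) return false;
    const Inst* victim = F.body[idx].get();
    if (purge)
        for (auto& entry : results) entry.second.tracked.erase(victim);
    F.body.erase(F.body.begin() + idx);  // the Inst is destroyed here
    return true;
}

// Counts cached pointers that name no live instruction of F (addresses only, no deref).
std::size_t countDangling(const Func& F, const ResultMap& results) {
    auto it = results.find(&F);
    if (it == results.end()) return 0;
    std::set<const Inst*> live;
    for (const auto& I : F.body) live.insert(I.get());
    std::size_t n = 0;
    for (const Inst* p : it->second.tracked) n += live.count(p) ? 0 : 1;
    return n;
}

// Constructed scenario: three instructions, all cached, the middle one erased.
std::size_t danglingAfterErase(bool purge) {
    Func F;
    ResultMap results;
    for (const char* n : {"a", "b", "c"}) {
        F.body.emplace_back(new Inst{n});
        results[&F].tracked.insert(F.body.back().get());
    }
    replaceAndErase(F, 1, results, purge);
    return countDangling(F, results);
}

int main() {
    std::printf("no purge: %zu, purge: %zu\n", danglingAfterErase(false), danglingAfterErase(true));
}
```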