<table border="1" cellspacing="0" cellpadding="8">
    <tr>
        <th>Issue</th>
        <td>
            <a href="https://github.com/llvm/llvm-project/issues/57282">57282</a>
        </td>
    </tr>

    <tr>
        <th>Summary</th>
        <td>
            AArch64 GlobalISel double free at `AArch64GenPreLegalizerCombinerHelper::tryCombineAll`
        </td>
    </tr>

    <tr>
      <th>Labels</th>
      <td>
            new issue
      </td>
    </tr>

    <tr>
      <th>Assignees</th>
      <td>
      </td>
    </tr>

    <tr>
      <th>Reporter</th>
      <td>
          DataCorrupted
      </td>
    </tr>
</table>

<pre>
    When compiling the following piece of code, AArch64 will have a double free. It seems when the index is incorrect or invalid, it will trigger a double free.

```
; ModuleID = 'PoC.bc'
source_filename = "M"

define void @f() {
BB:
  %A = alloca <32 x i8>, align 32
  %I = insertelement <32 x i8> <i8 127, i8 127, i8 127, i8 127, i8 127, i8 127, i8 127, i8 127, i8 127, i8 127, i8 127, i8 127, i8 127, i8 127, i8 127, i8 127, i8 127, i8 127, i8 127, i8 127, i8 127, i8 127, i8 127, i8 127, i8 127, i8 127, i8 127, i8 127, i8 127, i8 127, i8 127, i8 127>, i8 -128, i64 -1
  store <32 x i8> %I, <32 x i8>* %A, align 32
  ret void
}
```

```
; ModuleID = 'PoC.bc'
source_filename = "M"

define void @f() {
BB:
  %A = alloca <8 x i8>, align 8
  %I = insertelement <8 x i8> <i8 16, i8 16, i8 16, i8 16, i8 16, i8 16, i8 16, i8 16>, i8 -1, i1 true
  store <8 x i8> %I, <8 x i8>* %A, align 8
  ret void
}
```

Here's a report:

```
PLEASE submit a bug report to https://github.com/llvm/llvm-project/issues/ and include the crash backtrace.
Stack dump:
0.      Program arguments: llc -mtriple=aarch64 -global-isel PoC.ll
1.      Running pass 'Function Pass Manager' on module 'PoC.ll'.
2.      Running pass 'AArch64PreLegalizerCombiner' on function '@f'
 #0 0x000000000231b3e3 llvm::sys::PrintStackTrace(llvm::raw_ostream&, int) (/home/peter/clang+llvm14/bin/llc+0x231b3e3)
 #1 0x000000000231933e llvm::sys::RunSignalHandlers() (/home/peter/clang+llvm14/bin/llc+0x231933e)
 #2 0x000000000231b76f SignalHandler(int) Signals.cpp:0:0
 #3 0x00007f40c591a980 __restore_rt (/lib/x86_64-linux-gnu/libpthread.so.0+0x12980)
 #4 0x00007f40c480ae87 raise /build/glibc-uZu3wS/glibc-2.27/signal/../sysdeps/unix/sysv/linux/raise.c:51:0
 #5 0x00007f40c480c7f1 abort /build/glibc-uZu3wS/glibc-2.27/stdlib/abort.c:81:0
 #6 0x00007f40c4855837 __libc_message /build/glibc-uZu3wS/glibc-2.27/libio/../sysdeps/posix/libc_fatal.c:181:0
 #7 0x00007f40c485c8ba /build/glibc-uZu3wS/glibc-2.27/malloc/malloc.c:5342:0
 #8 0x00007f40c4863e4a _int_free /build/glibc-uZu3wS/glibc-2.27/malloc/malloc.c:4308:0
 #9 0x00007f40c4863e4a free /build/glibc-uZu3wS/glibc-2.27/malloc/malloc.c:3134:0
#10 0x000000000082a37a (anonymous namespace)::AArch64GenPreLegalizerCombinerHelper::tryCombineAll(llvm::GISelChangeObserver&, llvm::MachineInstr&, llvm::MachineIRBuilder&) const AArch64PreLegalizerCombiner.cpp:0:0
#11 0x0000000000826c45 (anonymous namespace)::AArch64PreLegalizerCombinerInfo::combine(llvm::GISelChangeObserver&, llvm::MachineInstr&, llvm::MachineIRBuilder&) const AArch64PreLegalizerCombiner.cpp:0:0
#12 0x0000000002735542 llvm::Combiner::combineMachineInstrs(llvm::MachineFunction&, llvm::GISelCSEInfo*) (/home/peter/clang+llvm14/bin/llc+0x2735542)
#13 0x00000000008267d1 (anonymous namespace)::AArch64PreLegalizerCombiner::runOnMachineFunction(llvm::MachineFunction&) AArch64PreLegalizerCombiner.cpp:0:0
#14 0x0000000001965a8e llvm::MachineFunctionPass::runOnFunction(llvm::Function&) (/home/peter/clang+llvm14/bin/llc+0x1965a8e)
#15 0x0000000001cf6a8d llvm::FPPassManager::runOnFunction(llvm::Function&) (/home/peter/clang+llvm14/bin/llc+0x1cf6a8d)
#16 0x0000000001cfde03 llvm::FPPassManager::runOnModule(llvm::Module&) (/home/peter/clang+llvm14/bin/llc+0x1cfde03)
#17 0x0000000001cf7660 llvm::legacy::PassManagerImpl::run(llvm::Module&) (/home/peter/clang+llvm14/bin/llc+0x1cf7660)
#18 0x00000000006e749e main (/home/peter/clang+llvm14/bin/llc+0x6e749e)
#19 0x00007f40c47edc87 __libc_start_main /build/glibc-uZu3wS/glibc-2.27/csu/../csu/libc-start.c:344:0
#20 0x00000000006e25da _start (/home/peter/clang+llvm14/bin/llc+0x6e25da)
Aborted
```
</pre>
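The report suspects an incorrect or invalid index. As an added example (not part of the original report and not LLVM code), this Python helper classifies the constant `insertelement` index in each PoC under the LLVM Language Reference rule that the index is treated as unsigned and that an index past the vector length yields poison, and it also shows the signed reading of the same bits. The names `classify_index`, `POC_WIDE` and `POC_I1` are hypothetical, and the script makes no claim about the root cause in the combiner.

```python
import re

# Fixed-length vector insertelement whose last operand is a constant index.
INSERT_RE = re.compile(
    r"insertelement\s+<(\d+)\s+x\s+[^>]+>.*,\s*i(\d+)\s+(-?\d+|true|false)\s*$"
)

def classify_index(line):
    """Return lane count and both readings of a constant insertelement index."""
    m = INSERT_RE.search(line)
    if m is None:
        return None  # not an insertelement, scalable vector, or variable index
    lanes, bits, tok = int(m.group(1)), int(m.group(2)), m.group(3)
    raw = {"true": 1, "false": 0}.get(tok)
    if raw is None:
        raw = int(tok)
    unsigned = raw & ((1 << bits) - 1)          # LangRef: index is unsigned
    signed = unsigned - (1 << bits) if unsigned >> (bits - 1) else unsigned
    return {
        "lanes": lanes,
        "unsigned": unsigned,
        "signed": signed,
        "in_range": unsigned < lanes,           # out of range => poison result
        "readings_differ": unsigned != signed,
    }

# The two insertelement instructions from the report's PoCs.
POC_WIDE = ("  %I = insertelement <32 x i8> <" + ", ".join(["i8 127"] * 32)
            + ">, i8 -128, i64 -1")
POC_I1 = ("  %I = insertelement <8 x i8> <" + ", ".join(["i8 16"] * 8)
          + ">, i8 -1, i1 true")

if __name__ == "__main__":
    for name, line in (("PoC 1", POC_WIDE), ("PoC 2", POC_I1)):
        print(name, classify_index(line))
```

The first PoC's index is out of range under the unsigned rule, while the second (`i1 true`) is lane 1 when read as unsigned and -1 only if the single bit is sign-extended.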