[LLVMbugs] [Bug 4707] New: Use after free in thumb2 tests

bugzilla-daemon at cs.uiuc.edu
Tue Aug 11 12:36:25 PDT 2009


http://llvm.org/bugs/show_bug.cgi?id=4707

           Summary: Use after free in thumb2 tests
           Product: libraries
           Version: trunk
          Platform: PC
        OS/Version: All
            Status: NEW
          Severity: normal
          Priority: P2
         Component: Backend: ARM
        AssignedTo: unassignedbugs at nondot.org
        ReportedBy: benny.kra at gmail.com
                CC: llvmbugs at cs.uiuc.edu


The following tests show errors in valgrind:
test/CodeGen/Thumb2/thumb2-ldr.ll
test/CodeGen/Thumb2/thumb2-ldrb.ll
test/CodeGen/Thumb2/thumb2-ldrh.ll
test/CodeGen/Thumb2/thumb2-mov3.ll
test/CodeGen/Thumb2/thumb2-str.ll
test/CodeGen/Thumb2/thumb2-strb.ll
test/CodeGen/Thumb2/thumb2-strh.ll

Example valgrind log (thumb2-str.ll) on OS X 10.5.8:
 Invalid read of size 1
    at 0x3B183D: llvm::MachineOperand::isReg() const (MachineOperand.h:144)
    by 0x388A64: UpdateCPSRLiveness(llvm::MachineInstr&, bool)
(Thumb2SizeReduction.cpp:446)
    by 0x38A087: (anonymous
namespace)::Thumb2SizeReduce::ReduceMBB(llvm::MachineBasicBlock&)
(Thumb2SizeReduction.cpp:513)
    by 0x38A17E: (anonymous
namespace)::Thumb2SizeReduce::runOnMachineFunction(llvm::MachineFunction&)
(Thumb2SizeReduction.cpp:528)
    by 0x579D74: llvm::MachineFunctionPass::runOnFunction(llvm::Function&)
(MachineFunctionPass.cpp:31)
    by 0x7AA35B: llvm::FPPassManager::runOnFunction(llvm::Function&)
(PassManager.cpp:1372)
    by 0x7AA5CB: llvm::FunctionPassManagerImpl::run(llvm::Function&)
(PassManager.cpp:1324)
    by 0x7AA6DF: llvm::FunctionPassManager::run(llvm::Function&)
(PassManager.cpp:1254)
    by 0x33B9: main (llc.cpp:394)
  Address 0x1966dd0 is 0 bytes inside a block of size 120 free'd
    at 0x1598B1A: operator delete(void*) (vg_replace_malloc.c:346)
    by 0x52A292:
__gnu_cxx::new_allocator<llvm::MachineOperand>::deallocate(llvm::MachineOperand*,
unsigned long) (ext/new_allocator.h:94)
    by 0x52A2BC: std::_Vector_base<llvm::MachineOperand,
std::allocator<llvm::MachineOperand> >::_M_deallocate(llvm::MachineOperand*,
unsigned long) (stl_vector.h:123)
    by 0x52A2FB: std::_Vector_base<llvm::MachineOperand,
std::allocator<llvm::MachineOperand> >::~_Vector_base() (stl_vector.h:109)
    by 0x52A372: std::vector<llvm::MachineOperand,
std::allocator<llvm::MachineOperand> >::~vector() (stl_vector.h:273)
    by 0x57CD76: llvm::MachineInstr::~MachineInstr() (MachineInstr.cpp:438)
    by 0x5727A4: llvm::MachineFunction::DeleteMachineInstr(llvm::MachineInstr*)
(MachineFunction.cpp:198)
    by 0x568092:
llvm::ilist_traits<llvm::MachineInstr>::deleteNode(llvm::MachineInstr*)
(MachineBasicBlock.cpp:120)
    by 0x4B502E: llvm::iplist<llvm::MachineInstr,
llvm::ilist_traits<llvm::MachineInstr>
>::erase(llvm::ilist_iterator<llvm::MachineInstr>) (ilist.h:463)
    by 0x4B504E:
llvm::MachineBasicBlock::erase(llvm::ilist_iterator<llvm::MachineInstr>)
(MachineBasicBlock.h:272)
    by 0x3892D4: (anonymous
namespace)::Thumb2SizeReduce::ReduceToNarrow(llvm::MachineBasicBlock&,
llvm::MachineInstr*, (anonymous namespace)::ReduceEntry const&, bool)
(Thumb2SizeReduction.cpp:437)
    by 0x38A057: (anonymous
namespace)::Thumb2SizeReduce::ReduceMBB(llvm::MachineBasicBlock&)
(Thumb2SizeReduction.cpp:508)

 Invalid read of size 1
    at 0x3B183D: llvm::MachineOperand::isReg() const (MachineOperand.h:144)
    by 0x5427E9: llvm::MachineOperand::isUndef() const (MachineOperand.h:205)
    by 0x388A76: UpdateCPSRLiveness(llvm::MachineInstr&, bool)
(Thumb2SizeReduction.cpp:446)
    by 0x38A087: (anonymous
namespace)::Thumb2SizeReduce::ReduceMBB(llvm::MachineBasicBlock&)
(Thumb2SizeReduction.cpp:513)
    by 0x38A17E: (anonymous
namespace)::Thumb2SizeReduce::runOnMachineFunction(llvm::MachineFunction&)
(Thumb2SizeReduction.cpp:528)
    by 0x579D74: llvm::MachineFunctionPass::runOnFunction(llvm::Function&)
(MachineFunctionPass.cpp:31)
    by 0x7AA35B: llvm::FPPassManager::runOnFunction(llvm::Function&)
(PassManager.cpp:1372)
    by 0x7AA5CB: llvm::FunctionPassManagerImpl::run(llvm::Function&)
(PassManager.cpp:1324)
    by 0x7AA6DF: llvm::FunctionPassManager::run(llvm::Function&)
(PassManager.cpp:1254)
    by 0x33B9: main (llc.cpp:394)
  Address 0x1966dd0 is 0 bytes inside a block of size 120 free'd
    at 0x1598B1A: operator delete(void*) (vg_replace_malloc.c:346)
    by 0x52A292:
__gnu_cxx::new_allocator<llvm::MachineOperand>::deallocate(llvm::MachineOperand*,
unsigned long) (ext/new_allocator.h:94)
    by 0x52A2BC: std::_Vector_base<llvm::MachineOperand,
std::allocator<llvm::MachineOperand> >::_M_deallocate(llvm::MachineOperand*,
unsigned long) (stl_vector.h:123)
    by 0x52A2FB: std::_Vector_base<llvm::MachineOperand,
std::allocator<llvm::MachineOperand> >::~_Vector_base() (stl_vector.h:109)
    by 0x52A372: std::vector<llvm::MachineOperand,
std::allocator<llvm::MachineOperand> >::~vector() (stl_vector.h:273)
    by 0x57CD76: llvm::MachineInstr::~MachineInstr() (MachineInstr.cpp:438)
    by 0x5727A4: llvm::MachineFunction::DeleteMachineInstr(llvm::MachineInstr*)
(MachineFunction.cpp:198)
    by 0x568092:
llvm::ilist_traits<llvm::MachineInstr>::deleteNode(llvm::MachineInstr*)
(MachineBasicBlock.cpp:120)
    by 0x4B502E: llvm::iplist<llvm::MachineInstr,
llvm::ilist_traits<llvm::MachineInstr>
>::erase(llvm::ilist_iterator<llvm::MachineInstr>) (ilist.h:463)
    by 0x4B504E:
llvm::MachineBasicBlock::erase(llvm::ilist_iterator<llvm::MachineInstr>)
(MachineBasicBlock.h:272)
    by 0x3892D4: (anonymous
namespace)::Thumb2SizeReduce::ReduceToNarrow(llvm::MachineBasicBlock&,
llvm::MachineInstr*, (anonymous namespace)::ReduceEntry const&, bool)
(Thumb2SizeReduction.cpp:437)
    by 0x38A057: (anonymous
namespace)::Thumb2SizeReduce::ReduceMBB(llvm::MachineBasicBlock&)
(Thumb2SizeReduction.cpp:508)

 Invalid read of size 4
    at 0x542830: llvm::MachineOperand::isUndef() const (MachineOperand.h:206)
    by 0x388A76: UpdateCPSRLiveness(llvm::MachineInstr&, bool)
(Thumb2SizeReduction.cpp:446)
    by 0x38A087: (anonymous
namespace)::Thumb2SizeReduce::ReduceMBB(llvm::MachineBasicBlock&)
(Thumb2SizeReduction.cpp:513)
    by 0x38A17E: (anonymous
namespace)::Thumb2SizeReduce::runOnMachineFunction(llvm::MachineFunction&)
(Thumb2SizeReduction.cpp:528)
    by 0x579D74: llvm::MachineFunctionPass::runOnFunction(llvm::Function&)
(MachineFunctionPass.cpp:31)
    by 0x7AA35B: llvm::FPPassManager::runOnFunction(llvm::Function&)
(PassManager.cpp:1372)
    by 0x7AA5CB: llvm::FunctionPassManagerImpl::run(llvm::Function&)
(PassManager.cpp:1324)
    by 0x7AA6DF: llvm::FunctionPassManager::run(llvm::Function&)
(PassManager.cpp:1254)
    by 0x33B9: main (llc.cpp:394)
  Address 0x1966dd0 is 0 bytes inside a block of size 120 free'd
    at 0x1598B1A: operator delete(void*) (vg_replace_malloc.c:346)
    by 0x52A292:
__gnu_cxx::new_allocator<llvm::MachineOperand>::deallocate(llvm::MachineOperand*,
unsigned long) (ext/new_allocator.h:94)
    by 0x52A2BC: std::_Vector_base<llvm::MachineOperand,
std::allocator<llvm::MachineOperand> >::_M_deallocate(llvm::MachineOperand*,
unsigned long) (stl_vector.h:123)
    by 0x52A2FB: std::_Vector_base<llvm::MachineOperand,
std::allocator<llvm::MachineOperand> >::~_Vector_base() (stl_vector.h:109)
    by 0x52A372: std::vector<llvm::MachineOperand,
std::allocator<llvm::MachineOperand> >::~vector() (stl_vector.h:273)
    by 0x57CD76: llvm::MachineInstr::~MachineInstr() (MachineInstr.cpp:438)
    by 0x5727A4: llvm::MachineFunction::DeleteMachineInstr(llvm::MachineInstr*)
(MachineFunction.cpp:198)
    by 0x568092:
llvm::ilist_traits<llvm::MachineInstr>::deleteNode(llvm::MachineInstr*)
(MachineBasicBlock.cpp:120)
    by 0x4B502E: llvm::iplist<llvm::MachineInstr,
llvm::ilist_traits<llvm::MachineInstr>
>::erase(llvm::ilist_iterator<llvm::MachineInstr>) (ilist.h:463)
    by 0x4B504E:
llvm::MachineBasicBlock::erase(llvm::ilist_iterator<llvm::MachineInstr>)
(MachineBasicBlock.h:272)
    by 0x3892D4: (anonymous
namespace)::Thumb2SizeReduce::ReduceToNarrow(llvm::MachineBasicBlock&,
llvm::MachineInstr*, (anonymous namespace)::ReduceEntry const&, bool)
(Thumb2SizeReduction.cpp:437)
    by 0x38A057: (anonymous
namespace)::Thumb2SizeReduce::ReduceMBB(llvm::MachineBasicBlock&)
(Thumb2SizeReduction.cpp:508)

 Invalid read of size 1
    at 0x3B183D: llvm::MachineOperand::isReg() const (MachineOperand.h:144)
    by 0x37026B: llvm::MachineOperand::getReg() const (MachineOperand.h:170)
    by 0x388A97: UpdateCPSRLiveness(llvm::MachineInstr&, bool)
(Thumb2SizeReduction.cpp:448)
    by 0x38A087: (anonymous
namespace)::Thumb2SizeReduce::ReduceMBB(llvm::MachineBasicBlock&)
(Thumb2SizeReduction.cpp:513)
    by 0x38A17E: (anonymous
namespace)::Thumb2SizeReduce::runOnMachineFunction(llvm::MachineFunction&)
(Thumb2SizeReduction.cpp:528)
    by 0x579D74: llvm::MachineFunctionPass::runOnFunction(llvm::Function&)
(MachineFunctionPass.cpp:31)
    by 0x7AA35B: llvm::FPPassManager::runOnFunction(llvm::Function&)
(PassManager.cpp:1372)
    by 0x7AA5CB: llvm::FunctionPassManagerImpl::run(llvm::Function&)
(PassManager.cpp:1324)
    by 0x7AA6DF: llvm::FunctionPassManager::run(llvm::Function&)
(PassManager.cpp:1254)
    by 0x33B9: main (llc.cpp:394)
  Address 0x1966dd0 is 0 bytes inside a block of size 120 free'd
    at 0x1598B1A: operator delete(void*) (vg_replace_malloc.c:346)
    by 0x52A292:
__gnu_cxx::new_allocator<llvm::MachineOperand>::deallocate(llvm::MachineOperand*,
unsigned long) (ext/new_allocator.h:94)
    by 0x52A2BC: std::_Vector_base<llvm::MachineOperand,
std::allocator<llvm::MachineOperand> >::_M_deallocate(llvm::MachineOperand*,
unsigned long) (stl_vector.h:123)
    by 0x52A2FB: std::_Vector_base<llvm::MachineOperand,
std::allocator<llvm::MachineOperand> >::~_Vector_base() (stl_vector.h:109)
    by 0x52A372: std::vector<llvm::MachineOperand,
std::allocator<llvm::MachineOperand> >::~vector() (stl_vector.h:273)
    by 0x57CD76: llvm::MachineInstr::~MachineInstr() (MachineInstr.cpp:438)
    by 0x5727A4: llvm::MachineFunction::DeleteMachineInstr(llvm::MachineInstr*)
(MachineFunction.cpp:198)
    by 0x568092:
llvm::ilist_traits<llvm::MachineInstr>::deleteNode(llvm::MachineInstr*)
(MachineBasicBlock.cpp:120)
    by 0x4B502E: llvm::iplist<llvm::MachineInstr,
llvm::ilist_traits<llvm::MachineInstr>
>::erase(llvm::ilist_iterator<llvm::MachineInstr>) (ilist.h:463)
    by 0x4B504E:
llvm::MachineBasicBlock::erase(llvm::ilist_iterator<llvm::MachineInstr>)
(MachineBasicBlock.h:272)
    by 0x3892D4: (anonymous
namespace)::Thumb2SizeReduce::ReduceToNarrow(llvm::MachineBasicBlock&,
llvm::MachineInstr*, (anonymous namespace)::ReduceEntry const&, bool)
(Thumb2SizeReduction.cpp:437)
    by 0x38A057: (anonymous
namespace)::Thumb2SizeReduce::ReduceMBB(llvm::MachineBasicBlock&)
(Thumb2SizeReduction.cpp:508)

 Invalid read of size 4
    at 0x3702B2: llvm::MachineOperand::getReg() const (MachineOperand.h:171)
    by 0x388A97: UpdateCPSRLiveness(llvm::MachineInstr&, bool)
(Thumb2SizeReduction.cpp:448)
    by 0x38A087: (anonymous
namespace)::Thumb2SizeReduce::ReduceMBB(llvm::MachineBasicBlock&)
(Thumb2SizeReduction.cpp:513)
    by 0x38A17E: (anonymous
namespace)::Thumb2SizeReduce::runOnMachineFunction(llvm::MachineFunction&)
(Thumb2SizeReduction.cpp:528)
    by 0x579D74: llvm::MachineFunctionPass::runOnFunction(llvm::Function&)
(MachineFunctionPass.cpp:31)
    by 0x7AA35B: llvm::FPPassManager::runOnFunction(llvm::Function&)
(PassManager.cpp:1372)
    by 0x7AA5CB: llvm::FunctionPassManagerImpl::run(llvm::Function&)
(PassManager.cpp:1324)
    by 0x7AA6DF: llvm::FunctionPassManager::run(llvm::Function&)
(PassManager.cpp:1254)
    by 0x33B9: main (llc.cpp:394)
  Address 0x1966dd8 is 8 bytes inside a block of size 120 free'd
    at 0x1598B1A: operator delete(void*) (vg_replace_malloc.c:346)
    by 0x52A292:
__gnu_cxx::new_allocator<llvm::MachineOperand>::deallocate(llvm::MachineOperand*,
unsigned long) (ext/new_allocator.h:94)
    by 0x52A2BC: std::_Vector_base<llvm::MachineOperand,
std::allocator<llvm::MachineOperand> >::_M_deallocate(llvm::MachineOperand*,
unsigned long) (stl_vector.h:123)
    by 0x52A2FB: std::_Vector_base<llvm::MachineOperand,
std::allocator<llvm::MachineOperand> >::~_Vector_base() (stl_vector.h:109)
    by 0x52A372: std::vector<llvm::MachineOperand,
std::allocator<llvm::MachineOperand> >::~vector() (stl_vector.h:273)
    by 0x57CD76: llvm::MachineInstr::~MachineInstr() (MachineInstr.cpp:438)
    by 0x5727A4: llvm::MachineFunction::DeleteMachineInstr(llvm::MachineInstr*)
(MachineFunction.cpp:198)
    by 0x568092:
llvm::ilist_traits<llvm::MachineInstr>::deleteNode(llvm::MachineInstr*)
(MachineBasicBlock.cpp:120)
    by 0x4B502E: llvm::iplist<llvm::MachineInstr,
llvm::ilist_traits<llvm::MachineInstr>
>::erase(llvm::ilist_iterator<llvm::MachineInstr>) (ilist.h:463)
    by 0x4B504E:
llvm::MachineBasicBlock::erase(llvm::ilist_iterator<llvm::MachineInstr>)
(MachineBasicBlock.h:272)
    by 0x3892D4: (anonymous
namespace)::Thumb2SizeReduce::ReduceToNarrow(llvm::MachineBasicBlock&,
llvm::MachineInstr*, (anonymous namespace)::ReduceEntry const&, bool)
(Thumb2SizeReduction.cpp:437)
    by 0x38A057: (anonymous
namespace)::Thumb2SizeReduce::ReduceMBB(llvm::MachineBasicBlock&)
(Thumb2SizeReduction.cpp:508)

This might be the cause of the test failures on Solaris.


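The erase-then-use shape the log shows (the block is freed under ReduceToNarrow via MachineBasicBlock::erase, then read in UpdateCPSRLiveness called from ReduceMBB), as an added example that is not part of the original report and is not LLVM code. Instr, Block, reduce_to_narrow, read_operands and reduce_block are hypothetical stand-ins, and the re-fetch shown is one way to avoid the stale pointer, not necessarily the project's fix.

```cpp
// Constructed model of the erase-then-use pattern in the trace; not LLVM code.
#include <iterator>
#include <list>
#include <vector>

struct Instr {                       // stand-in for llvm::MachineInstr
    std::vector<int> operands;       // stand-in for the MachineOperand vector
    bool wide;
};
using Block = std::list<Instr>;      // stand-in for llvm::MachineBasicBlock

// Stand-in for ReduceToNarrow: inserts a narrow copy before `it`, then erases
// the wide original. After this returns, any Instr* to the original dangles.
bool reduce_to_narrow(Block &bb, Block::iterator it) {
    if (!it->wide) return false;
    bb.insert(it, Instr{it->operands, false});
    bb.erase(it);                    // frees the node and its operand storage
    return true;
}

// Stand-in for UpdateCPSRLiveness: reads the instruction's operands.
int read_operands(const Instr &mi) {
    int sum = 0;
    for (int op : mi.operands) sum += op;
    return sum;
}

// Stand-in for ReduceMBB, hardened form.
int reduce_block(Block &bb) {
    int total = 0;
    for (auto it = bb.begin(), next = it; it != bb.end(); it = next) {
        next = std::next(it);        // saved before any erase
        Instr *mi = &*it;
        if (reduce_to_narrow(bb, it))
            mi = &*std::prev(next);  // re-fetch: replacement sits before `next`
        // Without the re-fetch, `mi` points at the erased node here, which is
        // the shape of the invalid read valgrind reports.
        total += read_operands(*mi);
    }
    return total;
}

int main() {
    Block bb{Instr{{1, 2}, true}, Instr{{3}, false}, Instr{{4, 5}, true}};
    return reduce_block(bb) == 15 ? 0 : 1;  // constructed sample input
}
```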