[LLVMbugs] [Bug 4180] New: MDNodes may be used after being destroyed

bugzilla-daemon at cs.uiuc.edu bugzilla-daemon at cs.uiuc.edu
Fri May 8 05:09:28 PDT 2009 

http://llvm.org/bugs/show_bug.cgi?id=4180

           Summary: MDNodes may be used after being destroyed
           Product: new-bugs
           Version: unspecified
          Platform: PC
        OS/Version: Linux
            Status: NEW
          Severity: normal
          Priority: P2
         Component: new bugs
        AssignedTo: unassignedbugs at nondot.org
        ReportedBy: fvbommel at wxs.nl
                CC: llvmbugs at cs.uiuc.edu


Created an attachment (id=2975)
 --> (http://llvm.org/bugs/attachment.cgi?id=2975)
Valgrind output for example program

I'm seeing crashes due to invalid pointer accesses from
==24533==    at 0x498DDF:
llvm::FoldingSetImpl::FindNodeOrInsertPos(llvm::FoldingSetNodeID const&,
void*&) (in /home/urxae/tmp/llvm-test/mdnode/test)
==24533==    by 0x40C9C1: llvm::MDNode::get(llvm::Constant* const*, unsigned)
(in /home/urxae/tmp/llvm-test/mdnode/test)

These seem to be because MDNodes don't get removed from the MDNodeSet global
upon destruction.

I'm attaching full valgrind output for the following program:
=====
#include "llvm/Module.h"
#include "llvm/Type.h"
#include "llvm/DerivedTypes.h"
#include "llvm/Constants.h"
#include "llvm/GlobalVariable.h"

using namespace llvm;

int main() {
    const Type* Ty = Type::Int32Ty;
    char buf[20];
    const unsigned MAX = 100;
    for (unsigned i = 0; i < MAX; i++) {
        snprintf(buf, 20, "var_%u", i);

        Module* M = new Module("test");
        Constant* vals[] = {
            new GlobalVariable(Ty, true, GlobalValue::WeakODRLinkage,
UndefValue::get(Ty), buf, M),
        };
        Constant* node = MDNode::get(vals, sizeof(vals) / sizeof(vals[0]));

        delete M;
    }
    return 0;
}
=====
(If you can't reproduce, try increasing the loop count)

The patch is extremely trivial, once problem is diagnosed:
######
Index: lib/VMCore/Constants.cpp
===================================================================
--- lib/VMCore/Constants.cpp    (revision 71118)
+++ lib/VMCore/Constants.cpp    (working copy)
@@ -1714,6 +1714,7 @@
 }

 void MDNode::destroyConstant() {
+  MDNodeSet->RemoveNode(this);
   destroyConstantImpl();
 }

######


-- 
Configure bugmail: http://llvm.org/bugs/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are on the CC list for the bug.

More information about the llvm-bugs mailing list