[LLVMbugs] [Bug 5097] New: Buffer overflow in LoopSimplify
bugzilla-daemon at cs.uiuc.edu
Tue Sep 29 04:44:39 PDT 2009
http://llvm.org/bugs/show_bug.cgi?id=5097
Summary: Buffer overflow in LoopSimplify
Product: new-bugs
Version: unspecified
Platform: PC
OS/Version: Linux
Status: NEW
Severity: normal
Priority: P2
Component: new bugs
AssignedTo: unassignedbugs at nondot.org
ReportedBy: baldrick at free.fr
CC: llvmbugs at cs.uiuc.edu
Created an attachment (id=3583)
--> (http://llvm.org/bugs/attachment.cgi?id=3583)
testcase .ll
Reproduce by building with expensive checking and doing:
opt bugpoint-reduced-simplified.ll -loop-unswitch -loopsimplify -iv-users
The problem seems to be that in lines 275...282 of LoopSimplify.cpp
  const std::vector<DomTreeNodeBase<BasicBlock> *> &Children =
    Node->getChildren();
  for (unsigned k = 0, g = Children.size(); k != g; ++k) {
    DT->changeImmediateDominator(Children[k], Node->getIDom());
    if (DF) DF->changeImmediateDominator(Children[k]->getBlock(),
                                        Node->getIDom()->getBlock(),
                                        DT);
  }
the code inside the loop mutates the Node->getChildren() vector.
Since Children is a reference to this vector, it can change as the
loop is executed. In the testcase Children has length 1, so the
loop is entered. It looks like the first line resizes Children to
be empty. Then the second line accesses off the end of Children.
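The aliasing hazard described in the report, as an added example that is not part of the bug report or of LLVM's own code: a toy dominator-tree node whose child list shrinks when one child is re-parented, iterated once through a reference (the reported shape) and once through a copy (the fix). TreeNode, changeImmediateDominator, reparentChildrenBuggy, reparentChildrenFixed and the sample trees are all hypothetical stand-ins, not LLVM's DomTreeNodeBase or DominatorTree; the buggy loop uses .at() instead of operator[] only so the out-of-bounds access surfaces as an exception rather than undefined behaviour.

```cpp
#include <cstddef>
#include <cstdio>
#include <stdexcept>
#include <vector>

// Hypothetical stand-in for a dominator-tree node; not LLVM's DomTreeNodeBase.
struct TreeNode {
    int Id;
    TreeNode *IDom = nullptr;
    std::vector<TreeNode *> Children;

    explicit TreeNode(int id) : Id(id) {}
    TreeNode *getIDom() const { return IDom; }
    const std::vector<TreeNode *> &getChildren() const { return Children; }
};

// Simplified analogue of DominatorTree::changeImmediateDominator (assumption):
// unlink N from its old parent's child list, then attach it under NewIDom.
// The unlink step is what shrinks a vector the caller may still be iterating.
void changeImmediateDominator(TreeNode *N, TreeNode *NewIDom) {
    if (TreeNode *Old = N->IDom) {
        std::vector<TreeNode *> &C = Old->Children;
        for (std::size_t i = 0; i < C.size(); ++i) {
            if (C[i] == N) { C.erase(C.begin() + i); break; }
        }
    }
    N->IDom = NewIDom;
    NewIDom->Children.push_back(N);
}

// Shape of the reported bug: Children aliases Node->Children, so the first
// changeImmediateDominator() call empties it while g still holds the old size.
// Returns true if the loop then touched an element past the end of the vector.
bool reparentChildrenBuggy(TreeNode *Node) {
    const std::vector<TreeNode *> &Children = Node->getChildren();  // reference
    try {
        for (std::size_t k = 0, g = Children.size(); k != g; ++k) {
            changeImmediateDominator(Children.at(k), Node->getIDom());
            (void)Children.at(k);  // second use of Children[k], like the DF call
        }
    } catch (const std::out_of_range &) {
        return true;
    }
    return false;
}

// Fix: snapshot the child list before mutating the tree, so the loop bound and
// the indexed element come from a container nobody else modifies.
// Returns the number of children re-parented.
std::size_t reparentChildrenFixed(TreeNode *Node) {
    const std::vector<TreeNode *> Children = Node->getChildren();  // copy
    for (std::size_t k = 0, g = Children.size(); k != g; ++k) {
        changeImmediateDominator(Children[k], Node->getIDom());
    }
    return Children.size();
}

// Constructed sample: Root -> Mid -> Leaf, i.e. the length-1 child list from
// the report. Returns true if the buggy loop read past the end.
bool demoBuggyReadsPastEnd() {
    TreeNode Root(0), Mid(1), Leaf(2);
    changeImmediateDominator(&Mid, &Root);
    changeImmediateDominator(&Leaf, &Mid);
    return reparentChildrenBuggy(&Mid);
}

// Constructed sample with two children under Mid. Returns true if the fixed
// loop moved both directly under Root and left Mid with no children.
bool demoFixedReparentsAll() {
    TreeNode Root(0), Mid(1), A(2), B(3);
    changeImmediateDominator(&Mid, &Root);
    changeImmediateDominator(&A, &Mid);
    changeImmediateDominator(&B, &Mid);
    std::size_t n = reparentChildrenFixed(&Mid);
    return n == 2 && Mid.Children.empty() &&
           A.getIDom() == &Root && B.getIDom() == &Root &&
           Root.Children.size() == 3;
}

int main() {
    std::printf("buggy loop read past end: %s\n",
                demoBuggyReadsPastEnd() ? "yes" : "no");
    std::printf("fixed loop re-parented all children: %s\n",
                demoFixedReparentsAll() ? "yes" : "no");
    return 0;
}
```

The same pattern shows up whenever a loop holds a reference or iterator into a container that a callee may modify; taking a copy (or collecting the work into a separate list first) is the usual fix, and building with bounds-checked containers or sanitizers is what makes the read past the end visible during testing rather than in production.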