[LLVMbugs] [Bug 6858] New: Use of freed memory in InlineCostAnalyzer::getInlineCost

bugzilla-daemon at llvm.org bugzilla-daemon at llvm.org
Sat Apr 17 08:55:31 PDT 2010 

http://llvm.org/bugs/show_bug.cgi?id=6858

           Summary: Use of freed memory in
                    InlineCostAnalyzer::getInlineCost
           Product: new-bugs
           Version: unspecified
          Platform: PC
        OS/Version: Linux
            Status: NEW
          Severity: normal
          Priority: P
         Component: new bugs
        AssignedTo: unassignedbugs at nondot.org
        ReportedBy: baldrick at free.fr
                CC: llvmbugs at cs.uiuc.edu


Created an attachment (id=4691)
 --> (http://llvm.org/bugs/attachment.cgi?id=4691)
testcase .ll

This is the reason changing std::map into ValueMap broke the dragonegg build.
It looks like the memory was freed when growing the ValueMap:

$ valgrind opt -inline -disable-output use_after_free.ll
==31149== Memcheck, a memory error detector
==31149== Copyright (C) 2002-2009, and GNU GPL'd, by Julian Seward et al.
==31149== Using Valgrind-3.6.0.SVN and LibVEX; rerun with -h for copyright info
==31149== Command: opt -inline -disable-output use_after_free.ll
==31149== 
==31149== Invalid read of size 4
==31149==    at 0x9D1081:
llvm::InlineCostAnalyzer::getInlineCost(llvm::CallSite,
llvm::SmallPtrSet<llvm::Function const*, 16u>&) (InlineCost.cpp:366)
==31149==    by 0x8039EF: (anonymous
namespace)::SimpleInliner::getInlineCost(llvm::CallSite) (InlineSimple.cpp:40)
==31149==    by 0x8046D4: llvm::Inliner::shouldInline(llvm::CallSite)
(Inliner.cpp:204)
==31149==    by 0x8053D4: llvm::Inliner::runOnSCC(llvm::CallGraphSCC&)
(Inliner.cpp:380)
==31149==    by 0x9985A2: (anonymous
namespace)::CGPassManager::RunPassOnSCC(llvm::Pass*, llvm::CallGraphSCC&,
llvm::CallGraph&, bool&) (CallGraphSCCPass.cpp:109)
==31149==    by 0x9994E8: (anonymous
namespace)::CGPassManager::runOnModule(llvm::Module&)
(CallGraphSCCPass.cpp:355)
==31149==    by 0xB7CF12: llvm::MPPassManager::runOnModule(llvm::Module&)
(PassManager.cpp:1492)
==31149==    by 0xB7D452: llvm::PassManagerImpl::run(llvm::Module&)
(PassManager.cpp:1573)
==31149==    by 0xB7D98A: llvm::PassManager::run(llvm::Module&)
(PassManager.cpp:1610)
==31149==    by 0x7B46A5: main (opt.cpp:544)
==31149==  Address 0x62d73c0 is 7,280 bytes inside a block of size 7,680 free'd
==31149==    at 0x4C26E54: operator delete(void*) (vg_replace_malloc.c:387)
==31149==    by 0x802856:
llvm::DenseMap<llvm::ValueMapCallbackVH<llvm::Function const*,
llvm::InlineCostAnalyzer::FunctionInfo, llvm::ValueMapConfig<llvm::Function
const*>, llvm::DenseMapInfo<llvm::InlineCostAnalyzer::FunctionInfo> >,
llvm::InlineCostAnalyzer::FunctionInfo,
llvm::DenseMapInfo<llvm::ValueMapCallbackVH<llvm::Function const*,
llvm::InlineCostAnalyzer::FunctionInfo, llvm::ValueMapConfig<llvm::Function
const*>, llvm::DenseMapInfo<llvm::InlineCostAnalyzer::FunctionInfo> > >,
llvm::DenseMapInfo<llvm::InlineCostAnalyzer::FunctionInfo> >::grow(unsigned
int) (DenseMap.h:402)
==31149==    by 0x8022EC:
llvm::DenseMap<llvm::ValueMapCallbackVH<llvm::Function const*,
llvm::InlineCostAnalyzer::FunctionInfo, llvm::ValueMapConfig<llvm::Function
const*>, llvm::DenseMapInfo<llvm::InlineCostAnalyzer::FunctionInfo> >,
llvm::InlineCostAnalyzer::FunctionInfo,
llvm::DenseMapInfo<llvm::ValueMapCallbackVH<llvm::Function const*,
llvm::InlineCostAnalyzer::FunctionInfo, llvm::ValueMapConfig<llvm::Function
const*>, llvm::DenseMapInfo<llvm::InlineCostAnalyzer::FunctionInfo> > >,
llvm::DenseMapInfo<llvm::InlineCostAnalyzer::FunctionInfo>
>::InsertIntoBucket(llvm::ValueMapCallbackVH<llvm::Function const*,
llvm::InlineCostAnalyzer::FunctionInfo, llvm::ValueMapConfig<llvm::Function
const*>, llvm::DenseMapInfo<llvm::InlineCostAnalyzer::FunctionInfo> > const&,
llvm::InlineCostAnalyzer::FunctionInfo const&,
std::pair<llvm::ValueMapCallbackVH<llvm::Function const*,
llvm::InlineCostAnalyzer::FunctionInfo, llvm::ValueMapConfig<llvm::Function
const*>, llvm::DenseMapInfo<llvm::InlineCostAnalyzer::FunctionInfo> >,
llvm::InlineCostAnalyzer::FunctionInfo>*) (DenseMap.h:282)
==31149==    by 0x801B30:
llvm::DenseMap<llvm::ValueMapCallbackVH<llvm::Function const*,
llvm::InlineCostAnalyzer::FunctionInfo, llvm::ValueMapConfig<llvm::Function
const*>, llvm::DenseMapInfo<llvm::InlineCostAnalyzer::FunctionInfo> >,
llvm::InlineCostAnalyzer::FunctionInfo,
llvm::DenseMapInfo<llvm::ValueMapCallbackVH<llvm::Function const*,
llvm::InlineCostAnalyzer::FunctionInfo, llvm::ValueMapConfig<llvm::Function
const*>, llvm::DenseMapInfo<llvm::InlineCostAnalyzer::FunctionInfo> > >,
llvm::DenseMapInfo<llvm::InlineCostAnalyzer::FunctionInfo>
>::FindAndConstruct(llvm::ValueMapCallbackVH<llvm::Function const*,
llvm::InlineCostAnalyzer::FunctionInfo, llvm::ValueMapConfig<llvm::Function
const*>, llvm::DenseMapInfo<llvm::InlineCostAnalyzer::FunctionInfo> > const&)
(DenseMap.h:207)
==31149==    by 0x80132E:
llvm::DenseMap<llvm::ValueMapCallbackVH<llvm::Function const*,
llvm::InlineCostAnalyzer::FunctionInfo, llvm::ValueMapConfig<llvm::Function
const*>, llvm::DenseMapInfo<llvm::InlineCostAnalyzer::FunctionInfo> >,
llvm::InlineCostAnalyzer::FunctionInfo,
llvm::DenseMapInfo<llvm::ValueMapCallbackVH<llvm::Function const*,
llvm::InlineCostAnalyzer::FunctionInfo, llvm::ValueMapConfig<llvm::Function
const*>, llvm::DenseMapInfo<llvm::InlineCostAnalyzer::FunctionInfo> > >,
llvm::DenseMapInfo<llvm::InlineCostAnalyzer::FunctionInfo>
>::operator[](llvm::ValueMapCallbackVH<llvm::Function const*,
llvm::InlineCostAnalyzer::FunctionInfo, llvm::ValueMapConfig<llvm::Function
const*>, llvm::DenseMapInfo<llvm::InlineCostAnalyzer::FunctionInfo> > const&)
(DenseMap.h:211)
==31149==    by 0x800E1F: llvm::ValueMap<llvm::Function const*,
llvm::InlineCostAnalyzer::FunctionInfo, llvm::ValueMapConfig<llvm::Function
const*>, llvm::DenseMapInfo<llvm::InlineCostAnalyzer::FunctionInfo>
>::operator[](llvm::Function const* const&) (ValueMap.h:161)
==31149==    by 0x9D0F40:
llvm::InlineCostAnalyzer::getInlineCost(llvm::CallSite,
llvm::SmallPtrSet<llvm::Function const*, 16u>&) (InlineCost.cpp:319)
==31149==    by 0x8039EF: (anonymous
namespace)::SimpleInliner::getInlineCost(llvm::CallSite) (InlineSimple.cpp:40)
==31149==    by 0x8046D4: llvm::Inliner::shouldInline(llvm::CallSite)
(Inliner.cpp:204)
==31149==    by 0x8053D4: llvm::Inliner::runOnSCC(llvm::CallGraphSCC&)
(Inliner.cpp:380)
==31149==    by 0x9985A2: (anonymous
namespace)::CGPassManager::RunPassOnSCC(llvm::Pass*, llvm::CallGraphSCC&,
llvm::CallGraph&, bool&) (CallGraphSCCPass.cpp:109)
==31149==    by 0x9994E8: (anonymous
namespace)::CGPassManager::runOnModule(llvm::Module&)
(CallGraphSCCPass.cpp:355)

-- 
Configure bugmail: http://llvm.org/bugs/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are on the CC list for the bug.

More information about the llvm-bugs mailing list