[LLVMbugs] [Bug 12267] New: heap-use-after-free in GVN::performPRE
bugzilla-daemon at llvm.org
Wed Mar 14 07:31:03 PDT 2012
http://llvm.org/bugs/show_bug.cgi?id=12267
Bug #: 12267
Summary: heap-use-after-free in GVN::performPRE
Product: new-bugs
Version: unspecified
Platform: PC
OS/Version: Linux
Status: NEW
Severity: enhancement
Priority: P
Component: new bugs
AssignedTo: unassignedbugs at nondot.org
ReportedBy: kcc at google.com
CC: llvmbugs at cs.uiuc.edu
Classification: Unclassified
Test case from csmith+creduce+AddressSanitizer.
clang r152700, x86_64 linux.
============
char a;
int b, c, d, e, f, g;
void fn2(int);
int fn3(short);
void fn1 (short p1) {
  if (b)
    fn2 (p1);
lbl_1661:
  e = d;
  b = 0;
  g = fn3 (0);
  if ( (a ^= 1 | f) ^ p1) {
  } else {
    c = 0;
    goto lbl_1661;
  }
}
============
clang -c uaf.c -O2
==9227== ERROR: AddressSanitizer heap-use-after-free on address 0x7ff48a4fbfa0 at pc 0x1b5cfc4 bp 0x7fff4834db70 sp 0x7fff4834db68
READ of size 1 at 0x7ff48a4fbfa0 thread T0
    #0 0x1b5cfc4 in llvm::Value::getValueID() const include/llvm/Value.h:229
    #1 0x1c2d223 in llvm::isa_impl<llvm::Constant, llvm::Value>::doit(llvm::Value const&) include/llvm/Value.h:342
    #2 0x1c2d113 in llvm::isa_impl_cl<llvm::Constant, llvm::Value*>::doit(llvm::Value const*) include/llvm/Support/Casting.h:68
    #3 0x1c2cffd in llvm::isa_impl_wrap<llvm::Constant, llvm::Value*, llvm::Value*>::doit(llvm::Value* const&) include/llvm/Support/Casting.h:99
    #4 0x1c2cd23 in bool llvm::isa<llvm::Constant, llvm::Value*>(llvm::Value* const&) include/llvm/Support/Casting.h:110
    #5 0xe459468 in (anonymous namespace)::GVN::findLeader(llvm::BasicBlock*, unsigned int) lib/Transforms/Scalar/GVN.cpp:1936
    #6 0xe4508a8 in (anonymous namespace)::GVN::performPRE(llvm::Function&) lib/Transforms/Scalar/GVN.cpp:2361
    #7 0xe44df9d in (anonymous namespace)::GVN::runOnFunction(llvm::Function&) lib/Transforms/Scalar/GVN.cpp:2247
0x7ff48a4fbfa0 is located 32 bytes inside of 112-byte region [0x7ff48a4fbf80,0x7ff48a4fbff0)
freed by thread T0 here:
    #0 0x1085c1f2 in operator delete(void*) ??:0
    #1 0x10430547 in llvm::User::operator delete(void*) lib/VMCore/User.cpp:79
    #2 0x10237898 in llvm::SExtInst::~SExtInst() include/llvm/Instructions.h:3228
    #3 0x9103022 in llvm::ilist_node_traits<llvm::Instruction>::deleteNode(llvm::Instruction*) include/llvm/ADT/ilist.h:112
    #4 0x9102880 in llvm::iplist<llvm::Instruction, llvm::ilist_traits<llvm::Instruction> >::erase(llvm::ilist_iterator<llvm::Instruction>) include/llvm/ADT/ilist.h:464
    #5 0x101b9993 in llvm::Instruction::eraseFromParent() lib/VMCore/Instruction.cpp:72
    #6 0xe4525e2 in (anonymous namespace)::GVN::performPRE(llvm::Function&) lib/Transforms/Scalar/GVN.cpp:2462
    #7 0xe44df9d in (anonymous namespace)::GVN::runOnFunction(llvm::Function&) lib/Transforms/Scalar/GVN.cpp:2247
    #8 0x10335b4b in llvm::FPPassManager::runOnFunction(llvm::Function&) lib/VMCore/PassManager.cpp:1497
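The two stack traces show the bug class: performPRE erases an SExtInst (GVN.cpp:2462, the "freed by" trace), and a later findLeader (GVN.cpp:1936, the "READ" trace) still reaches that freed instruction through a leader-table pointer. The following is an added example, not LLVM's code and not the fix that was applied for this bug (that fix is not on this page): a toy value-numbering leader table in C++ that reproduces the buggy ordering (erase first, table entry left dangling) next to the hardened ordering (drop the table entry, then erase). The names `Value`, `Function`, `LeaderTable`, and the value number 7 are constructed for the example.

```cpp
// Added example: a toy leader table that keeps raw pointers to instructions,
// showing how erasing an instruction without removing it from the table
// leaves a dangling pointer for the next lookup. Not LLVM's code.
#include <algorithm>
#include <cstdint>
#include <map>
#include <memory>
#include <set>
#include <string>
#include <vector>

// Stand-in for llvm::Value / llvm::Instruction (constructed, not LLVM's type).
struct Value {
    std::string name;
    explicit Value(std::string n) : name(std::move(n)) {}
};

// Stand-in for a function body that owns its instructions.
struct Function {
    std::vector<std::unique_ptr<Value>> insts;
    Value *append(const std::string &n) {
        insts.push_back(std::unique_ptr<Value>(new Value(n)));
        return insts.back().get();
    }
    // Mirrors Instruction::eraseFromParent(): unlink the instruction and free it.
    void eraseFromParent(Value *v) {
        insts.erase(std::remove_if(insts.begin(), insts.end(),
                                   [v](const std::unique_ptr<Value> &p) { return p.get() == v; }),
                    insts.end());
    }
};

// Value number -> candidate leaders, the shape of GVN's leader table (simplified).
struct LeaderTable {
    std::map<unsigned, std::vector<Value *>> leaders;
    void add(unsigned vn, Value *v) { leaders[vn].push_back(v); }
    void remove(unsigned vn, Value *v) {
        auto it = leaders.find(vn);
        if (it == leaders.end()) return;
        auto &vec = it->second;
        vec.erase(std::remove(vec.begin(), vec.end(), v), vec.end());
        if (vec.empty()) leaders.erase(it);
    }
    Value *findLeader(unsigned vn) const {
        auto it = leaders.find(vn);
        return (it == leaders.end() || it->second.empty()) ? nullptr : it->second.front();
    }
};

// Addresses of every instruction the function still owns. Comparing addresses
// lets the check below run without dereferencing a possibly freed pointer,
// which is exactly the read AddressSanitizer flagged in the report.
static std::set<std::uintptr_t> liveAddresses(const Function &f) {
    std::set<std::uintptr_t> out;
    for (const auto &p : f.insts) out.insert(reinterpret_cast<std::uintptr_t>(p.get()));
    return out;
}

// True when findLeader() hands back a pointer to an instruction that the
// function no longer owns, i.e. a dangling table entry.
static bool leaderDangles(const LeaderTable &t, const Function &f, unsigned vn) {
    Value *leader = t.findLeader(vn);
    if (!leader) return false;
    return liveAddresses(f).count(reinterpret_cast<std::uintptr_t>(leader)) == 0;
}

// Buggy ordering: the instruction is erased (freed) while the leader table still
// refers to it; the next findLeader() for that value number returns the freed object.
bool buggyPre() {
    Function f;
    LeaderTable table;
    Value *sext = f.append("sext");
    table.add(7, sext);
    f.eraseFromParent(sext);            // table entry for value number 7 now dangles
    return leaderDangles(table, f, 7);  // true
}

// Hardened ordering: every table reference is dropped before the object is freed,
// so findLeader() returns nullptr instead of a dangling pointer.
bool fixedPre() {
    Function f;
    LeaderTable table;
    Value *sext = f.append("sext");
    table.add(7, sext);
    table.remove(7, sext);              // forget it first ...
    f.eraseFromParent(sext);            // ... then free it
    return leaderDangles(table, f, 7);  // false
}

int main() {
    // Exit status 0 only when the buggy path dangles and the fixed path does not.
    return (buggyPre() && !fixedPre()) ? 0 : 1;
}
```

The check deliberately compares addresses rather than reading through the leader pointer; in the real pass the read happens inside `isa<Constant>(...)`, which is why the first frame of the report is `Value::getValueID()`. Under AddressSanitizer the buggy ordering with an actual dereference produces a heap-use-after-free report of the same shape as the one above.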