[LLVMbugs] [Bug 12284] New: heap-use-after-free in clang::CodeGen::CodeGenVTables

bugzilla-daemon at llvm.org bugzilla-daemon at llvm.org
Fri Mar 16 13:27:14 PDT 2012 

http://llvm.org/bugs/show_bug.cgi?id=12284

             Bug #: 12284
           Summary: heap-use-after-free in clang::CodeGen::CodeGenVTables
           Product: new-bugs
           Version: trunk
          Platform: PC
        OS/Version: Linux
            Status: NEW
          Severity: enhancement
          Priority: P
         Component: new bugs
        AssignedTo: unassignedbugs at nondot.org
        ReportedBy: kcc at google.com
                CC: llvmbugs at cs.uiuc.edu
    Classification: Unclassified


The test case is reduced by c_reduce from a real program (not a fuzzer). 

r152934, linux x86_64

clang -c -O1 crash.cc 

The use-after-free can be detected by both AddressSanitizer and valgrind. 

==18887== ERROR: AddressSanitizer heap-use-after-free on address 0x7f6dd4815aa8
at pc 0x1b42897 bp 0x7fff5fdc4e70 sp 0x7fff5fdc4e68
READ of size 8 at 0x7f6dd4815aa8 thread T0
   #0 0x1b42897 in llvm::Value::getType include/llvm/Value.h:107
   #1 0x102038ef in llvm::CastInst::castIsValid
lib/VMCore/Instructions.cpp:2597
   #2 0xfdfe483 in llvm::ConstantExpr::getBitCast lib/VMCore/Constants.cpp:1573
   #3 0x266ca6a in clang::CodeGen::CodeGenVTables::CreateVTableInitializer
tools/clang/lib/CodeGen/CGVTables.cpp:597
   #4 0x266f1a0 in clang::CodeGen::CodeGenVTables::EmitVTableDefinition
tools/clang/lib/CodeGen/CGVTables.cpp:652
   #5 0x2670c0b in clang::CodeGen::CodeGenVTables::GenerateClassData
tools/clang/lib/CodeGen/CGVTables.cpp:717
   #6 0x19dad8a in clang::CodeGen::CodeGenModule::EmitDeferred
tools/clang/lib/CodeGen/CodeGenModule.cpp:650
   #7 0x19da55d in clang::CodeGen::CodeGenModule::Release
tools/clang/lib/CodeGen/CodeGenModule.cpp:152
   #8 0x19be65a in ::CodeGeneratorImpl::HandleTranslationUnit
tools/clang/lib/CodeGen/ModuleBuilder.cpp:102

0x7f6dd4815aa8 is located 40 bytes inside of 80-byte region
[0x7f6dd4815a80,0x7f6dd4815ad0)
freed by thread T0 here:
   #0 0x1085c1f2 in operator delete ??:0
   #1 0x10430547 in llvm::User::operator delete lib/VMCore/User.cpp:79
   #2 0x1025a148 in llvm::UnaryConstantExpr::~UnaryConstantExpr
lib/VMCore/ConstantsContext.h:34
   #3 0xfdd19bc in llvm::Constant::destroyConstantImpl
lib/VMCore/Constants.cpp:216
   #4 0xfe08971 in llvm::ConstantExpr::destroyConstant
lib/VMCore/Constants.cpp:2015
   #5 0xfe13a1f in llvm::ConstantExpr::replaceUsesOfWithOnConstant
lib/VMCore/Constants.cpp:2575
   #6 0x104375e7 in llvm::Value::replaceAllUsesWith lib/VMCore/Value.cpp:309
   #7 0x2668034 in clang::CodeGen::CodeGenVTables::EmitThunk
tools/clang/lib/CodeGen/CGVTables.cpp:434
   #8 0x2669782 in
clang::CodeGen::CodeGenVTables::MaybeEmitThunkAvailableExternally
tools/clang/lib/CodeGen/CGVTables.cpp:484
   #9 0x266c62e in clang::CodeGen::CodeGenVTables::CreateVTableInitializer
tools/clang/lib/CodeGen/CGVTables.cpp:590
   #10 0x266f1a0 in clang::CodeGen::CodeGenVTables::EmitVTableDefinition
tools/clang/lib/CodeGen/CGVTables.cpp:652
   #11 0x2670c0b in clang::CodeGen::CodeGenVTables::GenerateClassData
tools/clang/lib/CodeGen/CGVTables.cpp:717
   #12 0x19dad8a in clang::CodeGen::CodeGenModule::EmitDeferred
tools/clang/lib/CodeGen/CodeGenModule.cpp:650
   #13 0x19da55d in clang::CodeGen::CodeGenModule::Release
tools/clang/lib/CodeGen/CodeGenModule.cpp:152
   #14 0x19be65a in ::CodeGeneratorImpl::HandleTranslationUnit
tools/clang/lib/CodeGen/ModuleBuilder.cpp:102

previously allocated by thread T0 here:
   #0 0x1085c072 in operator new ??:0
   #1 0x1042fe3e in llvm::User::operator new lib/VMCore/User.cpp:59
   #2 0xfe5b178 in llvm::UnaryConstantExpr::operator new
lib/VMCore/ConstantsContext.h:40
   #3 0xfe522b0 in llvm::ConstantCreator<llvm::ConstantExpr, llvm::Type,
llvm::ExprMapKeyType>::create lib/VMCore/ConstantsContext.h:433
   #4 0xfe51880 in llvm::ConstantUniqueMap<llvm::ExprMapKeyType,
llvm::ExprMapKeyType const&, llvm::Type, llvm::ConstantExpr, false>::Create
lib/VMCore/ConstantsContext.h:575
   #5 0xfe1c5b1 in llvm::ConstantUniqueMap<llvm::ExprMapKeyType,
llvm::ExprMapKeyType const&, llvm::Type, llvm::ConstantExpr,
false>::getOrCreate lib/VMCore/ConstantsContext.h:600
   #6 0xfe00b48 in getFoldedCast lib/VMCore/Constants.cpp:1359
   #7 0xfdfe5de in llvm::ConstantExpr::getBitCast lib/VMCore/Constants.cpp:1580
   #8 0x19f3b70 in clang::CodeGen::CodeGenModule::GetOrCreateLLVMFunction
tools/clang/lib/CodeGen/CodeGenModule.cpp:1005
   #9 0x265b2fd in clang::CodeGen::CodeGenModule::GetAddrOfThunk
tools/clang/lib/CodeGen/CGVTables.cpp:76
   #10 0x266c46d in clang::CodeGen::CodeGenVTables::CreateVTableInitializer
tools/clang/lib/CodeGen/CGVTables.cpp:587
   #11 0x266f1a0 in clang::CodeGen::CodeGenVTables::EmitVTableDefinition
tools/clang/lib/CodeGen/CGVTables.cpp:652
   #12 0x2670c0b in clang::CodeGen::CodeGenVTables::GenerateClassData
tools/clang/lib/CodeGen/CGVTables.cpp:717
   #13 0x19dad8a in clang::CodeGen::CodeGenModule::EmitDeferred
tools/clang/lib/CodeGen/CodeGenModule.cpp:650
   #14 0x19da55d in clang::CodeGen::CodeGenModule::Release
tools/clang/lib/CodeGen/CodeGenModule.cpp:152
   #15 0x19be65a in ::CodeGeneratorImpl::HandleTranslationUnit
tools/clang/lib/CodeGen/ModuleBuilder.cpp:102


======================== test case: 

template < typename _Tp > struct new_allocator
{
  typedef _Tp *pointer;
  template < typename > struct rebind {
    typedef new_allocator other;
  };
};
template < typename _Tp > struct allocator:new_allocator < _Tp > {
};
template < typename _Tp, typename _Alloc > struct _Vector_base {
  typedef typename _Alloc::template rebind < _Tp >::other _Tp_alloc_type;
  struct _Vector_impl {
    typename _Tp_alloc_type::pointer _M_end_of_storage;
  };
  _Vector_base () {
    foo((int *) this->_M_impl._M_end_of_storage);
  }
  void foo(int *);
  _Vector_impl _M_impl;
};
template < typename _Tp, typename _Alloc =
allocator < _Tp > >struct vector:_Vector_base < _Tp, _Alloc > { };


template < class T> struct HHH {};
struct DDD { int x_;};
struct Data;
struct X1;
struct CCC:DDD {   virtual void xxx (HHH < X1 >); };
template < class SSS > struct EEE:vector < HHH < SSS > > { };
template < class SSS, class = EEE < SSS > >class FFF { };
template < class SSS, class GGG = EEE < SSS > >class AAA:FFF <GGG> { };
class BBB:virtual CCC {
  void xxx (HHH < X1 >);
  vector < HHH < X1 > >aaa;
};
class ZZZ:AAA < Data >, BBB { virtual ZZZ *ppp () ; };
ZZZ * ZZZ::ppp () { return new ZZZ; }

-- 
Configure bugmail: http://llvm.org/bugs/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are on the CC list for the bug.

More information about the llvm-bugs mailing list