[LLVMbugs] [Bug 22280] New: ASan reports a use-after-free in llvm::Metadata::getMetadataID() when running opt

bugzilla-daemon at llvm.org bugzilla-daemon at llvm.org
Wed Jan 21 04:52:01 PST 2015


http://llvm.org/bugs/show_bug.cgi?id=22280

            Bug ID: 22280
           Summary: ASan reports a use-after-free in
                    llvm::Metadata::getMetadataID() when running opt
           Product: libraries
           Version: trunk
          Hardware: PC
                OS: Linux
            Status: NEW
          Severity: normal
          Priority: P
         Component: LLVM assembly language parser
          Assignee: unassignedbugs at nondot.org
          Reporter: glider at google.com
                CC: llvmbugs at cs.uiuc.edu
    Classification: Unclassified

To reproduce, build opt with AddressSanitizer instrumentation.
The test case has been extracted from
llvm/test/Transforms/LoopUnroll/unroll-pragmas.ll

$ cat temp.ll
target datalayout = "e-m:e-i64:64-f80:128-n8:16:32:64-S128"
target triple = "x86_64-unknown-linux-gnu"

define void @unroll_1M(i32* nocapture %a, i32 %b) {
entry:
  br label %for.body

for.body:                                         ; preds = %for.body, %entry
  %indvars.iv = phi i64 [ 0, %entry ], [ %indvars.iv.next, %for.body ]
  %arrayidx = getelementptr inbounds i32* %a, i64 %indvars.iv
  %0 = load i32* %arrayidx, align 4
  %inc = add nsw i32 %0, 1
  store i32 %inc, i32* %arrayidx, align 4
  %indvars.iv.next = add nuw nsw i64 %indvars.iv, 1
  %exitcond = icmp eq i64 %indvars.iv.next, 1000000
  br i1 %exitcond, label %for.end, label %for.body, !llvm.loop !12

for.end:                                          ; preds = %for.body
  ret void
}
!12 = !{!12, !4}

$ llvm/opt temp.ll 
=================================================================
==18735==ERROR: AddressSanitizer: heap-use-after-free on address 0x603000005680
at pc 0x00000132d10b bp 0x7fff08988050 sp 0x7fff08988048
READ of size 1 at 0x603000005680 thread T0
    #0 0x132d10a in llvm::Metadata::getMetadataID() const
third_party/llvm/llvm/include/llvm/IR/Metadata.h:85:43
    #1 0x132d3c8 in llvm::MDNode::classof(llvm::Metadata const*)
third_party/llvm/llvm/include/llvm/IR/Metadata.h:867:12
    #2 0x1c9697c in llvm::isa_impl_wrap<llvm::MDNode, llvm::Metadata* const,
llvm::Metadata const*>::doit(llvm::Metadata* const&)
third_party/llvm/llvm/include/llvm/Support/Casting.h:112:12
    #3 0x2a39e30 in llvm::cast_retty<llvm::MDNode, llvm::Metadata*>::ret_type
llvm::dyn_cast<llvm::MDNode, llvm::Metadata>(llvm::Metadata*)
third_party/llvm/llvm/include/llvm/Support/Casting.h:298:10
    #4 0x2f6e67d in llvm::ReplaceableMetadataImpl::get(llvm::Metadata&)
third_party/llvm/llvm/lib/IR/MetadataTracking.cpp:20:17
    #5 0x2f6e895 in llvm::MetadataTracking::untrack(void*, llvm::Metadata&)
third_party/llvm/llvm/lib/IR/MetadataTracking.cpp:38:17
    #6 0x27751af in void
std::_Destroy_aux<false>::__destroy<llvm::TypedTrackingMDRef<llvm::MDNode>*>(llvm::TypedTrackingMDRef<llvm::MDNode>*,
llvm::TypedTrackingMDRef<llvm::MDNode>*) ..../bits/stl_construct.h:103:6
    #7 0x277504d in std::vector<llvm::TypedTrackingMDRef<llvm::MDNode>,
std::allocator<llvm::TypedTrackingMDRef<llvm::MDNode> > >::~vector()
..../bits/stl_vector.h:468:9
    #8 0x2d88e44 in llvm::LLParser::~LLParser()
third_party/llvm/llvm/lib/AsmParser/LLParser.h:108:9
    #9 0x2d882bb in llvm::parseAssemblyInto(llvm::MemoryBufferRef,
llvm::Module&, llvm::SMDiagnostic&)
third_party/llvm/llvm/lib/AsmParser/Parser.cpp:29:3
    #10 0x2d8846f in llvm::parseAssembly(llvm::MemoryBufferRef,
llvm::SMDiagnostic&, llvm::LLVMContext&)
third_party/llvm/llvm/lib/AsmParser/Parser.cpp:38:7
    #11 0x2d85f58 in llvm::parseIR(llvm::MemoryBufferRef, llvm::SMDiagnostic&,
llvm::LLVMContext&) third_party/llvm/llvm/lib/IRReader/IRReader.cpp:79:10
    #12 0x2d86461 in llvm::parseIRFile(llvm::StringRef, llvm::SMDiagnostic&,
llvm::LLVMContext&) third_party/llvm/llvm/lib/IRReader/IRReader.cpp:92:10
    #13 0x1386be3 in main third_party/llvm/llvm/tools/opt/opt.cpp:341:31
    #14 0x7f4d1dd5ace7 in __libc_start_main (..../lib64/libc.so.6+0x38ce7)
    #15 0x1277038 in _start ..../sysdeps/x86_64/start.S:118

0x603000005680 is located 0 bytes inside of 24-byte region
[0x603000005680,0x603000005698)
freed by thread T0 here:
    #0 0x13202a2 in operator delete(void*)
third_party/llvm/llvm/projects/compiler-rt/lib/asan/asan_new_delete.cc:94:3
    #1 0x2aedad6 in std::unique_ptr<llvm::MDTuple,
llvm::TempMDNodeDeleter>::~unique_ptr() ..../bits/unique_ptr.h:236:4
    #2 0x2d895ca in std::_Rb_tree<unsigned int, std::pair<unsigned int const,
std::pair<std::unique_ptr<llvm::MDTuple, llvm::TempMDNodeDeleter>, llvm::SMLoc>
>, std::_Select1st<std::pair<unsigned int const,
std::pair<std::unique_ptr<llvm::MDTuple, llvm::TempMDNodeDeleter>, llvm::SMLoc>
> >, std::less<unsigned int>, std::allocator<std::pair<unsigned int const,
std::pair<std::unique_ptr<llvm::MDTuple, llvm::TempMDNodeDeleter>, llvm::SMLoc>
> > >::_M_destroy_node(std::_Rb_tree_node<std::pair<unsigned int const,
std::pair<std::unique_ptr<llvm::MDTuple, llvm::TempMDNodeDeleter>, llvm::SMLoc>
> >*) ..../bits/stl_tree.h:436:2
    #3 0x2d894e8 in std::_Rb_tree<unsigned int, std::pair<unsigned int const,
std::pair<std::unique_ptr<llvm::MDTuple, llvm::TempMDNodeDeleter>, llvm::SMLoc>
>, std::_Select1st<std::pair<unsigned int const,
std::pair<std::unique_ptr<llvm::MDTuple, llvm::TempMDNodeDeleter>, llvm::SMLoc>
> >, std::less<unsigned int>, std::allocator<std::pair<unsigned int const,
std::pair<std::unique_ptr<llvm::MDTuple, llvm::TempMDNodeDeleter>, llvm::SMLoc>
> > >::_M_erase(std::_Rb_tree_node<std::pair<unsigned int const,
std::pair<std::unique_ptr<llvm::MDTuple, llvm::TempMDNodeDeleter>, llvm::SMLoc>
> >*) ..../bits/stl_tree.h:1287:4
    #4 0x2d88e38 in llvm::LLParser::~LLParser()
third_party/llvm/llvm/lib/AsmParser/LLParser.h:108:9
    #5 0x2d882bb in llvm::parseAssemblyInto(llvm::MemoryBufferRef,
llvm::Module&, llvm::SMDiagnostic&)
third_party/llvm/llvm/lib/AsmParser/Parser.cpp:29:3
    #6 0x2d8846f in llvm::parseAssembly(llvm::MemoryBufferRef,
llvm::SMDiagnostic&, llvm::LLVMContext&)
third_party/llvm/llvm/lib/AsmParser/Parser.cpp:38:7
    #7 0x2d85f58 in llvm::parseIR(llvm::MemoryBufferRef, llvm::SMDiagnostic&,
llvm::LLVMContext&) third_party/llvm/llvm/lib/IRReader/IRReader.cpp:79:10
    #8 0x2d86461 in llvm::parseIRFile(llvm::StringRef, llvm::SMDiagnostic&,
llvm::LLVMContext&) third_party/llvm/llvm/lib/IRReader/IRReader.cpp:92:10
    #9 0x1386be3 in main third_party/llvm/llvm/tools/opt/opt.cpp:341:31
    #10 0x7f4d1dd5ace7 in __libc_start_main (..../lib64/libc.so.6+0x38ce7)
    #11 0x1277038 in _start ..../sysdeps/x86_64/start.S:118

previously allocated by thread T0 here:
    #0 0x131fce2 in operator new(unsigned long)
third_party/llvm/llvm/projects/compiler-rt/lib/asan/asan_new_delete.cc:62:35
    #1 0x2f71955 in llvm::MDNode::operator new(unsigned long, unsigned int)
third_party/llvm/llvm/lib/IR/Metadata.cpp:384:15
    #2 0x2f736a6 in llvm::MDTuple::getImpl(llvm::LLVMContext&,
llvm::ArrayRef<llvm::Metadata*>, llvm::Metadata::StorageType, bool)
third_party/llvm/llvm/lib/IR/Metadata.cpp:704:20
    #3 0x2aeda74 in llvm::MDTuple::getTemporary(llvm::LLVMContext&,
llvm::ArrayRef<llvm::Metadata*>)
third_party/llvm/llvm/include/llvm/IR/Metadata.h:934:24
    #4 0x2d9e767 in llvm::LLParser::ParseMDNodeID(llvm::MDNode*&)
third_party/llvm/llvm/lib/AsmParser/LLParser.cpp:535:27
    #5 0x2daed24 in llvm::LLParser::ParseMDNodeTail(llvm::MDNode*&)
third_party/llvm/llvm/lib/AsmParser/LLParser.cpp:2921:10
    #6 0x2daf303 in llvm::LLParser::ParseMetadata(llvm::Metadata*&,
llvm::LLParser::PerFunctionState*)
third_party/llvm/llvm/lib/AsmParser/LLParser.cpp:3114:7
    #7 0x2daec4c in
llvm::LLParser::ParseMDNodeVector(llvm::SmallVectorImpl<llvm::Metadata*>&)
third_party/llvm/llvm/lib/AsmParser/LLParser.cpp:4820:9
    #8 0x2d9ed96 in llvm::LLParser::ParseMDTuple(llvm::MDNode*&, bool)
third_party/llvm/llvm/lib/AsmParser/LLParser.cpp:2896:7
    #9 0x2d97ab4 in llvm::LLParser::ParseStandaloneMetadata()
third_party/llvm/llvm/lib/AsmParser/LLParser.cpp:594:14
    #10 0x2d93e85 in llvm::LLParser::ParseTopLevelEntities()
third_party/llvm/llvm/lib/AsmParser/LLParser.cpp:182:33
    #11 0x2d93a19 in llvm::LLParser::Run()
third_party/llvm/llvm/lib/AsmParser/LLParser.cpp:43:10
    #12 0x2d882b0 in llvm::parseAssemblyInto(llvm::MemoryBufferRef,
llvm::Module&, llvm::SMDiagnostic&)
third_party/llvm/llvm/lib/AsmParser/Parser.cpp:29:10
    #13 0x2d8846f in llvm::parseAssembly(llvm::MemoryBufferRef,
llvm::SMDiagnostic&, llvm::LLVMContext&)
third_party/llvm/llvm/lib/AsmParser/Parser.cpp:38:7
    #14 0x2d85f58 in llvm::parseIR(llvm::MemoryBufferRef, llvm::SMDiagnostic&,
llvm::LLVMContext&) third_party/llvm/llvm/lib/IRReader/IRReader.cpp:79:10
    #15 0x2d86461 in llvm::parseIRFile(llvm::StringRef, llvm::SMDiagnostic&,
llvm::LLVMContext&) third_party/llvm/llvm/lib/IRReader/IRReader.cpp:92:10
    #16 0x1386be3 in main third_party/llvm/llvm/tools/opt/opt.cpp:341:31
    #17 0x7f4d1dd5ace7 in __libc_start_main (..../lib64/libc.so.6+0x38ce7)
    #18 0x1277038 in _start ..../sysdeps/x86_64/start.S:118

SUMMARY: AddressSanitizer: heap-use-after-free
third_party/llvm/llvm/include/llvm/IR/Metadata.h:85
llvm::Metadata::getMetadataID() const
Shadow bytes around the buggy address:
  0x0c067fff8a80: fa fa fd fd fd fd fa fa fd fd fd fd fa fa fd fd
  0x0c067fff8a90: fd fd fa fa fd fd fd fd fa fa fd fd fd fd fa fa
  0x0c067fff8aa0: fd fd fd fd fa fa fd fd fd fd fa fa fd fd fd fd
  0x0c067fff8ab0: fa fa fd fd fd fd fa fa 00 00 00 00 fa fa fd fd
  0x0c067fff8ac0: fd fd fa fa 00 00 00 00 fa fa 00 00 00 fa fa fa
=>0x0c067fff8ad0:[fd]fd fd fa fa fa fd fd fd fa fa fa 00 00 02 fa
  0x0c067fff8ae0: fa fa 00 00 00 fa fa fa 00 00 00 01 fa fa 00 00
  0x0c067fff8af0: 00 00 fa fa fd fd fd fd fa fa 00 00 04 fa fa fa
  0x0c067fff8b00: 00 00 00 01 fa fa fd fd fd fd fa fa 00 00 00 03
  0x0c067fff8b10: fa fa fd fd fd fd fa fa fd fd fd fd fa fa 00 00
  0x0c067fff8b20: 00 01 fa fa 00 00 06 fa fa fa fd fd fd fd fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==18735==ABORTING

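The two stacks above show the mechanism: ~LLParser destroys the forward-reference map of unique_ptr<MDTuple> temporaries (the "freed by" stack) before it destroys the vector of TypedTrackingMDRef<MDNode> (the "READ" stack), so the last tracking ref untracks from a node that was already deleted. The following is an added example, not LLVM's code, that models that member-destruction-order bug with hypothetical types (Node, TrackingRef, BuggyParser, FixedParser) and a liveness registry so the model itself never touches freed memory:

```cpp
#include <map>
#include <memory>
#include <set>
#include <vector>
// Registry standing in for real heap state so this model never reads freed
// memory; in the real report the read happens in Metadata::getMetadataID().
static std::set<const void *> g_liveNodes;
static int g_danglingUntracks = 0;  // untracks that would hit a freed node

struct Node {  // stands in for a temporary MDTuple
  int numUsers = 0;
  Node() { g_liveNodes.insert(this); }
  ~Node() { g_liveNodes.erase(this); }
};

struct TrackingRef {  // stands in for TypedTrackingMDRef<MDNode>
  Node *node;
  explicit TrackingRef(Node *n) : node(n) { ++node->numUsers; }
  TrackingRef(TrackingRef &&o) noexcept : node(o.node) { o.node = nullptr; }
  ~TrackingRef() {  // untrack, as MetadataTracking::untrack does
    if (!node) return;
    if (!g_liveNodes.count(node)) { ++g_danglingUntracks; return; }
    --node->numUsers;
  }
};

// Mirrors "!12 = !{!12, !4}" with !4 never defined: a temporary node is made
// for !4, tracked by the numbered-metadata list, and still sits in the
// forward-reference table when the parser is destroyed.
template <class Parser> void parseUndefinedForwardRef(Parser &p) {
  auto tmp = std::make_unique<Node>();
  p.numbered.emplace_back(tmp.get());
  p.forwardRefs.emplace(4u, std::move(tmp));
}

// Members are destroyed in reverse declaration order: the table is freed
// first, so the surviving TrackingRef untracks a freed Node (the ~LLParser
// order in the report).
struct BuggyParser {
  std::vector<TrackingRef> numbered;
  std::map<unsigned, std::unique_ptr<Node>> forwardRefs;
};

// Hardened layout: the refs are destroyed before the nodes they track.
struct FixedParser {
  std::map<unsigned, std::unique_ptr<Node>> forwardRefs;
  std::vector<TrackingRef> numbered;
};

template <class Parser> int danglingUntracksAfterDestroy() {
  g_danglingUntracks = 0;
  { Parser p; parseUndefinedForwardRef(p); }  // p and its members die here
  return g_danglingUntracks;
}
```

Built with -fsanitize=address, the buggy layout in real code is reported exactly as above; the registry here just turns that read into a counter so the difference between the two layouts can be asserted.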