[llvm-bugs] [Bug 27196] New: Crash in LLParser with undefined tbaa metadata

via llvm-bugs llvm-bugs at lists.llvm.org
Mon Apr 4 07:09:12 PDT 2016


            Bug ID: 27196
           Summary: Crash in LLParser with undefined tbaa metadata
           Product: libraries
           Version: trunk
          Hardware: PC
                OS: Linux
            Status: NEW
          Severity: normal
          Priority: P
         Component: LLVM assembly language parser
          Assignee: unassignedbugs at nondot.org
          Reporter: philip.pfaffe at gmail.com
                CC: llvm-bugs at lists.llvm.org
    Classification: Unclassified

Created attachment 16165
  --> https://llvm.org/bugs/attachment.cgi?id=16165&action=edit
Crashing Testcase

If IR is annotated with TBAA metadata but the referenced MD isn't declared, an
assertion in MDNode::getOperand is triggered. In LLParser::ValidateEndOfModule
in the call to UpgradeInstWithTBAATag, there is an unconditional check
"isa<MDNode>(MD->getOperand(0))", which ends badly if MD->getNumOperands() is

Crashing testcase attached.

A similar unchecked call chain occurs in BitcodeReader, but I haven't been able
to reproduce the error there, and I'm not sure whether the bitcode format
actually allows for this problem to arise.

A possible fix for the LLParser could be this:

--- a/lib/AsmParser/LLParser.cpp
+++ b/lib/AsmParser/LLParser.cpp
@@ -100,8 +100,9 @@ void LLParser::restoreParsingState(const SlotMapping
*Slots) {
 /// ValidateEndOfModule - Do final validity and sanity checks at the end of
 /// module.
 bool LLParser::ValidateEndOfModule() {
-  for (unsigned I = 0, E = InstsWithTBAATag.size(); I < E; I++)
-    UpgradeInstWithTBAATag(InstsWithTBAATag[I]);
+  for (auto *I : InstsWithTBAATag)
+    if (I->getMetadata(LLVMContext::MD_tbaa)->getNumOperands() > 0)
+      UpgradeInstWithTBAATag(I);

   // Handle any function attribute group forward references.
   for (std::map<Value*, std::vector<unsigned> >::iterator
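
Review bot: In the new `if` in ValidateEndOfModule, the result of `I->getMetadata(LLVMContext::MD_tbaa)` is dereferenced without a null check, and the operand-count guard sits in the caller while the unconditional `isa<MDNode>(MD->getOperand(0))` inside UpgradeInstWithTBAATag stays as it is. Moving the `getNumOperands() > 0` test into UpgradeInstWithTBAATag would protect every caller, including the BitcodeReader call chain mentioned in the report. Skipping the upgrade silently also leaves the instruction carrying a tbaa node with no operands, so consider whether the parser should report an error for the undeclared metadata instead, and add the attached testcase as a regression test.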
