[llvm-bugs] [Bug 29144] New: Heap-use-after-free detected by AddressSanitizer in GVNHoist

via llvm-bugs llvm-bugs at lists.llvm.org
Thu Aug 25 15:12:26 PDT 2016


https://llvm.org/bugs/show_bug.cgi?id=29144

            Bug ID: 29144
           Summary: Heap-use-after-free detected by AddressSanitizer in
                    GVNHoist
           Product: libraries
           Version: trunk
          Hardware: PC
                OS: Linux
            Status: NEW
          Severity: normal
          Priority: P
         Component: Scalar Optimizations
          Assignee: sebpop at gmail.com
          Reporter: rtrieu at google.com
                CC: llvm-bugs at lists.llvm.org
    Classification: Unclassified

AddressSanitizer has detected a heap-use-after-free when compiling the
following code.  With non-instrumented Clang, this would cause a crash in
larger inputs, but go undetected for smaller input sizes.

$ cat reduce.c
extern int Foo(int x) __attribute__((pure));

void Create(int n1, int n2) {
  if (Foo(1) == 0 && n1 == n2) {}
  else if (Foo(1) == 0 && n1 == n2) {}
  else if (Foo(1) == 0 && n1 == n2) {}
  else if (Foo(1) == 0) {}
}
$ ./clang-asan -cc1 -emit-obj -O2 reduce.c
=================================================================
==9788==ERROR: AddressSanitizer: heap-use-after-free on address 0x60c00000ae88
at pc 0x000000720f2c bp 0x7ffef9a87c60 sp 0x7ffef9a87c58
READ of size 1 at 0x60c00000ae88 thread T0
    #0 0x720f2b in llvm::Value::getValueID() const
llvm/include/llvm/IR/Value.h:425:12
    #1 0x747fa8 in llvm::Instruction::getOpcode() const
llvm/include/llvm/IR/Instruction.h:103:39
    #2 0x7743c8 in llvm::CallInst::classof(llvm::Instruction const*)
llvm/include/llvm/IR/Instructions.h:1817:15
    #3 0x7742ba in llvm::isa_impl_wrap<llvm::CallInst, llvm::Instruction*
const, llvm::Instruction const*>::doit(llvm::Instruction* const&)
llvm/include/llvm/Support/Casting.h:112:12
    #4 0x9ad5d6 in llvm::cast_retty<llvm::CallInst,
llvm::Instruction*>::ret_type llvm::dyn_cast<llvm::CallInst,
llvm::Instruction>(llvm::Instruction*)
llvm/include/llvm/Support/Casting.h:298:10
    #5 0x5247731 in llvm::GVN::ValueTable::lookupOrAddCall(llvm::CallInst*)
llvm/lib/Transforms/Scalar/GVN.cpp:427:35
    #6 0x5246069 in llvm::GVN::ValueTable::lookupOrAdd(llvm::Value*)
llvm/lib/Transforms/Scalar/GVN.cpp:485:14
    #7 0x5234b01 in (anonymous namespace)::CallInfo::insert(llvm::CallInst*,
llvm::GVN::ValueTable&) llvm/lib/Transforms/Scalar/GVNHoist.cpp:166:21
    #8 0x5234338 in (anonymous
namespace)::GVNHoist::hoistExpressions(llvm::Function&)
llvm/lib/Transforms/Scalar/GVNHoist.cpp:898:14
    #9 0x5233b21 in (anonymous namespace)::GVNHoist::run(llvm::Function&)
llvm/lib/Transforms/Scalar/GVNHoist.cpp:227:24
    #10 0x523b918 in (anonymous
namespace)::GVNHoistLegacyPass::runOnFunction(llvm::Function&)
llvm/lib/Transforms/Scalar/GVNHoist.cpp:936:14
    #11 0x5ccf581 in llvm::FPPassManager::runOnFunction(llvm::Function&)
llvm/lib/IR/LegacyPassManager.cpp:1522:27
    #12 0x5ccecb4 in
llvm::legacy::FunctionPassManagerImpl::run(llvm::Function&)
llvm/lib/IR/LegacyPassManager.cpp:1471:44
    #13 0x5ccebb3 in llvm::legacy::FunctionPassManager::run(llvm::Function&)
llvm/lib/IR/LegacyPassManager.cpp:1395:15
    #14 0x6cb8a9 in (anonymous
namespace)::EmitAssemblyHelper::EmitAssembly(clang::BackendAction,
std::unique_ptr<llvm::raw_pwrite_stream,
std::default_delete<llvm::raw_pwrite_stream> >)
llvm/tools/clang/lib/CodeGen/BackendUtil.cpp:712:27
    #15 0x6ca596 in clang::EmitBackendOutput(clang::DiagnosticsEngine&,
clang::CodeGenOptions const&, clang::TargetOptions const&, clang::LangOptions
const&, llvm::DataLayout const&, llvm::Module*, clang::BackendAction,
std::unique_ptr<llvm::raw_pwrite_stream,
std::default_delete<llvm::raw_pwrite_stream> >)
llvm/tools/clang/lib/CodeGen/BackendUtil.cpp:808:13
    #16 0x5e3713 in
clang::BackendConsumer::HandleTranslationUnit(clang::ASTContext&)
llvm/tools/clang/lib/CodeGen/CodeGenAction.cpp:193:7
    #17 0x1e229bd in clang::ParseAST(clang::Sema&, bool, bool)
llvm/tools/clang/lib/Parse/ParseAST.cpp:167:13
    #18 0x5deb89 in clang::CodeGenAction::ExecuteAction()
llvm/tools/clang/lib/CodeGen/CodeGenAction.cpp:867:28
    #19 0x18e4041 in clang::FrontendAction::Execute()
llvm/tools/clang/lib/Frontend/FrontendAction.cpp:458:8
    #20 0x16888e6 in
clang::CompilerInstance::ExecuteAction(clang::FrontendAction&)
llvm/tools/clang/lib/Frontend/CompilerInstance.cpp:871:11
    #21 0x5c4cc7 in clang::ExecuteCompilerInvocation(clang::CompilerInstance*)
llvm/tools/clang/lib/FrontendTool/ExecuteCompilerInvocation.cpp:246:25
    #22 0x59eeab in cc1_main(llvm::ArrayRef<char const*>, char const*, void*)
llvm/tools/clang/tools/driver/cc1_main.cpp:183:13
    #23 0x5b9188 in ExecuteCC1Tool(llvm::ArrayRef<char const*>,
llvm::StringRef) llvm/tools/clang/tools/driver/driver.cpp:299:12
    #24 0x5b8064 in main llvm/tools/clang/tools/driver/driver.cpp:380:12

AddressSanitizer can not describe address in more detail (wild memory access
suspected).
SUMMARY: AddressSanitizer: heap-use-after-free
llvm/include/llvm/IR/Value.h:425:12 in llvm::Value::getValueID() const
Shadow bytes around the buggy address:
  0x0c187fff9580: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c187fff9590: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c187fff95a0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c187fff95b0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c187fff95c0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
=>0x0c187fff95d0: fa[fa]fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c187fff95e0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c187fff95f0: fa fa fa fa fa fa fa fa 00 00 00 00 00 00 00 00
  0x0c187fff9600: 00 00 00 00 00 00 00 00 fa fa fa fa fa fa fa fa
  0x0c187fff9610: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 fa
  0x0c187fff9620: fa fa fa fa fa fa fa fa 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==9788==ABORTING
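As an added example (not part of this bug report or of LLVM), the following Python helper parses an ASan text report of the shape shown above and cross-checks the claimed error type against the shadow-byte dump. It handles the line-wrapped stack frames that mail clients produce, maps the marked shadow byte to ASan's legend, and picks the first frame whose location is a .cpp file as the first non-header frame; that heuristic is an assumption of this example, not an ASan feature. The embedded sample is an abridged copy of the report above (a subset of frames and shadow lines). On this report the marked byte is fa (heap left redzone) rather than fd (freed heap region), which is consistent with ASan's note that it could not describe the address in more detail.

```python
"""Triage helper for AddressSanitizer text reports (added example, not LLVM code)."""
import re
from dataclasses import dataclass, field

# Legend as printed at the bottom of every ASan report.
SHADOW_LEGEND = {
    "00": "Addressable", "fa": "Heap left redzone", "fb": "Heap right redzone",
    "fd": "Freed heap region", "f1": "Stack left redzone", "f2": "Stack mid redzone",
    "f3": "Stack right redzone", "f4": "Stack partial redzone", "f5": "Stack after return",
    "f8": "Stack use after scope", "f9": "Global redzone", "f6": "Global init order",
    "f7": "Poisoned by user", "fc": "Container overflow", "ac": "Array cookie",
    "bb": "Intra object redzone", "fe": "ASan internal", "ca": "Left alloca redzone",
    "cb": "Right alloca redzone",
}
ERROR_RE = re.compile(r"==\d+==ERROR: AddressSanitizer: (\S+) on address (0x[0-9a-f]+)")
ACCESS_RE = re.compile(r"^(READ|WRITE) of size (\d+) at 0x[0-9a-f]+")
FRAME_RE = re.compile(r"^\s*#(\d+) 0x[0-9a-f]+ in (.*)$")
LOC_RE = re.compile(r"^\S+:\d+:\d+$")            # path:line:col
MARKED_RE = re.compile(r"^=>.*\[([0-9a-f]{2})\]")  # the => line marks the faulting byte


@dataclass
class AsanReport:
    error: str = ""
    address: int = 0
    access: str = ""
    size: int = 0
    frames: list = field(default_factory=list)  # (index, function, location)
    shadow_byte: str = ""


def shadow_meaning(byte):
    """Map one two-hex-digit shadow byte to its legend text."""
    if byte in SHADOW_LEGEND:
        return SHADOW_LEGEND[byte]
    try:
        return "Partially addressable" if 1 <= int(byte, 16) <= 7 else "Unknown"
    except ValueError:
        return "Unknown"


def _flush(rep, frame):
    """Finish a (possibly wrapped) frame: the last token is the file:line:col location."""
    if frame is None:
        return
    tokens = frame[1].split()
    location = tokens.pop() if tokens and LOC_RE.match(tokens[-1]) else ""
    rep.frames.append((frame[0], " ".join(tokens), location))


def parse_asan_report(text):
    rep, frame = AsanReport(), None
    for line in text.splitlines():
        if (m := FRAME_RE.match(line)):
            _flush(rep, frame)
            frame = [int(m.group(1)), m.group(2)]
            continue
        if frame is not None and line.strip() and not line.lstrip().startswith(("Address", "SUMMARY")):
            frame[1] += " " + line.strip()  # wrapped frame text continues on this line
            continue
        _flush(rep, frame)
        frame = None
        if (m := ERROR_RE.search(line)):
            rep.error, rep.address = m.group(1), int(m.group(2), 16)
        elif (m := ACCESS_RE.match(line)):
            rep.access, rep.size = m.group(1), int(m.group(2))
        elif (m := MARKED_RE.match(line)):
            rep.shadow_byte = m.group(1)
    _flush(rep, frame)
    return rep


def first_source_frame(rep):
    """Heuristic: first frame located in a .cpp file rather than an inlined header."""
    return next((f for f in rep.frames if re.search(r"\.cpp:\d+:\d+$", f[2])), None)


def triage(rep):
    """One-line cross-check of the claimed error type against the shadow byte."""
    note = (f"{rep.error}: {rep.access} of size {rep.size} at {rep.address:#x}; "
            f"shadow byte {rep.shadow_byte} = {shadow_meaning(rep.shadow_byte)}")
    if rep.error == "heap-use-after-free" and rep.shadow_byte != "fd":
        note += " (not a freed-region byte; do not expect allocation/free stacks)"
    return note


# Abridged copy of the report above: frames #2, #4, #6 and #8 onward and most shadow lines dropped.
SAMPLE_REPORT = """\
==9788==ERROR: AddressSanitizer: heap-use-after-free on address 0x60c00000ae88
at pc 0x000000720f2c bp 0x7ffef9a87c60 sp 0x7ffef9a87c58
READ of size 1 at 0x60c00000ae88 thread T0
    #0 0x720f2b in llvm::Value::getValueID() const
llvm/include/llvm/IR/Value.h:425:12
    #1 0x747fa8 in llvm::Instruction::getOpcode() const
llvm/include/llvm/IR/Instruction.h:103:39
    #3 0x7742ba in llvm::isa_impl_wrap<llvm::CallInst, llvm::Instruction*
const, llvm::Instruction const*>::doit(llvm::Instruction* const&)
llvm/include/llvm/Support/Casting.h:112:12
    #5 0x5247731 in llvm::GVN::ValueTable::lookupOrAddCall(llvm::CallInst*)
llvm/lib/Transforms/Scalar/GVN.cpp:427:35
    #7 0x5234b01 in (anonymous namespace)::CallInfo::insert(llvm::CallInst*,
llvm::GVN::ValueTable&) llvm/lib/Transforms/Scalar/GVNHoist.cpp:166:21

AddressSanitizer can not describe address in more detail (wild memory access
suspected).
SUMMARY: AddressSanitizer: heap-use-after-free
Shadow bytes around the buggy address:
  0x0c187fff95c0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
=>0x0c187fff95d0: fa[fa]fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c187fff95e0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
"""

if __name__ == "__main__":
    report = parse_asan_report(SAMPLE_REPORT)
    print(triage(report))
    print("first source frame:", first_source_frame(report))
```

Running the block prints the cross-check line for the abridged report and frame #5 (lookupOrAddCall in GVN.cpp) as the first frame outside inlined headers; the same parser can be pointed at a full report captured from a fuzzing or CI run to sort reports by error type, shadow class and blamed source file before anyone reads the trace by hand.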
