[llvm-bugs] [Bug 26509] New: Crash in InnerLoopVectorizer::vectorizeLoop()

via llvm-bugs llvm-bugs at lists.llvm.org
Sat Feb 6 12:53:06 PST 2016


https://llvm.org/bugs/show_bug.cgi?id=26509

            Bug ID: 26509
           Summary: Crash in InnerLoopVectorizer::vectorizeLoop()
           Product: libraries
           Version: 3.8
          Hardware: PC
                OS: FreeBSD
            Status: NEW
          Severity: normal
          Priority: P
         Component: Loop Optimizer
          Assignee: unassignedbugs at nondot.org
          Reporter: andrew at fubar.geek.nz
                CC: llvm-bugs at lists.llvm.org
    Classification: Unclassified

Created attachment 15847
  --> https://llvm.org/bugs/attachment.cgi?id=15847&action=edit
Minimised source

I'm getting the following crash from clang 3.8 when building FreeBSD on an
AArch64 server. I've attached the minimised C source that crashed.

The `this` pointer in frame 0 contains the value free puts into buffers when
they are freed, indicating a use-after-free bug.


% lldb
/scratch/andrew/obj/scratch/andrew/clang380-import/tmp/scratch/andrew/clang380-import/usr.bin/clang/clang/clang
-c clang.core
(lldb) target create
"/scratch/andrew/obj/scratch/andrew/clang380-import/tmp/scratch/andrew/clang380-import/usr.bin/clang/clang/clang"
--core "clang.core"
Core file '/home/andrew/clang/clang.core' (aarch64) was loaded.
(lldb) bt
* thread #1: tid = 0, 0x00000000010452f0 clang`(anonymous
namespace)::InnerLoopVectorizer::vectorizeLoop() [inlined]
llvm::Type::getContext(this=0x5a5a5a5a5a5a5a5a) const at Type.h:115, name =
'clang', stop reason = signal SIGSEGV
  * frame #0: 0x00000000010452f0 clang`(anonymous
namespace)::InnerLoopVectorizer::vectorizeLoop() [inlined]
llvm::Type::getContext(this=0x5a5a5a5a5a5a5a5a) const at Type.h:115
    frame #1: 0x00000000010452f0 clang`(anonymous
namespace)::InnerLoopVectorizer::vectorizeLoop() + 268 at
LoopVectorize.cpp:3167
    frame #2: 0x00000000010451e4 clang`(anonymous
namespace)::InnerLoopVectorizer::vectorizeLoop(this=0x0000007fffffbcc8) + 6628
at LoopVectorize.cpp:3289
    frame #3: 0x000000000103ee5c clang`(anonymous
namespace)::InnerLoopVectorizer::vectorize(this=0x0000007fffffbcc8,
L=<unavailable>, MinimumBitWidths=<unavailable>)::LoopVectorizationLegality*,
llvm::MapVector<llvm::Instruction*, unsigned long,
llvm::DenseMap<llvm::Instruction*, unsigned int,
llvm::DenseMapInfo<llvm::Instruction*>,
llvm::detail::DenseMapPair<llvm::Instruction*, unsigned int> >,
std::__1::vector<std::__1::pair<llvm::Instruction*, unsigned long>,
std::__1::allocator<std::__1::pair<llvm::Instruction*, unsigned long> > > >) +
3776 at LoopVectorize.cpp:336
    frame #4: 0x0000000001039104 clang`(anonymous
namespace)::LoopVectorize::processLoop(this=<unavailable>,
L=0x0000000042cb13c0) + 15152 at LoopVectorize.cpp:1889
    frame #5: 0x0000000001035490 clang`(anonymous
namespace)::LoopVectorize::runOnFunction(this=0x0000000042c0d300,
F=<unavailable>) + 1388 at LoopVectorize.cpp:1659
    frame #6: 0x0000000001dacb84
clang`llvm::FPPassManager::runOnFunction(this=0x0000007fffffc6e0,
F=0x0000000042c0d300) + 296 at LegacyPassManager.cpp:1550
    frame #7: 0x0000000001dacdc0
clang`llvm::FPPassManager::runOnModule(this=0x0000000042c306c0,
M=<unavailable>) + 48 at LegacyPassManager.cpp:1571
    frame #8: 0x0000000001dad1cc
clang`llvm::legacy::PassManagerImpl::run(llvm::Module&) + 160 at
LegacyPassManager.cpp:1627
    frame #9: 0x0000000001dad12c
clang`llvm::legacy::PassManagerImpl::run(this=<unavailable>,
M=0x0000000042d38080) + 496 at LegacyPassManager.cpp:1730
    frame #10: 0x0000000000628ba0
clang`clang::EmitBackendOutput(clang::DiagnosticsEngine&, clang::CodeGenOptions
const&, clang::TargetOptions const&, clang::LangOptions const&,
llvm::StringRef, llvm::Module*, clang::BackendAction, llvm::raw_pwrite_stream*)
+ 1472 at BackendUtil.cpp:703
    frame #11: 0x00000000006285e0
clang`clang::EmitBackendOutput(Diags=<unavailable>, CGOpts=<unavailable>,
TOpts=<unavailable>, LOpts=<unavailable>, TDesc=<unavailable>, M=<unavailable>,
Action=<unavailable>, OS=<unavailable>) + 5228 at BackendUtil.cpp:720
    frame #12: 0x0000000000626df0
clang`clang::BackendConsumer::HandleTranslationUnit(this=0x0000000042ca0280,
C=<unavailable>) + 456 at CodeGenAction.cpp:189
    frame #13: 0x00000000007fa880 clang`clang::ParseAST(S=0x0000000042cf9000,
PrintStats=<unavailable>, SkipFunctionBodies=<unavailable>) + 544 at
ParseAST.cpp:168
    frame #14: 0x000000000043c190
clang`clang::FrontendAction::Execute(this=<unavailable>) + 88 at
FrontendAction.cpp:439
    frame #15: 0x000000000045a0cc
clang`clang::CompilerInstance::ExecuteAction(this=0x0000000042ca0000,
Act=0x0000000042cae0c0) + 1040 at CompilerInstance.cpp:840
    frame #16: 0x00000000004084f8
clang`clang::ExecuteCompilerInvocation(Clang=0x0000000042ca0000) + 2316 at
ExecuteCompilerInvocation.cpp:222
    frame #17: 0x000000000040075c clang`cc1_main(Argv=<unavailable>,
Argv0=<unavailable>, MainAddr=<unavailable>) + 916 at cc1_main.cpp:116
    frame #18: 0x0000000000406e4c clang`main [inlined]
ExecuteCC1Tool(llvm::ArrayRef<char const*>, llvm::StringRef) + 80 at
driver.cpp:301
    frame #19: 0x0000000000406dfc clang`main(argc_=<unavailable>,
argv_=<unavailable>) + 9612 at driver.cpp:366
    frame #20: 0x0000000000400328 clang`__start + 360


I use the following to compile the attached code.
/scratch/andrew/obj/scratch/andrew/clang380-import/tmp/scratch/andrew/clang380-import/usr.bin/clang/clang/clang
"-cc1" "-triple" "aarch64-unknown-freebsd11.0" "-emit-obj" "-O2"
"-vectorize-loops" "-x" "c" "tip-339c01.c"
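The diagnostic in this report rests on recognising the allocator's junk-fill byte: FreeBSD's libc malloc (jemalloc) overwrites freed memory with 0x5a (and fresh allocations with 0xa5) when junk filling is enabled, so a dangling object pointer that is dereferenced reads back as 0x5a5a5a5a5a5a5a5a. The following added example (editorial illustration, not LLVM, clang or FreeBSD code) reproduces that mechanism with a toy junk-filling allocator and a small classifier for faulting pointer values. All names (`junk_malloc`, `junk_free`, `classify_fill_pattern`, the `Value`/`Type` structs) are hypothetical, and the fill bytes are assumed to match FreeBSD's jemalloc configuration.

```c
/* Added example: how a junk-filling free() turns a use-after-free into the
 * recognisable pointer 0x5a5a5a5a5a5a5a5a seen in the crash above.
 * Illustrative code, not LLVM's or FreeBSD's.  Assumption: FreeBSD's
 * jemalloc fills freed memory with 0x5a and new allocations with 0xa5. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define JUNK_FREED 0x5a   /* byte written over freed memory */
#define JUNK_ALLOC 0xa5   /* byte written over a fresh allocation */

/* Toy bump allocator over one heap-allocated arena.  Memory is never
 * returned to the system, so a "read after free" below stays inside memory
 * the program owns and the demonstration is well-defined. */
#define ARENA_SIZE 4096
static unsigned char *arena;
static size_t arena_used;

static void *junk_malloc(size_t n) {
    if (!arena) arena = malloc(ARENA_SIZE);
    n = (n + 15) & ~(size_t)15;                 /* 16-byte alignment */
    if (!arena || arena_used + n > ARENA_SIZE) return NULL;
    void *p = arena + arena_used;
    arena_used += n;
    memset(p, JUNK_ALLOC, n);                   /* mark as uninitialised */
    return p;
}

static void junk_free(void *p, size_t n) {
    memset(p, JUNK_FREED, n);                   /* mark as freed */
}

/* Analogue of an IR value whose first field points at its type. */
struct Type  { int id; };
struct Value { struct Type *ty; int opcode; };

/* Build a pointer whose every byte is `b` (0x5a -> 0x5a5a...5a). */
uintptr_t repeated_byte(unsigned char b) {
    uintptr_t v = 0;
    for (size_t i = 0; i < sizeof v; i++) v = (v << 8) | b;
    return v;
}

/* Simulate the bug class: keep a Value*, free the object, then follow its
 * type pointer anyway.  The stale read yields the fill pattern. */
uintptr_t dangling_type_pointer(void) {
    static struct Type t = { 7 };
    struct Value *v = junk_malloc(sizeof *v);
    if (!v) return 0;
    v->ty = &t;
    v->opcode = 1;
    junk_free(v, sizeof *v);        /* object is dead from here on ... */
    return (uintptr_t)v->ty;        /* ... but still dereferenced: UAF */
}

/* Triage helper: is a faulting pointer (e.g. `this` in frame 0) a
 * repeated fill byte, and if so which allocator state does it denote? */
const char *classify_fill_pattern(uintptr_t p) {
    unsigned b = (unsigned)(p & 0xff);
    for (size_t i = 1; i < sizeof p; i++)
        if (((p >> (8 * i)) & 0xff) != b) return "not a fill pattern";
    if (b == JUNK_FREED) return "freed memory (use-after-free)";
    if (b == JUNK_ALLOC) return "uninitialised allocation";
    return "repeated byte, unknown fill";
}

int main(void) {
    uintptr_t p = dangling_type_pointer();
    printf("this = 0x%llx -> %s\n",
           (unsigned long long)p, classify_fill_pattern(p));
    return 0;
}
```

The same check applied to the backtrace in this report classifies `this=0x5a5a5a5a5a5a5a5a` as freed memory, which is exactly the reporter's conclusion; a value of all 0xa5 bytes would instead point at a read of never-initialised memory.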
