[llvm-bugs] [Bug 28588] New: Use after free in DSE

via llvm-bugs llvm-bugs at lists.llvm.org
Sun Jul 17 07:05:56 PDT 2016


https://llvm.org/bugs/show_bug.cgi?id=28588

            Bug ID: 28588
           Summary: Use after free in DSE
           Product: libraries
           Version: trunk
          Hardware: PC
                OS: All
            Status: NEW
          Severity: normal
          Priority: P
         Component: Scalar Optimizations
          Assignee: unassignedbugs at nondot.org
          Reporter: benny.kra at gmail.com
                CC: junbuml at codeaurora.org, llvm-bugs at lists.llvm.org
    Classification: Unclassified

Created attachment 16755
  --> https://llvm.org/bugs/attachment.cgi?id=16755&action=edit
IR test case

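The attached IR test case fails with opt -dse. In this assertions-enabled build
the failure surfaces as the isa<> null-pointer assertion below, reached from
getLocForWrite() called by removePartiallyOverlappedStores() in
DeadStoreElimination.cpp (frames #29 and #30). In a build without assertions
this check is compiled out, so the bad pointer would presumably be dereferenced
rather than caught.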

opt: llvm/include/llvm/Support/Casting.h:81: static bool
llvm::isa_impl_cl<llvm::Function, llvm::Value *>::doit(const From *) [To =
llvm::Function, From = llvm::Value *]: Assertion `Val && "isa<> used on a null
pointer"' failed.
#0 0x00007f2694ca1d3f llvm::sys::PrintStackTrace(llvm::raw_ostream&)
llvm/lib/Support/Unix/Signals.inc:402:5
#1 0x00007f2694ca2249 PrintStackTraceSignalHandler(void*)
llvm/lib/Support/Unix/Signals.inc:470:1
#2 0x00007f2694ca08a3 llvm::sys::RunSignalHandlers()
llvm/lib/Support/Signals.cpp:45:5
#3 0x00007f2694ca287e SignalHandler(int)
llvm/lib/Support/Unix/Signals.inc:256:1
#4 0x00007f269418c330 __restore_rt
(/lib/x86_64-linux-gnu/libpthread.so.0+0x10330)
#5 0x00007f26935ccc37 gsignal
/build/eglibc-oGUzwX/eglibc-2.19/signal/../nptl/sysdeps/unix/sysv/linux/raise.c:56:0
#6 0x00007f26935d0028 abort
/build/eglibc-oGUzwX/eglibc-2.19/stdlib/abort.c:91:0
#7 0x00007f26935c5bf6 __assert_fail_base
/build/eglibc-oGUzwX/eglibc-2.19/assert/assert.c:92:0
#8 0x00007f26935c5ca2 (/lib/x86_64-linux-gnu/libc.so.6+0x2fca2)
#9 0x00007f2694ddce9e llvm::isa_impl_cl<llvm::Function,
llvm::Value*>::doit(llvm::Value const*)
llvm/include/llvm/Support/Casting.h:82:38
#10 0x00007f2694ddce48 llvm::isa_impl_wrap<llvm::Function, llvm::Value*,
llvm::Value*>::doit(llvm::Value* const&)
llvm/include/llvm/Support/Casting.h:122:5
#11 0x00007f2694ddce22 llvm::isa_impl_wrap<llvm::Function, llvm::Use const,
llvm::Value*>::doit(llvm::Use const&) llvm/include/llvm/Support/Casting.h:112:5
#12 0x00007f2694ddcd05 bool llvm::isa<llvm::Function, llvm::Use>(llvm::Use
const&) llvm/include/llvm/Support/Casting.h:133:3
#13 0x00007f2694ddcc45
_ZN4llvm8dyn_castINS_8FunctionENS_3UseEEENSt9enable_ifIXntsr14is_simple_typeIT0_EE5valueENS_10cast_rettyIT_KS4_E8ret_typeEE4typeERS7_
llvm/include/llvm/Support/Casting.h:286:10
#14 0x00007f2694ddcbfd llvm::CallInst::getCalledFunction() const
llvm/include/llvm/IR/Instructions.h:1810:5
#15 0x00007f2694ddd085 llvm::IntrinsicInst::classof(llvm::CallInst const*)
llvm/include/llvm/IR/IntrinsicInst.h:49:27
#16 0x00007f2694ddd03d llvm::IntrinsicInst::classof(llvm::Value const*)
llvm/include/llvm/IR/IntrinsicInst.h:54:34
#17 0x00007f2694ddcff5 llvm::isa_impl<llvm::IntrinsicInst, llvm::Value,
void>::doit(llvm::Value const&) llvm/include/llvm/Support/Casting.h:56:5
#18 0x00007f2694ddcfc7 llvm::isa_impl_cl<llvm::IntrinsicInst, llvm::Value
const*>::doit(llvm::Value const*) llvm/include/llvm/Support/Casting.h:96:5
#19 0x00007f2694ddcf38 llvm::isa_impl_wrap<llvm::IntrinsicInst, llvm::Value
const*, llvm::Value const*>::doit(llvm::Value const* const&)
llvm/include/llvm/Support/Casting.h:122:5
#20 0x00007f2694ddcf12 llvm::isa_impl_wrap<llvm::IntrinsicInst, llvm::Value
const* const, llvm::Value const*>::doit(llvm::Value const* const&)
llvm/include/llvm/Support/Casting.h:112:5
#21 0x00007f2694ddcae5 bool llvm::isa<llvm::IntrinsicInst, llvm::Value
const*>(llvm::Value const* const&) llvm/include/llvm/Support/Casting.h:133:3
#22 0x00007f2694de4888 llvm::MemIntrinsic::classof(llvm::Value const*)
llvm/include/llvm/IR/IntrinsicInst.h:211:14
#23 0x00007f2694de4865 llvm::isa_impl<llvm::MemIntrinsic, llvm::Instruction,
void>::doit(llvm::Instruction const&) llvm/include/llvm/Support/Casting.h:56:5
#24 0x00007f2694de4837 llvm::isa_impl_cl<llvm::MemIntrinsic, llvm::Instruction
const*>::doit(llvm::Instruction const*)
llvm/include/llvm/Support/Casting.h:96:5
#25 0x00007f2694de47d8 llvm::isa_impl_wrap<llvm::MemIntrinsic,
llvm::Instruction const*, llvm::Instruction const*>::doit(llvm::Instruction
const* const&) llvm/include/llvm/Support/Casting.h:122:5
#26 0x00007f2694de47b2 llvm::isa_impl_wrap<llvm::MemIntrinsic,
llvm::Instruction* const, llvm::Instruction const*>::doit(llvm::Instruction*
const&) llvm/include/llvm/Support/Casting.h:112:5
#27 0x00007f2694de4705 bool llvm::isa<llvm::MemIntrinsic,
llvm::Instruction*>(llvm::Instruction* const&)
llvm/include/llvm/Support/Casting.h:133:3
#28 0x00007f2694de1dd8 llvm::cast_retty<llvm::MemIntrinsic,
llvm::Instruction*>::ret_type llvm::dyn_cast<llvm::MemIntrinsic,
llvm::Instruction>(llvm::Instruction*)
llvm/include/llvm/Support/Casting.h:298:10
#29 0x00007f2694e01340 getLocForWrite(llvm::Instruction*, llvm::AAResults&)
llvm/lib/Transforms/Scalar/DeadStoreElimination.cpp:153:21
#30 0x00007f2694e02660 removePartiallyOverlappedStores(llvm::AAResults*,
llvm::DataLayout const&, llvm::DenseMap<llvm::Instruction*, std::map<long,
long, std::less<long>, std::allocator<std::pair<long const, long> > >,
llvm::DenseMapInfo<llvm::Instruction*>,
llvm::detail::DenseMapPair<llvm::Instruction*, std::map<long, long,
std::less<long>, std::allocator<std::pair<long const, long> > > > >&)
llvm/lib/Transforms/Scalar/DeadStoreElimination.cpp:919:5
#31 0x00007f2694e003d7 eliminateDeadStores(llvm::BasicBlock&, llvm::AAResults*,
llvm::MemoryDependenceResults*, llvm::DominatorTree*, llvm::TargetLibraryInfo
const*) llvm/lib/Transforms/Scalar/DeadStoreElimination.cpp:1097:19
#32 0x00007f2694dff9ff eliminateDeadStores(llvm::Function&, llvm::AAResults*,
llvm::MemoryDependenceResults*, llvm::DominatorTree*, llvm::TargetLibraryInfo
const*) llvm/lib/Transforms/Scalar/DeadStoreElimination.cpp:1115:21
#33 0x00007f2694dffdb6 (anonymous
namespace)::DSELegacyPass::runOnFunction(llvm::Function&)
llvm/lib/Transforms/Scalar/DeadStoreElimination.cpp:1156:5
#34 0x00007f2695caecdd llvm::FPPassManager::runOnFunction(llvm::Function&)
llvm/lib/IR/LegacyPassManager.cpp:1526:23
#35 0x00007f2695caf015 llvm::FPPassManager::runOnModule(llvm::Module&)
llvm/lib/IR/LegacyPassManager.cpp:1547:16
#36 0x00007f2695caf7fe (anonymous
namespace)::MPPassManager::runOnModule(llvm::Module&)
llvm/lib/IR/LegacyPassManager.cpp:1603:23
#37 0x00007f2695caf2fb llvm::legacy::PassManagerImpl::run(llvm::Module&)
llvm/lib/IR/LegacyPassManager.cpp:1706:16
#38 0x00007f2695cafd41 llvm::legacy::PassManager::run(llvm::Module&)
llvm/lib/IR/LegacyPassManager.cpp:1737:3
#39 0x00000000004450f1 main llvm/tools/opt/opt.cpp:679:3
#40 0x00007f26935b7f45 __libc_start_main
/build/eglibc-oGUzwX/eglibc-2.19/csu/libc-start.c:321:0
#41 0x0000000000427388 _start (llvm-debug/bin/opt+0x427388)
Stack dump:
0.    Program arguments: llvm-debug/bin/opt -S -dse -o -
bugpoint-reduced-simplified.ll 
1.    Running pass 'Function Pass Manager' on module
'bugpoint-reduced-simplified.ll'.
2.    Running pass 'Dead Store Elimination' on function '@_UPT_destroy'

Looks like this crash was introduced by r275571.
