[llvm-bugs] [Bug 26808] New: Lots of sketchy behaviour masked by RecyclingAllocator

via llvm-bugs llvm-bugs at lists.llvm.org
Tue Mar 1 22:01:58 PST 2016


https://llvm.org/bugs/show_bug.cgi?id=26808

            Bug ID: 26808
           Summary: Lots of sketchy behaviour masked by RecyclingAllocator
           Product: new-bugs
           Version: trunk
          Hardware: PC
                OS: All
            Status: NEW
          Severity: normal
          Priority: P
         Component: new bugs
          Assignee: unassignedbugs at nondot.org
          Reporter: llvm-bugs at justinbogner.com
                CC: llvm-bugs at lists.llvm.org
    Classification: Unclassified

Created attachment 15971
  --> https://llvm.org/bugs/attachment.cgi?id=15971&action=edit
Patch to make Recycler asan-aware

The attached patch teaches Recycler (and by proxy RecyclingAllocator) to poison
and unpoison memory for ASAN. Running ninja check under ASAN with this applied
hits a few thousand failures. Some of the issues include:

- We don't allocate nodes in SelectionDAG correctly - we always call an SDNode
allocator and upcast to the (much larger) subclasses. This mostly works since
the RecyclingAllocator is set to allocate 296 bytes per node.

- SelectionDAG sets node types to "ISD::DELETED_NODE" before returning them to
the free list, ostensibly to detect bugs. Then it *uses whether or not the
thing is deleted* for control flow in places like UpdateChainsAndGlue. This
*should not work*, but apparently it tends to in practice.

- SelectionDAG arbitrarily casts from smaller SDNodes to MachineSDNode in
MorphNodeTo. This is very much undefined behaviour, but basically works since
the allocations happen to be large enough.

- There's probably a use-after-free of `Tail` in
TargetInstrInfo::ReplaceTailWithBranchTo.

- RegisterCoalescer::reMaterializeTrivialDef appears to have use-after-free
bugs regarding MachineInstrs.
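
The poisoning scheme described above, as an added sketch that is not the attached patch and not LLVM's Recycler. `DemoRecycler`, `poison`, `unpoison`, `isPoisoned` and `recycledBlockIsGuarded` are hypothetical names; the `__asan_*` functions are the ASan runtime's manual-poisoning entry points, declared by hand here on the assumption that no sanitizer header is available.

```cpp
#include <cstdlib>
#if defined(__has_feature) // Clang spells the ASan check this way
#if __has_feature(address_sanitizer)
#define DEMO_ASAN_CLANG
#endif
#endif
#if defined(__SANITIZE_ADDRESS__) || defined(DEMO_ASAN_CLANG) // GCC or Clang
extern "C" void __asan_poison_memory_region(void const volatile *, std::size_t);
extern "C" void __asan_unpoison_memory_region(void const volatile *, std::size_t);
extern "C" int __asan_address_is_poisoned(void const volatile *);
static const bool AsanOn = true;
static void poison(void *P, std::size_t N) { __asan_poison_memory_region(P, N); }
static void unpoison(void *P, std::size_t N) { __asan_unpoison_memory_region(P, N); }
static bool isPoisoned(void *P) { return __asan_address_is_poisoned(P) != 0; }
#else // plain build: the hooks compile away and stale accesses go unnoticed
static const bool AsanOn = false;
static void poison(void *, std::size_t) {}
static void unpoison(void *, std::size_t) {}
static bool isPoisoned(void *) { return false; }
#endif
// Hypothetical fixed-size free-list recycler for illustration (not LLVM's Recycler).
template <std::size_t Size> struct DemoRecycler {
  struct FreeNode { FreeNode *Next; };
  FreeNode *FreeList = nullptr;
  void *allocate() {
    if (!FreeList) return std::malloc(Size);
    FreeNode *N = FreeList;
    unpoison(N, Size); // must come before the recycler itself reads N->Next
    FreeList = N->Next;
    return N;
  }
  void deallocate(void *P) {
    FreeNode *N = static_cast<FreeNode *>(P);
    N->Next = FreeList; // write the link while the block is still addressable
    FreeList = N;
    poison(N, Size); // a stale pointer into this block now faults under ASan
  }
  ~DemoRecycler() { while (FreeList) std::free(allocate()); }
};
// True when a freed block is reused and was poisoned while on the free list.
bool recycledBlockIsGuarded() {
  DemoRecycler<296> R; // 296 bytes per node, the size quoted in the report
  void *A = R.allocate();
  R.deallocate(A);
  bool Guarded = isPoisoned(A) == AsanOn;
  void *B = R.allocate(); // pops A off the free list and unpoisons it
  R.deallocate(B);
  return Guarded && A == B;
}
```

Build with `-fsanitize=address` to see the poisoning take effect; in a plain build the hooks are no-ops and the immediate reuse of the freed block is what lets stale pointers appear to work.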
