[llvm-bugs] [Bug 31848] New: Segfault/Memory corruption in DependenceAnalysis

via llvm-bugs llvm-bugs at lists.llvm.org
Thu Feb 2 05:18:49 PST 2017 

https://llvm.org/bugs/show_bug.cgi?id=31848

            Bug ID: 31848
           Summary: Segfault/Memory corruption in DependenceAnalysis
           Product: new-bugs
           Version: trunk
          Hardware: PC
                OS: Linux
            Status: NEW
          Severity: normal
          Priority: P
         Component: new bugs
          Assignee: unassignedbugs at nondot.org
          Reporter: philip.pfaffe at gmail.com
                CC: llvm-bugs at lists.llvm.org
    Classification: Unclassified

Created attachment 17927
  --> https://llvm.org/bugs/attachment.cgi?id=17927&action=edit
lit testcase triggering the bug

It's possible for DependenceAnalysis to run into a heap buffer overflow. The
attached testcase triggers the bug for current trunk, but I'm positive this has
been defective in previous versions as well.

The bug occurs within the banerjeeMIV-test, in the function collectCoeffInfo().
This function allocates a new array on the heap with MaxLevels+1 elements.
MaxLevels is the maximum loop depth either of the two Instructions being tested
are found in. This array is then filled by walking the AddRecExprs in the
SCEV-Expr describing the access subscript. The problem with this is that the
SCEV-Expr can contain AddRecExprs that do not correspond to loops surrounding
the tested Instruction. And if those AddRecExprs belong to a loop that's deeper
than MaxLevels, we're accessing the array outside of its bounds.

In summary, I don't think that this is really a problem with the
banerjeeMIV-test, and I strongly suspect there are other inputs for which
AddRecExprs are being treated as index variables even if they actually are not.

The fix for the memory corruption could be straightforward, by (correctly)
classifying the subscript pair as NonLinear. However I am not sure whether this
is overly pessimistic or even sound in general.

- Philip

-- 
You are receiving this mail because:
You are on the CC list for the bug.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.llvm.org/pipermail/llvm-bugs/attachments/20170202/36135169/attachment.html>

More information about the llvm-bugs mailing list