[llvm-bugs] [Bug 32240] New: Use after free in SCEV AA
via llvm-bugs
llvm-bugs at lists.llvm.org
Sat Mar 11 11:08:20 PST 2017
http://bugs.llvm.org/show_bug.cgi?id=32240
Bug ID: 32240
Summary: Use after free in SCEV AA
Product: libraries
Version: trunk
Hardware: PC
OS: All
Status: NEW
Severity: enhancement
Priority: P
Component: Global Analyses
Assignee: unassignedbugs at nondot.org
Reporter: keno at alumni.harvard.edu
CC: llvm-bugs at lists.llvm.org
Consider the following bugpoint-reduced test case:
```
; ModuleID = 'bugpoint-reduced-simplified.bc'
source_filename = "bugpoint-output-e3ce3dd.bc"
target datalayout = "e-m:e-i64:64-f80:128-n8:16:32:64-S128"
target triple = "x86_64-unknown-linux-gnu"
%GalaxySigmaDerivs.2.8.11.14.17.62.68 = type { %SMatrix.0.6.9.12.15.60.66, %SArray.1.7.10.13.16.61.67 }
%SMatrix.0.6.9.12.15.60.66 = type { [9 x double] }
%SArray.1.7.10.13.16.61.67 = type { [27 x double] }
define void @julia_benchmark2_68791(i8**, %GalaxySigmaDerivs.2.8.11.14.17.62.68*) #0 {
if22.2.2.2:
  %2 = getelementptr i8*, i8** %0, i64 7
  %3 = bitcast i8** %2 to i8***
  %4 = load i8**, i8*** %3, align 8, !tbaa !1
  store i8** %4, i8*** undef, align 8, !tbaa !6
  %sig_sf_j.sroa.0.0..sroa_idx = getelementptr inbounds %GalaxySigmaDerivs.2.8.11.14.17.62.68, %GalaxySigmaDerivs.2.8.11.14.17.62.68* %1, i64 0, i32 0, i32 0, i64 0
  %sig_sf_j.sroa.0.0.copyload = load double, double* %sig_sf_j.sroa.0.0..sroa_idx, align 1
  %5 = fmul double undef, %sig_sf_j.sroa.0.0.copyload
  ret void
}
attributes #0 = { "no-frame-pointer-elim"="true" "target-cpu"="knl" }
!llvm.module.flags = !{!0}
!0 = !{i32 1, !"Debug Info Version", i32 3}
!1 = !{!2, !2, i64 0}
!2 = !{!"jtbaa_mutab", !3, i64 0}
!3 = !{!"jtbaa_value", !4, i64 0}
!4 = !{!"jtbaa_data", !5, i64 0}
!5 = !{!"jtbaa"}
!6 = !{!7, !7, i64 0}
!7 = !{!"jtbaa_gcframe", !5, i64 0}
```
Running `opt -scev-aa -da -gvn` on this file crashes opt, because gvn tries to
access a SCEV instance that got freed in
`ScalarEvolutionWrapperPass::releaseMemory`.