[llvm-bugs] [Bug 33200] New: stack-buffer-overflow in loop sinking in LLVM::Transforms/LICM/loopsink.ll
via llvm-bugs
llvm-bugs at lists.llvm.org
Sun May 28 12:16:42 PDT 2017
https://bugs.llvm.org/show_bug.cgi?id=33200
Bug ID: 33200
Summary: stack-buffer-overflow in loop sinking in
LLVM::Transforms/LICM/loopsink.ll
Product: new-bugs
Version: trunk
Hardware: PC
OS: Linux
Status: NEW
Severity: normal
Priority: P
Component: new bugs
Assignee: unassignedbugs at nondot.org
Reporter: matthias.krueger at famsik.de
CC: llvm-bugs at lists.llvm.org
llvm @ f1e232d9b0afea4224c5cf2e8c0259594237f28f /
git-svn-id: https://llvm.org/svn/llvm-project/llvm/trunk@304080
91177308-0d34-0410-b5e6-96231b3b80d8
This was the result of doing a stage2 ASan+UBSan-instrumented check-all run.
Build setup was like this:
cmake ../llvm -G "Ninja" \
-DCMAKE_BUILD_TYPE=Release \
-DLLVM_BINUTILS_INCDIR=/usr/include \
-DCMAKE_C_FLAGS="-march=native -Og -g" \
-DCMAKE_CXX_FLAGS="-march=native -Og -g" \
-DLLVM_PARALLEL_LINK_JOBS=1 \
-DLLVM_OPTIMIZED_TABLEGEN=1 \
-DLLVM_TARGETS_TO_BUILD="X86" \
-DCMAKE_AR="${rootDir}/stage_1/build/bin/llvm-ar" \
-DCMAKE_RANLIB="${rootDir}/stage_1/build/bin/llvm-ranlib" \
-DLLVM_USE_LINKER="${rootDir}/stage_1/build/bin/ld.lld" \
-DLLVM_USE_SANITIZER="Address;Undefined" \
-DLLVM_PARALLEL_LINK_JOBS=1 \
-DLLVM_ENABLE_EXPENSIVE_CHECKS=1
The test case LLVM::Transforms/LICM/loopsink.ll failed/crashed.
********************
FAIL: LLVM :: Transforms/LICM/loopsink.ll (30091 of 34661)
******************** TEST 'LLVM :: Transforms/LICM/loopsink.ll' FAILED
********************
Script:
--
/home/matthias/LLVM/LLVM_san/stage_2/objects/./bin/opt -S -loop-sink <
/home/matthias/LLVM/LLVM_san/stage_2/llvm/test/Transforms/LICM/loopsink.ll |
/home/matthias/LLVM/LLVM_san/stage_2/objects/./bin/FileCheck
/home/matthias/LLVM/LLVM_san/stage_2/llvm/test/Transforms/LICM/loopsink.ll
/home/matthias/LLVM/LLVM_san/stage_2/objects/./bin/opt -S -passes=loop-sink <
/home/matthias/LLVM/LLVM_san/stage_2/llvm/test/Transforms/LICM/loopsink.ll |
/home/matthias/LLVM/LLVM_san/stage_2/objects/./bin/FileCheck
/home/matthias/LLVM/LLVM_san/stage_2/llvm/test/Transforms/LICM/loopsink.ll
--
Exit Code: 2
Command Output (stderr):
--
=================================================================
==2927==ERROR: AddressSanitizer: stack-buffer-overflow on address
0x7ffdf026bb18 at pc 0x0000041fed23 bp 0x7ffdf026ab50 sp 0x7ffdf026ab48
READ of size 8 at 0x7ffdf026bb18 thread T0
#0 0x41fed22 in operator<<llvm::BasicBlock *, int>
/usr/lib/gcc/x86_64-redhat-linux/6.3.1/../../../../include/c++/6.3.1/bits/stl_pair.h:438:18
#1 0x41fed22 in sinkInstruction(llvm::Loop&, llvm::Instruction&,
llvm::SmallVectorImpl<llvm::BasicBlock*> const&,
llvm::SmallDenseMap<llvm::BasicBlock*, int, 16u,
llvm::DenseMapInfo<llvm::BasicBlock*>,
llvm::detail::DenseMapPair<llvm::BasicBlock*, int> > const&, llvm::LoopInfo&,
llvm::DominatorTree&,
llvm::BlockFrequencyInfo&)::$_0::operator()(llvm::BasicBlock*,
llvm::BasicBlock*) const
/home/matthias/LLVM/LLVM_san/stage_2/llvm/lib/Transforms/Scalar/LoopSink.cpp:205
#2 0x41f64f9 in sort<llvm::BasicBlock **, (lambda at
/home/matthias/LLVM/LLVM_san/stage_2/llvm/lib/Transforms/Scalar/LoopSink.cpp:204:13)>
/usr/lib/gcc/x86_64-redhat-linux/6.3.1/../../../../include/c++/6.3.1/bits/stl_algo.h:4737:7
#3 0x41f64f9 in sinkInstruction
/home/matthias/LLVM/LLVM_san/stage_2/llvm/lib/Transforms/Scalar/LoopSink.cpp:203
#4 0x41f64f9 in sinkLoopInvariantInstructions(llvm::Loop&,
llvm::AAResults&, llvm::LoopInfo&, llvm::DominatorTree&,
llvm::BlockFrequencyInfo&, llvm::ScalarEvolution*)
/home/matthias/LLVM/LLVM_san/stage_2/llvm/lib/Transforms/Scalar/LoopSink.cpp:293
#5 0x26eb100 in llvm::LPPassManager::runOnFunction(llvm::Function&)
/home/matthias/LLVM/LLVM_san/stage_2/llvm/lib/Analysis/LoopPass.cpp:196:23
#6 0x36dd66b in llvm::FPPassManager::runOnFunction(llvm::Function&)
/home/matthias/LLVM/LLVM_san/stage_2/llvm/lib/IR/LegacyPassManager.cpp:1519:27
#7 0x36ddd18 in llvm::FPPassManager::runOnModule(llvm::Module&)
/home/matthias/LLVM/LLVM_san/stage_2/llvm/lib/IR/LegacyPassManager.cpp:1540:16
#8 0x36dec77 in runOnModule
/home/matthias/LLVM/LLVM_san/stage_2/llvm/lib/IR/LegacyPassManager.cpp:1596:27
#9 0x36dec77 in llvm::legacy::PassManagerImpl::run(llvm::Module&)
/home/matthias/LLVM/LLVM_san/stage_2/llvm/lib/IR/LegacyPassManager.cpp:1699
#10 0x1c136f2 in main
/home/matthias/LLVM/LLVM_san/stage_2/llvm/tools/opt/opt.cpp:746:10
#11 0x7f63b66c8400 in __libc_start_main
/usr/src/debug/glibc-2.24-33-ge9e69e4/csu/../csu/libc-start.c:289
#12 0x1b0e029 in _start
(/home/matthias/LLVM/LLVM_san/stage_2/objects/bin/opt+0x1b0e029)
Address 0x7ffdf026bb18 is located in stack of thread T0 at offset 3704 in frame
#0 0x41f3caf in sinkLoopInvariantInstructions(llvm::Loop&,
llvm::AAResults&, llvm::LoopInfo&, llvm::DominatorTree&,
llvm::BlockFrequencyInfo&, llvm::ScalarEvolution*)
/home/matthias/LLVM/LLVM_san/stage_2/llvm/lib/Transforms/Scalar/LoopSink.cpp:243
This frame has 63 object(s):
[32, 40) 'Val.addr.i'
[64, 72) 'TheBucket.i'
[96, 120) 'ref.tmp.i.sroa.7.i.i'
[160, 176) '__dist.i.i.i'
[192, 200) '__comp.i.i'
[224, 232) '__first.addr.i.i'
[256, 264) '__last.addr.i.i'
[288, 304) 'retval.i.i129.i'
[320, 336) 'retval.i.i.i'
[352, 368) 'retval.i.i117.i.i'
[384, 400) 'retval.i.i109.i.i'
[416, 432) 'retval.i.i92.i.i'
[448, 464) 'retval.i.i84.i.i'
[480, 496) 'retval.i.i74.i.i'
[512, 528) 'retval.i.i.i.i'
[544, 592) 'BBsDominatedByColdestBB.i.i' (line 129)
[624, 648) 'tmp.i.i' (line 143)
[688, 712) 'tmp43.i.i' (line 151)
[752, 800) 'BBs.i' (line 173)
[832, 856) 'tmp.i' (line 182)
[896, 944) 'BBsToSinkInto.i' (line 192)
[976, 1016) 'SortedBBsToSinkInto.i' (line 200)
[1056, 1080) 'ref.tmp47.i' (line 216)
[1120, 1136) 'ref.tmp48.i' (line 216)
[1152, 1176) '__buf.i.i'
[1216, 1240) 'ref.tmp.i.sroa.7.i'
[1280, 1296) '__dist.i.i'
[1312, 1320) '__comp.i'
[1344, 1352) '__first.addr.i'
[1376, 1384) '__last.addr.i'
[1408, 1424) '__pred.i.i.i.i.i'
[1440, 1480) 'agg.tmp.i.i.i.i.i'
[1520, 1560) 'agg.tmp3.i.i.i.i.i'
[1600, 1640) 'agg.tmp6.i.i.i.i.i'
[1680, 1720) 'agg.tmp9.i.i.i.i.i'
[1760, 1800) 'agg.tmp13.i.i.i.i.i'
[1840, 1880) 'agg.tmp16.i.i.i.i.i'
[1920, 1960) 'agg.tmp19.i.i.i.i.i'
[2000, 2040) 'agg.tmp.i.i.i.i'
[2080, 2120) 'agg.tmp1.i.i.i.i'
[2160, 2176) '__dist.i.i.i.i'
[2192, 2232) 'agg.tmp.i.i.i'
[2272, 2312) 'agg.tmp5.i.i.i'
[2352, 2392) 'ref.tmp.i.i'
[2432, 2472) 'agg.tmp.i.i'
[2512, 2552) 'agg.tmp1.i.i'
[2592, 2632) 'agg.tmp.i'
[2672, 2712) 'agg.tmp1.i'
[2752, 2768) 'temp.lvalue'
[2784, 2792) 'PreheaderFreq' (line 253)
[2816, 2896) 'ref.tmp' (line 257)
[2928, 2992) 'CurAST' (line 263)
[3024, 3104) 'ref.tmp5' (line 266)
[3136, 3176) '__begin' (line 266)
[3216, 3256) '__end' (line 266)
[3296, 3400) 'ColdLoopBBs' (line 270)
[3440, 3704) 'LoopBlockNumber' (line 271) <== Memory access at offset 3704
overflows this variable
[3776, 3856) 'ref.tmp10' (line 273)
[3888, 3928) '__begin11' (line 273)
[3968, 4008) '__end12' (line 273)
[4048, 4056) 'B' (line 273)
[4080, 4088) 'II' (line 286)
[4112, 4120) 'E' (line 286)
HINT: this may be a false positive if your program uses some custom stack
unwind mechanism or swapcontext
(longjmp and C++ exceptions *are* supported)
SUMMARY: AddressSanitizer: stack-buffer-overflow
/usr/lib/gcc/x86_64-redhat-linux/6.3.1/../../../../include/c++/6.3.1/bits/stl_pair.h:438:18
in operator<<llvm::BasicBlock *, int>
Shadow bytes around the buggy address:
0x10003e045710: f8 f8 f8 f8 f8 f8 f8 f8 f2 f2 f2 f2 f8 f8 f8 f8
0x10003e045720: f8 f2 f2 f2 f2 f2 f8 f8 f8 f8 f8 f2 f2 f2 f2 f2
0x10003e045730: 00 00 00 00 00 00 00 00 00 00 00 00 00 f2 f2 f2
0x10003e045740: f2 f2 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x10003e045750: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x10003e045760: 00 00 00[f2]f2 f2 f2 f2 f2 f2 f2 f2 f8 f8 f8 f8
0x10003e045770: f8 f8 f8 f8 f8 f8 f2 f2 f2 f2 f8 f8 f8 f8 f8 f2
0x10003e045780: f2 f2 f2 f2 f8 f8 f8 f8 f8 f2 f2 f2 f2 f2 f8 f2
0x10003e045790: f2 f2 00 f2 f2 f2 00 f3 f3 f3 f3 f3 00 00 00 00
0x10003e0457a0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x10003e0457b0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
==2927==ABORTING
FileCheck error: '-' is empty.
FileCheck command line:
/home/matthias/LLVM/LLVM_san/stage_2/objects/./bin/FileCheck
/home/matthias/LLVM/LLVM_san/stage_2/llvm/test/Transforms/LICM/loopsink.ll
--