[llvm-bugs] [Bug 34968] New: null deref in llvm::ScalarEvolution::getMulExpr
via llvm-bugs
llvm-bugs at lists.llvm.org
Mon Oct 16 11:15:32 PDT 2017
https://bugs.llvm.org/show_bug.cgi?id=34968
Bug ID: 34968
Summary: null deref in llvm::ScalarEvolution::getMulExpr
Product: new-bugs
Version: unspecified
Hardware: PC
OS: Linux
Status: NEW
Severity: enhancement
Priority: P
Component: new bugs
Assignee: unassignedbugs at nondot.org
Reporter: kcc at google.com
CC: llvm-bugs at lists.llvm.org, mascasa at google.com,
max.kazantsev at azul.com, vitalybuka at google.com
Reproduces at r315916:
// Reproducer for the crash: compiling this function with the command below
// (clang -cc1 -O2 on x86_64-linux) segfaults inside llvm::SCEV::getType(),
// reached from llvm::ScalarEvolution::getMulExpr() while loop strength
// reduction runs (frames #0-#16 of the backtrace below). The function never
// returns -- the outer loop is `while (1)`. Keep the source byte-for-byte:
// any rewrite changes the IR that ScalarEvolution sees and may stop
// triggering the bug.
void foo(int *a) {
  while (1) {
    // a[60] grows by 1 + a[0] on every outer iteration.
    a[60] = ((1 + a[60]) + a[0]);
    // The inner loop increments a[0] until a[60] + a[0] is zero. For a
    // positive sum that only happens through signed overflow (UB in C);
    // presumably the fuzzer-generated input relies on exactly that -- worth
    // keeping in mind when minimizing the test case.
    while ((a[60] + a[0])) {
      a[0] = (a[0] + 1);
    }
  }
}
% clang -cc1 -triple x86_64-unknown-linux-gnu -O2 -emit-obj z.cc
Program received signal SIGSEGV, Segmentation fault.
0x0000000001466b90 in llvm::SCEV::getType() const ()
(gdb) bt
#0 0x0000000001466b90 in llvm::SCEV::getType() const ()
#1 0x000000000146c6c9 in
llvm::ScalarEvolution::getMulExpr(llvm::SmallVectorImpl<llvm::SCEV const*>&,
llvm::SCEV::NoWrapFlags, unsigned int) ()
#2 0x000000000146ce97 in
llvm::ScalarEvolution::getMulExpr(llvm::SmallVectorImpl<llvm::SCEV const*>&,
llvm::SCEV::NoWrapFlags, unsigned int) ()
#3 0x000000000146df0d in
llvm::ScalarEvolution::getMulExpr(llvm::SmallVectorImpl<llvm::SCEV const*>&,
llvm::SCEV::NoWrapFlags, unsigned int) ()
#4 0x000000000147c8ec in llvm::ScalarEvolution::getNegativeSCEV(llvm::SCEV
const*, llvm::SCEV::NoWrapFlags) ()
#5 0x0000000001476566 in llvm::ScalarEvolution::getMinusSCEV(llvm::SCEV
const*, llvm::SCEV const*, llvm::SCEV::NoWrapFlags, unsigned int) ()
#6 0x0000000001497dc8 in
llvm::ScalarEvolution::isImpliedCondOperands(llvm::CmpInst::Predicate,
llvm::SCEV const*, llvm::SCEV const*, llvm::SCEV const*, llvm::SCEV const*) ()
#7 0x0000000001497c78 in
llvm::ScalarEvolution::isImpliedCond(llvm::CmpInst::Predicate, llvm::SCEV
const*, llvm::SCEV const*, llvm::CmpInst::Predicate, llvm::SCEV const*,
llvm::SCEV const*) ()
#8 0x0000000001472347 in
llvm::ScalarEvolution::isLoopBackedgeGuardedByCond(llvm::Loop const*,
llvm::CmpInst::Predicate, llvm::SCEV const*, llvm::SCEV const*) ()
#9 0x000000000146fafc in llvm::ScalarEvolution::getZeroExtendExpr(llvm::SCEV
const*, llvm::Type*, unsigned int) ()
#10 0x00000000014c1b6c in
llvm::SCEVExpander::getAddRecExprPHILiterally(llvm::SCEVAddRecExpr const*,
llvm::Loop const*, llvm::Type*, llvm::Type*, llvm::Type*&, bool&) ()
#11 0x00000000014c2980 in
llvm::SCEVExpander::expandAddRecExprLiterally(llvm::SCEVAddRecExpr const*) ()
#12 0x00000000014be62d in llvm::SCEVExpander::expand(llvm::SCEV const*) ()
#13 0x00000000014be009 in llvm::SCEVExpander::expandCodeFor(llvm::SCEV const*,
llvm::Type*) ()
#14 0x0000000001c152c9 in (anonymous namespace)::LSRInstance::Expand((anonymous
namespace)::LSRUse const&, (anonymous namespace)::LSRFixup const&, (anonymous
namespace)::Formula const&,
llvm::ilist_iterator<llvm::ilist_detail::node_options<llvm::Instruction, true,
false, void>, false, false>, llvm::SCEVExpander&,
llvm::SmallVectorImpl<llvm::WeakTrackingVH>&) const ()
#15 0x0000000001bf8c3e in (anonymous
namespace)::LSRInstance::LSRInstance(llvm::Loop*, llvm::IVUsers&,
llvm::ScalarEvolution&, llvm::DominatorTree&, llvm::LoopInfo&,
llvm::TargetTransformInfo const&) ()
#16 0x0000000001bf1c2f in ReduceLoopStrength(llvm::Loop*, llvm::IVUsers&,
llvm::ScalarEvolution&, llvm::DominatorTree&, llvm::LoopInfo&,
llvm::TargetTransformInfo const&) ()
#17 0x000000000143014b in llvm::LPPassManager::runOnFunction(llvm::Function&)
()
#18 0x00000000018c1eff in llvm::FPPassManager::runOnFunction(llvm::Function&)
()
#19 0x00000000018c2153 in llvm::FPPassManager::runOnModule(llvm::Module&) ()
#20 0x00000000018c2655 in llvm::legacy::PassManagerImpl::run(llvm::Module&) ()
#21 0x0000000001edbb4f in clang::EmitBackendOutput(clang::DiagnosticsEngine&,
clang::HeaderSearchOptions const&, clang::CodeGenOptions const&,
clang::TargetOptions const&, clang::LangOptions const&, llvm::DataLayout
const&, llvm::Module*, clang::BackendAction,
std::unique_ptr<llvm::raw_pwrite_stream,
std::default_delete<llvm::raw_pwrite_stream> >) ()
#22 0x000000000260455f in
clang::BackendConsumer::HandleTranslationUnit(clang::ASTContext&) ()
#23 0x0000000002a9c746 in clang::ParseAST(clang::Sema&, bool, bool) ()
#24 0x00000000022b5eb8 in clang::FrontendAction::Execute() ()
#25 0x0000000002279671 in
clang::CompilerInstance::ExecuteAction(clang::FrontendAction&) ()
#26 0x0000000002340b4f in
clang::ExecuteCompilerInvocation(clang::CompilerInstance*) ()
#27 0x00000000008754b5 in cc1_main(llvm::ArrayRef<char const*>, char const*,
void*) ()
#28 0x0000000000873093 in main ()
Found by clang-proto-fuzzer, see
https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=3661