[llvm-bugs] [Bug 45164] New: Assertion in backend causes invalid accesses in driver

via llvm-bugs llvm-bugs at lists.llvm.org
Tue Mar 10 07:18:11 PDT 2020


https://bugs.llvm.org/show_bug.cgi?id=45164

            Bug ID: 45164
           Summary: Assertion in backend causes invalid accesses in driver
           Product: clang
           Version: 10.0
          Hardware: Other
                OS: Linux
            Status: NEW
          Severity: normal
          Priority: P
         Component: Driver
          Assignee: unassignedclangbugs at nondot.org
          Reporter: daltenty at ibm.com
                CC: llvm-bugs at lists.llvm.org, neeilans at live.com,
                    richard-llvm at metafoo.co.uk

Created attachment 23218
  --> https://bugs.llvm.org/attachment.cgi?id=23218&action=edit
Run with address sanitizer enabled on ppc64le

When running clang 10.0.0-rc3 with the `clang/test/CodeGenObjC/illegal-UTF8.m`
testcase, we get an (expected) assertion from the backend, but during the
driver shutdown and cleanup after that assertion we get an invalid access
related to Timers that were originally created by CC1. Depending on the platform
and what exactly happens to be there at the invalid address, we may get a crash
or a hang due to an infinite loop in the Timer cleanup (which is what happens on AIX).

Originally found on AIX, but I've reproduced it here on RHEL 7 ppc64le with
AddressSanitizer to highlight the problematic access.

--

It looks like this has been present since https://reviews.llvm.org/D69825 changed the
default behaviour of the driver to run cc1 in-process.

Instead of spawning a separate process, the driver now uses CrashRecoveryContext to
wrap its execution. The in-process call to CC1 creates a few Timer objects on the
stack and adds them to the linked list in the DefaultTimerGroup. But when the backend
asserts, the error-handling code in CrashRecoveryContext longjmps back to the
driver, and once the longjmp has unwound the stack, the pointers in the ManagedStatic
refer to invalid locations in discarded stack frames (which may be overwritten
by subsequent frames). When llvm::shutdown is called by the driver as it
terminates, it runs a cleanup on the ManagedStatic DefaultTimerGroup and reads
the invalid stack region.
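As an added illustration (not code from this report or from LLVM), the following constructed C++ model reproduces the sequence described above: a stack-allocated Timer registers itself in a global group, a longjmp-based recovery discards its frame without unlinking it, and the group is left holding a pointer into dead stack. The names Timer, TimerGroup, RunCC1InProcess and Snapshot are stand-ins, and the "fixed" variant shows one possible mitigation (restoring the registry on the failure path), not the fix LLVM adopted.

```cpp
#include <csetjmp>
#include <cstddef>

// Constructed stand-ins for llvm::Timer and the ManagedStatic DefaultTimerGroup.
struct Timer;
struct TimerGroup {
    Timer *Head = nullptr;     // intrusive list of timers registered by cc1
    std::size_t Count = 0;
};
static TimerGroup DefaultTimerGroup;

struct Timer {
    TimerGroup *Group;
    Timer *Next;
    explicit Timer(TimerGroup &G) : Group(&G), Next(G.Head) { G.Head = this; ++G.Count; }
    // The real Timer unlinks itself in its destructor; longjmp never runs
    // destructors, so the unlink is explicit here and skipped on the crash path.
    void Unregister() { Group->Head = Next; --Group->Count; }
};

static std::jmp_buf RecoveryPoint;   // what CrashRecoveryContext longjmps back to

// The in-process cc1 call: a Timer living in this frame joins the global list.
static void RunCC1InProcess(bool BackendAsserts) {
    Timer FrontendTimer(DefaultTimerGroup);
    if (BackendAsserts)
        std::longjmp(RecoveryPoint, 1);   // frame discarded, list still points into it
    FrontendTimer.Unregister();           // only the normal path unlinks
}

// Driver as described in the report: after recovery the list still holds a
// pointer into the dead frame, which llvm::shutdown would later traverse.
std::size_t DanglingAfterRecovery_Buggy() {
    DefaultTimerGroup = TimerGroup{};
    if (setjmp(RecoveryPoint) == 0)
        RunCC1InProcess(true);
    return DefaultTimerGroup.Count;   // 1: a registration survived the longjmp
}

// Mitigation (hypothetical): snapshot the registry before the guarded call and
// restore it on the failure path, so nothing from discarded frames reaches shutdown.
std::size_t DanglingAfterRecovery_Fixed() {
    DefaultTimerGroup = TimerGroup{};
    const TimerGroup Snapshot = DefaultTimerGroup;
    if (setjmp(RecoveryPoint) == 0)
        RunCC1InProcess(true);
    else
        DefaultTimerGroup = Snapshot;
    return DefaultTimerGroup.Count;   // 0
}
```

Running the buggy variant under AddressSanitizer with a real destructor-based unlink is what surfaces the stack-use-after-scope read the report attaches.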
