[llvm-bugs] [Bug 51730] New: heap-use-after-free bug in LowerConstantIntrinsics
via llvm-bugs
llvm-bugs at lists.llvm.org
Fri Sep 3 03:00:13 PDT 2021
https://bugs.llvm.org/show_bug.cgi?id=51730
Bug ID: 51730
Summary: heap-use-after-free bug in LowerConstantIntrinsics
Product: new-bugs
Version: trunk
Hardware: PC
OS: Linux
Status: NEW
Severity: enhancement
Priority: P
Component: new bugs
Assignee: unassignedbugs at nondot.org
Reporter: david.stenberg at ericsson.com
CC: htmldeveloper at gmail.com, llvm-bugs at lists.llvm.org
Created attachment 25226
--> https://bugs.llvm.org/attachment.cgi?id=25226&action=edit
IR reproducer.
Commit: 893ac53afc1ae3d433fee2835a1c5db00369d0c4
With an ASan build, running the following command on the attached reproducer:
$ opt -lower-constant-intrinsics -S stale-worklist-phi.ll
gives:
=================================================================
==280124==ERROR: AddressSanitizer: heap-use-after-free on address
0x607000010e98 at pc 0x0000074d6b01 bp 0x7ffeac5a69d0 sp 0x7ffeac5a69c8
READ of size 1 at 0x607000010e98 thread T0
#0 0x74d6b00 (opt+0x74d6b00)
#1 0x74d42d9 (opt+0x74d42d9)
#2 0x845ae71 (opt+0x845ae71)
#3 0x60d9dff (opt+0x60d9dff)
#4 0x11fe5d1 (opt+0x11fe5d1)
#5 0x60e932d (opt+0x60e932d)
#6 0x69de51 (opt+0x69de51)
#7 0x60d6760 (opt+0x60d6760)
#8 0x680519 (opt+0x680519)
#9 0x6ba414 (opt+0x6ba414)
#10 0x7f2686f88554 (/lib64/libc.so.6+0x22554)
#11 0x5c3cc6 (opt+0x5c3cc6)
0x607000010e98 is located 24 bytes inside of 72-byte region
[0x607000010e80,0x607000010ec8)
freed by thread T0 here:
#0 0x670aad (opt+0x670aad)
#1 0x5f81e63 (opt+0x5f81e63)
#2 0x5cbb5bd (opt+0x5cbb5bd)
#3 0x74d5e56 (opt+0x74d5e56)
#4 0x74d42d9 (opt+0x74d42d9)
#5 0x845ae71 (opt+0x845ae71)
#6 0x60d9dff (opt+0x60d9dff)
#7 0x11fe5d1 (opt+0x11fe5d1)
#8 0x60e932d (opt+0x60e932d)
#9 0x69de51 (opt+0x69de51)
#10 0x60d6760 (opt+0x60d6760)
#11 0x680519 (opt+0x680519)
#12 0x6ba414 (opt+0x6ba414)
#13 0x7f2686f88554 (/lib64/libc.so.6+0x22554)
previously allocated by thread T0 here:
#0 0x67024d (opt+0x67024d)
#1 0x613e45c (opt+0x613e45c)
#2 0x4b971e1 (opt+0x4b971e1)
#3 0x4b848e1 (opt+0x4b848e1)
#4 0x4b83936 (opt+0x4b83936)
#5 0x4b0505d (opt+0x4b0505d)
#6 0x4af512d (opt+0x4af512d)
#7 0x4aed24c (opt+0x4aed24c)
#8 0x4aecea9 (opt+0x4aecea9)
#9 0x4acd1fc (opt+0x4acd1fc)
#10 0x4acd5c6 (opt+0x4acd5c6)
#11 0x6889111 (opt+0x6889111)
#12 0x688a4b2 (opt+0x688a4b2)
#13 0x6b7fb4 (opt+0x6b7fb4)
#14 0x7f2686f88554 (/lib64/libc.so.6+0x22554)
SUMMARY: AddressSanitizer: heap-use-after-free (opt+0x74d6b00)
Shadow bytes around the buggy address:
0x0c0e7fffa180: fd fd fd fd fd fa fa fa fa fa fd fd fd fd fd fd
0x0c0e7fffa190: fd fd fd fa fa fa fa fa fd fd fd fd fd fd fd fd
0x0c0e7fffa1a0: fd fa fa fa fa fa fd fd fd fd fd fd fd fd fd fa
0x0c0e7fffa1b0: fa fa fa fa fd fd fd fd fd fd fd fd fd fa fa fa
0x0c0e7fffa1c0: fa fa fd fd fd fd fd fd fd fd fd fa fa fa fa fa
=>0x0c0e7fffa1d0: fd fd fd[fd]fd fd fd fd fd fa fa fa fa fa fd fd
0x0c0e7fffa1e0: fd fd fd fd fd fd fd fd fa fa fa fa fd fd fd fd
0x0c0e7fffa1f0: fd fd fd fd fd fa fa fa fa fa fd fd fd fd fd fd
0x0c0e7fffa200: fd fd fd fa fa fa fa fa fd fd fd fd fd fd fd fd
0x0c0e7fffa210: fd fa fa fa fa fa fd fd fd fd fd fd fd fd fd fa
0x0c0e7fffa220: fa fa fa fa fd fd fd fd fd fd fd fd fd fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
Shadow gap: cc
==280124==ABORTING
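The report above is unsymbolised (every frame is printed as module+offset), so the quickest checks a triager can do before rebuilding and reproducing are arithmetic: confirm that the faulting address really lies inside the freed 72-byte region, and confirm that the bracketed shadow byte is the one ASan's mapping predicts for that address. The parser below is an added example, not code from LLVM or from the bug report; it runs on a constructed, shortened copy of the report (frame lists trimmed), assumes the default x86_64 Linux shadow mapping (shadow = (addr >> 3) + 0x7fff8000), and uses an assumed ./opt path when it prints llvm-symbolizer commands.

```python
"""Triage helper for AddressSanitizer heap-use-after-free reports.

Added example, not code from LLVM or the bug report. SAMPLE_REPORT is a
constructed, shortened copy of the report in the mail (frame lists trimmed).
The shadow mapping constants are ASan's x86_64 Linux defaults.
"""
import re

SAMPLE_REPORT = """\
==280124==ERROR: AddressSanitizer: heap-use-after-free on address
0x607000010e98 at pc 0x0000074d6b01 bp 0x7ffeac5a69d0 sp 0x7ffeac5a69c8
READ of size 1 at 0x607000010e98 thread T0
    #0 0x74d6b00 (opt+0x74d6b00)
    #1 0x74d42d9 (opt+0x74d42d9)
0x607000010e98 is located 24 bytes inside of 72-byte region
[0x607000010e80,0x607000010ec8)
freed by thread T0 here:
    #0 0x670aad (opt+0x670aad)
    #1 0x5f81e63 (opt+0x5f81e63)
    #2 0x5cbb5bd (opt+0x5cbb5bd)
    #3 0x74d5e56 (opt+0x74d5e56)
previously allocated by thread T0 here:
    #0 0x67024d (opt+0x67024d)
    #1 0x613e45c (opt+0x613e45c)
SUMMARY: AddressSanitizer: heap-use-after-free (opt+0x74d6b00)
Shadow bytes around the buggy address:
=>0x0c0e7fffa1d0: fd fd fd[fd]fd fd fd fd fd fa fa fa fa fa fd fd
"""

# Default x86_64 Linux mapping: one shadow byte per 8-byte granule.
SHADOW_SCALE = 3
SHADOW_OFFSET = 0x7FFF8000

HEX = r"0x[0-9a-f]+"
FRAME_RE = re.compile(r"^\s*#\d+\s+" + HEX + r"\s+\((\S+?)\+(" + HEX + r")\)", re.M)


def shadow_address(addr):
    """Address of the shadow byte describing the granule that contains addr."""
    return (addr >> SHADOW_SCALE) + SHADOW_OFFSET


def parse_frames(section):
    """[(module, offset)] for the unsymbolised frames of one stack trace."""
    return [(m.group(1), int(m.group(2), 16)) for m in FRAME_RE.finditer(section)]


def parse_marked_shadow_row(text):
    """Row base address, index of the bracketed cell, and that cell's value."""
    m = re.search(r"^=>(" + HEX + r"):(.*)$", text, re.M)
    cells = re.findall(r"(\[?)([0-9a-f]{2})\]?", m.group(2))
    marked = next(i for i, (bracket, _) in enumerate(cells) if bracket)
    return int(m.group(1), 16), marked, cells[marked][1]


def triage(text):
    """Pull out the fields a triager checks first in one ASan report."""
    kind = re.search(r"AddressSanitizer: ([\w-]+) on address\s+(" + HEX + ")", text)
    access = re.search(r"^(READ|WRITE) of size (\d+) at", text, re.M)
    region = re.search(r"inside of \d+-byte region\s*\[(" + HEX + r"),(" + HEX + r")\)", text)
    addr = int(kind.group(2), 16)
    lo, hi = int(region.group(1), 16), int(region.group(2), 16)

    # Carve the access, free and allocation traces apart by their header lines.
    cuts = [re.search(p, text, re.M).start() for p in
            (r"^(?:READ|WRITE) of size", r"^freed by thread",
             r"^previously allocated by thread", r"^SUMMARY:")]
    frames = [parse_frames(text[a:b]) for a, b in zip(cuts, cuts[1:])]

    row_addr, marked, byte = parse_marked_shadow_row(text)
    shadow = shadow_address(addr)
    return {
        "bug": kind.group(1),
        "address": addr,
        "access": (access.group(1), int(access.group(2))),
        "region": (lo, hi),
        "region_size": hi - lo,
        "offset_in_region": addr - lo,
        "in_region": lo <= addr < hi,
        "shadow_address": shadow,
        "shadow_byte": byte,
        # The bracketed cell must be exactly the shadow byte of the faulting address.
        "shadow_row_consistent": shadow == row_addr + marked,
        # 'fd' is the "freed heap region" legend entry; an access inside a freed
        # chunk is a use-after-free, not a redzone overflow ('fa') or stack misuse.
        "looks_like_uaf": byte == "fd" and lo <= addr < hi,
        "access_frames": frames[0],
        "free_frames": frames[1],
        "alloc_frames": frames[2],
    }


def symbolizer_commands(result, module_path="./opt"):
    """Shell lines that resolve module+offset frames with llvm-symbolizer.

    module_path is an assumed location of the instrumented opt binary.
    """
    cmds = []
    for name in ("access_frames", "free_frames", "alloc_frames"):
        offsets = " ".join(hex(off) for _, off in result[name])
        cmds.append(f"llvm-symbolizer --obj={module_path} {offsets}")
    return cmds


if __name__ == "__main__":
    r = triage(SAMPLE_REPORT)
    print(f"{r['bug']}: {r['access'][0]} of {r['access'][1]} byte(s) at {r['address']:#x}, "
          f"{r['offset_in_region']} bytes into a freed {r['region_size']}-byte chunk; "
          f"shadow {r['shadow_byte']} at {r['shadow_address']:#x}, "
          f"row consistent: {r['shadow_row_consistent']}")
    for cmd in symbolizer_commands(r):
        print(cmd)
```

For the real report, pass the full mail body in place of SAMPLE_REPORT. The llvm-symbolizer lines only give meaningful file:line results against the same ASan-instrumented opt binary that produced the report; ASan would have symbolised the frames itself had llvm-symbolizer been on PATH (or named by ASAN_SYMBOLIZER_PATH) when the reproducer was run.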