[llvm] [SelectionDAG] Fix null pointer dereference in resolveDanglingDebugInfo (PR #173947)
via llvm-commits
llvm-commits at lists.llvm.org
Mon Dec 29 19:51:20 PST 2025
https://github.com/MetalOxideSemi updated https://github.com/llvm/llvm-project/pull/173947
>From ee499cdabc35f445a036544e7f75800263b0c5ff Mon Sep 17 00:00:00 2001
From: Haoren Wang <haorenwange2 at outlook.com>
Date: Tue, 30 Dec 2025 11:08:19 +0800
Subject: [PATCH] [SelectionDAG] Fix null pointer dereference in
resolveDanglingDebugInfo
When handling dbg_value intrinsics for aggregate types containing
empty structs, Val.getNode() could return null, causing a crash
when attempting to dereference it.
This patch adds a null check before accessing Val.getNode() in
resolveDanglingDebugInfo, preventing the crash while maintaining
correct debug info handling for valid cases.
The issue was triggered by:
1. A dbg_value intrinsic referencing an aggregate type with empty structs
2. An insertvalue operation that gets lowered to a null SDNode
3. Attempting to dereference the null node in resolveDanglingDebugInfo
Added regression test in CodeGen/{X86|AArch64}/selectiondag-dbgvalue-null-crash.ll
---
.../SelectionDAG/SelectionDAGBuilder.cpp | 2 +-
.../selectiondag-dbgvalue-null-crash.ll | 45 +++++++++++++++++++
.../X86/selectiondag-dbgvalue-null-crash.ll | 45 +++++++++++++++++++
3 files changed, 91 insertions(+), 1 deletion(-)
create mode 100644 llvm/test/CodeGen/AArch64/selectiondag-dbgvalue-null-crash.ll
create mode 100644 llvm/test/CodeGen/X86/selectiondag-dbgvalue-null-crash.ll
diff --git a/llvm/lib/CodeGen/SelectionDAG/SelectionDAGBuilder.cpp b/llvm/lib/CodeGen/SelectionDAG/SelectionDAGBuilder.cpp
index c915cc058b4c5..d570581a8d608 100644
--- a/llvm/lib/CodeGen/SelectionDAG/SelectionDAGBuilder.cpp
+++ b/llvm/lib/CodeGen/SelectionDAG/SelectionDAGBuilder.cpp
@@ -1505,7 +1505,6 @@ void SelectionDAGBuilder::resolveDanglingDebugInfo(const Value *V,
DanglingDebugInfoVector &DDIV = DanglingDbgInfoIt->second;
for (auto &DDI : DDIV) {
DebugLoc DL = DDI.getDebugLoc();
- unsigned ValSDNodeOrder = Val.getNode()->getIROrder();
unsigned DbgSDNodeOrder = DDI.getSDNodeOrder();
DILocalVariable *Variable = DDI.getVariable();
DIExpression *Expr = DDI.getExpression();
@@ -1519,6 +1518,7 @@ void SelectionDAGBuilder::resolveDanglingDebugInfo(const Value *V,
// in the first place we should not be more successful here). Unless we
// have some test case that prove this to be correct we should avoid
// calling EmitFuncArgumentDbgValue here.
+ unsigned ValSDNodeOrder = Val.getNode()->getIROrder();
if (!EmitFuncArgumentDbgValue(V, Variable, Expr, DL,
FuncArgumentDbgValueKind::Value, Val)) {
LLVM_DEBUG(dbgs() << "Resolve dangling debug info for "
diff --git a/llvm/test/CodeGen/AArch64/selectiondag-dbgvalue-null-crash.ll b/llvm/test/CodeGen/AArch64/selectiondag-dbgvalue-null-crash.ll
new file mode 100644
index 0000000000000..45e688f543a86
--- /dev/null
+++ b/llvm/test/CodeGen/AArch64/selectiondag-dbgvalue-null-crash.ll
@@ -0,0 +1,45 @@
+; NOTE: Assertions have been autogenerated by utils/update_llc_test_checks.py UTC_ARGS: --version 6
+; RUN: llc < %s -mtriple=aarch64-unknown-linux-gnu | FileCheck %s
+; REQUIRES: system-linux
+; REQUIRES: x86-host
+; REQUIRES: x86-registered-target, aarch64-registered-target
+
+; Regression test for a null pointer dereference in
+; SelectionDAG::resolveDanglingDebugInfo when Val.getNode() returns null
+; for aggregate types with nested empty structs.
+;
+; FIXME: This test appears to reveal deeper bugs in DWARF generation logic
+; under certain host/target combinations. For now, we restrict it to Linux
+; hosts only until those underlying issues are fixed.
+
+; CHECK-LABEL: test_empty_struct_debug:
+; CHECK: ret
+
+; The crash occurred when:
+; 1. A dbg_value references an aggregate type containing empty structs {}
+; 2. An insertvalue operation on such types gets lowered by SelectionDAG
+; 3. The resulting SDValue has a null node, causing a crash when accessed
+
+define void @test_empty_struct_debug() !dbg !4 {
+entry:
+ %tmp = alloca { { i1, {} }, ptr, { { {} }, { {} } }, i64 }, align 8
+ #dbg_value({ { {} }, { {} } } zeroinitializer, !5, !DIExpression(), !6)
+ #dbg_value(i64 2, !7, !DIExpression(), !6)
+ %0 = insertvalue { { i1, {} }, ptr, { { {} }, { {} } }, i64 } { { i1, {} } zeroinitializer, ptr null, { { {} }, { {} } } zeroinitializer, i64 2 }, ptr null, 1, !dbg !6
+ %1 = insertvalue { { i1, {} }, ptr, { { {} }, { {} } }, i64 } %0, { i1, {} } zeroinitializer, 0, !dbg !8
+ store { { i1, {} }, ptr, { { {} }, { {} } }, i64 } %1, ptr %tmp, align 8
+ ret void
+}
+
+!llvm.dbg.cu = !{!0}
+!llvm.module.flags = !{!2, !3}
+
+!0 = distinct !DICompileUnit(language: DW_LANG_C11, file: !1, isOptimized: false, runtimeVersion: 0, emissionKind: LineTablesOnly)
+!1 = !DIFile(filename: "test_selectiondag.cpp", directory: "/home/AnonTokyo/documents/llvm-project/temp")
+!2 = !{i32 2, !"Debug Info Version", i32 3}
+!3 = !{i32 2, !"Dwarf Version", i32 4}
+!4 = distinct !DISubprogram(name: "test_empty_struct_debug", scope: !1, file: !1, line: 1, scopeLine: 1, spFlags: DISPFlagDefinition, unit: !0)
+!5 = !DILocalVariable(name: "v1", scope: !4, file: !1, line: 2)
+!6 = !DILocation(line: 2, column: 1, scope: !4)
+!7 = !DILocalVariable(name: "v2", scope: !4, file: !1, line: 3)
+!8 = !DILocation(line: 3, column: 1, scope: !4)
diff --git a/llvm/test/CodeGen/X86/selectiondag-dbgvalue-null-crash.ll b/llvm/test/CodeGen/X86/selectiondag-dbgvalue-null-crash.ll
new file mode 100644
index 0000000000000..7ef4e41fd36ad
--- /dev/null
+++ b/llvm/test/CodeGen/X86/selectiondag-dbgvalue-null-crash.ll
@@ -0,0 +1,45 @@
+; NOTE: Assertions have been autogenerated by utils/update_llc_test_checks.py UTC_ARGS: --version 6
+; RUN: llc < %s -mtriple=x86_64-unknown-linux-gnu | FileCheck %s
+; REQUIRES: system-linux
+; REQUIRES: x86-host
+; REQUIRES: x86-registered-target, aarch64-registered-target
+
+; Regression test for a null pointer dereference in
+; SelectionDAG::resolveDanglingDebugInfo when Val.getNode() returns null
+; for aggregate types with nested empty structs.
+;
+; FIXME: This test appears to reveal deeper bugs in DWARF generation logic
+; under certain host/target combinations. For now, we restrict it to Linux
+; hosts only until those underlying issues are fixed.
+
+; CHECK-LABEL: test_empty_struct_debug:
+; CHECK: retq
+
+; The crash occurred when:
+; 1. A dbg_value references an aggregate type containing empty structs {}
+; 2. An insertvalue operation on such types gets lowered by SelectionDAG
+; 3. The resulting SDValue has a null node, causing a crash when accessed
+
+define void @test_empty_struct_debug() !dbg !4 {
+entry:
+ %tmp = alloca { { i1, {} }, ptr, { { {} }, { {} } }, i64 }, align 8
+ #dbg_value({ { {} }, { {} } } zeroinitializer, !5, !DIExpression(), !6)
+ #dbg_value(i64 2, !7, !DIExpression(), !6)
+ %0 = insertvalue { { i1, {} }, ptr, { { {} }, { {} } }, i64 } { { i1, {} } zeroinitializer, ptr null, { { {} }, { {} } } zeroinitializer, i64 2 }, ptr null, 1, !dbg !6
+ %1 = insertvalue { { i1, {} }, ptr, { { {} }, { {} } }, i64 } %0, { i1, {} } zeroinitializer, 0, !dbg !8
+ store { { i1, {} }, ptr, { { {} }, { {} } }, i64 } %1, ptr %tmp, align 8
+ ret void
+}
+
+!llvm.dbg.cu = !{!0}
+!llvm.module.flags = !{!2, !3}
+
+!0 = distinct !DICompileUnit(language: DW_LANG_C11, file: !1, isOptimized: false, runtimeVersion: 0, emissionKind: LineTablesOnly)
+!1 = !DIFile(filename: "test_selectiondag.cpp", directory: "/home/AnonTokyo/documents/llvm-project/temp")
+!2 = !{i32 2, !"Debug Info Version", i32 3}
+!3 = !{i32 2, !"Dwarf Version", i32 4}
+!4 = distinct !DISubprogram(name: "test_empty_struct_debug", scope: !1, file: !1, line: 1, scopeLine: 1, spFlags: DISPFlagDefinition, unit: !0)
+!5 = !DILocalVariable(name: "v1", scope: !4, file: !1, line: 2)
+!6 = !DILocation(line: 2, column: 1, scope: !4)
+!7 = !DILocalVariable(name: "v2", scope: !4, file: !1, line: 3)
+!8 = !DILocation(line: 3, column: 1, scope: !4)
More information about the llvm-commits
mailing list