[LLVMdev] Crash on invalid during LLVMContext destruction MDNode::dropAllReferences

Duncan P. N. Exon Smith dexonsmith at apple.com
Wed Jan 14 09:05:28 PST 2015


> On 2015 Jan 14, at 07:58, Duncan P. N. Exon Smith <dexonsmith at apple.com> wrote:
> 
>> 
>> On 2015 Jan 13, at 23:59, David Blaikie <dblaikie at gmail.com> wrote:
>> 
>> 
>> 
>> On Tue, Jan 13, 2015 at 11:48 PM, Duncan Exon Smith <dexonsmith at apple.com> wrote:
>> Not at a computer right now, but it looks like teardown isn't working correctly.  Do you have an asserts build?  Does an assertion fire there?
>> 
>> That was with an asserts build.
>> 
>> Looking at the stack trace, dropAllReferences() is being called on a node, so it sets its operands to nullptr, and some operand has RAUW support (so the tracking needs to be dropped) but looks like it might have been deleted or is otherwise corrupt.  Hard to tell though.
>> 
>> Does this reproduce from preprocessed source?   Can you send it to me?
>> 
>> Or maybe that's a test case in your email.  I'll try it in the morning.
>> 
>> Yeah, just the test code in the original email is what I reproduced the linked list error with - some variations of it produced the assertion... maybe valgrinding or asanified clang would make the failure more reliable, etc.
>> 
> 
> The version here doesn't repro for me (don't have an asan build handy --
> I'll build one -- but I tried the weaker gmalloc).  I tried messing with
> it but nothing happened.
> 
> Can you send a version that gets the stack trace?
> 
> (What revision is this, by the way?  ToT as of last night?)

Asan didn't find it either, and then I realized I was using the RUN line
instead of the command-line you were using (with -g).  So the asan dump
follows.

I'll look into this when I get to work.  Definitely from my stuff somehow.

$ /Users/dexonsmith/data/llvm.asan/staging/bin/clang -cc1 crash.cpp -g -emit-obj -fexceptions -fcxx-exceptions
crash.cpp:13:1: error: C++ requires a type specifier for all declarations
x;
^
1 error generated.
=================================================================
==3013==ERROR: AddressSanitizer: heap-use-after-free on address 0x60600000b5c0 at pc 0x00010b1a5454 bp 0x7fff54cdbb40 sp 0x7fff54cdbb38
READ of size 1 at 0x60600000b5c0 thread T0
    #0 0x10b1a5453 in llvm::Metadata::getMetadataID() const (/Users/dexonsmith/data/llvm.asan/staging/bin/clang+0x100284453)
    #1 0x10c4a8468 in llvm::ReplaceableMetadataImpl::replaceAllUsesWith(llvm::Metadata*) (/Users/dexonsmith/data/llvm.asan/staging/bin/clang+0x101587468)
    #2 0x10c4a9317 in llvm::ValueAsMetadata::handleDeletion(llvm::Value*) (/Users/dexonsmith/data/llvm.asan/staging/bin/clang+0x101588317)
    #3 0x10c4f5be0 in llvm::Value::~Value() (/Users/dexonsmith/data/llvm.asan/staging/bin/clang+0x1015d4be0)
    #4 0x10c35f22d in llvm::ConstantInt::~ConstantInt() (/Users/dexonsmith/data/llvm.asan/staging/bin/clang+0x10143e22d)
    #5 0x10c47e9b3 in void llvm::DeleteContainerSeconds<llvm::DenseMap<llvm::APInt, llvm::ConstantInt*, llvm::DenseMapAPIntKeyInfo, llvm::detail::DenseMapPair<llvm::APInt, llvm::ConstantInt*> > >(llvm::DenseMap<llvm::APInt, llvm::ConstantInt*, llvm::DenseMapAPIntKeyInfo, llvm::detail::DenseMapPair<llvm::APInt, llvm::ConstantInt*> >&) (/Users/dexonsmith/data/llvm.asan/staging/bin/clang+0x10155d9b3)
    #6 0x10c47c524 in llvm::LLVMContextImpl::~LLVMContextImpl() (/Users/dexonsmith/data/llvm.asan/staging/bin/clang+0x10155b524)
    #7 0x10c47a07e in llvm::LLVMContext::~LLVMContext() (/Users/dexonsmith/data/llvm.asan/staging/bin/clang+0x10155907e)
    #8 0x10d68b2bb in clang::CodeGenAction::~CodeGenAction() (/Users/dexonsmith/data/llvm.asan/staging/bin/clang+0x10276a2bb)
    #9 0x10d68f83d in clang::EmitObjAction::~EmitObjAction() (/Users/dexonsmith/data/llvm.asan/staging/bin/clang+0x10276e83d)
    #10 0x10cfeb6ad in clang::ExecuteCompilerInvocation(clang::CompilerInstance*) (/Users/dexonsmith/data/llvm.asan/staging/bin/clang+0x1020ca6ad)
    #11 0x10af2f768 in cc1_main(llvm::ArrayRef<char const*>, char const*, void*) (/Users/dexonsmith/data/llvm.asan/staging/bin/clang+0x10000e768)
    #12 0x10af249a6 in ExecuteCC1Tool(llvm::ArrayRef<char const*>, llvm::StringRef) (/Users/dexonsmith/data/llvm.asan/staging/bin/clang+0x1000039a6)
    #13 0x10af23aea in main (/Users/dexonsmith/data/llvm.asan/staging/bin/clang+0x100002aea)
    #14 0x7fff99d2a5c8 in start (/usr/lib/system/libdyld.dylib+0x35c8)
    #15 0x6  (<unknown module>)

0x60600000b5c0 is located 32 bytes inside of 64-byte region [0x60600000b5a0,0x60600000b5e0)
freed by thread T0 here:
    #0 0x113dcd0e9 in wrap__ZdlPv (/SWE/Apps/DT/Binaries/OzarkFamily/Binaries2/clang/clang-602.0.31~1/Root/Applications/Xcode.app/Contents/Developer/Toolchains/XcodeDefault.xctoolchain/usr/lib/clang/6.1.0/lib/darwin/libclang_rt.asan_osx_dynamic.dylib+0x430e9)
    #1 0x10c4a84ee in llvm::ReplaceableMetadataImpl::replaceAllUsesWith(llvm::Metadata*) (/Users/dexonsmith/data/llvm.asan/staging/bin/clang+0x1015874ee)
    #2 0x10c4a9317 in llvm::ValueAsMetadata::handleDeletion(llvm::Value*) (/Users/dexonsmith/data/llvm.asan/staging/bin/clang+0x101588317)
    #3 0x10c4f5be0 in llvm::Value::~Value() (/Users/dexonsmith/data/llvm.asan/staging/bin/clang+0x1015d4be0)
    #4 0x10c35f22d in llvm::ConstantInt::~ConstantInt() (/Users/dexonsmith/data/llvm.asan/staging/bin/clang+0x10143e22d)
    #5 0x10c47e9b3 in void llvm::DeleteContainerSeconds<llvm::DenseMap<llvm::APInt, llvm::ConstantInt*, llvm::DenseMapAPIntKeyInfo, llvm::detail::DenseMapPair<llvm::APInt, llvm::ConstantInt*> > >(llvm::DenseMap<llvm::APInt, llvm::ConstantInt*, llvm::DenseMapAPIntKeyInfo, llvm::detail::DenseMapPair<llvm::APInt, llvm::ConstantInt*> >&) (/Users/dexonsmith/data/llvm.asan/staging/bin/clang+0x10155d9b3)
    #6 0x10c47c524 in llvm::LLVMContextImpl::~LLVMContextImpl() (/Users/dexonsmith/data/llvm.asan/staging/bin/clang+0x10155b524)
    #7 0x10c47a07e in llvm::LLVMContext::~LLVMContext() (/Users/dexonsmith/data/llvm.asan/staging/bin/clang+0x10155907e)
    #8 0x10d68b2bb in clang::CodeGenAction::~CodeGenAction() (/Users/dexonsmith/data/llvm.asan/staging/bin/clang+0x10276a2bb)
    #9 0x10d68f83d in clang::EmitObjAction::~EmitObjAction() (/Users/dexonsmith/data/llvm.asan/staging/bin/clang+0x10276e83d)
    #10 0x10cfeb6ad in clang::ExecuteCompilerInvocation(clang::CompilerInstance*) (/Users/dexonsmith/data/llvm.asan/staging/bin/clang+0x1020ca6ad)
    #11 0x10af2f768 in cc1_main(llvm::ArrayRef<char const*>, char const*, void*) (/Users/dexonsmith/data/llvm.asan/staging/bin/clang+0x10000e768)
    #12 0x10af249a6 in ExecuteCC1Tool(llvm::ArrayRef<char const*>, llvm::StringRef) (/Users/dexonsmith/data/llvm.asan/staging/bin/clang+0x1000039a6)
    #13 0x10af23aea in main (/Users/dexonsmith/data/llvm.asan/staging/bin/clang+0x100002aea)
    #14 0x7fff99d2a5c8 in start (/usr/lib/system/libdyld.dylib+0x35c8)
    #15 0x6  (<unknown module>)

previously allocated by thread T0 here:
    #0 0x113dccb69 in wrap__Znwm (/SWE/Apps/DT/Binaries/OzarkFamily/Binaries2/clang/clang-602.0.31~1/Root/Applications/Xcode.app/Contents/Developer/Toolchains/XcodeDefault.xctoolchain/usr/lib/clang/6.1.0/lib/darwin/libclang_rt.asan_osx_dynamic.dylib+0x42b69)
    #1 0x10c4a9f35 in llvm::MDNode::operator new(unsigned long, unsigned int) (/Users/dexonsmith/data/llvm.asan/staging/bin/clang+0x101588f35)
    #2 0x10c4abc1a in llvm::MDTuple::getImpl(llvm::LLVMContext&, llvm::ArrayRef<llvm::Metadata*>, bool) (/Users/dexonsmith/data/llvm.asan/staging/bin/clang+0x10158ac1a)
    #3 0x10c3af5ed in llvm::DebugLoc::get(unsigned int, unsigned int, llvm::MDNode*, llvm::MDNode*) (/Users/dexonsmith/data/llvm.asan/staging/bin/clang+0x10148e5ed)
    #4 0x10d4fa18c in clang::CodeGen::CGDebugInfo::EmitDeclare(clang::VarDecl const*, llvm::dwarf::LLVMConstants, llvm::Value*, unsigned int, llvm::IRBuilder<true, llvm::ConstantFolder, clang::CodeGen::CGBuilderInserter<true> >&) (/Users/dexonsmith/data/llvm.asan/staging/bin/clang+0x1025d918c)
    #5 0x10d517b0d in clang::CodeGen::CodeGenFunction::EmitParmDecl(clang::VarDecl const&, llvm::Value*, bool, unsigned int) (/Users/dexonsmith/data/llvm.asan/staging/bin/clang+0x1025f6b0d)
    #6 0x10d4a6a1f in clang::CodeGen::CodeGenFunction::EmitFunctionProlog(clang::CodeGen::CGFunctionInfo const&, llvm::Function*, clang::CodeGen::FunctionArgList const&) (/Users/dexonsmith/data/llvm.asan/staging/bin/clang+0x102585a1f)
    #7 0x10d6968cc in clang::CodeGen::CodeGenFunction::StartFunction(clang::GlobalDecl, clang::QualType, llvm::Function*, clang::CodeGen::CGFunctionInfo const&, clang::CodeGen::FunctionArgList const&, clang::SourceLocation, clang::SourceLocation) (/Users/dexonsmith/data/llvm.asan/staging/bin/clang+0x1027758cc)
    #8 0x10d698b26 in clang::CodeGen::CodeGenFunction::GenerateCode(clang::GlobalDecl, llvm::Function*, clang::CodeGen::CGFunctionInfo const&) (/Users/dexonsmith/data/llvm.asan/staging/bin/clang+0x102777b26)
    #9 0x10d494e58 in clang::CodeGen::CodeGenModule::codegenCXXStructor(clang::CXXMethodDecl const*, clang::CodeGen::StructorType) (/Users/dexonsmith/data/llvm.asan/staging/bin/clang+0x102573e58)
    #10 0x10d75f36d in (anonymous namespace)::ItaniumCXXABI::emitCXXStructor(clang::CXXMethodDecl const*, clang::CodeGen::StructorType) (/Users/dexonsmith/data/llvm.asan/staging/bin/clang+0x10283e36d)
    #11 0x10d6ae224 in clang::CodeGen::CodeGenModule::EmitGlobalDefinition(clang::GlobalDecl, llvm::GlobalValue*) (/Users/dexonsmith/data/llvm.asan/staging/bin/clang+0x10278d224)
    #12 0x10d6b18c7 in clang::CodeGen::CodeGenModule::EmitGlobal(clang::GlobalDecl) (/Users/dexonsmith/data/llvm.asan/staging/bin/clang+0x1027908c7)
    #13 0x10d759319 in (anonymous namespace)::ItaniumCXXABI::EmitCXXConstructors(clang::CXXConstructorDecl const*) (/Users/dexonsmith/data/llvm.asan/staging/bin/clang+0x102838319)
    #14 0x10d6b5d0a in clang::CodeGen::CodeGenModule::EmitTopLevelDecl(clang::Decl*) (/Users/dexonsmith/data/llvm.asan/staging/bin/clang+0x102794d0a)
    #15 0x10d78fa0c in (anonymous namespace)::CodeGeneratorImpl::HandleTopLevelDecl(clang::DeclGroupRef) (/Users/dexonsmith/data/llvm.asan/staging/bin/clang+0x10286ea0c)
    #16 0x10d68e7b2 in clang::BackendConsumer::HandleTopLevelDecl(clang::DeclGroupRef) (/Users/dexonsmith/data/llvm.asan/staging/bin/clang+0x10276d7b2)
    #17 0x10dd927a9 in clang::ParseAST(clang::Sema&, bool, bool) (/Users/dexonsmith/data/llvm.asan/staging/bin/clang+0x102e717a9)
    #18 0x10d68c96c in clang::CodeGenAction::ExecuteAction() (/Users/dexonsmith/data/llvm.asan/staging/bin/clang+0x10276b96c)
    #19 0x10cf7a59c in clang::FrontendAction::Execute() (/Users/dexonsmith/data/llvm.asan/staging/bin/clang+0x10205959c)
    #20 0x10cf06beb in clang::CompilerInstance::ExecuteAction(clang::FrontendAction&) (/Users/dexonsmith/data/llvm.asan/staging/bin/clang+0x101fe5beb)
    #21 0x10cfeb5c4 in clang::ExecuteCompilerInvocation(clang::CompilerInstance*) (/Users/dexonsmith/data/llvm.asan/staging/bin/clang+0x1020ca5c4)
    #22 0x10af2f768 in cc1_main(llvm::ArrayRef<char const*>, char const*, void*) (/Users/dexonsmith/data/llvm.asan/staging/bin/clang+0x10000e768)
    #23 0x10af249a6 in ExecuteCC1Tool(llvm::ArrayRef<char const*>, llvm::StringRef) (/Users/dexonsmith/data/llvm.asan/staging/bin/clang+0x1000039a6)
    #24 0x10af23aea in main (/Users/dexonsmith/data/llvm.asan/staging/bin/clang+0x100002aea)
    #25 0x7fff99d2a5c8 in start (/usr/lib/system/libdyld.dylib+0x35c8)
    #26 0x6  (<unknown module>)

SUMMARY: AddressSanitizer: heap-use-after-free ??:0 llvm::Metadata::getMetadataID() const
Shadow bytes around the buggy address:
  0x1c0c00001660: 00 00 00 00 00 00 00 00 fa fa fa fa 00 00 00 00
  0x1c0c00001670: 00 00 00 00 fa fa fa fa fd fd fd fd fd fd fd fd
  0x1c0c00001680: fa fa fa fa 00 00 00 00 00 00 00 fa fa fa fa fa
  0x1c0c00001690: fd fd fd fd fd fd fd fd fa fa fa fa fd fd fd fd
  0x1c0c000016a0: fd fd fd fd fa fa fa fa fd fd fd fd fd fd fd fd
=>0x1c0c000016b0: fa fa fa fa fd fd fd fd[fd]fd fd fd fa fa fa fa
  0x1c0c000016c0: 00 00 00 00 00 00 00 00 fa fa fa fa 00 00 00 00
  0x1c0c000016d0: 00 00 00 00 fa fa fa fa 00 00 00 00 00 00 01 fa
  0x1c0c000016e0: fa fa fa fa 00 00 00 00 00 00 00 00 fa fa fa fa
  0x1c0c000016f0: fd fd fd fd fd fd fd fd fa fa fa fa fd fd fd fd
  0x1c0c00001700: fd fd fd fd fa fa fa fa 00 00 00 00 00 00 00 fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  ASan internal:           fe
==3013==ABORTING
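The trace above shows the same path twice: the freed MDNode was released from ReplaceableMetadataImpl::replaceAllUsesWith (called from ValueAsMetadata::handleDeletion while ~ConstantInt runs during LLVMContextImpl teardown), and the bad read of Metadata::getMetadataID() happens in that same RAUW walk. The added model below is not LLVM's code and not part of the thread; it reduces the bug class to its essentials: a tracked operand keeps a use list of raw back-pointers to its users, and if a user is freed without leaving that list, the walk on deletion touches freed memory. The names TrackedOperand, Node, dropAllReferencesLeaky and teardown are invented for the model. Rather than dereferencing the dangling pointer (which is what the real crash does), the model keeps a "shadow" set of live nodes, in the spirit of ASan's shadow bytes, and counts entries that would be a heap-use-after-free. It simplifies one thing: in the dump the node is freed inside replaceAllUsesWith itself, whereas here the stale entry comes from freeing the nodes before the operand's deletion handler runs.

```cpp
#include <algorithm>
#include <cstddef>
#include <cstdio>
#include <memory>
#include <set>
#include <vector>

// Added model (not LLVM's code). TrackedOperand stands in for ValueAsMetadata,
// which keeps raw back-pointers to its users so it can replace itself in them
// when its Value is deleted. Node stands in for an MDNode whose operands have
// RAUW support.

struct Node;

// Toy "shadow": a node is addressable while it is in the set, freed once it
// leaves. The real ASan shadow bytes in the dump play the same role.
static std::set<const Node*> g_live;

struct TrackedOperand {
    std::vector<Node*> users;  // use list: raw pointers, no ownership

    void addUser(Node* n) { users.push_back(n); }
    void removeUser(Node* n) {
        users.erase(std::remove(users.begin(), users.end(), n), users.end());
    }

    // Mirrors handleDeletion -> replaceAllUsesWith walking the use list.
    // Returns how many entries point at already-freed nodes, i.e. the reads
    // that ASan would report as heap-use-after-free.
    std::size_t handleDeletion() {
        std::size_t stale = 0;
        for (Node* n : users)
            if (g_live.count(n) == 0) ++stale;  // would be the UAF read
        users.clear();
        return stale;
    }
};

struct Node {
    std::vector<TrackedOperand*> operands;

    Node() { g_live.insert(this); }
    ~Node() { g_live.erase(this); }

    void addOperand(TrackedOperand* op) {
        operands.push_back(op);
        op->addUser(this);
    }
    // Buggy variant: nulls the operands but stays in their use lists.
    void dropAllReferencesLeaky() {
        for (auto& op : operands) op = nullptr;
    }
    // Fixed variant: unregister from each tracked operand before nulling it.
    void dropAllReferences() {
        for (auto& op : operands) {
            if (op) op->removeUser(this);
            op = nullptr;
        }
    }
};

// Plays out context teardown in the order the trace shows: the nodes are
// dropped and freed first, then the tracked operand (the ConstantInt in the
// dump) is deleted, which walks whatever is still in its use list.
static std::size_t teardown(bool fixed) {
    std::unique_ptr<TrackedOperand> op(new TrackedOperand);
    std::vector<std::unique_ptr<Node>> nodes;
    for (int i = 0; i < 3; ++i) {
        nodes.emplace_back(new Node);
        nodes.back()->addOperand(op.get());
    }
    for (auto& n : nodes) {
        if (fixed) n->dropAllReferences();
        else       n->dropAllReferencesLeaky();
    }
    nodes.clear();               // frees the nodes; no allocation happens before the walk
    return op->handleDeletion(); // the ~ConstantInt -> handleDeletion step
}

std::size_t staleUsesWithoutFix() { return teardown(false); }
std::size_t staleUsesWithFix()    { return teardown(true); }

int main() {
    std::printf("stale users without fix: %zu\n", staleUsesWithoutFix());
    std::printf("stale users with fix:    %zu\n", staleUsesWithFix());
    return 0;
}
```

The two outcomes (three stale entries versus none) show the invariant an asserts build or ASan is checking for you: every node in a tracked operand's use list must still be alive when the operand is deleted, so either dropAllReferences has to unregister the node, or teardown has to destroy tracked operands before the nodes that use them.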