[LLVMdev] Crash on invalid during LLVMContext destruction MDNode::dropAllReferences
David Blaikie
dblaikie at gmail.com
Wed Jan 14 09:24:52 PST 2015
On Wed, Jan 14, 2015 at 9:05 AM, Duncan P. N. Exon Smith <
dexonsmith at apple.com> wrote:
>
> > On 2015 Jan 14, at 07:58, Duncan P. N. Exon Smith <dexonsmith at apple.com>
> wrote:
> >
> >>
> >> On 2015 Jan 13, at 23:59, David Blaikie <dblaikie at gmail.com> wrote:
> >>
> >>
> >>
> >> On Tue, Jan 13, 2015 at 11:48 PM, Duncan Exon Smith <
> dexonsmith at apple.com> wrote:
> >> Not at a computer right now, but it looks like teardown isn't working
> correctly. Do you have an asserts build? Does an assertion fire there?
> >>
> >> That was with an asserts build.
> >>
> >> Looking at the stack trace, dropAllReferences() is being called on a
> node, so it sets its operands to nullptr, and some operand has RAUW support
> (so the tracking needs to be dropped) but looks like it might have been
> deleted or is otherwise corrupt. Hard to tell though.
> >>
> >> Does this reproduce from preprocessed source? Can you send it to me?
> >>
> >> Or maybe that's a test case in your email. I'll try it in the morning.
> >>
> >> Yeah, just the test code in the original email is what I reproduced the
> linked list error with - some variations of it produced the assertion...
> maybe valgrinding or asanified clang would make the failure more reliable,
> etc.
> >>
> >
> > The version here doesn't repro for me (don't have an asan build handy --
> > I'll build one -- but I tried the weaker gmalloc). I tried messing with
> > it but nothing happened.
> >
> > Can you send a version that gets the stack trace?
> >
> > (What revision is this, by the way? ToT as of last night?)
>
> Asan didn't find it either, and then I realized I was using the RUN line
> instead of the command-line you were using (with -g).
Ah, right - sorry about that red herring.
> So the asan dump follows.
>
Looks related to the stack I was seeing.
> I'll look into this when I get to work. Definitely from my stuff somehow.
>
OK - wasn't any particular rush for me, I just ran into this while writing
test cases for my debug line quality stuff in clang (accidentally
introduced a call to a function that didn't exist, which produced the
crash).
Based on how I saw it, I'm guessing it's something to do with "LLVMContext
has trouble being destroyed if <some task that we only do when successfully
finishing codegen and is skipped if we abort codegen due to an error in the
source> is not done first".
>
> $ /Users/dexonsmith/data/llvm.asan/staging/bin/clang -cc1 crash.cpp -g
> -emit-obj -fexceptions -fcxx-exceptions
> crash.cpp:13:1: error: C++ requires a type specifier for all declarations
> x;
> ^
> 1 error generated.
> =================================================================
> ==3013==ERROR: AddressSanitizer: heap-use-after-free on address
> 0x60600000b5c0 at pc 0x00010b1a5454 bp 0x7fff54cdbb40 sp 0x7fff54cdbb38
> READ of size 1 at 0x60600000b5c0 thread T0
> #0 0x10b1a5453 in llvm::Metadata::getMetadataID() const
> (/Users/dexonsmith/data/llvm.asan/staging/bin/clang+0x100284453)
> #1 0x10c4a8468 in
> llvm::ReplaceableMetadataImpl::replaceAllUsesWith(llvm::Metadata*)
> (/Users/dexonsmith/data/llvm.asan/staging/bin/clang+0x101587468)
> #2 0x10c4a9317 in llvm::ValueAsMetadata::handleDeletion(llvm::Value*)
> (/Users/dexonsmith/data/llvm.asan/staging/bin/clang+0x101588317)
> #3 0x10c4f5be0 in llvm::Value::~Value()
> (/Users/dexonsmith/data/llvm.asan/staging/bin/clang+0x1015d4be0)
> #4 0x10c35f22d in llvm::ConstantInt::~ConstantInt()
> (/Users/dexonsmith/data/llvm.asan/staging/bin/clang+0x10143e22d)
> #5 0x10c47e9b3 in void
> llvm::DeleteContainerSeconds<llvm::DenseMap<llvm::APInt,
> llvm::ConstantInt*, llvm::DenseMapAPIntKeyInfo,
> llvm::detail::DenseMapPair<llvm::APInt, llvm::ConstantInt*> >
> >(llvm::DenseMap<llvm::APInt, llvm::ConstantInt*,
> llvm::DenseMapAPIntKeyInfo, llvm::detail::DenseMapPair<llvm::APInt,
> llvm::ConstantInt*> >&)
> (/Users/dexonsmith/data/llvm.asan/staging/bin/clang+0x10155d9b3)
> #6 0x10c47c524 in llvm::LLVMContextImpl::~LLVMContextImpl()
> (/Users/dexonsmith/data/llvm.asan/staging/bin/clang+0x10155b524)
> #7 0x10c47a07e in llvm::LLVMContext::~LLVMContext()
> (/Users/dexonsmith/data/llvm.asan/staging/bin/clang+0x10155907e)
> #8 0x10d68b2bb in clang::CodeGenAction::~CodeGenAction()
> (/Users/dexonsmith/data/llvm.asan/staging/bin/clang+0x10276a2bb)
> #9 0x10d68f83d in clang::EmitObjAction::~EmitObjAction()
> (/Users/dexonsmith/data/llvm.asan/staging/bin/clang+0x10276e83d)
> #10 0x10cfeb6ad in
> clang::ExecuteCompilerInvocation(clang::CompilerInstance*)
> (/Users/dexonsmith/data/llvm.asan/staging/bin/clang+0x1020ca6ad)
> #11 0x10af2f768 in cc1_main(llvm::ArrayRef<char const*>, char const*,
> void*) (/Users/dexonsmith/data/llvm.asan/staging/bin/clang+0x10000e768)
> #12 0x10af249a6 in ExecuteCC1Tool(llvm::ArrayRef<char const*>,
> llvm::StringRef)
> (/Users/dexonsmith/data/llvm.asan/staging/bin/clang+0x1000039a6)
> #13 0x10af23aea in main
> (/Users/dexonsmith/data/llvm.asan/staging/bin/clang+0x100002aea)
> #14 0x7fff99d2a5c8 in start (/usr/lib/system/libdyld.dylib+0x35c8)
> #15 0x6 (<unknown module>)
>
> 0x60600000b5c0 is located 32 bytes inside of 64-byte region
> [0x60600000b5a0,0x60600000b5e0)
> freed by thread T0 here:
> #0 0x113dcd0e9 in wrap__ZdlPv
> (/SWE/Apps/DT/Binaries/OzarkFamily/Binaries2/clang/clang-602.0.31~1/Root/Applications/Xcode.app/Contents/Developer/Toolchains/XcodeDefault.xctoolchain/usr/lib/clang/6.1.0/lib/darwin/libclang_rt.asan_osx_dynamic.dylib+0x430e9)
> #1 0x10c4a84ee in
> llvm::ReplaceableMetadataImpl::replaceAllUsesWith(llvm::Metadata*)
> (/Users/dexonsmith/data/llvm.asan/staging/bin/clang+0x1015874ee)
> #2 0x10c4a9317 in llvm::ValueAsMetadata::handleDeletion(llvm::Value*)
> (/Users/dexonsmith/data/llvm.asan/staging/bin/clang+0x101588317)
> #3 0x10c4f5be0 in llvm::Value::~Value()
> (/Users/dexonsmith/data/llvm.asan/staging/bin/clang+0x1015d4be0)
> #4 0x10c35f22d in llvm::ConstantInt::~ConstantInt()
> (/Users/dexonsmith/data/llvm.asan/staging/bin/clang+0x10143e22d)
> #5 0x10c47e9b3 in void
> llvm::DeleteContainerSeconds<llvm::DenseMap<llvm::APInt,
> llvm::ConstantInt*, llvm::DenseMapAPIntKeyInfo,
> llvm::detail::DenseMapPair<llvm::APInt, llvm::ConstantInt*> >
> >(llvm::DenseMap<llvm::APInt, llvm::ConstantInt*,
> llvm::DenseMapAPIntKeyInfo, llvm::detail::DenseMapPair<llvm::APInt,
> llvm::ConstantInt*> >&)
> (/Users/dexonsmith/data/llvm.asan/staging/bin/clang+0x10155d9b3)
> #6 0x10c47c524 in llvm::LLVMContextImpl::~LLVMContextImpl()
> (/Users/dexonsmith/data/llvm.asan/staging/bin/clang+0x10155b524)
> #7 0x10c47a07e in llvm::LLVMContext::~LLVMContext()
> (/Users/dexonsmith/data/llvm.asan/staging/bin/clang+0x10155907e)
> #8 0x10d68b2bb in clang::CodeGenAction::~CodeGenAction()
> (/Users/dexonsmith/data/llvm.asan/staging/bin/clang+0x10276a2bb)
> #9 0x10d68f83d in clang::EmitObjAction::~EmitObjAction()
> (/Users/dexonsmith/data/llvm.asan/staging/bin/clang+0x10276e83d)
> #10 0x10cfeb6ad in
> clang::ExecuteCompilerInvocation(clang::CompilerInstance*)
> (/Users/dexonsmith/data/llvm.asan/staging/bin/clang+0x1020ca6ad)
> #11 0x10af2f768 in cc1_main(llvm::ArrayRef<char const*>, char const*,
> void*) (/Users/dexonsmith/data/llvm.asan/staging/bin/clang+0x10000e768)
> #12 0x10af249a6 in ExecuteCC1Tool(llvm::ArrayRef<char const*>,
> llvm::StringRef)
> (/Users/dexonsmith/data/llvm.asan/staging/bin/clang+0x1000039a6)
> #13 0x10af23aea in main
> (/Users/dexonsmith/data/llvm.asan/staging/bin/clang+0x100002aea)
> #14 0x7fff99d2a5c8 in start (/usr/lib/system/libdyld.dylib+0x35c8)
> #15 0x6 (<unknown module>)
>
> previously allocated by thread T0 here:
> #0 0x113dccb69 in wrap__Znwm
> (/SWE/Apps/DT/Binaries/OzarkFamily/Binaries2/clang/clang-602.0.31~1/Root/Applications/Xcode.app/Contents/Developer/Toolchains/XcodeDefault.xctoolchain/usr/lib/clang/6.1.0/lib/darwin/libclang_rt.asan_osx_dynamic.dylib+0x42b69)
> #1 0x10c4a9f35 in llvm::MDNode::operator new(unsigned long, unsigned
> int) (/Users/dexonsmith/data/llvm.asan/staging/bin/clang+0x101588f35)
> #2 0x10c4abc1a in llvm::MDTuple::getImpl(llvm::LLVMContext&,
> llvm::ArrayRef<llvm::Metadata*>, bool)
> (/Users/dexonsmith/data/llvm.asan/staging/bin/clang+0x10158ac1a)
> #3 0x10c3af5ed in llvm::DebugLoc::get(unsigned int, unsigned int,
> llvm::MDNode*, llvm::MDNode*)
> (/Users/dexonsmith/data/llvm.asan/staging/bin/clang+0x10148e5ed)
> #4 0x10d4fa18c in
> clang::CodeGen::CGDebugInfo::EmitDeclare(clang::VarDecl const*,
> llvm::dwarf::LLVMConstants, llvm::Value*, unsigned int,
> llvm::IRBuilder<true, llvm::ConstantFolder,
> clang::CodeGen::CGBuilderInserter<true> >&)
> (/Users/dexonsmith/data/llvm.asan/staging/bin/clang+0x1025d918c)
> #5 0x10d517b0d in
> clang::CodeGen::CodeGenFunction::EmitParmDecl(clang::VarDecl const&,
> llvm::Value*, bool, unsigned int)
> (/Users/dexonsmith/data/llvm.asan/staging/bin/clang+0x1025f6b0d)
> #6 0x10d4a6a1f in
> clang::CodeGen::CodeGenFunction::EmitFunctionProlog(clang::CodeGen::CGFunctionInfo
> const&, llvm::Function*, clang::CodeGen::FunctionArgList const&)
> (/Users/dexonsmith/data/llvm.asan/staging/bin/clang+0x102585a1f)
> #7 0x10d6968cc in
> clang::CodeGen::CodeGenFunction::StartFunction(clang::GlobalDecl,
> clang::QualType, llvm::Function*, clang::CodeGen::CGFunctionInfo const&,
> clang::CodeGen::FunctionArgList const&, clang::SourceLocation,
> clang::SourceLocation)
> (/Users/dexonsmith/data/llvm.asan/staging/bin/clang+0x1027758cc)
> #8 0x10d698b26 in
> clang::CodeGen::CodeGenFunction::GenerateCode(clang::GlobalDecl,
> llvm::Function*, clang::CodeGen::CGFunctionInfo const&)
> (/Users/dexonsmith/data/llvm.asan/staging/bin/clang+0x102777b26)
> #9 0x10d494e58 in
> clang::CodeGen::CodeGenModule::codegenCXXStructor(clang::CXXMethodDecl
> const*, clang::CodeGen::StructorType)
> (/Users/dexonsmith/data/llvm.asan/staging/bin/clang+0x102573e58)
> #10 0x10d75f36d in (anonymous
> namespace)::ItaniumCXXABI::emitCXXStructor(clang::CXXMethodDecl const*,
> clang::CodeGen::StructorType)
> (/Users/dexonsmith/data/llvm.asan/staging/bin/clang+0x10283e36d)
> #11 0x10d6ae224 in
> clang::CodeGen::CodeGenModule::EmitGlobalDefinition(clang::GlobalDecl,
> llvm::GlobalValue*)
> (/Users/dexonsmith/data/llvm.asan/staging/bin/clang+0x10278d224)
> #12 0x10d6b18c7 in
> clang::CodeGen::CodeGenModule::EmitGlobal(clang::GlobalDecl)
> (/Users/dexonsmith/data/llvm.asan/staging/bin/clang+0x1027908c7)
> #13 0x10d759319 in (anonymous
> namespace)::ItaniumCXXABI::EmitCXXConstructors(clang::CXXConstructorDecl
> const*) (/Users/dexonsmith/data/llvm.asan/staging/bin/clang+0x102838319)
> #14 0x10d6b5d0a in
> clang::CodeGen::CodeGenModule::EmitTopLevelDecl(clang::Decl*)
> (/Users/dexonsmith/data/llvm.asan/staging/bin/clang+0x102794d0a)
> #15 0x10d78fa0c in (anonymous
> namespace)::CodeGeneratorImpl::HandleTopLevelDecl(clang::DeclGroupRef)
> (/Users/dexonsmith/data/llvm.asan/staging/bin/clang+0x10286ea0c)
> #16 0x10d68e7b2 in
> clang::BackendConsumer::HandleTopLevelDecl(clang::DeclGroupRef)
> (/Users/dexonsmith/data/llvm.asan/staging/bin/clang+0x10276d7b2)
> #17 0x10dd927a9 in clang::ParseAST(clang::Sema&, bool, bool)
> (/Users/dexonsmith/data/llvm.asan/staging/bin/clang+0x102e717a9)
> #18 0x10d68c96c in clang::CodeGenAction::ExecuteAction()
> (/Users/dexonsmith/data/llvm.asan/staging/bin/clang+0x10276b96c)
> #19 0x10cf7a59c in clang::FrontendAction::Execute()
> (/Users/dexonsmith/data/llvm.asan/staging/bin/clang+0x10205959c)
> #20 0x10cf06beb in
> clang::CompilerInstance::ExecuteAction(clang::FrontendAction&)
> (/Users/dexonsmith/data/llvm.asan/staging/bin/clang+0x101fe5beb)
> #21 0x10cfeb5c4 in
> clang::ExecuteCompilerInvocation(clang::CompilerInstance*)
> (/Users/dexonsmith/data/llvm.asan/staging/bin/clang+0x1020ca5c4)
> #22 0x10af2f768 in cc1_main(llvm::ArrayRef<char const*>, char const*,
> void*) (/Users/dexonsmith/data/llvm.asan/staging/bin/clang+0x10000e768)
> #23 0x10af249a6 in ExecuteCC1Tool(llvm::ArrayRef<char const*>,
> llvm::StringRef)
> (/Users/dexonsmith/data/llvm.asan/staging/bin/clang+0x1000039a6)
> #24 0x10af23aea in main
> (/Users/dexonsmith/data/llvm.asan/staging/bin/clang+0x100002aea)
> #25 0x7fff99d2a5c8 in start (/usr/lib/system/libdyld.dylib+0x35c8)
> #26 0x6 (<unknown module>)
>
> SUMMARY: AddressSanitizer: heap-use-after-free ??:0
> llvm::Metadata::getMetadataID() const
> Shadow bytes around the buggy address:
> 0x1c0c00001660: 00 00 00 00 00 00 00 00 fa fa fa fa 00 00 00 00
> 0x1c0c00001670: 00 00 00 00 fa fa fa fa fd fd fd fd fd fd fd fd
> 0x1c0c00001680: fa fa fa fa 00 00 00 00 00 00 00 fa fa fa fa fa
> 0x1c0c00001690: fd fd fd fd fd fd fd fd fa fa fa fa fd fd fd fd
> 0x1c0c000016a0: fd fd fd fd fa fa fa fa fd fd fd fd fd fd fd fd
> =>0x1c0c000016b0: fa fa fa fa fd fd fd fd[fd]fd fd fd fa fa fa fa
> 0x1c0c000016c0: 00 00 00 00 00 00 00 00 fa fa fa fa 00 00 00 00
> 0x1c0c000016d0: 00 00 00 00 fa fa fa fa 00 00 00 00 00 00 01 fa
> 0x1c0c000016e0: fa fa fa fa 00 00 00 00 00 00 00 00 fa fa fa fa
> 0x1c0c000016f0: fd fd fd fd fd fd fd fd fa fa fa fa fd fd fd fd
> 0x1c0c00001700: fd fd fd fd fa fa fa fa 00 00 00 00 00 00 00 fa
> Shadow byte legend (one shadow byte represents 8 application bytes):
> Addressable: 00
> Partially addressable: 01 02 03 04 05 06 07
> Heap left redzone: fa
> Heap right redzone: fb
> Freed heap region: fd
> Stack left redzone: f1
> Stack mid redzone: f2
> Stack right redzone: f3
> Stack partial redzone: f4
> Stack after return: f5
> Stack use after scope: f8
> Global redzone: f9
> Global init order: f6
> Poisoned by user: f7
> Container overflow: fc
> Array cookie: ac
> ASan internal: fe
> ==3013==ABORTING
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.llvm.org/pipermail/llvm-dev/attachments/20150114/12766f69/attachment.html>
More information about the llvm-dev
mailing list