https://llvm.org/bugs/show_bug.cgi?id=26808
Bug ID: 26808
Summary: Lots of sketchy behaviour masked by RecyclingAllocator
Product: new-bugs
Version: trunk
Hardware: PC
OS: All
Status: NEW
Severity: normal
Priority: P
Component: new bugs
Assignee: unassignedb...@nondot.org
Reporter: llvm-b...@justinbogner.com
CC: llvm-bugs@lists.llvm.org
Classification: Unclassified

Created attachment 15971
  --> https://llvm.org/bugs/attachment.cgi?id=15971&action=edit
Patch to make Recycler asan-aware

The attached patch teaches Recycler (and by proxy RecyclingAllocator) to poison and unpoison memory for ASAN. Running ninja check under ASAN with this applied hits a few thousand failures.

Some of the issues include:

- We don't allocate nodes in SelectionDAG correctly - we always call an SDNode allocator and upcast to the (much larger) subclasses. This mostly works since the RecyclingAllocator is set to allocate 296 bytes per node.

- SelectionDAG sets node types to "ISD::DELETED_NODE" before returning them to the free list, ostensibly to detect bugs. Then it *uses whether or not the thing is deleted* for control flow in places like UpdateChainsAndGlue. This *should not work*, but apparently it tends to in practice.

- SelectionDAG arbitrarily casts from smaller SDNodes to MachineSDNode in MorphNodeTo. This is very much undefined behaviour, but basically works since the allocations happen to be large enough.

- There's probably a use-after-free of `Tail` in TargetInstrInfo::ReplaceTailWithBranchTo.

- RegisterCoalescer::reMaterializeTrivialDef appears to have use-after-free bugs regarding MachineInstrs.
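The report describes teaching a recycling allocator to poison memory while it sits on the free list, so that ASAN can see stale accesses the recycler would otherwise mask. The sketch below is an added example, not the attached patch and not LLVM's Recycler: `PoisoningRecycler` and the `EX_*` macros are hypothetical names, and the ASAN hooks compile away when the build is not instrumented.

```cpp
#include <cstddef>
#include <cstdlib>

// Detect ASAN under both Clang (__has_feature) and GCC (__SANITIZE_ADDRESS__).
#if defined(__has_feature)
#if __has_feature(address_sanitizer)
#define EX_ASAN 1
#endif
#endif
#if defined(__SANITIZE_ADDRESS__) && !defined(EX_ASAN)
#define EX_ASAN 1
#endif
#ifdef EX_ASAN
#include <sanitizer/asan_interface.h>
#define EX_POISON(P, N) __asan_poison_memory_region((P), (N))
#define EX_UNPOISON(P, N) __asan_unpoison_memory_region((P), (N))
#define EX_IS_POISONED(P) __asan_address_is_poisoned(P)
#else // built without ASAN: the hooks compile away
#define EX_POISON(P, N) ((void)(P))
#define EX_UNPOISON(P, N) ((void)(P))
#define EX_IS_POISONED(P) ((void)(P), -1)
#endif

// Hypothetical class (not LLVM's Recycler): fixed-size slots on an intrusive free list.
template <std::size_t Size> class PoisoningRecycler {
  struct FreeNode { FreeNode *Next; };
  static_assert(Size >= sizeof(FreeNode), "slot must hold the link");
  FreeNode *FreeList = nullptr;

public:
  ~PoisoningRecycler() { while (FreeList) std::free(allocate()); }

  void *allocate() {
    if (!FreeList) return std::malloc(Size); // nothing to recycle
    FreeNode *N = FreeList;
    EX_UNPOISON(N, Size); // must precede the read of N->Next
    FreeList = N->Next;
    return N;
  }
  void deallocate(void *P) {
    FreeNode *N = static_cast<FreeNode *>(P);
    N->Next = FreeList; // link lives inside the freed slot
    FreeList = N;
    EX_POISON(N, Size); // stale pointers into the slot now trap under ASAN
  }
  // 1 = poisoned, 0 = addressable, -1 = built without ASAN
  static int poisoned(void *P) { return EX_IS_POISONED(P); }
};
```

Built with `-fsanitize=address`, a read or write through a pointer kept across `deallocate()` is reported as a use-after-poison instead of silently landing in a recycled slot.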