https://llvm.org/bugs/show_bug.cgi?id=29144
Bug ID: 29144
Summary: Heap-use-after-free detected by AddressSanitizer in GVNHoist
Product: libraries
Version: trunk
Hardware: PC
OS: Linux
Status: NEW
Severity: normal
Priority: P
Component: Scalar Optimizations
Assignee: seb...@gmail.com
Reporter: rtr...@google.com
CC: llvm-bugs@lists.llvm.org
Classification: Unclassified

AddressSanitizer has detected a heap-use-after-free when compiling the following code. With non-instrumented Clang, this would cause a crash in larger inputs, but go undetected for smaller input sizes.

$ cat reduce.c
extern int Foo(int x) __attribute__((pure));
void Create(int n1, int n2) {
  if (Foo(1) == 0 && n1 == n2) {}
  else if (Foo(1) == 0 && n1 == n2) {}
  else if (Foo(1) == 0 && n1 == n2) {}
  else if (Foo(1) == 0) {}
}

$ ./clang-asan -cc1 -emit-obj -O2 reduce.c
=================================================================
==9788==ERROR: AddressSanitizer: heap-use-after-free on address 0x60c00000ae88 at pc 0x000000720f2c bp 0x7ffef9a87c60 sp 0x7ffef9a87c58
READ of size 1 at 0x60c00000ae88 thread T0
    #0 0x720f2b in llvm::Value::getValueID() const llvm/include/llvm/IR/Value.h:425:12
    #1 0x747fa8 in llvm::Instruction::getOpcode() const llvm/include/llvm/IR/Instruction.h:103:39
    #2 0x7743c8 in llvm::CallInst::classof(llvm::Instruction const*) llvm/include/llvm/IR/Instructions.h:1817:15
    #3 0x7742ba in llvm::isa_impl_wrap<llvm::CallInst, llvm::Instruction* const, llvm::Instruction const*>::doit(llvm::Instruction* const&) llvm/include/llvm/Support/Casting.h:112:12
    #4 0x9ad5d6 in llvm::cast_retty<llvm::CallInst, llvm::Instruction*>::ret_type llvm::dyn_cast<llvm::CallInst, llvm::Instruction>(llvm::Instruction*) llvm/include/llvm/Support/Casting.h:298:10
    #5 0x5247731 in llvm::GVN::ValueTable::lookupOrAddCall(llvm::CallInst*) llvm/lib/Transforms/Scalar/GVN.cpp:427:35
    #6 0x5246069 in llvm::GVN::ValueTable::lookupOrAdd(llvm::Value*) llvm/lib/Transforms/Scalar/GVN.cpp:485:14
    #7 0x5234b01 in (anonymous namespace)::CallInfo::insert(llvm::CallInst*, llvm::GVN::ValueTable&) llvm/lib/Transforms/Scalar/GVNHoist.cpp:166:21
    #8 0x5234338 in (anonymous namespace)::GVNHoist::hoistExpressions(llvm::Function&) llvm/lib/Transforms/Scalar/GVNHoist.cpp:898:14
    #9 0x5233b21 in (anonymous namespace)::GVNHoist::run(llvm::Function&) llvm/lib/Transforms/Scalar/GVNHoist.cpp:227:24
    #10 0x523b918 in (anonymous namespace)::GVNHoistLegacyPass::runOnFunction(llvm::Function&) llvm/lib/Transforms/Scalar/GVNHoist.cpp:936:14
    #11 0x5ccf581 in llvm::FPPassManager::runOnFunction(llvm::Function&) llvm/lib/IR/LegacyPassManager.cpp:1522:27
    #12 0x5ccecb4 in llvm::legacy::FunctionPassManagerImpl::run(llvm::Function&) llvm/lib/IR/LegacyPassManager.cpp:1471:44
    #13 0x5ccebb3 in llvm::legacy::FunctionPassManager::run(llvm::Function&) llvm/lib/IR/LegacyPassManager.cpp:1395:15
    #14 0x6cb8a9 in (anonymous namespace)::EmitAssemblyHelper::EmitAssembly(clang::BackendAction, std::unique_ptr<llvm::raw_pwrite_stream, std::default_delete<llvm::raw_pwrite_stream> >) llvm/tools/clang/lib/CodeGen/BackendUtil.cpp:712:27
    #15 0x6ca596 in clang::EmitBackendOutput(clang::DiagnosticsEngine&, clang::CodeGenOptions const&, clang::TargetOptions const&, clang::LangOptions const&, llvm::DataLayout const&, llvm::Module*, clang::BackendAction, std::unique_ptr<llvm::raw_pwrite_stream, std::default_delete<llvm::raw_pwrite_stream> >) llvm/tools/clang/lib/CodeGen/BackendUtil.cpp:808:13
    #16 0x5e3713 in clang::BackendConsumer::HandleTranslationUnit(clang::ASTContext&) llvm/tools/clang/lib/CodeGen/CodeGenAction.cpp:193:7
    #17 0x1e229bd in clang::ParseAST(clang::Sema&, bool, bool) llvm/tools/clang/lib/Parse/ParseAST.cpp:167:13
    #18 0x5deb89 in clang::CodeGenAction::ExecuteAction() llvm/tools/clang/lib/CodeGen/CodeGenAction.cpp:867:28
    #19 0x18e4041 in clang::FrontendAction::Execute() llvm/tools/clang/lib/Frontend/FrontendAction.cpp:458:8
    #20 0x16888e6 in clang::CompilerInstance::ExecuteAction(clang::FrontendAction&) llvm/tools/clang/lib/Frontend/CompilerInstance.cpp:871:11
    #21 0x5c4cc7 in clang::ExecuteCompilerInvocation(clang::CompilerInstance*) llvm/tools/clang/lib/FrontendTool/ExecuteCompilerInvocation.cpp:246:25
    #22 0x59eeab in cc1_main(llvm::ArrayRef<char const*>, char const*, void*) llvm/tools/clang/tools/driver/cc1_main.cpp:183:13
    #23 0x5b9188 in ExecuteCC1Tool(llvm::ArrayRef<char const*>, llvm::StringRef) llvm/tools/clang/tools/driver/driver.cpp:299:12
    #24 0x5b8064 in main llvm/tools/clang/tools/driver/driver.cpp:380:12

AddressSanitizer can not describe address in more detail (wild memory access suspected).
SUMMARY: AddressSanitizer: heap-use-after-free llvm/include/llvm/IR/Value.h:425:12 in llvm::Value::getValueID() const
Shadow bytes around the buggy address:
==9788==ABORTING
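A triage sketch for the report above, added here and not part of the original bug report or of LLVM: it parses the symbolized frames, skips the inlined header helpers at the top of the stack to reach the first frame in a .cpp file, and builds an address-free key for grouping duplicate reports. The function names and the key format are assumptions of this example; the sample input is the header and frames #0 to #8 of the report, one frame per line.

```python
import re

# Sample input: header and frames #0-#8 of the report above, one frame per line.
REPORT = """\
==9788==ERROR: AddressSanitizer: heap-use-after-free on address 0x60c00000ae88 at pc 0x000000720f2c bp 0x7ffef9a87c60 sp 0x7ffef9a87c58
READ of size 1 at 0x60c00000ae88 thread T0
    #0 0x720f2b in llvm::Value::getValueID() const llvm/include/llvm/IR/Value.h:425:12
    #1 0x747fa8 in llvm::Instruction::getOpcode() const llvm/include/llvm/IR/Instruction.h:103:39
    #2 0x7743c8 in llvm::CallInst::classof(llvm::Instruction const*) llvm/include/llvm/IR/Instructions.h:1817:15
    #3 0x7742ba in llvm::isa_impl_wrap<llvm::CallInst, llvm::Instruction* const, llvm::Instruction const*>::doit(llvm::Instruction* const&) llvm/include/llvm/Support/Casting.h:112:12
    #4 0x9ad5d6 in llvm::cast_retty<llvm::CallInst, llvm::Instruction*>::ret_type llvm::dyn_cast<llvm::CallInst, llvm::Instruction>(llvm::Instruction*) llvm/include/llvm/Support/Casting.h:298:10
    #5 0x5247731 in llvm::GVN::ValueTable::lookupOrAddCall(llvm::CallInst*) llvm/lib/Transforms/Scalar/GVN.cpp:427:35
    #6 0x5246069 in llvm::GVN::ValueTable::lookupOrAdd(llvm::Value*) llvm/lib/Transforms/Scalar/GVN.cpp:485:14
    #7 0x5234b01 in (anonymous namespace)::CallInfo::insert(llvm::CallInst*, llvm::GVN::ValueTable&) llvm/lib/Transforms/Scalar/GVNHoist.cpp:166:21
    #8 0x5234338 in (anonymous namespace)::GVNHoist::hoistExpressions(llvm::Function&) llvm/lib/Transforms/Scalar/GVNHoist.cpp:898:14
"""

HEADER = re.compile(r"==\d+==ERROR: AddressSanitizer: (\S+) on address")
ACCESS = re.compile(r"^(READ|WRITE) of size (\d+)", re.M)
# The symbol may contain spaces (templates, argument lists); the location is the last token.
FRAME = re.compile(r"^\s*#(\d+) 0x[0-9a-f]+ in (.+) (\S+):(\d+):(\d+)$", re.M)

def parse_report(text):
    """Return error kind, access type/size and the symbolized frames."""
    access = ACCESS.search(text)
    frames = [{"n": int(n), "func": f, "file": p, "line": int(l)}
              for n, f, p, l, _ in FRAME.findall(text)]
    return {"kind": HEADER.search(text).group(1), "access": access.group(1),
            "size": int(access.group(2)), "frames": frames}

def short_name(func):
    """Drop the anonymous-namespace prefix and the argument list."""
    return func.replace("(anonymous namespace)::", "").split("(")[0]

def first_source_frame(frames):
    """Skip inlined header helpers (.h) to reach the first frame in a .cpp file."""
    return next(f for f in frames if not f["file"].endswith(".h"))

def bucket_key(report, depth=3):
    """Address-free key for grouping duplicates: kind plus the first source frames."""
    frames = report["frames"]
    i = frames.index(first_source_frame(frames))
    return "|".join([report["kind"]] + [short_name(f["func"]) for f in frames[i:i + depth]])

if __name__ == "__main__":
    r = parse_report(REPORT)
    print(first_source_frame(r["frames"])["file"], bucket_key(r))
```
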