llvm / llvm-project

The LLVM Project is a collection of modular and reusable compiler and toolchain technologies.
http://llvm.org

llvm-gcc: use-after-free in tree conversion causing ICE #4947

Closed edwintorok closed 5 years ago

edwintorok commented 15 years ago
Bugzilla Link 4575
Resolution FIXED
Resolved on Nov 07, 2018 00:22
Version unspecified
OS Linux
Attachments gzipped wxluxgui.i, slightly smaller testcase
CC @asl,@nlewycky

Extended Description

With SVN r76312 llvm-g++ ICEs when compiling either wxluxgui.cpp or wxluxapp.cpp from Luxrender (www.luxrender.net):

```
$ /usr/local/bin/llvm-g++ wxluxgui.i -c -emit-llvm -O0
/home/edwin/lux/n/lux-a66b768345ed/renderer/wxluxgui.cpp:3755: internal compiler error: Segmentation fault
Please submit a full bug report, with preprocessed source if appropriate.
See <URL:http://llvm.org/bugs/> for instructions.
```

It doesn't always fail when compiling this file, but it does fail when compiling either this one or wxluxapp.cpp (thus never being able to compile luxrenderer).

Valgrind messages:

```
==9040== Invalid read of size 8
==9040==    at 0x747520: T.2842 (DenseMap.h:366)
==9040==    by 0x74BC1F: TypeConverter::ConvertRECORD(tree_node*, tree_node*) (llvm-types.cpp:1728)
==9040==    by 0x74C6D5: TypeConverter::ConvertType(tree_node*) (llvm-types.cpp:707)
==9040==    by 0x74CBCB: TypeConverter::ConvertType(tree_node*) (llvm-types.cpp:836)
==9040==    by 0x74F529: TypeConverter::ConvertFunctionType(tree_node*, tree_node*, tree_node*, unsigned int&, llvm::AttrListPtr&) (llvm-types.cpp:1214)
==9040==    by 0x71D15E: make_decl_llvm (llvm-backend.cpp:1543)
==9040==    by 0x6FA116: assemble_alias (varasm.c:5283)
==9040==    by 0x485963: use_thunk (method.c:310)
==9040==    by 0x489FC9: expand_body (semantics.c:3189)
==9040==    by 0x23D8BCFF: ???
==9040==    by 0x1: ???
==9040==    by 0xEF0CBB: (within /usr/local/libexec/gcc/x86_64-unknown-linux-gnu/4.2.1/cc1plus)
==9040==  Address 0x4c41268 is 120 bytes inside a block of size 1,024 free'd
==9040==    at 0x4A0711D: operator delete(void*) (vg_replace_malloc.c:342)
==9040==    by 0x74751F: T.2842 (DenseMap.h:469)
==9040==    by 0x74BC1F: TypeConverter::ConvertRECORD(tree_node*, tree_node*) (llvm-types.cpp:1728)
==9040==    by 0x74C6D5: TypeConverter::ConvertType(tree_node*) (llvm-types.cpp:707)
==9040==    by 0x74CBCB: TypeConverter::ConvertType(tree_node*) (llvm-types.cpp:836)
==9040==    by 0x74F529: TypeConverter::ConvertFunctionType(tree_node*, tree_node*, tree_node*, unsigned int&, llvm::AttrListPtr&) (llvm-types.cpp:1214)
==9040==    by 0x71D15E: make_decl_llvm (llvm-backend.cpp:1543)
==9040==    by 0x6FA116: assemble_alias (varasm.c:5283)
==9040==    by 0x485963: use_thunk (method.c:310)
==9040==    by 0x489FC9: expand_body (semantics.c:3189)
==9040==    by 0x23D8BCFF: ???
==9040==    by 0x1: ???
==9040==
==9040== Invalid read of size 8
==9040==    at 0x74BC2B: TypeConverter::ConvertRECORD(tree_node*, tree_node*) (llvm-types.cpp:1731)
==9040==    by 0x74C6D5: TypeConverter::ConvertType(tree_node*) (llvm-types.cpp:707)
==9040==    by 0x74CBCB: TypeConverter::ConvertType(tree_node*) (llvm-types.cpp:836)
==9040==    by 0x74F529: TypeConverter::ConvertFunctionType(tree_node*, tree_node*, tree_node*, unsigned int&, llvm::AttrListPtr&) (llvm-types.cpp:1214)
==9040==    by 0x71D15E: make_decl_llvm (llvm-backend.cpp:1543)
==9040==    by 0x6FA116: assemble_alias (varasm.c:5283)
==9040==    by 0x485963: use_thunk (method.c:310)
==9040==    by 0x489FC9: expand_body (semantics.c:3189)
==9040==    by 0x23D8BCFF: ???
==9040==    by 0x1: ???
==9040==    by 0xEF0CBB: (within /usr/local/libexec/gcc/x86_64-unknown-linux-gnu/4.2.1/cc1plus)
==9040==    by 0x247946BF: ???
==9040==  Address 0x4c41268 is 120 bytes inside a block of size 1,024 free'd
==9040==    at 0x4A0711D: operator delete(void*) (vg_replace_malloc.c:342)
==9040==    by 0x74751F: T.2842 (DenseMap.h:469)
==9040==    by 0x74BC1F: TypeConverter::ConvertRECORD(tree_node*, tree_node*) (llvm-types.cpp:1728)
==9040==    by 0x74C6D5: TypeConverter::ConvertType(tree_node*) (llvm-types.cpp:707)
==9040==    by 0x74CBCB: TypeConverter::ConvertType(tree_node*) (llvm-types.cpp:836)
==9040==    by 0x74F529: TypeConverter::ConvertFunctionType(tree_node*, tree_node*, tree_node*, unsigned int&, llvm::AttrListPtr&) (llvm-types.cpp:1214)
==9040==    by 0x71D15E: make_decl_llvm (llvm-backend.cpp:1543)
==9040==    by 0x6FA116: assemble_alias (varasm.c:5283)
==9040==    by 0x485963: use_thunk (method.c:310)
==9040==    by 0x489FC9: expand_body (semantics.c:3189)
==9040==    by 0x23D8BCFF: ???
==9040==    by 0x1: ???
==9040==
==9040== Invalid read of size 8
==9040==    at 0x74BC34: TypeConverter::ConvertRECORD(tree_node*, tree_node*) (llvm-types.cpp:1732)
==9040==    by 0x74C6D5: TypeConverter::ConvertType(tree_node*) (llvm-types.cpp:707)
==9040==    by 0x74CBCB: TypeConverter::ConvertType(tree_node*) (llvm-types.cpp:836)
==9040==    by 0x74F529: TypeConverter::ConvertFunctionType(tree_node*, tree_node*, tree_node*, unsigned int&, llvm::AttrListPtr&) (llvm-types.cpp:1214)
==9040==    by 0x71D15E: make_decl_llvm (llvm-backend.cpp:1543)
==9040==    by 0x6FA116: assemble_alias (varasm.c:5283)
==9040==    by 0x485963: use_thunk (method.c:310)
==9040==    by 0x489FC9: expand_body (semantics.c:3189)
==9040==    by 0x23D8BCFF: ???
==9040==    by 0x1: ???
==9040==    by 0xEF0CBB: (within /usr/local/libexec/gcc/x86_64-unknown-linux-gnu/4.2.1/cc1plus)
==9040==    by 0x247946BF: ???
==9040==  Address 0x4c41268 is 120 bytes inside a block of size 1,024 free'd
==9040==    at 0x4A0711D: operator delete(void*) (vg_replace_malloc.c:342)
==9040==    by 0x74751F: T.2842 (DenseMap.h:469)
==9040==    by 0x74BC1F: TypeConverter::ConvertRECORD(tree_node*, tree_node*) (llvm-types.cpp:1728)
==9040==    by 0x74C6D5: TypeConverter::ConvertType(tree_node*) (llvm-types.cpp:707)
==9040==    by 0x74CBCB: TypeConverter::ConvertType(tree_node*) (llvm-types.cpp:836)
==9040==    by 0x74F529: TypeConverter::ConvertFunctionType(tree_node*, tree_node*, tree_node*, unsigned int&, llvm::AttrListPtr&) (llvm-types.cpp:1214)
==9040==    by 0x71D15E: make_decl_llvm (llvm-backend.cpp:1543)
==9040==    by 0x6FA116: assemble_alias (varasm.c:5283)
==9040==    by 0x485963: use_thunk (method.c:310)
==9040==    by 0x489FC9: expand_body (semantics.c:3189)
==9040==    by 0x23D8BCFF: ???
==9040==    by 0x1: ???
==9040==
==9040== Invalid read of size 8
==9040==    at 0x74BC40: TypeConverter::ConvertRECORD(tree_node*, tree_node*) (llvm-types.cpp:1733)
==9040==    by 0x74C6D5: TypeConverter::ConvertType(tree_node*) (llvm-types.cpp:707)
==9040==    by 0x74CBCB: TypeConverter::ConvertType(tree_node*) (llvm-types.cpp:836)
==9040==    by 0x74F529: TypeConverter::ConvertFunctionType(tree_node*, tree_node*, tree_node*, unsigned int&, llvm::AttrListPtr&) (llvm-types.cpp:1214)
==9040==    by 0x71D15E: make_decl_llvm (llvm-backend.cpp:1543)
==9040==    by 0x6FA116: assemble_alias (varasm.c:5283)
==9040==    by 0x485963: use_thunk (method.c:310)
==9040==    by 0x489FC9: expand_body (semantics.c:3189)
==9040==    by 0x23D8BCFF: ???
==9040==    by 0x1: ???
==9040==    by 0xEF0CBB: (within /usr/local/libexec/gcc/x86_64-unknown-linux-gnu/4.2.1/cc1plus)
==9040==    by 0x247946BF: ???
==9040==  Address 0x4c41268 is 120 bytes inside a block of size 1,024 free'd
==9040==    at 0x4A0711D: operator delete(void*) (vg_replace_malloc.c:342)
==9040==    by 0x74751F: T.2842 (DenseMap.h:469)
==9040==    by 0x74BC1F: TypeConverter::ConvertRECORD(tree_node*, tree_node*) (llvm-types.cpp:1728)
==9040==    by 0x74C6D5: TypeConverter::ConvertType(tree_node*) (llvm-types.cpp:707)
==9040==    by 0x74CBCB: TypeConverter::ConvertType(tree_node*) (llvm-types.cpp:836)
==9040==    by 0x74F529: TypeConverter::ConvertFunctionType(tree_node*, tree_node*, tree_node*, unsigned int&, llvm::AttrListPtr&) (llvm-types.cpp:1214)
==9040==    by 0x71D15E: make_decl_llvm (llvm-backend.cpp:1543)
==9040==    by 0x6FA116: assemble_alias (varasm.c:5283)
==9040==    by 0x485963: use_thunk (method.c:310)
==9040==    by 0x489FC9: expand_body (semantics.c:3189)
==9040==    by 0x23D8BCFF: ???
==9040==    by 0x1: ???
==9040==
==9040== Invalid read of size 8
==9040==    at 0x74BC50: TypeConverter::ConvertRECORD(tree_node*, tree_node*) (llvm-types.cpp:1736)
==9040==    by 0x74C6D5: TypeConverter::ConvertType(tree_node*) (llvm-types.cpp:707)
==9040==    by 0x74CBCB: TypeConverter::ConvertType(tree_node*) (llvm-types.cpp:836)
==9040==    by 0x74F529: TypeConverter::ConvertFunctionType(tree_node*, tree_node*, tree_node*, unsigned int&, llvm::AttrListPtr&) (llvm-types.cpp:1214)
==9040==    by 0x71D15E: make_decl_llvm (llvm-backend.cpp:1543)
==9040==    by 0x6FA116: assemble_alias (varasm.c:5283)
==9040==    by 0x485963: use_thunk (method.c:310)
==9040==    by 0x489FC9: expand_body (semantics.c:3189)
==9040==    by 0x23D8BCFF: ???
==9040==    by 0x1: ???
==9040==    by 0xEF0CBB: (within /usr/local/libexec/gcc/x86_64-unknown-linux-gnu/4.2.1/cc1plus)
==9040==    by 0x247946BF: ???
==9040==  Address 0x4c41268 is 120 bytes inside a block of size 1,024 free'd
==9040==    at 0x4A0711D: operator delete(void*) (vg_replace_malloc.c:342)
==9040==    by 0x74751F: T.2842 (DenseMap.h:469)
==9040==    by 0x74BC1F: TypeConverter::ConvertRECORD(tree_node*, tree_node*) (llvm-types.cpp:1728)
==9040==    by 0x74C6D5: TypeConverter::ConvertType(tree_node*) (llvm-types.cpp:707)
==9040==    by 0x74CBCB: TypeConverter::ConvertType(tree_node*) (llvm-types.cpp:836)
==9040==    by 0x74F529: TypeConverter::ConvertFunctionType(tree_node*, tree_node*, tree_node*, unsigned int&, llvm::AttrListPtr&) (llvm-types.cpp:1214)
==9040==    by 0x71D15E: make_decl_llvm (llvm-backend.cpp:1543)
==9040==    by 0x6FA116: assemble_alias (varasm.c:5283)
==9040==    by 0x485963: use_thunk (method.c:310)
==9040==    by 0x489FC9: expand_body (semantics.c:3189)
==9040==    by 0x23D8BCFF: ???
==9040==    by 0x1: ???
```

edwintorok commented 15 years ago

Thanks Dale, it works now!

llvmbot commented 15 years ago

I'm now on vacation, so if that didn't work, somebody else please look at it.

llvmbot commented 15 years ago

Let's try it. Fixed here, I hope: http://llvm.org/viewvc/llvm-project?rev=76459&view=rev The testcase never failed on Darwin so I can't verify this works, though.

llvmbot commented 15 years ago

OK, this is my fault, thanks for the analysis. I can't remember now what I wanted a reference for, but it doesn't seem to be needed. Just removing the & should work, do you agree?

nlewycky commented 15 years ago

Initialization:

```cpp
tree oldTy = TREE_TYPE(Field);
tree &newTy = BaseTypesMap[oldTy];   // reference into the map's bucket storage
```

Mutation:

```cpp
if (!F || TREE_CODE(F) != TYPE_DECL) {
  BaseTypesMap[oldTy] = oldTy;
  return oldTy;
}
BaseTypesMap[oldTy] = newTy;
BaseTypesMap[newTy] = oldTy;   // inserting a new key can grow the map and invalidate newTy
```

The trouble is that newTy is a reference to the tree in the innards of the BaseTypesMap. Once you mutate BaseTypesMap, that reference becomes invalid as the vector inside DenseMap moves.
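The dangling-reference pattern nlewycky describes, beside the fix Dale proposes (dropping the &), as an added C++ example that is not part of this issue or of llvm-gcc. TinyMap is a hypothetical stand-in for llvm::DenseMap whose bucket array is reallocated on growth; the key names and values are constructed.

```cpp
// Added example, not llvm-gcc code. TinyMap is a hypothetical stand-in for llvm::DenseMap:
// values live in one contiguous bucket array that is reallocated when the map grows.
#include <cstddef>
#include <vector>
struct TinyMap {
    struct Bucket { int key = 0; int val = 0; bool used = false; };
    std::vector<Bucket> buckets = std::vector<Bucket>(4);
    std::size_t count = 0;
    std::size_t find(int key) const {   // linear probing; load stays below 75%, so it terminates
        std::size_t i = static_cast<std::size_t>(key) % buckets.size();
        while (buckets[i].used && buckets[i].key != key) i = (i + 1) % buckets.size();
        return i;
    }
    // Value slot for key, inserting 0 if absent. The reference dies at the next growth.
    int &operator[](int key) {
        std::size_t i = find(key);
        if (!buckets[i].used) {   // new key: grow first if the table would exceed 75% load
            if ((count + 1) * 4 > buckets.size() * 3) { grow(); i = find(key); }
            buckets[i].used = true; buckets[i].key = key; ++count;
        }
        return buckets[i].val;
    }
    void grow() {
        std::vector<Bucket> old; old.swap(buckets);   // old array is freed when grow() returns
        buckets.assign(old.size() * 2, Bucket{}); count = 0;
        for (const Bucket &b : old) if (b.used) (*this)[b.key] = b.val;
    }
};
// The pattern from the report: tree &newTy = BaseTypesMap[oldTy]; ... BaseTypesMap[newTy] = oldTy;
int convertBuggy(TinyMap &m, int oldTy, int newTy) {
    int &entry = m[oldTy];   // reference into the current bucket array
    m[newTy] = oldTy;        // a new key may grow the map and free that array
    return entry;            // read through a dangling reference: heap-use-after-free
}
// The fix Dale describes: drop the &, so the value is copied before the insertion.
int convertFixed(TinyMap &m, int oldTy, int newTy) {
    int entry = m[oldTy];    // a copy survives any later reallocation
    m[newTy] = oldTy; return entry;
}
bool fixedKeepsValue() {
    TinyMap m; m[1] = 10; m[2] = 20; m[3] = 30;   // 3 of 4 buckets used: the next new key grows
    return convertFixed(m, 1, 40) == 10 && m[40] == 1 && m[2] == 20;
}
// Observable without undefined behaviour: the slot's address changes once the map grows.
bool slotMovesOnGrow() {
    TinyMap m; int *before = &m[1];
    for (int k = 2; k <= 4; ++k) m[k] = k;   // the 4th key pushes load past 75%
    return before != &m[1];
}
int main() { return fixedKeepsValue() && slotMovesOnGrow() ? 0 : 1; }   // -fsanitize=address catches convertBuggy
```

Built with -fsanitize=address, a call to convertBuggy on a fresh three-key map is reported as heap-use-after-free at the return, the same kind of read valgrind flags in the traces above.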