| Issue |
179071
|
| Summary |
[clang] Crash at -O3 -fprofile-instr-generate: AddressSanitizer: SEGV on unknown address 0x7fff44e0ef78 (pc 0x7effef1508fd bp 0x7effeec9d670 sp 0x7effeec9d418 T0)
|
| Labels |
clang
|
| Assignees |
|
| Reporter |
zxt5
|
Clang crashes with a SEGV while compiling this code with `-O3 -fprofile-instr-generate`:
```
$ cat small.c
#include <stdint.h>
/* Tentative definition with no size: if nothing later completes the type, C treats c as an array of one element. */
int32_t c[];
/* 8-bit globals: d and e are the loop counters in g, f gates g's loop nest. f is never assigned in this file. */
uint8_t d, e, f;
/*
 * Uses the GNU "?:" extension with the middle operand omitted: the result is
 * the value of (b < 0) when that is nonzero, i.e. 1 for a negative b, and b
 * otherwise. The first parameter is unnamed and unused; the parentheses
 * around the function name do not change the declaration.
 */
int32_t(a)(int32_t, int32_t b) { return b < 0 ?: b; }
/*
 * Forward declarations with internal linkage. The definitions further down
 * omit "static" but keep internal linkage from these earlier declarations.
 */
static int32_t *h(int32_t *, int16_t, int32_t);
static int32_t *g(int32_t *, uint16_t, int16_t, int32_t, int32_t);
/*
 * Calls g(h(...)) in a for (;;) loop that has no exit. Declared to return
 * uint32_t but contains no return statement.
 */
uint32_t i() {
for (;;)
/* h falls off its end without returning a value, so using its result as an argument here is undefined behavior in C. */
g(h(0, 0, 0), 0, 0, 0, 0);
}
/*
 * Empty body: control reaches the closing brace of a non-void function
 * without a return statement. All parameter names are omitted (standard
 * only from C23 on; presumably accepted as an extension in earlier modes).
 */
int32_t *h(int32_t *, int16_t, int32_t) {}
/*
 * Never returns: the label m and the trailing "goto m" form an endless loop,
 * and there is no return statement. Only the last parameter, k, is named and
 * used. The stack dump in this report names g as the function the loop
 * passes were running on when the compiler crashed.
 */
int32_t *g(int32_t *, uint16_t, int16_t, int32_t, int32_t k) {
int32_t j;
m:
/* The loop nest runs only when the global f is nonzero. */
if (f)
for (d = 0; d <= 9; d++)
for (e = 2; e <= 9; e++) {
/* l points at c[1]. With c declared as "int32_t c[]" that is one past the single implied element, so the read and write through l below are out of bounds. */
int32_t *l = &c[1];
for (j = 9; j; j--)
/* k is not reset anywhere, so it keeps its value across iterations of the enclosing loops. */
for (; k >= 0; k--)
*l = a(0, *l);
}
goto m;
}
/*
 * Empty entry point with a non-standard "void main" signature. Nothing in
 * this file calls i, so the report concerns compiling the file, not running it.
 */
void main() {}
```
Stack dump:
```
PLEASE submit a bug report to https://github.com/llvm/llvm-project/issues/ and include the crash backtrace, preprocessed source, and associated run script.
Stack dump:
0. Program arguments: /home/x27zhou/compiler-nightly/install/llvm/bin/clang-23 -cc1 -triple x86_64-unknown-linux-gnu -O3 -emit-obj -dumpdir a- -disable-free -clear-ast-before-backend -main-file-name small.c -mrelocation-model pic -pic-level 2 -pic-is-pie -mframe-pointer=none -fmath-errno -ffp-contract=on -fno-rounding-math -mconstructor-aliases -funwind-tables=2 -target-cpu x86-64 -tune-cpu generic -debugger-tuning=gdb -fdebug-compilation-dir=/home/x27zhou/fuzz-pgo/outcome-2026-01-31-07-03-09/bug-exit-2-id-33540 -fprofile-instrument=clang -fcoverage-compilation-dir=/home/x27zhou/fuzz-pgo/outcome-2026-01-31-07-03-09/bug-exit-2-id-33540 -resource-dir /home/x27zhou/compiler-nightly/install/llvm/lib/clang/23 -internal-isystem /home/x27zhou/compiler-nightly/install/llvm/lib/clang/23/include -internal-isystem /usr/local/include -internal-isystem /usr/lib/gcc/x86_64-linux-gnu/12/../../../../x86_64-linux-gnu/include -internal-externc-isystem /usr/include/x86_64-linux-gnu -internal-externc-isystem /include -internal-externc-isystem /usr/include -ferror-limit 19 -fmessage-length=282 -fgnuc-version=4.2.1 -fskip-odr-check-in-gmf -fcolor-diagnostics -vectorize-loops -vectorize-slp -faddrsig -fdwarf2-cfi-asm -o /tmp/small-3ac083.o -x c small.c
1. <eof> parser at end of file
2. Optimizer
3. Running pass "require<globals-aa>,function(invalidate<aa>),require<profile-summary>,cgscc(devirt<4>(inline,function-attrs<skip-non-recursive-function-attrs>,argpromotion,openmp-opt-cgscc,function<eager-inv;no-rerun>(sroa<modify-cfg>,early-cse<memssa>,speculative-execution<only-if-divergent-target>,jump-threading,correlated-propagation,simplifycfg<bonus-inst-threshold=1;no-forward-switch-cond;switch-range-to-icmp;no-switch-to-arithmetic;no-switch-to-lookup;keep-loops;no-hoist-common-insts;no-hoist-loads-stores-with-cond-faulting;no-sink-common-insts;speculate-blocks;simplify-cond-branch;no-speculate-unpredictables>,instcombine<max-iterations=1;no-verify-fixpoint>,aggressive-instcombine,libcalls-shrinkwrap,tailcallelim,simplifycfg<bonus-inst-threshold=1;no-forward-switch-cond;switch-range-to-icmp;no-switch-to-arithmetic;no-switch-to-lookup;keep-loops;no-hoist-common-insts;no-hoist-loads-stores-with-cond-faulting;no-sink-common-insts;speculate-blocks;simplify-cond-branch;no-speculate-unpredictables>,reassociate,constraint-elimination,loop-mssa(loop-instsimplify,loop-simplifycfg,licm<no-allowspeculation>,loop-rotate<header-duplication;no-prepare-for-lto>,licm<allowspeculation>,simple-loop-unswitch<nontrivial;trivial>),simplifycfg<bonus-inst-threshold=1;no-forward-switch-cond;switch-range-to-icmp;no-switch-to-arithmetic;no-switch-to-lookup;keep-loops;no-hoist-common-insts;no-hoist-loads-stores-with-cond-faulting;no-sink-common-insts;speculate-blocks;simplify-cond-branch;no-speculate-unpredictables>,instcombine<max-iterations=1;no-verify-fixpoint>,loop(loop-idiom,indvars,extra-simple-loop-unswitch-passes,loop-deletion,loop-unroll-full),sroa<modify-cfg>,vector-combine,mldst-motion<no-split-footer-bb>,gvn<>,sccp,bdce,instcombine<max-iterations=1;no-verify-fixpoint>,jump-threading,correlated-propagation,adce,memcpyopt,dse,move-auto-init,loop-mssa(licm<allowspeculation>),coro-elide,simplifycfg<bonus-inst-threshold=1;no-forward-switch-cond;switch-range-to-icmp;switch-to-ari
thmetic;no-switch-to-lookup;keep-loops;hoist-common-insts;no-hoist-loads-stores-with-cond-faulting;sink-common-insts;speculate-blocks;simplify-cond-branch;no-speculate-unpredictables>,instcombine<max-iterations=1;no-verify-fixpoint>),function-attrs,function(require<should-not-run-function-passes>),coro-split,coro-annotation-elide)),function(invalidate<should-not-run-function-passes>),cgscc(devirt<4>())" on module "small.c"
4. Running pass "cgscc(devirt<4>(inline,function-attrs<skip-non-recursive-function-attrs>,argpromotion,openmp-opt-cgscc,function<eager-inv;no-rerun>(sroa<modify-cfg>,early-cse<memssa>,speculative-execution<only-if-divergent-target>,jump-threading,correlated-propagation,simplifycfg<bonus-inst-threshold=1;no-forward-switch-cond;switch-range-to-icmp;no-switch-to-arithmetic;no-switch-to-lookup;keep-loops;no-hoist-common-insts;no-hoist-loads-stores-with-cond-faulting;no-sink-common-insts;speculate-blocks;simplify-cond-branch;no-speculate-unpredictables>,instcombine<max-iterations=1;no-verify-fixpoint>,aggressive-instcombine,libcalls-shrinkwrap,tailcallelim,simplifycfg<bonus-inst-threshold=1;no-forward-switch-cond;switch-range-to-icmp;no-switch-to-arithmetic;no-switch-to-lookup;keep-loops;no-hoist-common-insts;no-hoist-loads-stores-with-cond-faulting;no-sink-common-insts;speculate-blocks;simplify-cond-branch;no-speculate-unpredictables>,reassociate,constraint-elimination,loop-mssa(loop-instsimplify,loop-simplifycfg,licm<no-allowspeculation>,loop-rotate<header-duplication;no-prepare-for-lto>,licm<allowspeculation>,simple-loop-unswitch<nontrivial;trivial>),simplifycfg<bonus-inst-threshold=1;no-forward-switch-cond;switch-range-to-icmp;no-switch-to-arithmetic;no-switch-to-lookup;keep-loops;no-hoist-common-insts;no-hoist-loads-stores-with-cond-faulting;no-sink-common-insts;speculate-blocks;simplify-cond-branch;no-speculate-unpredictables>,instcombine<max-iterations=1;no-verify-fixpoint>,loop(loop-idiom,indvars,extra-simple-loop-unswitch-passes,loop-deletion,loop-unroll-full),sroa<modify-cfg>,vector-combine,mldst-motion<no-split-footer-bb>,gvn<>,sccp,bdce,instcombine<max-iterations=1;no-verify-fixpoint>,jump-threading,correlated-propagation,adce,memcpyopt,dse,move-auto-init,loop-mssa(licm<allowspeculation>),coro-elide,simplifycfg<bonus-inst-threshold=1;no-forward-switch-cond;switch-range-to-icmp;switch-to-arithmetic;no-switch-to-lookup;keep-loops;hoist-common-insts;no-hoist-loa
ds-stores-with-cond-faulting;sink-common-insts;speculate-blocks;simplify-cond-branch;no-speculate-unpredictables>,instcombine<max-iterations=1;no-verify-fixpoint>),function-attrs,function(require<should-not-run-function-passes>),coro-split,coro-annotation-elide))" on module "small.c"
5. Running pass "loop(loop-idiom,indvars,extra-simple-loop-unswitch-passes,loop-deletion,loop-unroll-full)" on function "g"
#0 0x0000561e2e21267b backtrace (/home/x27zhou/compiler-nightly/install/llvm/bin/clang-23+0x4eef67b)
#1 0x0000561e36e95478 llvm::sys::PrintStackTrace(llvm::raw_ostream&, int) /home/x27zhou/compiler-nightly/src/llvm-project/llvm/lib/Support/Unix/Signals.inc:846:8
#2 0x0000561e36e8d3e0 llvm::sys::RunSignalHandlers() /home/x27zhou/compiler-nightly/src/llvm-project/llvm/lib/Support/Signals.cpp:0:5
#3 0x0000561e36e986a7 SignalHandler(int, siginfo_t*, void*) /home/x27zhou/compiler-nightly/src/llvm-project/llvm/lib/Support/Unix/Signals.inc:429:38
#4 0x00007f7c0b523520 (/lib/x86_64-linux-gnu/libc.so.6+0x42520)
#5 0x0000561e341ac035 llvm::ScalarEvolution::createAddRecFromPHI(llvm::PHINode*) /home/x27zhou/compiler-nightly/src/llvm-project/llvm/lib/Analysis/ScalarEvolution.cpp:5847:0
#6 0x0000561e341afe79 llvm::ScalarEvolution::createNodeForPHI(llvm::PHINode*) /home/x27zhou/compiler-nightly/src/llvm-project/llvm/lib/Analysis/ScalarEvolution.cpp:6114:19
#7 0x0000561e341d024f llvm::ScalarEvolution::createSCEV(llvm::Value*) /home/x27zhou/compiler-nightly/src/llvm-project/llvm/lib/Analysis/ScalarEvolution.cpp:0:12
#8 0x0000561e3419f24e llvm::ScalarEvolution::createSCEVIter(llvm::Value*) /home/x27zhou/compiler-nightly/src/llvm-project/llvm/lib/Analysis/ScalarEvolution.cpp:7599:9
#9 0x0000561e341aeec2 llvm::ilist_detail::node_base_parent<llvm::BasicBlock>::getNodeBaseParent() /home/x27zhou/compiler-nightly/src/llvm-project/llvm/include/llvm/ADT/ilist_node_base.h:55:49
#10 0x0000561e341aeec2 llvm::ilist_detail::node_parent_access<llvm::ilist_node_impl<llvm::ilist_detail::node_options<llvm::Instruction, true, false, void, true, llvm::BasicBlock>>, llvm::BasicBlock>::getParent() /home/x27zhou/compiler-nightly/src/llvm-project/llvm/include/llvm/ADT/ilist_node.h:38:41
#11 0x0000561e341aeec2 llvm::ScalarEvolution::createNodeFromSelectLikePHI(llvm::PHINode*) /home/x27zhou/compiler-nightly/src/llvm-project/llvm/lib/Analysis/ScalarEvolution.cpp:6069:45
#12 0x0000561e341b00d1 llvm::ScalarEvolution::createNodeForPHI(llvm::PHINode*) /home/x27zhou/compiler-nightly/src/llvm-project/llvm/lib/Analysis/ScalarEvolution.cpp:6127:19
#13 0x0000561e341d024f llvm::ScalarEvolution::createSCEV(llvm::Value*) /home/x27zhou/compiler-nightly/src/llvm-project/llvm/lib/Analysis/ScalarEvolution.cpp:0:12
#14 0x0000561e3419f24e llvm::ScalarEvolution::createSCEVIter(llvm::Value*) /home/x27zhou/compiler-nightly/src/llvm-project/llvm/lib/Analysis/ScalarEvolution.cpp:7599:9
#15 0x0000561e341aeec2 llvm::ilist_detail::node_base_parent<llvm::BasicBlock>::getNodeBaseParent() /home/x27zhou/compiler-nightly/src/llvm-project/llvm/include/llvm/ADT/ilist_node_base.h:55:49
#16 0x0000561e341aeec2 llvm::ilist_detail::node_parent_access<llvm::ilist_node_impl<llvm::ilist_detail::node_options<llvm::Instruction, true, false, void, true, llvm::BasicBlock>>, llvm::BasicBlock>::getParent() /home/x27zhou/compiler-nightly/src/llvm-project/llvm/include/llvm/ADT/ilist_node.h:38:41
#17 0x0000561e341aeec2 llvm::ScalarEvolution::createNodeFromSelectLikePHI(llvm::PHINode*) /home/x27zhou/compiler-nightly/src/llvm-project/llvm/lib/Analysis/ScalarEvolution.cpp:6069:45
#18 0x0000561e341b00d1 llvm::ScalarEvolution::createNodeForPHI(llvm::PHINode*) /home/x27zhou/compiler-nightly/src/llvm-project/llvm/lib/Analysis/ScalarEvolution.cpp:6127:19
#19 0x0000561e341d024f llvm::ScalarEvolution::createSCEV(llvm::Value*) /home/x27zhou/compiler-nightly/src/llvm-project/llvm/lib/Analysis/ScalarEvolution.cpp:0:12
...
AddressSanitizer:DEADLYSIGNAL
=================================================================
==1755632==ERROR: AddressSanitizer: SEGV on unknown address 0x7ffe946cff00 (pc 0x7f7c0b5ff8fd bp 0x7f7c0b14c670 sp 0x7f7c0b14c418 T0)
==1755632==The signal is caused by a WRITE memory access.
#0 0x7f7c0b5ff8fd in syscall misc/../sysdeps/unix/sysv/linux/x86_64/syscall.S:38
#1 0x561e36e986d7 in SignalHandler(int, siginfo_t*, void*) /home/x27zhou/compiler-nightly/src/llvm-project/llvm/lib/Support/Unix/Signals.inc:429:7
#2 0x7f7c0b52351f (/lib/x86_64-linux-gnu/libc.so.6+0x4251f) (BuildId: 4f7b0c955c3d81d7cac1501a2498b69d1d82bfe7)
#3 0x561e341ac034 in llvm::ScalarEvolution::createAddRecFromPHI(llvm::PHINode*) /home/x27zhou/compiler-nightly/src/llvm-project/llvm/lib/Analysis/ScalarEvolution.cpp:5847
#4 0x561e341afe78 in llvm::ScalarEvolution::createNodeForPHI(llvm::PHINode*) /home/x27zhou/compiler-nightly/src/llvm-project/llvm/lib/Analysis/ScalarEvolution.cpp:6114:23
#5 0x561e341d024e in llvm::ScalarEvolution::createSCEV(llvm::Value*) /home/x27zhou/compiler-nightly/src/llvm-project/llvm/lib/Analysis/ScalarEvolution.cpp:8214:12
#6 0x561e3419f24d in llvm::ScalarEvolution::createSCEVIter(llvm::Value*) /home/x27zhou/compiler-nightly/src/llvm-project/llvm/lib/Analysis/ScalarEvolution.cpp:7591:21
#7 0x561e341aeec1 in llvm::ScalarEvolution::getSCEV(llvm::Value*) /home/x27zhou/compiler-nightly/src/llvm-project/llvm/lib/Analysis/ScalarEvolution.cpp:4630:10
#8 0x561e341aeec1 in llvm::ScalarEvolution::createNodeFromSelectLikePHI(llvm::PHINode*) /home/x27zhou/compiler-nightly/src/llvm-project/llvm/lib/Analysis/ScalarEvolution.cpp:6069:27
#9 0x561e341b00d0 in llvm::ScalarEvolution::createNodeForPHI(llvm::PHINode*) /home/x27zhou/compiler-nightly/src/llvm-project/llvm/lib/Analysis/ScalarEvolution.cpp:6127:23
#10 0x561e341d024e in llvm::ScalarEvolution::createSCEV(llvm::Value*) /home/x27zhou/compiler-nightly/src/llvm-project/llvm/lib/Analysis/ScalarEvolution.cpp:8214:12
#11 0x561e3419f24d in llvm::ScalarEvolution::createSCEVIter(llvm::Value*) /home/x27zhou/compiler-nightly/src/llvm-project/llvm/lib/Analysis/ScalarEvolution.cpp:7591:21
#12 0x561e341aeec1 in llvm::ScalarEvolution::getSCEV(llvm::Value*) /home/x27zhou/compiler-nightly/src/llvm-project/llvm/lib/Analysis/ScalarEvolution.cpp:4630:10
#13 0x561e341aeec1 in llvm::ScalarEvolution::createNodeFromSelectLikePHI(llvm::PHINode*) /home/x27zhou/compiler-nightly/src/llvm-project/llvm/lib/Analysis/ScalarEvolution.cpp:6069:27
#14 0x561e341b00d0 in llvm::ScalarEvolution::createNodeForPHI(llvm::PHINode*) /home/x27zhou/compiler-nightly/src/llvm-project/llvm/lib/Analysis/ScalarEvolution.cpp:6127:23
#15 0x561e341d024e in llvm::ScalarEvolution::createSCEV(llvm::Value*) /home/x27zhou/compiler-nightly/src/llvm-project/llvm/lib/Analysis/ScalarEvolution.cpp:8214:12
#16 0x561e3419f24d in llvm::ScalarEvolution::createSCEVIter(llvm::Value*) /home/x27zhou/compiler-nightly/src/llvm-project/llvm/lib/Analysis/ScalarEvolution.cpp:7591:21
#17 0x561e341aeec1 in llvm::ScalarEvolution::getSCEV(llvm::Value*) /home/x27zhou/compiler-nightly/src/llvm-project/llvm/lib/Analysis/ScalarEvolution.cpp:4630:10
#18 0x561e341aeec1 in llvm::ScalarEvolution::createNodeFromSelectLikePHI(llvm::PHINode*) /home/x27zhou/compiler-nightly/src/llvm-project/llvm/lib/Analysis/ScalarEvolution.cpp:6069:27
#19 0x561e341b00d0 in llvm::ScalarEvolution::createNodeForPHI(llvm::PHINode*) /home/x27zhou/compiler-nightly/src/llvm-project/llvm/lib/Analysis/ScalarEvolution.cpp:6127:23
#20 0x561e341d024e in llvm::ScalarEvolution::createSCEV(llvm::Value*) /home/x27zhou/compiler-nightly/src/llvm-project/llvm/lib/Analysis/ScalarEvolution.cpp:8214:12
#21 0x561e3419f24d in llvm::ScalarEvolution::createSCEVIter(llvm::Value*) /home/x27zhou/compiler-nightly/src/llvm-project/llvm/lib/Analysis/ScalarEvolution.cpp:7591:21
#22 0x561e341aeec1 in llvm::ScalarEvolution::getSCEV(llvm::Value*) /home/x27zhou/compiler-nightly/src/llvm-project/llvm/lib/Analysis/ScalarEvolution.cpp:4630:10
#23 0x561e341aeec1 in llvm::ScalarEvolution::createNodeFromSelectLikePHI(llvm::PHINode*) /home/x27zhou/compiler-nightly/src/llvm-project/llvm/lib/Analysis/ScalarEvolution.cpp:6069:27
#24 0x561e341b00d0 in llvm::ScalarEvolution::createNodeForPHI(llvm::PHINode*) /home/x27zhou/compiler-nightly/src/llvm-project/llvm/lib/Analysis/Sca<truncated>Please see the issue for the entire body.