http://llvm.org/bugs/show_bug.cgi?id=5097
Summary: Buffer overflow in LoopSimplify
Product: new-bugs
Version: unspecified
Platform: PC
OS/Version: Linux
Status: NEW
Severity: normal
Priority: P2
Component: new bugs
AssignedTo: [email protected]
ReportedBy: [email protected]
CC: [email protected]
Created an attachment (id=3583)
--> (http://llvm.org/bugs/attachment.cgi?id=3583)
testcase .ll
Reproduce by building with expensive checking and doing:
opt bugpoint-reduced-simplified.ll -loop-unswitch -loopsimplify -iv-users
The problem seems to be that in lines 275...282 of LoopSimplify.cpp
    const std::vector<DomTreeNodeBase<BasicBlock> *> &Children =
      Node->getChildren();
    for (unsigned k = 0, g = Children.size(); k != g; ++k) {
      DT->changeImmediateDominator(Children[k], Node->getIDom());
      if (DF) DF->changeImmediateDominator(Children[k]->getBlock(),
                                           Node->getIDom()->getBlock(),
                                           DT);
    }
the code inside the loop mutates the Node->getChildren() vector.
Since Children is a reference to this vector, it can change as the
loop is executed. In the testcase Children has length 1, so the
loop is entered. It looks like the first line resizes Children to
be empty. Then the second line accesses off the end of Children.
LLVMbugs mailing list
[email protected]
http://lists.cs.uiuc.edu/mailman/listinfo/llvmbugs
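The aliasing hazard the report describes, as an added example that is not code from the bug report or from LLVM. It uses hypothetical Node and Tree types standing in for DomTreeNodeBase and DominatorTree; the only behaviour assumed is the one the reporter attributes to changeImmediateDominator, namely that re-parenting a child erases it from its old parent's children vector. The buggy loop keeps the reference-to-vector shape of the LoopSimplify snippet but counts the reads that would land past the end instead of performing them, and the fixed loop iterates over a copy.

```cpp
#include <algorithm>
#include <cstddef>
#include <cstdio>
#include <memory>
#include <vector>

// Hypothetical stand-in for DomTreeNodeBase<BasicBlock>: a children vector
// plus an immediate-dominator pointer, exposed through the same two getters.
struct Node {
    int Block;
    Node *IDom;
    std::vector<Node *> Children;
    Node(int B, Node *D) : Block(B), IDom(D) {}
    const std::vector<Node *> &getChildren() const { return Children; }
    Node *getIDom() const { return IDom; }
};

// Hypothetical stand-in for DominatorTree.
struct Tree {
    std::vector<std::unique_ptr<Node>> Nodes;

    Node *add(int Block, Node *IDom) {
        Nodes.push_back(std::unique_ptr<Node>(new Node(Block, IDom)));
        Node *N = Nodes.back().get();
        if (IDom) IDom->Children.push_back(N);
        return N;
    }

    // Re-parent N under NewIDom.  Erasing N from its old parent's Children is
    // the mutation that shrinks the vector the buggy loop still references.
    void changeImmediateDominator(Node *N, Node *NewIDom) {
        std::vector<Node *> &Old = N->IDom->Children;
        Old.erase(std::find(Old.begin(), Old.end(), N));
        N->IDom = NewIDom;
        NewIDom->Children.push_back(N);
    }
};

// Same shape as the LoopSimplify loop: Children aliases N's own vector, and
// the first call in the body shrinks it.  Instead of executing the
// out-of-bounds read (undefined behaviour), count the accesses that would
// land past the end.
int hoistChildrenBuggy(Tree &T, Node *N) {
    const std::vector<Node *> &Children = N->getChildren();
    int OutOfBounds = 0;
    for (unsigned k = 0, g = Children.size(); k != g; ++k) {
        if (k >= Children.size()) { ++OutOfBounds; continue; }  // Children[k] is gone
        T.changeImmediateDominator(Children[k], N->getIDom());
        // The original re-reads Children[k] here for the DominanceFrontier
        // update; by now the vector has lost one element.
        if (k >= Children.size()) ++OutOfBounds;
    }
    return OutOfBounds;
}

// Fix: snapshot the child list by value, so mutating N->Children cannot
// change what the loop iterates over.
void hoistChildrenFixed(Tree &T, Node *N) {
    std::vector<Node *> Children = N->getChildren();  // copy, not a reference
    for (size_t k = 0, g = Children.size(); k != g; ++k)
        T.changeImmediateDominator(Children[k], N->getIDom());
}

struct Scenario { Tree T; Node *Root; Node *Mid; };

// Constructed sample tree: Root -> Mid -> {NumChildren leaves}.  Hoisting
// Mid's children to Mid's IDom mirrors what the snippet does for Node.
Scenario makeScenario(int NumChildren) {
    Scenario S;
    S.Root = S.T.add(0, nullptr);
    S.Mid = S.T.add(1, S.Root);
    for (int i = 0; i < NumChildren; ++i) S.T.add(2 + i, S.Mid);
    return S;
}

struct Result { int OutOfBounds; size_t LeftUnderMid; size_t RootChildren; };

Result runBuggy(int NumChildren) {
    Scenario S = makeScenario(NumChildren);
    int OOB = hoistChildrenBuggy(S.T, S.Mid);
    return Result{OOB, S.Mid->getChildren().size(), S.Root->getChildren().size()};
}

Result runFixed(int NumChildren) {
    Scenario S = makeScenario(NumChildren);
    hoistChildrenFixed(S.T, S.Mid);
    return Result{0, S.Mid->getChildren().size(), S.Root->getChildren().size()};
}

int main() {
    for (int n = 1; n <= 3; ++n) {
        Result B = runBuggy(n), F = runFixed(n);
        std::printf("%d children: buggy OOB reads=%d left=%zu | fixed left=%zu root=%zu\n",
                    n, B.OutOfBounds, B.LeftUnderMid, F.LeftUnderMid, F.RootChildren);
    }
    return 0;
}
```

With one child, as in the testcase, the first call empties the vector and the second statement's Children[k] is the off-the-end read; with two or more children the loop additionally stops hoisting early, leaving children under the node it meant to detach them from. Iterating over a copy is the minimal change; draining the vector with a while-not-empty loop over Children.back() would also work, since each call removes exactly one element. A checked STL (as the "expensive checking" build does) or an address sanitizer is what turns the silent read into a crash on the real code.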