http://llvm.org/bugs/show_bug.cgi?id=12315
Bug #: 12315
Summary: heap-use-after-free in
clang::CodeGen::CGDebugInfo::CreateLimitedType
(32-bit)
Product: new-bugs
Version: trunk
Platform: PC
OS/Version: Linux
Status: NEW
Severity: enhancement
Priority: P
Component: new bugs
AssignedTo: [email protected]
ReportedBy: [email protected]
CC: [email protected]
Classification: Unclassified
Created attachment 8242
--> http://llvm.org/bugs/attachment.cgi?id=8242
reproducer
clang r153090 on x86_64 linux.
The crash happens only with "-m32 -g" and any opt mode.
% clang -c -m32 -O2 -g asan.cc
The use-after-free can be seen with AddressSanitizer or Valgrind.
When running natively clang sometimes crashes too.
Test case minimized by c_reduce from real code.
The test is not perfectly minimal (3K), but this is where the reducer got stuck.
This bug may (or may not) be another instance of PR#12305.
==11232== ERROR: AddressSanitizer heap-use-after-free on address 0x7f30d47774b0
at pc 0x90292d3 bp 0x7fff214d99d0 sp 0x7fff214d99c8
READ of size 4 at 0x7f30d47774b0 thread T0
#0 0x90292d3 in llvm::MDNode::getNumOperands() const
include/llvm/Metadata.h:146
#1 0xf1576a9 in llvm::DIDescriptor::getUInt64Field(unsigned int) const
lib/Analysis/DebugInfo.cpp:70
#2 0x1fc70e6 in llvm::DIDescriptor::getUnsignedField(unsigned int) const
include/llvm/Analysis/DebugInfo.h:70
#3 0x1f7bd58 in llvm::DIDescriptor::getTag() const
include/llvm/Analysis/DebugInfo.h:104
#4 0xf15914c in llvm::DIDescriptor::isBasicType() const
lib/Analysis/DebugInfo.cpp:137
#5 0xf15b6b5 in llvm::DIType::DIType(llvm::MDNode const*)
lib/Analysis/DebugInfo.cpp:302
#6 0x1f44c25 in
clang::CodeGen::CGDebugInfo::CreateLimitedType(clang::RecordType const*)
tools/clang/lib/CodeGen/CGDebugInfo.cpp:1834
#7 0x1f41c78 in
clang::CodeGen::CGDebugInfo::CreateLimitedTypeNode(clang::QualType,
llvm::DIFile) tools/clang/lib/CodeGen/CGDebugInfo.cpp:1851
#8 0x1f0fd30 in
clang::CodeGen::CGDebugInfo::getOrCreateLimitedType(clang::QualType,
llvm::DIFile) tools/clang/lib/CodeGen/CGDebugInfo.cpp:1758
#9 0x1f2f916 in clang::CodeGen::CGDebugInfo::CreateType(clang::RecordType
const*) tools/clang/lib/CodeGen/CGDebugInfo.cpp:1172
#10 0x1f411b1 in
clang::CodeGen::CGDebugInfo::CreateTypeNode(clang::QualType, llvm::DIFile)
tools/clang/lib/CodeGen/CGDebugInfo.cpp:1697
#11 0x1f0239b in
clang::CodeGen::CGDebugInfo::getOrCreateType(clang::QualType, llvm::DIFile)
tools/clang/lib/CodeGen/CGDebugInfo.cpp:1646
#12 0x1f2aa53 in
clang::CodeGen::CGDebugInfo::CollectTemplateParams(clang::TemplateParameterList
const*, clang::TemplateArgumentList const&, llvm::DIFile) tools/clang/lib/C»
#13 0x1f2c3a5 in
clang::CodeGen::CGDebugInfo::CollectCXXTemplateParams(clang::ClassTemplateSpecializationDecl
const*, llvm::DIFile) tools/clang/lib/CodeGen/CGDebugInfo.cpp:»
#14 0x1f30159 in clang::CodeGen::CGDebugInfo::CreateType(clang::RecordType
const*) tools/clang/lib/CodeGen/CGDebugInfo.cpp:1209
#15 0x1f411b1 in
clang::CodeGen::CGDebugInfo::CreateTypeNode(clang::QualType, llvm::DIFile)
tools/clang/lib/CodeGen/CGDebugInfo.cpp:1697
#16 0x1f0239b in
clang::CodeGen::CGDebugInfo::getOrCreateType(clang::QualType, llvm::DIFile)
tools/clang/lib/CodeGen/CGDebugInfo.cpp:1646
0x7f30d47774b0 is located 48 bytes inside of 616-byte region
[0x7f30d4777480,0x7f30d47776e8)
freed by thread T0 here:
#0 0x1085e102 in free ??:0
#1 0x102b64d6 in llvm::MDNode::destroy() lib/VMCore/Metadata.cpp:186
#2 0x102b34c4 in llvm::MDNode::replaceOperand(llvm::MDNodeOperand*,
llvm::Value*) lib/VMCore/Metadata.cpp:356
#3 0x102b426b in llvm::MDNode::replaceOperandWith(unsigned int,
llvm::Value*) lib/VMCore/Metadata.cpp:93
#4 0x1f44beb in
clang::CodeGen::CGDebugInfo::CreateLimitedType(clang::RecordType const*)
tools/clang/lib/CodeGen/CGDebugInfo.cpp:1834
#5 0x1f41c78 in
clang::CodeGen::CGDebugInfo::CreateLimitedTypeNode(clang::QualType,
llvm::DIFile) tools/clang/lib/CodeGen/CGDebugInfo.cpp:1851
#6 0x1f0fd30 in
clang::CodeGen::CGDebugInfo::getOrCreateLimitedType(clang::QualType,
llvm::DIFile) tools/clang/lib/CodeGen/CGDebugInfo.cpp:1758
#7 0x1f2f916 in clang::CodeGen::CGDebugInfo::CreateType(clang::RecordType
const*) tools/clang/lib/CodeGen/CGDebugInfo.cpp:1172
#8 0x1f411b1 in clang::CodeGen::CGDebugInfo::CreateTypeNode(clang::QualType,
llvm::DIFile) tools/clang/lib/CodeGen/CGDebugInfo.cpp:1697
#9 0x1f0239b in
clang::CodeGen::CGDebugInfo::getOrCreateType(clang::QualType, llvm::DIFile)
tools/clang/lib/CodeGen/CGDebugInfo.cpp:1646
#10 0x1f2aa53 in
clang::CodeGen::CGDebugInfo::CollectTemplateParams(clang::TemplateParameterList
const*, clang::TemplateArgumentList const&, llvm::DIFile) tools/clang/lib/C»
#11 0x1f2c3a5 in
clang::CodeGen::CGDebugInfo::CollectCXXTemplateParams(clang::ClassTemplateSpecializationDecl
const*, llvm::DIFile) tools/clang/lib/CodeGen/CGDebugInfo.cpp:»
#12 0x1f30159 in clang::CodeGen::CGDebugInfo::CreateType(clang::RecordType
const*) tools/clang/lib/CodeGen/CGDebugInfo.cpp:1209
previously allocated by thread T0 here:
#0 0x1085e1c2 in malloc ??:0
#1 0x102b7003 in llvm::MDNode::getMDNode(llvm::LLVMContext&,
llvm::ArrayRef<llvm::Value*>, llvm::MDNode::FunctionLocalness, bool)
lib/VMCore/Metadata.cpp:234
#2 0x102b7ff2 in llvm::MDNode::get(llvm::LLVMContext&,
llvm::ArrayRef<llvm::Value*>) lib/VMCore/Metadata.cpp:244
#3 0xf130365 in llvm::DIBuilder::createClassType(llvm::DIDescriptor,
llvm::StringRef, llvm::DIFile, unsigned int, unsigned long, unsigned long,
unsigned long, unsigned int,»
#4 0x1f43ebd in
clang::CodeGen::CGDebugInfo::CreateLimitedType(clang::RecordType const*)
tools/clang/lib/CodeGen/CGDebugInfo.cpp:1804
#5 0x1f41c78 in
clang::CodeGen::CGDebugInfo::CreateLimitedTypeNode(clang::QualType,
llvm::DIFile) tools/clang/lib/CodeGen/CGDebugInfo.cpp:1851
#6 0x1f0fd30 in
clang::CodeGen::CGDebugInfo::getOrCreateLimitedType(clang::QualType,
llvm::DIFile) tools/clang/lib/CodeGen/CGDebugInfo.cpp:1758
#7 0x1f2f916 in clang::CodeGen::CGDebugInfo::CreateType(clang::RecordType
const*) tools/clang/lib/CodeGen/CGDebugInfo.cpp:1172
#8 0x1f411b1 in clang::CodeGen::CGDebugInfo::CreateTypeNode(clang::QualType,
llvm::DIFile) tools/clang/lib/CodeGen/CGDebugInfo.cpp:1697
#9 0x1f0239b in
clang::CodeGen::CGDebugInfo::getOrCreateType(clang::QualType, llvm::DIFile)
tools/clang/lib/CodeGen/CGDebugInfo.cpp:1646
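The three stacks above tell one story: the node was allocated by MDNode::get (uniqued), then freed from inside MDNode::replaceOperand because the replacement made it identical to a node that already existed in the uniquing set, and CreateLimitedType then read getNumOperands() through the pointer it still held. The C program below is an added example, not code from this report or from LLVM: it models that uniquing behaviour with a constructed intern table (the Node type, table_* helpers and node_* functions are assumptions for illustration only) and shows the caller written so that it rebinds its handle to the surviving node before reading through it.

```c
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MAX_OPS 4
#define MAX_NODES 16

/* Constructed model of a uniqued metadata node (a stand-in for the MDNode in the
 * report, not LLVM code): nodes with identical operand lists are shared. */
typedef struct Node {
    unsigned num_ops;
    int ops[MAX_OPS];
} Node;

/* Intern table standing in for the context's folding set of uniqued nodes. */
static Node *table[MAX_NODES];

static void table_remove(Node *nd) {
    for (unsigned i = 0; i < MAX_NODES; i++)
        if (table[i] == nd) table[i] = NULL;
}

static bool table_insert(Node *nd) {
    for (unsigned i = 0; i < MAX_NODES; i++)
        if (!table[i]) { table[i] = nd; return true; }
    return false;
}

static Node *table_find(unsigned n, const int *ops) {
    for (unsigned i = 0; i < MAX_NODES; i++)
        if (table[i] && table[i]->num_ops == n &&
            memcmp(table[i]->ops, ops, n * sizeof(int)) == 0)
            return table[i];
    return NULL;
}

void table_reset(void) {
    for (unsigned i = 0; i < MAX_NODES; i++) { free(table[i]); table[i] = NULL; }
}

/* Like MDNode::get in the allocation stack: return the existing node with these
 * operands, or intern a new one. */
Node *node_get(unsigned n, const int *ops) {
    if (n > MAX_OPS) return NULL;
    Node *nd = table_find(n, ops);
    if (nd) return nd;
    nd = calloc(1, sizeof *nd);
    if (!nd) return NULL;
    nd->num_ops = n;
    memcpy(nd->ops, ops, n * sizeof(int));
    if (!table_insert(nd)) { free(nd); return NULL; }
    return nd;
}

/* The step the free stack shows inside MDNode::replaceOperandWith: take the node out
 * of the uniquing set, mutate the operand, then look for a collision. If an identical
 * node already exists, this node is redundant: it is freed and the canonical node is
 * returned. From that point on the caller's original pointer is dangling. */
Node *node_replace_operand(Node *nd, unsigned idx, int value) {
    if (!nd || idx >= nd->num_ops) return nd;
    table_remove(nd);
    nd->ops[idx] = value;
    Node *existing = table_find(nd->num_ops, nd->ops);
    if (existing) {
        free(nd);            /* the "freed by thread T0 here" site in the report */
        return existing;
    }
    table_insert(nd);
    return nd;
}

/* Caller written the safe way: rebind the handle to whatever node survived before
 * reading through it. The buggy shape is `node_replace_operand(fwd, 1, 2);` followed
 * by `fwd->num_ops`, which an AddressSanitizer build reports as a
 * heap-use-after-free at the read, exactly like the READ of size 4 above. */
unsigned create_limited_type_safe(void) {
    table_reset();
    int full_ops[2] = {1, 2}, fwd_ops[2] = {1, 3};  /* constructed sample operands */
    node_get(2, full_ops);                   /* the already-uniqued complete type */
    Node *fwd = node_get(2, fwd_ops);        /* a forward declaration to be patched */
    if (!fwd) return 0;
    fwd = node_replace_operand(fwd, 1, 2);   /* now identical to the full node: collapses */
    unsigned n = fwd->num_ops;               /* reads the surviving node, not the freed one */
    table_reset();
    return n;
}

/* Confirms the collapse really happens in that scenario: the node handed back is the
 * pre-existing one, so the original forward-declaration object was freed. */
bool replacement_collapses(void) {
    table_reset();
    int full_ops[2] = {1, 2}, fwd_ops[2] = {1, 3};
    Node *full = node_get(2, full_ops);
    Node *survivor = node_replace_operand(node_get(2, fwd_ops), 1, 2);
    bool collapsed = (full != NULL && survivor == full);
    table_reset();
    return collapsed;
}

int main(void) {
    printf("collapsed: %d, num_ops via surviving node: %u\n",
           replacement_collapses(), create_limited_type_safe());
    return 0;
}
```

The point for reviewers of code like CGDebugInfo is that any API which re-uniques a node on mutation may hand back a different object; a wrapper holding the raw pointer (the DIType in frame #5) must be refreshed from the return value, and an ASan build of the compiler itself, as the reporter used, is the cheapest way to catch the cases where it is not.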
_______________________________________________
LLVMbugs mailing list
[email protected]
http://lists.cs.uiuc.edu/mailman/listinfo/llvmbugs