llc reads freed memory when run on 2006-11-30-NoCompileUnit.cpp

[llvmbot]

Bugzilla Link	1684
Resolution	FIXED
Resolved on	Sep 23, 2007 02:35
Version	unspecified
OS	Linux
Reporter	LLVM Bugzilla Contributor
CC	@asl

Extended Description

Running test/C++Frontend/2006-11-30-NoCompileUnit.cpp under valgrind
shows it reading freed memory in llvm::DIEBlock::BestForm.

To reproduce, run
llvm-gcc -S -O0 -emit-llvm -g 2006-11-30-NoCompileUnit.cpp -o - | llvm-as | valgrind --tool=memcheck llc --disable-fp-elim -f -o NoCompileUnit.s

[asl]

Mine

[asl]

Erm, wanted 1685 :)

[lattner]

Dale, can you take a look at this one?

Duncan, can you please attach the valgrind dump?

Thanks,

-Chris

[llvmbot]

Full backtrace:

Invalid read of size 4
at 0x868433F: llvm::DIEBlock::BestForm() const (DwarfWriter.cpp:622)
by 0x86955E2: llvm::DwarfDebug::AddBlock(llvm::DIE*, unsigned, unsigned, llvm::DIEBlock*) (DwarfWriter.cpp:1307)
by 0x8698227: llvm::DwarfDebug::ConstructType(llvm::DIE&, llvm::TypeDesc*, llvm::CompileUnit*) (DwarfWriter.cpp:1565)
by 0x869708B: llvm::DwarfDebug::AddType(llvm::DIE*, llvm::TypeDesc*, llvm::CompileUnit*) (DwarfWriter.cpp:1417)
by 0x8697A2E: llvm::DwarfDebug::ConstructType(llvm::DIE&, llvm::TypeDesc*, llvm::CompileUnit*) (DwarfWriter.cpp:1447)
by 0x869708B: llvm::DwarfDebug::AddType(llvm::DIE*, llvm::TypeDesc*, llvm::CompileUnit*) (DwarfWriter.cpp:1417)
by 0x8697A2E: llvm::DwarfDebug::ConstructType(llvm::DIE&, llvm::TypeDesc*, llvm::CompileUnit*) (DwarfWriter.cpp:1447)
by 0x869708B: llvm::DwarfDebug::AddType(llvm::DIE*, llvm::TypeDesc*, llvm::CompileUnit*) (DwarfWriter.cpp:1417)
by 0x86986F5: llvm::DwarfDebug::ConstructType(llvm::DIE&, llvm::TypeDesc*, llvm::CompileUnit*) (DwarfWriter.cpp:1643)
by 0x869708B: llvm::DwarfDebug::AddType(llvm::DIE*, llvm::TypeDesc*, llvm::CompileUnit*) (DwarfWriter.cpp:1417)
by 0x8697A2E: llvm::DwarfDebug::ConstructType(llvm::DIE&, llvm::TypeDesc*, llvm::CompileUnit*) (DwarfWriter.cpp:1447)
by 0x869708B: llvm::DwarfDebug::AddType(llvm::DIE*, llvm::TypeDesc*, llvm::CompileUnit*) (DwarfWriter.cpp:1417)
Address 0x438b960 is 80 bytes inside a block of size 84 free'd
at 0x4022166: operator delete(void*) (vg_replace_malloc.c:336)
by 0x868C3EF: llvm::DIEBlock::~DIEBlock() (DwarfWriter.cpp:609)
by 0x86955CE: llvm::DwarfDebug::AddBlock(llvm::DIE*, unsigned, unsigned, llvm::DIEBlock*) (DwarfWriter.cpp:1304)
by 0x8698227: llvm::DwarfDebug::ConstructType(llvm::DIE&, llvm::TypeDesc*, llvm::CompileUnit*) (DwarfWriter.cpp:1565)
by 0x869708B: llvm::DwarfDebug::AddType(llvm::DIE*, llvm::TypeDesc*, llvm::CompileUnit*) (DwarfWriter.cpp:1417)
by 0x8697A2E: llvm::DwarfDebug::ConstructType(llvm::DIE&, llvm::TypeDesc*, llvm::CompileUnit*) (DwarfWriter.cpp:1447)
by 0x869708B: llvm::DwarfDebug::AddType(llvm::DIE*, llvm::TypeDesc*, llvm::CompileUnit*) (DwarfWriter.cpp:1417)
by 0x8697A2E: llvm::DwarfDebug::ConstructType(llvm::DIE&, llvm::TypeDesc*, llvm::CompileUnit*) (DwarfWriter.cpp:1447)
by 0x869708B: llvm::DwarfDebug::AddType(llvm::DIE*, llvm::TypeDesc*, llvm::CompileUnit*) (DwarfWriter.cpp:1417)
by 0x86986F5: llvm::DwarfDebug::ConstructType(llvm::DIE&, llvm::TypeDesc*, llvm::CompileUnit*) (DwarfWriter.cpp:1643)
by 0x869708B: llvm::DwarfDebug::AddType(llvm::DIE*, llvm::TypeDesc*, llvm::CompileUnit*) (DwarfWriter.cpp:1417)
by 0x8697A2E: llvm::DwarfDebug::ConstructType(llvm::DIE&, llvm::TypeDesc*, llvm::CompileUnit*) (DwarfWriter.cpp:1447)

[lattner]

The problem is obvious:
if (!Value) {
Value = Block;
ValuesSet.InsertNode(Value, Where);
Values.push_back(Value);
} else {
delete Block;
}

Die->AddValue(Attribute, Block->BestForm(), Value);

If Value is true, it deletes Block then dereferences it.

[lattner]

Fixed, patch here:
http://lists.cs.uiuc.edu/pipermail/llvm-commits/Week-of-Mon-20070917/053751.html

-Chris

[llvmbot]

Chris,

Can we close this if it's fixed? ;-)

--Owen

[nlewycky]

Chris, did you want to close this bug? I can't reproduce it with the fix applied, though I haven't tried it without the fix.

[llvmbot]

I can confirm that this bug is now fixed.