28749 – heap-use-after-free in SelectionDAG

LLVM Bugzilla is read-only and represents the historical archive of all LLVM issues filled before November 26, 2021. Use github to submit LLVM bugs

Bug 28749 - heap-use-after-free in SelectionDAG

Summary: heap-use-after-free in SelectionDAG

Status:	RESOLVED FIXED

Alias:	None

Product:	new-bugs
Classification:	Unclassified
Component:	new bugs (show other bugs)
Version:	unspecified
Hardware:	PC Windows NT

Importance:	P normal
Assignee:	Unassigned LLVM Bugs

URL:
Keywords:

Depends on:
Blocks:

Reported:	2016-07-28 00:30 PDT by Yaron Keren
Modified:	2016-08-03 02:55 PDT (History)
CC List:	4 users (show)

See Also:
Fixed By Commit(s):

Attachments
reproducer (466 bytes, text/plain) 2016-07-28 00:30 PDT, Yaron Keren	Details
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Yaron Keren 2016-07-28 00:30:26 PDT

Created attachment 16828 [details]
reproducer

compiling the attached using clang built with Asan results in 
heap-use-after-free. llvm, clang, libcxx, libcxxabi, compiler-rt, libunwind are trunk, r276955. clang configured as:

cmake -DCMAKE_C_COMPILER=clang -DCMAKE_CXX_COMPILER=clang++ -GNinja -DCMAKE_BUILD_TYPE=Debug -DLLVM_USE_SANITIZER:STRING="Address" -DCMAKE_C_FLAGS_DEBUG="-gmlt" -DCMAKE_CXX_FLAGS_DEBUG="-gmlt"

the compilation command is:

~/asan/build/bin/clang++ -cc1 -emit-obj -debug-info-kind=limited -O2 rational.cpp

where rational.cpp is attached.
The Asan report is:

=================================================================
==19198==ERROR: AddressSanitizer: heap-use-after-free on address 0x61f0000080b8 at pc 0x0000042b476d bp 0x7ffde4fb80f0 sp 0x7ffde4fb80e8

READ of size 8 at 0x61f0000080b8 thread T0
    #0 0x42b476c in llvm::SelectionDAG::TransferDbgValues(llvm::SDValue, llvm::SDValue) /home/ceemple/llvm/lib/CodeGen/SelectionDAG/SelectionDAG.cpp:6644:23
    #1 0x42b4187 in llvm::SelectionDAG::ReplaceAllUsesWith(llvm::SDValue, llvm::SDValue) /home/ceemple/llvm/lib/CodeGen/SelectionDAG/SelectionDAG.cpp:6289:3
    #2 0x42b4f97 in llvm::SelectionDAG::ReplaceAllUsesOfValueWith(llvm::SDValue, llvm::SDValue) /home/ceemple/llvm/lib/CodeGen/SelectionDAG/SelectionDAG.cpp:6404:5
    #3 0x435a841 in llvm::DAGTypeLegalizer::ReplaceValueWith(llvm::SDValue, llvm::SDValue) /home/ceemple/llvm/lib/CodeGen/SelectionDAG/LegalizeTypes.cpp:705:9
    #4 0x44215d2 in llvm::DAGTypeLegalizer::PromoteIntegerOperand(llvm::SDNode*, unsigned int) /home/ceemple/llvm/lib/CodeGen/SelectionDAG/LegalizeIntegerTypes.cpp:931:3
    #5 0x4359427 in llvm::DAGTypeLegalizer::run() /home/ceemple/llvm/lib/CodeGen/SelectionDAG/LegalizeTypes.cpp:290:28
    #6 0x4362e39 in llvm::SelectionDAG::LegalizeTypes() /home/ceemple/llvm/lib/CodeGen/SelectionDAG/LegalizeTypes.cpp:1176:34
    #7 0x42eac53 in llvm::SelectionDAGISel::CodeGenAndEmitDAG() /home/ceemple/llvm/lib/CodeGen/SelectionDAG/SelectionDAGISel.cpp:769:23
    #8 0x42ea390 in llvm::SelectionDAGISel::SelectBasicBlock(llvm::ilist_iterator<llvm::Instruction const>, llvm::ilist_iterator<llvm::Instruction const>, bool&) /home/ceemple/llvm/lib/CodeGen/SelectionDAG/SelectionDAGISel.cpp:679:3
    #9 0x42e9b9b in llvm::SelectionDAGISel::SelectAllBasicBlocks(llvm::Function const&) /home/ceemple/llvm/lib/CodeGen/SelectionDAG/SelectionDAGISel.cpp:1482:7
    #10 0x42e67dc in llvm::SelectionDAGISel::runOnMachineFunction(llvm::MachineFunction&) /home/ceemple/llvm/lib/CodeGen/SelectionDAG/SelectionDAGISel.cpp:500:3
    #11 0x1d8f18d in (anonymous namespace)::X86DAGToDAGISel::runOnMachineFunction(llvm::MachineFunction&) /home/ceemple/llvm/lib/Target/X86/X86ISelDAGToDAG.cpp:175:25
    #12 0x257ee25 in llvm::MachineFunctionPass::runOnFunction(llvm::Function&) /home/ceemple/llvm/lib/CodeGen/MachineFunctionPass.cpp:60:13
    #13 0x2ae0241 in llvm::FPPassManager::runOnFunction(llvm::Function&) /home/ceemple/llvm/lib/IR/LegacyPassManager.cpp:1526:27
    #14 0x2ae0572 in llvm::FPPassManager::runOnModule(llvm::Module&) /home/ceemple/llvm/lib/IR/LegacyPassManager.cpp:1547:16
    #15 0x2ae0d63 in (anonymous namespace)::MPPassManager::runOnModule(llvm::Module&) /home/ceemple/llvm/lib/IR/LegacyPassManager.cpp:1603:27
    #16 0x2ae0855 in llvm::legacy::PassManagerImpl::run(llvm::Module&) /home/ceemple/llvm/lib/IR/LegacyPassManager.cpp:1706:44
    #17 0x36413b1 in (anonymous namespace)::EmitAssemblyHelper::EmitAssembly(clang::BackendAction, std::unique_ptr<llvm::raw_pwrite_stream, std::default_delete<llvm::raw_pwrite_stream> >) /home/ceemple/llvm/tools/clang/lib/CodeGen/BackendUtil.cpp:741:19
    #18 0x3640788 in clang::EmitBackendOutput(clang::DiagnosticsEngine&, clang::CodeGenOptions const&, clang::TargetOptions const&, clang::LangOptions const&, llvm::DataLayout const&, llvm::Module*, clang::BackendAction, std::unique_ptr<llvm::raw_pwrite_stream, std::default_delete<llvm::raw_pwrite_stream> >) /home/ceemple/llvm/tools/clang/lib/CodeGen/BackendUtil.cpp:753:13
    #19 0x4461c23 in clang::BackendConsumer::HandleTranslationUnit(clang::ASTContext&) /home/ceemple/llvm/tools/clang/lib/CodeGen/CodeGenAction.cpp:193:7
    #20 0x4d82a1d in clang::ParseAST(clang::Sema&, bool, bool) /home/ceemple/llvm/tools/clang/lib/Parse/ParseAST.cpp:167:13
    #21 0x445f2d5 in clang::CodeGenAction::ExecuteAction() /home/ceemple/llvm/tools/clang/lib/CodeGen/CodeGenAction.cpp:867:28
    #22 0x3dda801 in clang::FrontendAction::Execute() /home/ceemple/llvm/tools/clang/lib/Frontend/FrontendAction.cpp:458:8
    #23 0x3d5d606 in clang::CompilerInstance::ExecuteAction(clang::FrontendAction&) /home/ceemple/llvm/tools/clang/lib/Frontend/CompilerInstance.cpp:868:11
    #24 0x3f14549 in clang::ExecuteCompilerInvocation(clang::CompilerInstance*) /home/ceemple/llvm/tools/clang/lib/FrontendTool/ExecuteCompilerInvocation.cpp:241:25
    #25 0xdb2213 in cc1_main(llvm::ArrayRef<char const*>, char const*, void*) /home/ceemple/llvm/tools/clang/tools/driver/cc1_main.cpp:116:13
    #26 0xda39f8 in ExecuteCC1Tool(llvm::ArrayRef<char const*>, llvm::StringRef) /home/ceemple/llvm/tools/clang/tools/driver/driver.cpp:299:12
    #27 0xda288d in main /home/ceemple/llvm/tools/clang/tools/driver/driver.cpp:380:12
    #28 0x7fa60b39582f in __libc_start_main /build/glibc-GKVZIf/glibc-2.23/csu/../csu/libc-start.c:291
    #29 0xcd3e68 in _start (/home/ceemple/asan/build/bin/clang-4.0+0xcd3e68)

0x61f0000080b8 is located 568 bytes inside of 3072-byte region [0x61f000007e80,0x61f000008a80)
freed by thread T0 here:
    #0 0xd9fefb in operator delete(void*) /home/ceemple/llvm/build/../projects/compiler-rt/lib/asan/asan_new_delete.cc:110:3
    #1 0x42cd773 in llvm::DenseMap<llvm::SDNode const*, llvm::SmallVector<llvm::SDDbgValue*, 2u>, llvm::DenseMapInfo<llvm::SDNode const*>, llvm::detail::DenseMapPair<llvm::SDNode const*, llvm::SmallVector<llvm::SDDbgValue*, 2u> > >::grow(unsigned int) /home/ceemple/llvm/include/llvm/ADT/DenseMap.h:679:5
    #2 0x42cd4d3 in llvm::detail::DenseMapPair<llvm::SDNode const*, llvm::SmallVector<llvm::SDDbgValue*, 2u> >* llvm::DenseMapBase<llvm::DenseMap<llvm::SDNode const*, llvm::SmallVector<llvm::SDDbgValue*, 2u>, llvm::DenseMapInfo<llvm::SDNode const*>, llvm::detail::DenseMapPair<llvm::SDNode const*, llvm::SmallVector<llvm::SDDbgValue*, 2u> > >, llvm::SDNode const*, llvm::SmallVector<llvm::SDDbgValue*, 2u>, llvm::DenseMapInfo<llvm::SDNode const*>, llvm::detail::DenseMapPair<llvm::SDNode const*, llvm::SmallVector<llvm::SDDbgValue*, 2u> > >::InsertIntoBucketImpl<llvm::SDNode const*>(llvm::SDNode const* const&, llvm::SDNode const* const&, llvm::detail::DenseMapPair<llvm::SDNode const*, llvm::SmallVector<llvm::SDDbgValue*, 2u> >*) /home/ceemple/llvm/include/llvm/ADT/DenseMap.h:484:13
    #3 0x42ccf57 in llvm::detail::DenseMapPair<llvm::SDNode const*, llvm::SmallVector<llvm::SDDbgValue*, 2u> >* llvm::DenseMapBase<llvm::DenseMap<llvm::SDNode const*, llvm::SmallVector<llvm::SDDbgValue*, 2u>, llvm::DenseMapInfo<llvm::SDNode const*>, llvm::detail::DenseMapPair<llvm::SDNode const*, llvm::SmallVector<llvm::SDDbgValue*, 2u> > >, llvm::SDNode const*, llvm::SmallVector<llvm::SDDbgValue*, 2u>, llvm::DenseMapInfo<llvm::SDNode const*>, llvm::detail::DenseMapPair<llvm::SDNode const*, llvm::SmallVector<llvm::SDDbgValue*, 2u> > >::InsertIntoBucket<llvm::SDNode const* const&>(llvm::detail::DenseMapPair<llvm::SDNode const*, llvm::SmallVector<llvm::SDDbgValue*, 2u> >*, llvm::SDNode const* const&) /home/ceemple/llvm/include/llvm/ADT/DenseMap.h:450:17
    #4 0x42ccdd5 in llvm::DenseMapBase<llvm::DenseMap<llvm::SDNode const*, llvm::SmallVector<llvm::SDDbgValue*, 2u>, llvm::DenseMapInfo<llvm::SDNode const*>, llvm::detail::DenseMapPair<llvm::SDNode const*, llvm::SmallVector<llvm::SDDbgValue*, 2u> > >, llvm::SDNode const*, llvm::SmallVector<llvm::SDDbgValue*, 2u>, llvm::DenseMapInfo<llvm::SDNode const*>, llvm::detail::DenseMapPair<llvm::SDNode const*, llvm::SmallVector<llvm::SDDbgValue*, 2u> > >::FindAndConstruct(llvm::SDNode const* const&) /home/ceemple/llvm/include/llvm/ADT/DenseMap.h:267:13
    #5 0x42ccca8 in llvm::DenseMapBase<llvm::DenseMap<llvm::SDNode const*, llvm::SmallVector<llvm::SDDbgValue*, 2u>, llvm::DenseMapInfo<llvm::SDNode const*>, llvm::detail::DenseMapPair<llvm::SDNode const*, llvm::SmallVector<llvm::SDDbgValue*, 2u> > >, llvm::SDNode const*, llvm::SmallVector<llvm::SDDbgValue*, 2u>, llvm::DenseMapInfo<llvm::SDNode const*>, llvm::detail::DenseMapPair<llvm::SDNode const*, llvm::SmallVector<llvm::SDDbgValue*, 2u> > >::operator[](llvm::SDNode const* const&) /home/ceemple/llvm/include/llvm/ADT/DenseMap.h:271:12
    #6 0x42c7822 in llvm::SDDbgInfo::add(llvm::SDDbgValue*, llvm::SDNode const*, bool) /home/ceemple/llvm/include/llvm/CodeGen/SelectionDAG.h:132:7
    #7 0x42b68d3 in llvm::SelectionDAG::AddDbgValue(llvm::SDDbgValue*, llvm::SDNode*, bool) /home/ceemple/llvm/lib/CodeGen/SelectionDAG/SelectionDAG.cpp:6632:12
    #8 0x42b46a8 in llvm::SelectionDAG::TransferDbgValues(llvm::SDValue, llvm::SDValue) /home/ceemple/llvm/lib/CodeGen/SelectionDAG/SelectionDAG.cpp:6652:7
    #9 0x42b4187 in llvm::SelectionDAG::ReplaceAllUsesWith(llvm::SDValue, llvm::SDValue) /home/ceemple/llvm/lib/CodeGen/SelectionDAG/SelectionDAG.cpp:6289:3
    #10 0x42b4f97 in llvm::SelectionDAG::ReplaceAllUsesOfValueWith(llvm::SDValue, llvm::SDValue) /home/ceemple/llvm/lib/CodeGen/SelectionDAG/SelectionDAG.cpp:6404:5
    #11 0x435a841 in llvm::DAGTypeLegalizer::ReplaceValueWith(llvm::SDValue, llvm::SDValue) /home/ceemple/llvm/lib/CodeGen/SelectionDAG/LegalizeTypes.cpp:705:9
    #12 0x44215d2 in llvm::DAGTypeLegalizer::PromoteIntegerOperand(llvm::SDNode*, unsigned int) /home/ceemple/llvm/lib/CodeGen/SelectionDAG/LegalizeIntegerTypes.cpp:931:3
    #13 0x4359427 in llvm::DAGTypeLegalizer::run() /home/ceemple/llvm/lib/CodeGen/SelectionDAG/LegalizeTypes.cpp:290:28
    #14 0x4362e39 in llvm::SelectionDAG::LegalizeTypes() /home/ceemple/llvm/lib/CodeGen/SelectionDAG/LegalizeTypes.cpp:1176:34
    #15 0x42eac53 in llvm::SelectionDAGISel::CodeGenAndEmitDAG() /home/ceemple/llvm/lib/CodeGen/SelectionDAG/SelectionDAGISel.cpp:769:23
    #16 0x42ea390 in llvm::SelectionDAGISel::SelectBasicBlock(llvm::ilist_iterator<llvm::Instruction const>, llvm::ilist_iterator<llvm::Instruction const>, bool&) /home/ceemple/llvm/lib/CodeGen/SelectionDAG/SelectionDAGISel.cpp:679:3
    #17 0x42e9b9b in llvm::SelectionDAGISel::SelectAllBasicBlocks(llvm::Function const&) /home/ceemple/llvm/lib/CodeGen/SelectionDAG/SelectionDAGISel.cpp:1482:7
    #18 0x42e67dc in llvm::SelectionDAGISel::runOnMachineFunction(llvm::MachineFunction&) /home/ceemple/llvm/lib/CodeGen/SelectionDAG/SelectionDAGISel.cpp:500:3
    #19 0x1d8f18d in (anonymous namespace)::X86DAGToDAGISel::runOnMachineFunction(llvm::MachineFunction&) /home/ceemple/llvm/lib/Target/X86/X86ISelDAGToDAG.cpp:175:25
    #20 0x257ee25 in llvm::MachineFunctionPass::runOnFunction(llvm::Function&) /home/ceemple/llvm/lib/CodeGen/MachineFunctionPass.cpp:60:13
    #21 0x2ae0241 in llvm::FPPassManager::runOnFunction(llvm::Function&) /home/ceemple/llvm/lib/IR/LegacyPassManager.cpp:1526:27
    #22 0x2ae0572 in llvm::FPPassManager::runOnModule(llvm::Module&) /home/ceemple/llvm/lib/IR/LegacyPassManager.cpp:1547:16
    #23 0x2ae0d63 in (anonymous namespace)::MPPassManager::runOnModule(llvm::Module&) /home/ceemple/llvm/lib/IR/LegacyPassManager.cpp:1603:27
    #24 0x2ae0855 in llvm::legacy::PassManagerImpl::run(llvm::Module&) /home/ceemple/llvm/lib/IR/LegacyPassManager.cpp:1706:44
    #25 0x36413b1 in (anonymous namespace)::EmitAssemblyHelper::EmitAssembly(clang::BackendAction, std::unique_ptr<llvm::raw_pwrite_stream, std::default_delete<llvm::raw_pwrite_stream> >) /home/ceemple/llvm/tools/clang/lib/CodeGen/BackendUtil.cpp:741:19
    #26 0x3640788 in clang::EmitBackendOutput(clang::DiagnosticsEngine&, clang::CodeGenOptions const&, clang::TargetOptions const&, clang::LangOptions const&, llvm::DataLayout const&, llvm::Module*, clang::BackendAction, std::unique_ptr<llvm::raw_pwrite_stream, std::default_delete<llvm::raw_pwrite_stream> >) /home/ceemple/llvm/tools/clang/lib/CodeGen/BackendUtil.cpp:753:13
    #27 0x4461c23 in clang::BackendConsumer::HandleTranslationUnit(clang::ASTContext&) /home/ceemple/llvm/tools/clang/lib/CodeGen/CodeGenAction.cpp:193:7
    #28 0x4d82a1d in clang::ParseAST(clang::Sema&, bool, bool) /home/ceemple/llvm/tools/clang/lib/Parse/ParseAST.cpp:167:13
    #29 0x445f2d5 in clang::CodeGenAction::ExecuteAction() /home/ceemple/llvm/tools/clang/lib/CodeGen/CodeGenAction.cpp:867:28

previously allocated by thread T0 here:
    #0 0xd9f8fb in operator new(unsigned long) /home/ceemple/llvm/build/../projects/compiler-rt/lib/asan/asan_new_delete.cc:78:35
    #1 0x42cab42 in llvm::DenseMap<llvm::SDNode const*, llvm::SmallVector<llvm::SDDbgValue*, 2u>, llvm::DenseMapInfo<llvm::SDNode const*>, llvm::detail::DenseMapPair<llvm::SDNode const*, llvm::SmallVector<llvm::SDDbgValue*, 2u> > >::allocateBuckets(unsigned int) /home/ceemple/llvm/include/llvm/ADT/DenseMap.h:729:37
    #2 0x42cd72c in llvm::DenseMap<llvm::SDNode const*, llvm::SmallVector<llvm::SDDbgValue*, 2u>, llvm::DenseMapInfo<llvm::SDNode const*>, llvm::detail::DenseMapPair<llvm::SDNode const*, llvm::SmallVector<llvm::SDDbgValue*, 2u> > >::grow(unsigned int) /home/ceemple/llvm/include/llvm/ADT/DenseMap.h:669:5
    #3 0x42cd4d3 in llvm::detail::DenseMapPair<llvm::SDNode const*, llvm::SmallVector<llvm::SDDbgValue*, 2u> >* llvm::DenseMapBase<llvm::DenseMap<llvm::SDNode const*, llvm::SmallVector<llvm::SDDbgValue*, 2u>, llvm::DenseMapInfo<llvm::SDNode const*>, llvm::detail::DenseMapPair<llvm::SDNode const*, llvm::SmallVector<llvm::SDDbgValue*, 2u> > >, llvm::SDNode const*, llvm::SmallVector<llvm::SDDbgValue*, 2u>, llvm::DenseMapInfo<llvm::SDNode const*>, llvm::detail::DenseMapPair<llvm::SDNode const*, llvm::SmallVector<llvm::SDDbgValue*, 2u> > >::InsertIntoBucketImpl<llvm::SDNode const*>(llvm::SDNode const* const&, llvm::SDNode const* const&, llvm::detail::DenseMapPair<llvm::SDNode const*, llvm::SmallVector<llvm::SDDbgValue*, 2u> >*) /home/ceemple/llvm/include/llvm/ADT/DenseMap.h:484:13
    #4 0x42ccf57 in llvm::detail::DenseMapPair<llvm::SDNode const*, llvm::SmallVector<llvm::SDDbgValue*, 2u> >* llvm::DenseMapBase<llvm::DenseMap<llvm::SDNode const*, llvm::SmallVector<llvm::SDDbgValue*, 2u>, llvm::DenseMapInfo<llvm::SDNode const*>, llvm::detail::DenseMapPair<llvm::SDNode const*, llvm::SmallVector<llvm::SDDbgValue*, 2u> > >, llvm::SDNode const*, llvm::SmallVector<llvm::SDDbgValue*, 2u>, llvm::DenseMapInfo<llvm::SDNode const*>, llvm::detail::DenseMapPair<llvm::SDNode const*, llvm::SmallVector<llvm::SDDbgValue*, 2u> > >::InsertIntoBucket<llvm::SDNode const* const&>(llvm::detail::DenseMapPair<llvm::SDNode const*, llvm::SmallVector<llvm::SDDbgValue*, 2u> >*, llvm::SDNode const* const&) /home/ceemple/llvm/include/llvm/ADT/DenseMap.h:450:17
    #5 0x42ccdd5 in llvm::DenseMapBase<llvm::DenseMap<llvm::SDNode const*, llvm::SmallVector<llvm::SDDbgValue*, 2u>, llvm::DenseMapInfo<llvm::SDNode const*>, llvm::detail::DenseMapPair<llvm::SDNode const*, llvm::SmallVector<llvm::SDDbgValue*, 2u> > >, llvm::SDNode const*, llvm::SmallVector<llvm::SDDbgValue*, 2u>, llvm::DenseMapInfo<llvm::SDNode const*>, llvm::detail::DenseMapPair<llvm::SDNode const*, llvm::SmallVector<llvm::SDDbgValue*, 2u> > >::FindAndConstruct(llvm::SDNode const* const&) /home/ceemple/llvm/include/llvm/ADT/DenseMap.h:267:13
    #6 0x42ccca8 in llvm::DenseMapBase<llvm::DenseMap<llvm::SDNode const*, llvm::SmallVector<llvm::SDDbgValue*, 2u>, llvm::DenseMapInfo<llvm::SDNode const*>, llvm::detail::DenseMapPair<llvm::SDNode const*, llvm::SmallVector<llvm::SDDbgValue*, 2u> > >, llvm::SDNode const*, llvm::SmallVector<llvm::SDDbgValue*, 2u>, llvm::DenseMapInfo<llvm::SDNode const*>, llvm::detail::DenseMapPair<llvm::SDNode const*, llvm::SmallVector<llvm::SDDbgValue*, 2u> > >::operator[](llvm::SDNode const* const&) /home/ceemple/llvm/include/llvm/ADT/DenseMap.h:271:12
    #7 0x42c7822 in llvm::SDDbgInfo::add(llvm::SDDbgValue*, llvm::SDNode const*, bool) /home/ceemple/llvm/include/llvm/CodeGen/SelectionDAG.h:132:7
    #8 0x42b68d3 in llvm::SelectionDAG::AddDbgValue(llvm::SDDbgValue*, llvm::SDNode*, bool) /home/ceemple/llvm/lib/CodeGen/SelectionDAG/SelectionDAG.cpp:6632:12
    #9 0x421ef91 in llvm::SelectionDAGBuilder::visitIntrinsicCall(llvm::CallInst const&, unsigned int) /home/ceemple/llvm/lib/CodeGen/SelectionDAG/SelectionDAGBuilder.cpp:4936:11
    #10 0x41f2c10 in llvm::SelectionDAGBuilder::visitCall(llvm::CallInst const&) /home/ceemple/llvm/lib/CodeGen/SelectionDAG/SelectionDAGBuilder.cpp:6216:20
    #11 0x41e1b8d in llvm::SelectionDAGBuilder::visit(llvm::Instruction const&) /home/ceemple/llvm/lib/CodeGen/SelectionDAG/SelectionDAGBuilder.cpp:981:3
    #12 0x42ea2c2 in llvm::SelectionDAGISel::SelectBasicBlock(llvm::ilist_iterator<llvm::Instruction const>, llvm::ilist_iterator<llvm::Instruction const>, bool&) /home/ceemple/llvm/lib/CodeGen/SelectionDAG/SelectionDAGISel.cpp:671:10
    #13 0x42e9b9b in llvm::SelectionDAGISel::SelectAllBasicBlocks(llvm::Function const&) /home/ceemple/llvm/lib/CodeGen/SelectionDAG/SelectionDAGISel.cpp:1482:7
    #14 0x42e67dc in llvm::SelectionDAGISel::runOnMachineFunction(llvm::MachineFunction&) /home/ceemple/llvm/lib/CodeGen/SelectionDAG/SelectionDAGISel.cpp:500:3
    #15 0x1d8f18d in (anonymous namespace)::X86DAGToDAGISel::runOnMachineFunction(llvm::MachineFunction&) /home/ceemple/llvm/lib/Target/X86/X86ISelDAGToDAG.cpp:175:25
    #16 0x257ee25 in llvm::MachineFunctionPass::runOnFunction(llvm::Function&) /home/ceemple/llvm/lib/CodeGen/MachineFunctionPass.cpp:60:13
    #17 0x2ae0241 in llvm::FPPassManager::runOnFunction(llvm::Function&) /home/ceemple/llvm/lib/IR/LegacyPassManager.cpp:1526:27
    #18 0x2ae0572 in llvm::FPPassManager::runOnModule(llvm::Module&) /home/ceemple/llvm/lib/IR/LegacyPassManager.cpp:1547:16
    #19 0x2ae0d63 in (anonymous namespace)::MPPassManager::runOnModule(llvm::Module&) /home/ceemple/llvm/lib/IR/LegacyPassManager.cpp:1603:27
    #20 0x2ae0855 in llvm::legacy::PassManagerImpl::run(llvm::Module&) /home/ceemple/llvm/lib/IR/LegacyPassManager.cpp:1706:44
    #21 0x36413b1 in (anonymous namespace)::EmitAssemblyHelper::EmitAssembly(clang::BackendAction, std::unique_ptr<llvm::raw_pwrite_stream, std::default_delete<llvm::raw_pwrite_stream> >) /home/ceemple/llvm/tools/clang/lib/CodeGen/BackendUtil.cpp:741:19
    #22 0x3640788 in clang::EmitBackendOutput(clang::DiagnosticsEngine&, clang::CodeGenOptions const&, clang::TargetOptions const&, clang::LangOptions const&, llvm::DataLayout const&, llvm::Module*, clang::BackendAction, std::unique_ptr<llvm::raw_pwrite_stream, std::default_delete<llvm::raw_pwrite_stream> >) /home/ceemple/llvm/tools/clang/lib/CodeGen/BackendUtil.cpp:753:13
    #23 0x4461c23 in clang::BackendConsumer::HandleTranslationUnit(clang::ASTContext&) /home/ceemple/llvm/tools/clang/lib/CodeGen/CodeGenAction.cpp:193:7
    #24 0x4d82a1d in clang::ParseAST(clang::Sema&, bool, bool) /home/ceemple/llvm/tools/clang/lib/Parse/ParseAST.cpp:167:13
    #25 0x445f2d5 in clang::CodeGenAction::ExecuteAction() /home/ceemple/llvm/tools/clang/lib/CodeGen/CodeGenAction.cpp:867:28
    #26 0x3dda801 in clang::FrontendAction::Execute() /home/ceemple/llvm/tools/clang/lib/Frontend/FrontendAction.cpp:458:8
    #27 0x3d5d606 in clang::CompilerInstance::ExecuteAction(clang::FrontendAction&) /home/ceemple/llvm/tools/clang/lib/Frontend/CompilerInstance.cpp:868:11
    #28 0x3f14549 in clang::ExecuteCompilerInvocation(clang::CompilerInstance*) /home/ceemple/llvm/tools/clang/lib/FrontendTool/ExecuteCompilerInvocation.cpp:241:25
    #29 0xdb2213 in cc1_main(llvm::ArrayRef<char const*>, char const*, void*) /home/ceemple/llvm/tools/clang/tools/driver/cc1_main.cpp:116:13

SUMMARY: AddressSanitizer: heap-use-after-free /home/ceemple/llvm/lib/CodeGen/SelectionDAG/SelectionDAG.cpp:6644:23 in llvm::SelectionDAG::TransferDbgValues(llvm::SDValue, llvm::SDValue)
Shadow bytes around the buggy address:
  0x0c3e7fff8fc0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c3e7fff8fd0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c3e7fff8fe0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c3e7fff8ff0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c3e7fff9000: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
=>0x0c3e7fff9010: fd fd fd fd fd fd fd[fd]fd fd fd fd fd fd fd fd
  0x0c3e7fff9020: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c3e7fff9030: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c3e7fff9040: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c3e7fff9050: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c3e7fff9060: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==19198==ABORTING

Comment 1 Yaron Keren 2016-07-28 00:37:26 PDT

possibly duplicate of bug 28613

Comment 2 Hans Wennborg 2016-07-29 11:20:27 PDT

Nirav's r277135 seems to have fixed this.

Comment 3 Yaron Keren 2016-08-03 02:55:38 PDT

fixed for me too, thanks!