
Bug 50638 - clang crashes on valid code at -Os and above on x86_64-linux-gnu (in 'Simplify the CFG')
Summary: clang crashes on valid code at -Os and above on x86_64-linux-gnu (in 'Simplif...
Status: RESOLVED FIXED
Alias: None
Product: libraries
Classification: Unclassified
Component: Transformation Utilities
Version: trunk
Hardware: PC All
Importance: P enhancement
Assignee: Unassigned LLVM Bugs
Reported: 2021-06-09 04:07 PDT by Zhendong Su
Modified: 2021-06-11 07:35 PDT

Description Zhendong Su 2021-06-09 04:07:11 PDT
[551] % clangtk -v
clang version 13.0.0 (https://github.com/llvm/llvm-project.git 205cde63c70e017a71d1ec06377421f7733f2ad5)
Target: x86_64-unknown-linux-gnu
Thread model: posix
InstalledDir: /local/suz-local/opfuzz/bin
Found candidate GCC installation: /usr/lib/gcc/i686-linux-gnu/8
Found candidate GCC installation: /usr/lib/gcc/x86_64-linux-gnu/6
Found candidate GCC installation: /usr/lib/gcc/x86_64-linux-gnu/6.5.0
Found candidate GCC installation: /usr/lib/gcc/x86_64-linux-gnu/7
Found candidate GCC installation: /usr/lib/gcc/x86_64-linux-gnu/7.5.0
Found candidate GCC installation: /usr/lib/gcc/x86_64-linux-gnu/8
Selected GCC installation: /usr/lib/gcc/x86_64-linux-gnu/7.5.0
Candidate multilib: .;@m64
Candidate multilib: 32;@m32
Candidate multilib: x32;@mx32
Selected multilib: .;@m64
[552] % 
[552] % clangtk -O1 small.c; ./a.out
[553] % 
[553] % clangtk -Os small.c
PLEASE submit a bug report to https://bugs.llvm.org/ and include the crash backtrace, preprocessed source, and associated run script.
Stack dump:
0.	Program arguments: /local/suz-local/software/local/clang-trunk/bin/clang-13 -cc1 -triple x86_64-unknown-linux-gnu -emit-obj --mrelax-relocations -disable-free -main-file-name small.c -mrelocation-model static -mframe-pointer=none -fmath-errno -fno-rounding-math -mconstructor-aliases -munwind-tables -target-cpu x86-64 -tune-cpu generic -debugger-tuning=gdb -fcoverage-compilation-dir=/local/suz-local/software/emitesting/bugs/20210609-clangtk-m64-O3-g-Weverything-pipe-fPIC-build-121036/delta -resource-dir /local/suz-local/software/local/clang-trunk/lib/clang/13.0.0 -I /usr/local/include/csmith -internal-isystem /local/suz-local/software/local/clang-trunk/lib/clang/13.0.0/include -internal-isystem /usr/local/include -internal-isystem /usr/lib/gcc/x86_64-linux-gnu/7.5.0/../../../../x86_64-linux-gnu/include -internal-externc-isystem /usr/include/x86_64-linux-gnu -internal-externc-isystem /include -internal-externc-isystem /usr/include -Os -fdebug-compilation-dir=/local/suz-local/software/emitesting/bugs/20210609-clangtk-m64-O3-g-Weverything-pipe-fPIC-build-121036/delta -ferror-limit 19 -fgnuc-version=4.2.1 -fcolor-diagnostics -vectorize-loops -vectorize-slp -faddrsig -D__GCC_HAVE_DWARF2_CFI_ASM=1 -o /tmp/small-2b81e3.o -x c small.c
1.	<eof> parser at end of file
2.	Optimizer
 #0 0x00005634604aa35f PrintStackTraceSignalHandler(void*) Signals.cpp:0:0
 #1 0x00005634604a7bad SignalHandler(int) Signals.cpp:0:0
 #2 0x00007f695207f980 __restore_rt (/lib/x86_64-linux-gnu/libpthread.so.0+0x12980)
 #3 0x000056345fccbd30 llvm::Type::getInt1Ty(llvm::LLVMContext&) (/local/suz-local/software/local/clang-trunk/bin/clang-13+0x2fbad30)
 #4 0x000056345fc4b4c8 llvm::SelectInst::areInvalidOperands(llvm::Value*, llvm::Value*, llvm::Value*) (.part.492) Instructions.cpp:0:0
 #5 0x000056345fc2d71f llvm::IRBuilderBase::CreateSelect(llvm::Value*, llvm::Value*, llvm::Value*, llvm::Twine const&, llvm::Instruction*) (/local/suz-local/software/local/clang-trunk/bin/clang-13+0x2f1c71f)
 #6 0x0000563460611b1e FoldTwoEntryPHINode(llvm::PHINode*, llvm::TargetTransformInfo const&, llvm::DomTreeUpdater*, llvm::DataLayout const&) SimplifyCFG.cpp:0:0
 #7 0x0000563460628872 llvm::simplifyCFG(llvm::BasicBlock*, llvm::TargetTransformInfo const&, llvm::DomTreeUpdater*, llvm::SimplifyCFGOptions const&, llvm::ArrayRef<llvm::WeakVH>) (/local/suz-local/software/local/clang-trunk/bin/clang-13+0x3917872)
 #8 0x000056346039717f iterativelySimplifyCFG(llvm::Function&, llvm::TargetTransformInfo const&, llvm::DomTreeUpdater*, llvm::SimplifyCFGOptions const&) SimplifyCFGPass.cpp:0:0
 #9 0x0000563460397cc6 simplifyFunctionCFGImpl(llvm::Function&, llvm::TargetTransformInfo const&, llvm::DominatorTree*, llvm::SimplifyCFGOptions const&) SimplifyCFGPass.cpp:0:0
#10 0x0000563460399434 llvm::SimplifyCFGPass::run(llvm::Function&, llvm::AnalysisManager<llvm::Function>&) (/local/suz-local/software/local/clang-trunk/bin/clang-13+0x3688434)
#11 0x000056345e8ca271 llvm::detail::PassModel<llvm::Function, llvm::SimplifyCFGPass, llvm::PreservedAnalyses, llvm::AnalysisManager<llvm::Function> >::run(llvm::Function&, llvm::AnalysisManager<llvm::Function>&) (/local/suz-local/software/local/clang-trunk/bin/clang-13+0x1bb9271)
#12 0x000056345fcbf37c llvm::PassManager<llvm::Function, llvm::AnalysisManager<llvm::Function> >::run(llvm::Function&, llvm::AnalysisManager<llvm::Function>&) (/local/suz-local/software/local/clang-trunk/bin/clang-13+0x2fae37c)
#13 0x000056345e320361 llvm::detail::PassModel<llvm::Function, llvm::PassManager<llvm::Function, llvm::AnalysisManager<llvm::Function> >, llvm::PreservedAnalyses, llvm::AnalysisManager<llvm::Function> >::run(llvm::Function&, llvm::AnalysisManager<llvm::Function>&) (/local/suz-local/software/local/clang-trunk/bin/clang-13+0x160f361)
#14 0x000056345f416bc4 llvm::CGSCCToFunctionPassAdaptor::run(llvm::LazyCallGraph::SCC&, llvm::AnalysisManager<llvm::LazyCallGraph::SCC, llvm::LazyCallGraph&>&, llvm::LazyCallGraph&, llvm::CGSCCUpdateResult&) (/local/suz-local/software/local/clang-trunk/bin/clang-13+0x2705bc4)
#15 0x000056345e320e41 llvm::detail::PassModel<llvm::LazyCallGraph::SCC, llvm::CGSCCToFunctionPassAdaptor, llvm::PreservedAnalyses, llvm::AnalysisManager<llvm::LazyCallGraph::SCC, llvm::LazyCallGraph&>, llvm::LazyCallGraph&, llvm::CGSCCUpdateResult&>::run(llvm::LazyCallGraph::SCC&, llvm::AnalysisManager<llvm::LazyCallGraph::SCC, llvm::LazyCallGraph&>&, llvm::LazyCallGraph&, llvm::CGSCCUpdateResult&) (/local/suz-local/software/local/clang-trunk/bin/clang-13+0x160fe41)
#16 0x000056345f40f6e3 llvm::PassManager<llvm::LazyCallGraph::SCC, llvm::AnalysisManager<llvm::LazyCallGraph::SCC, llvm::LazyCallGraph&>, llvm::LazyCallGraph&, llvm::CGSCCUpdateResult&>::run(llvm::LazyCallGraph::SCC&, llvm::AnalysisManager<llvm::LazyCallGraph::SCC, llvm::LazyCallGraph&>&, llvm::LazyCallGraph&, llvm::CGSCCUpdateResult&) (/local/suz-local/software/local/clang-trunk/bin/clang-13+0x26fe6e3)
#17 0x000056345fdbcaf1 llvm::detail::PassModel<llvm::LazyCallGraph::SCC, llvm::PassManager<llvm::LazyCallGraph::SCC, llvm::AnalysisManager<llvm::LazyCallGraph::SCC, llvm::LazyCallGraph&>, llvm::LazyCallGraph&, llvm::CGSCCUpdateResult&>, llvm::PreservedAnalyses, llvm::AnalysisManager<llvm::LazyCallGraph::SCC, llvm::LazyCallGraph&>, llvm::LazyCallGraph&, llvm::CGSCCUpdateResult&>::run(llvm::LazyCallGraph::SCC&, llvm::AnalysisManager<llvm::LazyCallGraph::SCC, llvm::LazyCallGraph&>&, llvm::LazyCallGraph&, llvm::CGSCCUpdateResult&) (/local/suz-local/software/local/clang-trunk/bin/clang-13+0x30abaf1)
#18 0x000056345f412b88 llvm::DevirtSCCRepeatedPass::run(llvm::LazyCallGraph::SCC&, llvm::AnalysisManager<llvm::LazyCallGraph::SCC, llvm::LazyCallGraph&>&, llvm::LazyCallGraph&, llvm::CGSCCUpdateResult&) (/local/suz-local/software/local/clang-trunk/bin/clang-13+0x2701b88)
#19 0x000056345fdbcab1 llvm::detail::PassModel<llvm::LazyCallGraph::SCC, llvm::DevirtSCCRepeatedPass, llvm::PreservedAnalyses, llvm::AnalysisManager<llvm::LazyCallGraph::SCC, llvm::LazyCallGraph&>, llvm::LazyCallGraph&, llvm::CGSCCUpdateResult&>::run(llvm::LazyCallGraph::SCC&, llvm::AnalysisManager<llvm::LazyCallGraph::SCC, llvm::LazyCallGraph&>&, llvm::LazyCallGraph&, llvm::CGSCCUpdateResult&) (/local/suz-local/software/local/clang-trunk/bin/clang-13+0x30abab1)
#20 0x000056345f41113b llvm::ModuleToPostOrderCGSCCPassAdaptor::run(llvm::Module&, llvm::AnalysisManager<llvm::Module>&) (/local/suz-local/software/local/clang-trunk/bin/clang-13+0x270013b)
#21 0x000056345fdbcb31 llvm::detail::PassModel<llvm::Module, llvm::ModuleToPostOrderCGSCCPassAdaptor, llvm::PreservedAnalyses, llvm::AnalysisManager<llvm::Module> >::run(llvm::Module&, llvm::AnalysisManager<llvm::Module>&) (/local/suz-local/software/local/clang-trunk/bin/clang-13+0x30abb31)
#22 0x000056345fcbd424 llvm::PassManager<llvm::Module, llvm::AnalysisManager<llvm::Module> >::run(llvm::Module&, llvm::AnalysisManager<llvm::Module>&) (/local/suz-local/software/local/clang-trunk/bin/clang-13+0x2fac424)
#23 0x000056345fdbf2a3 llvm::ModuleInlinerWrapperPass::run(llvm::Module&, llvm::AnalysisManager<llvm::Module>&) (/local/suz-local/software/local/clang-trunk/bin/clang-13+0x30ae2a3)
#24 0x00005634614d1151 llvm::detail::PassModel<llvm::Module, llvm::ModuleInlinerWrapperPass, llvm::PreservedAnalyses, llvm::AnalysisManager<llvm::Module> >::run(llvm::Module&, llvm::AnalysisManager<llvm::Module>&) (/local/suz-local/software/local/clang-trunk/bin/clang-13+0x47c0151)
#25 0x000056345fcbd424 llvm::PassManager<llvm::Module, llvm::AnalysisManager<llvm::Module> >::run(llvm::Module&, llvm::AnalysisManager<llvm::Module>&) (/local/suz-local/software/local/clang-trunk/bin/clang-13+0x2fac424)
#26 0x0000563460790508 (anonymous namespace)::EmitAssemblyHelper::EmitAssemblyWithNewPassManager(clang::BackendAction, std::unique_ptr<llvm::raw_pwrite_stream, std::default_delete<llvm::raw_pwrite_stream> >) BackendUtil.cpp:0:0
#27 0x0000563460795443 clang::EmitBackendOutput(clang::DiagnosticsEngine&, clang::HeaderSearchOptions const&, clang::CodeGenOptions const&, clang::TargetOptions const&, clang::LangOptions const&, llvm::StringRef, llvm::Module*, clang::BackendAction, std::unique_ptr<llvm::raw_pwrite_stream, std::default_delete<llvm::raw_pwrite_stream> >) (/local/suz-local/software/local/clang-trunk/bin/clang-13+0x3a84443)
#28 0x00005634614554ea clang::BackendConsumer::HandleTranslationUnit(clang::ASTContext&) (/local/suz-local/software/local/clang-trunk/bin/clang-13+0x47444ea)
#29 0x0000563462321179 clang::ParseAST(clang::Sema&, bool, bool) (/local/suz-local/software/local/clang-trunk/bin/clang-13+0x5610179)
#30 0x0000563461455688 clang::CodeGenAction::ExecuteAction() (/local/suz-local/software/local/clang-trunk/bin/clang-13+0x4744688)
#31 0x0000563460db5b81 clang::FrontendAction::Execute() (/local/suz-local/software/local/clang-trunk/bin/clang-13+0x40a4b81)
#32 0x0000563460d5244a clang::CompilerInstance::ExecuteAction(clang::FrontendAction&) (/local/suz-local/software/local/clang-trunk/bin/clang-13+0x404144a)
#33 0x0000563460e8379a clang::ExecuteCompilerInvocation(clang::CompilerInstance*) (/local/suz-local/software/local/clang-trunk/bin/clang-13+0x417279a)
#34 0x000056345e09c6cc cc1_main(llvm::ArrayRef<char const*>, char const*, void*) (/local/suz-local/software/local/clang-trunk/bin/clang-13+0x138b6cc)
#35 0x000056345e097a79 ExecuteCC1Tool(llvm::SmallVectorImpl<char const*>&) driver.cpp:0:0
#36 0x000056345dfc4407 main (/local/suz-local/software/local/clang-trunk/bin/clang-13+0x12b3407)
#37 0x00007f6950d13bf7 __libc_start_main /build/glibc-S9d2JN/glibc-2.27/csu/../csu/libc-start.c:344:0
#38 0x000056345e0975ea _start (/local/suz-local/software/local/clang-trunk/bin/clang-13+0x13865ea)
clang-13: error: unable to execute command: Segmentation fault
clang-13: error: clang frontend command failed due to signal (use -v to see invocation)
clang version 13.0.0 (https://github.com/llvm/llvm-project.git 205cde63c70e017a71d1ec06377421f7733f2ad5)
Target: x86_64-unknown-linux-gnu
Thread model: posix
InstalledDir: /local/suz-local/opfuzz/bin
clang-13: note: diagnostic msg: 
********************

PLEASE ATTACH THE FOLLOWING FILES TO THE BUG REPORT:
Preprocessed source(s) and associated run script(s) are located at:
clang-13: note: diagnostic msg: /tmp/small-bfab67.c
clang-13: note: diagnostic msg: /tmp/small-bfab67.sh
clang-13: note: diagnostic msg: 

********************
[554] % 
[554] % cat small.c
int a;
int main() {
  a = 0;
  while (a)
    for (a = 0; a < 1; a++)
      ;
  return 0;
}
Comment 1 Simon Pilgrim 2021-06-09 05:39:32 PDT
crashes on: opt -simplifycfg

; ModuleID = 'bugpoint-reduced-conditionals.bc'
source_filename = "fuzz.ll"
target triple = "x86_64-unknown-linux-gnu"

@a = external dso_local global i32, align 4

define dso_local i32 @main() local_unnamed_addr {
entry:
  store i32 0, i32* @a, align 4
  br label %while.cond

while.cond:                                       ; preds = %for.cond, %entry
  %tobool.not = phi i1 [ false, %for.cond ], [ true, %entry ]
  br i1 %tobool.not, label %while.end, label %for.cond

for.cond:                                         ; preds = %for.inc, %while.cond
  %cmp = phi i1 [ true, %while.cond ], [ false, %for.inc ]
  %storemerge = phi i32 [ 0, %while.cond ], [ 1, %for.inc ]
  store i32 %storemerge, i32* @a, align 4
  br i1 %cmp, label %for.inc, label %while.cond

for.inc:                                          ; preds = %for.cond
  br label %for.cond

while.end:                                        ; preds = %while.cond
  ret i32 0
}
Comment 2 Sanjay Patel 2021-06-09 07:56:02 PDT
I'm not seeing a crash with the original C program or the simplifycfg reduction with a freshly built compiler. 

And not seeing a crash on godbolt:
https://godbolt.org/z/dPqh11zx7

But I don't see any recent changes to simplifycfg that would account for a difference either...ideas?
Comment 3 Simon Pilgrim 2021-06-09 10:47:29 PDT
I'm still seeing this with asserts enabled: https://godbolt.org/z/fcToWdsP1
Comment 4 Sanjay Patel 2021-06-11 06:49:20 PDT
Should be fixed with:
https://reviews.llvm.org/rG602ab248335e

Simon or Zhendong, I'll leave this open until you can confirm (or we can wait for godbolt to update). 

I never got the assert on my release-with-asserts build (so the regression test in the patch already passed for me), but I was able to see the use-after-free problem in a debug build.
Comment 5 Zhendong Su 2021-06-11 07:34:58 PDT
(In reply to Sanjay Patel from comment #4)
> Should be fixed with:
> https://reviews.llvm.org/rG602ab248335e
> 
> Simon or Zhendong, I'll leave this open until you can confirm (or we can
> wait for godbolt to update). 
> 
> I never got the assert on my release-with-asserts build (so the regression
> test in the patch already passed for me), but I was able to see the
> use-after-free problem in a debug build.

Sanjay, I can confirm that the crash has been fixed (with my build of e2d0798bc3e462738c557270528e8a983df0cf02); thanks.