Description
A heap-use-after-free (UAF) occurs in clang built from the recent commit 93f339b.
$ clang-trunk -v
clang version 22.0.0git (https://github.com/llvm/llvm-project.git 93f339b5933f3a8fe02ad185c2c79d69ab78ba0d)
Target: x86_64-unknown-linux-gnu
The reduced test case and profile data are attached.
Steps to reproduce:
- Generate the profile by:
llvm-profdata merge -o test.profdata profile.txt
- Compile at `-Os` using PGO with the profile:
clang-trunk -Os -fprofile-instr-use=test.profdata test.c
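Crash info (AddressSanitizer report from the clang process itself; without an ASan-instrumented clang the use-after-free may not produce a visible crash). Both the faulting read (VPlanConstruction.cpp:581) and the `realloc` that freed the region (reached through `VPlan::getOrAddLiveIn` from VPlanConstruction.cpp:577) are inside `simplifyLiveInsWithSCEV`, which suggests the live-in `MapVector` is being grown while it is still being iterated: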
==3176394==ERROR: AddressSanitizer: heap-use-after-free on address 0x6160000217c8 at pc 0x563b4ef180d0 bp 0x7fff19036db0 sp 0x7fff19036da8
READ of size 8 at 0x6160000217c8 thread T0
#0 0x563b4ef180cf in simplifyLiveInsWithSCEV(llvm::VPlan&, llvm::PredicatedScalarEvolution&) /home/x27zhou/compilers/llvm-project/llvm/lib/Transforms/Vectorize/VPlanConstruction.cpp:581:24
#1 0x563b4ef180cf in llvm::VPlanTransforms::buildVPlan0(llvm::Loop*, llvm::LoopInfo&, llvm::Type*, llvm::DebugLoc, llvm::PredicatedScalarEvolution&, llvm::LoopVersioning*) /home/x27zhou/compilers/llvm-project/llvm/lib/Transforms/Vectorize/VPlanConstruction.cpp:594:3
#2 0x563b4e9b8ff0 in llvm::LoopVectorizationPlanner::buildVPlansWithVPRecipes(llvm::ElementCount, llvm::ElementCount) /home/x27zhou/compilers/llvm-project/llvm/lib/Transforms/Vectorize/LoopVectorize.cpp:8315:17
#3 0x563b4e9b7dda in llvm::LoopVectorizationPlanner::plan(llvm::ElementCount, unsigned int) /home/x27zhou/compilers/llvm-project/llvm/lib/Transforms/Vectorize/LoopVectorize.cpp:6821:3
#4 0x563b4e9f52a3 in llvm::LoopVectorizePass::processLoop(llvm::Loop*) /home/x27zhou/compilers/llvm-project/llvm/lib/Transforms/Vectorize/LoopVectorize.cpp:9992:7
#5 0x563b4ea17116 in llvm::LoopVectorizePass::runImpl(llvm::Function&) /home/x27zhou/compilers/llvm-project/llvm/lib/Transforms/Vectorize/LoopVectorize.cpp:10264:30
#6 0x563b4ea18afc in llvm::LoopVectorizePass::run(llvm::Function&, llvm::AnalysisManager<llvm::Function>&) /home/x27zhou/compilers/llvm-project/llvm/lib/Transforms/Vectorize/LoopVectorize.cpp:10302:32
#7 0x563b4cfb44e1 in llvm::detail::PassModel<llvm::Function, llvm::LoopVectorizePass, llvm::AnalysisManager<llvm::Function> >::run(llvm::Function&, llvm::AnalysisManager<llvm::Function>&) /home/x27zhou/compilers/llvm-project/llvm/include/llvm/IR/PassManagerInternal.h:91:17
#8 0x563b48d929f7 in llvm::PassManager<llvm::Function, llvm::AnalysisManager<llvm::Function> >::run(llvm::Function&, llvm::AnalysisManager<llvm::Function>&) /home/x27zhou/compilers/llvm-project/llvm/include/llvm/IR/PassManagerImpl.h:76:38
#9 0x563b4234f6d1 in llvm::detail::PassModel<llvm::Function, llvm::PassManager<llvm::Function, llvm::AnalysisManager<llvm::Function> >, llvm::AnalysisManager<llvm::Function> >::run(llvm::Function&, llvm::AnalysisManager<llvm::Function>&) /home/x27zhou/compilers/llvm-project/llvm/include/llvm/IR/PassManagerInternal.h:91:17
#10 0x563b48d9ee81 in llvm::ModuleToFunctionPassAdaptor::run(llvm::Module&, llvm::AnalysisManager<llvm::Module>&) /home/x27zhou/compilers/llvm-project/llvm/lib/IR/PassManager.cpp:127:38
#11 0x563b42352cd1 in llvm::detail::PassModel<llvm::Module, llvm::ModuleToFunctionPassAdaptor, llvm::AnalysisManager<llvm::Module> >::run(llvm::Module&, llvm::AnalysisManager<llvm::Module>&) /home/x27zhou/compilers/llvm-project/llvm/include/llvm/IR/PassManagerInternal.h:91:17
#12 0x563b48d8f4e7 in llvm::PassManager<llvm::Module, llvm::AnalysisManager<llvm::Module> >::run(llvm::Module&, llvm::AnalysisManager<llvm::Module>&) /home/x27zhou/compilers/llvm-project/llvm/include/llvm/IR/PassManagerImpl.h:76:38
#13 0x563b4a6dfd06 in (anonymous namespace)::EmitAssemblyHelper::RunOptimizationPipeline(clang::BackendAction, std::unique_ptr<llvm::raw_pwrite_stream, std::default_delete<llvm::raw_pwrite_stream> >&, std::unique_ptr<llvm::ToolOutputFile, std::default_delete<llvm::ToolOutputFile> >&, clang::BackendConsumer*) /home/x27zhou/compilers/llvm-project/clang/lib/CodeGen/BackendUtil.cpp:1261:9
#14 0x563b4a6c1f6f in (anonymous namespace)::EmitAssemblyHelper::emitAssembly(clang::BackendAction, std::unique_ptr<llvm::raw_pwrite_stream, std::default_delete<llvm::raw_pwrite_stream> >, clang::BackendConsumer*) /home/x27zhou/compilers/llvm-project/clang/lib/CodeGen/BackendUtil.cpp:1334:3
#15 0x563b4a6c1f6f in clang::emitBackendOutput(clang::CompilerInstance&, clang::CodeGenOptions&, llvm::StringRef, llvm::Module*, clang::BackendAction, llvm::IntrusiveRefCntPtr<llvm::vfs::FileSystem>, std::unique_ptr<llvm::raw_pwrite_stream, std::default_delete<llvm::raw_pwrite_stream> >, clang::BackendConsumer*) /home/x27zhou/compilers/llvm-project/clang/lib/CodeGen/BackendUtil.cpp:1507:13
#16 0x563b4b7767ee in clang::BackendConsumer::HandleTranslationUnit(clang::ASTContext&) /home/x27zhou/compilers/llvm-project/clang/lib/CodeGen/CodeGenAction.cpp:312:3
#17 0x563b502f3ce5 in clang::ParseAST(clang::Sema&, bool, bool) /home/x27zhou/compilers/llvm-project/clang/lib/Parse/ParseAST.cpp:183:13
#18 0x563b4b786a10 in clang::CodeGenAction::ExecuteAction() /home/x27zhou/compilers/llvm-project/clang/lib/CodeGen/CodeGenAction.cpp:1109:30
#19 0x563b4c03ad64 in clang::FrontendAction::Execute() /home/x27zhou/compilers/llvm-project/clang/lib/Frontend/FrontendAction.cpp:1312:3
#20 0x563b4be2c6d5 in clang::CompilerInstance::ExecuteAction(clang::FrontendAction&) /home/x27zhou/compilers/llvm-project/clang/lib/Frontend/CompilerInstance.cpp:1003:33
#21 0x563b4c37fd47 in clang::ExecuteCompilerInvocation(clang::CompilerInstance*) /home/x27zhou/compilers/llvm-project/clang/lib/FrontendTool/ExecuteCompilerInvocation.cpp:310:25
#22 0x563b415e6b3e in cc1_main(llvm::ArrayRef<char const*>, char const*, void*) /home/x27zhou/compilers/llvm-project/clang/tools/driver/cc1_main.cpp:304:15
#23 0x563b415dc0c1 in ExecuteCC1Tool(llvm::SmallVectorImpl<char const*>&, llvm::ToolContext const&, llvm::IntrusiveRefCntPtr<llvm::vfs::FileSystem>) /home/x27zhou/compilers/llvm-project/clang/tools/driver/driver.cpp:225:12
#24 0x563b415d8dc7 in clang_main(int, char**, llvm::ToolContext const&) /home/x27zhou/compilers/llvm-project/clang/tools/driver/driver.cpp:268:12
#25 0x563b4160c58f in main /home/x27zhou/compilers/llvm-trunk-build/tools/clang/tools/driver/clang-driver.cpp:17:10
#26 0x7f478432ad8f in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16
#27 0x7f478432ae3f in __libc_start_main csu/../csu/libc-start.c:392:3
#28 0x563b41514c54 in _start (/home/x27zhou/compilers/llvm-trunk-install/bin/clang-22+0x4e0dc54) (BuildId: 256bbdba2b4c78fbae47a0b07d8bc78537eb806a)
0x6160000217c8 is located 328 bytes inside of 528-byte region [0x616000021680,0x616000021890)
freed by thread T0 here:
#0 0x563b41597ec6 in __interceptor_realloc (/home/x27zhou/compilers/llvm-trunk-install/bin/clang-22+0x4e90ec6) (BuildId: 256bbdba2b4c78fbae47a0b07d8bc78537eb806a)
#1 0x563b49f13544 in llvm::safe_realloc(void*, unsigned long) /home/x27zhou/compilers/llvm-project/llvm/include/llvm/Support/MemAlloc.h:53:18
#2 0x563b49f13544 in llvm::SmallVectorBase<unsigned int>::grow_pod(void*, unsigned long, unsigned long) /home/x27zhou/compilers/llvm-project/llvm/lib/Support/SmallVector.cpp:159:15
#3 0x563b4ea4d020 in llvm::SmallVectorTemplateCommon<std::pair<llvm::Value*, llvm::VPValue*>, void>::grow_pod(unsigned long, unsigned long) /home/x27zhou/compilers/llvm-project/llvm/include/llvm/ADT/SmallVector.h:140:11
#4 0x563b4ea4d020 in llvm::SmallVectorTemplateBase<std::pair<llvm::Value*, llvm::VPValue*>, true>::grow(unsigned long) /home/x27zhou/compilers/llvm-project/llvm/include/llvm/ADT/SmallVector.h:526:41
#5 0x563b4ea4d020 in std::pair<llvm::Value*, llvm::VPValue*> const* llvm::SmallVectorTemplateCommon<std::pair<llvm::Value*, llvm::VPValue*>, void>::reserveForParamAndGetAddressImpl<llvm::SmallVectorTemplateBase<std::pair<llvm::Value*, llvm::VPValue*>, true> >(llvm::SmallVectorTemplateBase<std::pair<llvm::Value*, llvm::VPValue*>, true>*, std::pair<llvm::Value*, llvm::VPValue*> const&, unsigned long) /home/x27zhou/compilers/llvm-project/llvm/include/llvm/ADT/SmallVector.h:247:11
#6 0x563b4ea4d020 in llvm::SmallVectorTemplateBase<std::pair<llvm::Value*, llvm::VPValue*>, true>::reserveForParamAndGetAddress(std::pair<llvm::Value*, llvm::VPValue*>&, unsigned long) /home/x27zhou/compilers/llvm-project/llvm/include/llvm/ADT/SmallVector.h:538:9
#7 0x563b4ea4d020 in llvm::SmallVectorTemplateBase<std::pair<llvm::Value*, llvm::VPValue*>, true>::push_back(std::pair<llvm::Value*, llvm::VPValue*>) /home/x27zhou/compilers/llvm-project/llvm/include/llvm/ADT/SmallVector.h:563:23
#8 0x563b4ea4d020 in std::pair<llvm::Value*, llvm::VPValue*>& llvm::SmallVectorTemplateBase<std::pair<llvm::Value*, llvm::VPValue*>, true>::growAndEmplaceBack<std::piecewise_construct_t const&, std::tuple<llvm::Value* const&>, std::tuple<> >(std::piecewise_construct_t const&, std::tuple<llvm::Value* const&>&&, std::tuple<>&&) /home/x27zhou/compilers/llvm-project/llvm/include/llvm/ADT/SmallVector.h:557:5
#9 0x563b4ea4d020 in std::pair<llvm::Value*, llvm::VPValue*>& llvm::SmallVectorImpl<std::pair<llvm::Value*, llvm::VPValue*> >::emplace_back<std::piecewise_construct_t const&, std::tuple<llvm::Value* const&>, std::tuple<> >(std::piecewise_construct_t const&, std::tuple<llvm::Value* const&>&&, std::tuple<>&&) /home/x27zhou/compilers/llvm-project/llvm/include/llvm/ADT/SmallVector.h:946:20
#10 0x563b4ea4d020 in std::pair<std::pair<llvm::Value*, llvm::VPValue*>*, bool> llvm::MapVector<llvm::Value*, llvm::VPValue*, llvm::SmallDenseMap<llvm::Value*, unsigned int, 16u, llvm::DenseMapInfo<llvm::Value*, void>, llvm::detail::DenseMapPair<llvm::Value*, unsigned int> >, llvm::SmallVector<std::pair<llvm::Value*, llvm::VPValue*>, 16u> >::try_emplace_impl<llvm::Value* const&>(llvm::Value* const&) /home/x27zhou/compilers/llvm-project/llvm/include/llvm/ADT/MapVector.h:240:14
#11 0x563b4e9eb1aa in std::pair<std::pair<llvm::Value*, llvm::VPValue*>*, bool> llvm::MapVector<llvm::Value*, llvm::VPValue*, llvm::SmallDenseMap<llvm::Value*, unsigned int, 16u, llvm::DenseMapInfo<llvm::Value*, void>, llvm::detail::DenseMapPair<llvm::Value*, unsigned int> >, llvm::SmallVector<std::pair<llvm::Value*, llvm::VPValue*>, 16u> >::try_emplace<>(llvm::Value* const&) /home/x27zhou/compilers/llvm-project/llvm/include/llvm/ADT/MapVector.h:117:12
#12 0x563b4e9eb1aa in llvm::VPlan::getOrAddLiveIn(llvm::Value*) /home/x27zhou/compilers/llvm-project/llvm/lib/Transforms/Vectorize/VPlan.h:4545:35
#13 0x563b4ef16d4d in simplifyLiveInsWithSCEV(llvm::VPlan&, llvm::PredicatedScalarEvolution&)::$_4::operator()(llvm::VPValue*) const /home/x27zhou/compilers/llvm-project/llvm/lib/Transforms/Vectorize/VPlanConstruction.cpp:577:19
#14 0x563b4ef16d4d in simplifyLiveInsWithSCEV(llvm::VPlan&, llvm::PredicatedScalarEvolution&) /home/x27zhou/compilers/llvm-project/llvm/lib/Transforms/Vectorize/VPlanConstruction.cpp:582:37
#15 0x563b4ef16d4d in llvm::VPlanTransforms::buildVPlan0(llvm::Loop*, llvm::LoopInfo&, llvm::Type*, llvm::DebugLoc, llvm::PredicatedScalarEvolution&, llvm::LoopVersioning*) /home/x27zhou/compilers/llvm-project/llvm/lib/Transforms/Vectorize/VPlanConstruction.cpp:594:3
#16 0x563b4e9b8ff0 in llvm::LoopVectorizationPlanner::buildVPlansWithVPRecipes(llvm::ElementCount, llvm::ElementCount) /home/x27zhou/compilers/llvm-project/llvm/lib/Transforms/Vectorize/LoopVectorize.cpp:8315:17
#17 0x563b4e9b7dda in llvm::LoopVectorizationPlanner::plan(llvm::ElementCount, unsigned int) /home/x27zhou/compilers/llvm-project/llvm/lib/Transforms/Vectorize/LoopVectorize.cpp:6821:3
#18 0x563b4e9f52a3 in llvm::LoopVectorizePass::processLoop(llvm::Loop*) /home/x27zhou/compilers/llvm-project/llvm/lib/Transforms/Vectorize/LoopVectorize.cpp:9992:7
#19 0x563b4ea17116 in llvm::LoopVectorizePass::runImpl(llvm::Function&) /home/x27zhou/compilers/llvm-project/llvm/lib/Transforms/Vectorize/LoopVectorize.cpp:10264:30
#20 0x563b4ea18afc in llvm::LoopVectorizePass::run(llvm::Function&, llvm::AnalysisManager<llvm::Function>&) /home/x27zhou/compilers/llvm-project/llvm/lib/Transforms/Vectorize/LoopVectorize.cpp:10302:32
#21 0x563b4cfb44e1 in llvm::detail::PassModel<llvm::Function, llvm::LoopVectorizePass, llvm::AnalysisManager<llvm::Function> >::run(llvm::Function&, llvm::AnalysisManager<llvm::Function>&) /home/x27zhou/compilers/llvm-project/llvm/include/llvm/IR/PassManagerInternal.h:91:17
#22 0x563b48d929f7 in llvm::PassManager<llvm::Function, llvm::AnalysisManager<llvm::Function> >::run(llvm::Function&, llvm::AnalysisManager<llvm::Function>&) /home/x27zhou/compilers/llvm-project/llvm/include/llvm/IR/PassManagerImpl.h:76:38
#23 0x563b4234f6d1 in llvm::detail::PassModel<llvm::Function, llvm::PassManager<llvm::Function, llvm::AnalysisManager<llvm::Function> >, llvm::AnalysisManager<llvm::Function> >::run(llvm::Function&, llvm::AnalysisManager<llvm::Function>&) /home/x27zhou/compilers/llvm-project/llvm/include/llvm/IR/PassManagerInternal.h:91:17
#24 0x563b48d9ee81 in llvm::ModuleToFunctionPassAdaptor::run(llvm::Module&, llvm::AnalysisManager<llvm::Module>&) /home/x27zhou/compilers/llvm-project/llvm/lib/IR/PassManager.cpp:127:38
#25 0x563b42352cd1 in llvm::detail::PassModel<llvm::Module, llvm::ModuleToFunctionPassAdaptor, llvm::AnalysisManager<llvm::Module> >::run(llvm::Module&, llvm::AnalysisManager<llvm::Module>&) /home/x27zhou/compilers/llvm-project/llvm/include/llvm/IR/PassManagerInternal.h:91:17
#26 0x563b48d8f4e7 in llvm::PassManager<llvm::Module, llvm::AnalysisManager<llvm::Module> >::run(llvm::Module&, llvm::AnalysisManager<llvm::Module>&) /home/x27zhou/compilers/llvm-project/llvm/include/llvm/IR/PassManagerImpl.h:76:38
#27 0x563b4a6dfd06 in (anonymous namespace)::EmitAssemblyHelper::RunOptimizationPipeline(clang::BackendAction, std::unique_ptr<llvm::raw_pwrite_stream, std::default_delete<llvm::raw_pwrite_stream> >&, std::unique_ptr<llvm::ToolOutputFile, std::default_delete<llvm::ToolOutputFile> >&, clang::BackendConsumer*) /home/x27zhou/compilers/llvm-project/clang/lib/CodeGen/BackendUtil.cpp:1261:9
#28 0x563b4a6c1f6f in (anonymous namespace)::EmitAssemblyHelper::emitAssembly(clang::BackendAction, std::unique_ptr<llvm::raw_pwrite_stream, std::default_delete<llvm::raw_pwrite_stream> >, clang::BackendConsumer*) /home/x27zhou/compilers/llvm-project/clang/lib/CodeGen/BackendUtil.cpp:1334:3
#29 0x563b4a6c1f6f in clang::emitBackendOutput(clang::CompilerInstance&, clang::CodeGenOptions&, llvm::StringRef, llvm::Module*, clang::BackendAction, llvm::IntrusiveRefCntPtr<llvm::vfs::FileSystem>, std::unique_ptr<llvm::raw_pwrite_stream, std::default_delete<llvm::raw_pwrite_stream> >, clang::BackendConsumer*) /home/x27zhou/compilers/llvm-project/clang/lib/CodeGen/BackendUtil.cpp:1507:13
#30 0x563b4b7767ee in clang::BackendConsumer::HandleTranslationUnit(clang::ASTContext&) /home/x27zhou/compilers/llvm-project/clang/lib/CodeGen/CodeGenAction.cpp:312:3
#31 0x563b502f3ce5 in clang::ParseAST(clang::Sema&, bool, bool) /home/x27zhou/compilers/llvm-project/clang/lib/Parse/ParseAST.cpp:183:13
#32 0x563b4b786a10 in clang::CodeGenAction::ExecuteAction() /home/x27zhou/compilers/llvm-project/clang/lib/CodeGen/CodeGenAction.cpp:1109:30
#33 0x563b4c03ad64 in clang::FrontendAction::Execute() /home/x27zhou/compilers/llvm-project/clang/lib/Frontend/FrontendAction.cpp:1312:3
#34 0x563b4be2c6d5 in clang::CompilerInstance::ExecuteAction(clang::FrontendAction&) /home/x27zhou/compilers/llvm-project/clang/lib/Frontend/CompilerInstance.cpp:1003:33
#35 0x563b4c37fd47 in clang::ExecuteCompilerInvocation(clang::CompilerInstance*) /home/x27zhou/compilers/llvm-project/clang/lib/FrontendTool/ExecuteCompilerInvocation.cpp:310:25
#36 0x563b415e6b3e in cc1_main(llvm::ArrayRef<char const*>, char const*, void*) /home/x27zhou/compilers/llvm-project/clang/tools/driver/cc1_main.cpp:304:15
#37 0x563b415dc0c1 in ExecuteCC1Tool(llvm::SmallVectorImpl<char const*>&, llvm::ToolContext const&, llvm::IntrusiveRefCntPtr<llvm::vfs::FileSystem>) /home/x27zhou/compilers/llvm-project/clang/tools/driver/driver.cpp:225:12
#38 0x563b415d8dc7 in clang_main(int, char**, llvm::ToolContext const&) /home/x27zhou/compilers/llvm-project/clang/tools/driver/driver.cpp:268:12
#39 0x563b4160c58f in main /home/x27zhou/compilers/llvm-trunk-build/tools/clang/tools/driver/clang-driver.cpp:17:10
#40 0x7f478432ad8f in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16
previously allocated by thread T0 here:
#0 0x563b41597a9e in malloc (/home/x27zhou/compilers/llvm-trunk-install/bin/clang-22+0x4e90a9e) (BuildId: 256bbdba2b4c78fbae47a0b07d8bc78537eb806a)
#1 0x563b49f135f9 in llvm::safe_malloc(unsigned long) /home/x27zhou/compilers/llvm-project/llvm/include/llvm/Support/MemAlloc.h:26:18
#2 0x563b49f135f9 in llvm::SmallVectorBase<unsigned int>::grow_pod(void*, unsigned long, unsigned long) /home/x27zhou/compilers/llvm-project/llvm/lib/Support/SmallVector.cpp:151:15
#3 0x563b4ea4d020 in llvm::SmallVectorTemplateCommon<std::pair<llvm::Value*, llvm::VPValue*>, void>::grow_pod(unsigned long, unsigned long) /home/x27zhou/compilers/llvm-project/llvm/include/llvm/ADT/SmallVector.h:140:11
#4 0x563b4ea4d020 in llvm::SmallVectorTemplateBase<std::pair<llvm::Value*, llvm::VPValue*>, true>::grow(unsigned long) /home/x27zhou/compilers/llvm-project/llvm/include/llvm/ADT/SmallVector.h:526:41
#5 0x563b4ea4d020 in std::pair<llvm::Value*, llvm::VPValue*> const* llvm::SmallVectorTemplateCommon<std::pair<llvm::Value*, llvm::VPValue*>, void>::reserveForParamAndGetAddressImpl<llvm::SmallVectorTemplateBase<std::pair<llvm::Value*, llvm::VPValue*>, true> >(llvm::SmallVectorTemplateBase<std::pair<llvm::Value*, llvm::VPValue*>, true>*, std::pair<llvm::Value*, llvm::VPValue*> const&, unsigned long) /home/x27zhou/compilers/llvm-project/llvm/include/llvm/ADT/SmallVector.h:247:11
#6 0x563b4ea4d020 in llvm::SmallVectorTemplateBase<std::pair<llvm::Value*, llvm::VPValue*>, true>::reserveForParamAndGetAddress(std::pair<llvm::Value*, llvm::VPValue*>&, unsigned long) /home/x27zhou/compilers/llvm-project/llvm/include/llvm/ADT/SmallVector.h:538:9
#7 0x563b4ea4d020 in llvm::SmallVectorTemplateBase<std::pair<llvm::Value*, llvm::VPValue*>, true>::push_back(std::pair<llvm::Value*, llvm::VPValue*>) /home/x27zhou/compilers/llvm-project/llvm/include/llvm/ADT/SmallVector.h:563:23
#8 0x563b4ea4d020 in std::pair<llvm::Value*, llvm::VPValue*>& llvm::SmallVectorTemplateBase<std::pair<llvm::Value*, llvm::VPValue*>, true>::growAndEmplaceBack<std::piecewise_construct_t const&, std::tuple<llvm::Value* const&>, std::tuple<> >(std::piecewise_construct_t const&, std::tuple<llvm::Value* const&>&&, std::tuple<>&&) /home/x27zhou/compilers/llvm-project/llvm/include/llvm/ADT/SmallVector.h:557:5
#9 0x563b4ea4d020 in std::pair<llvm::Value*, llvm::VPValue*>& llvm::SmallVectorImpl<std::pair<llvm::Value*, llvm::VPValue*> >::emplace_back<std::piecewise_construct_t const&, std::tuple<llvm::Value* const&>, std::tuple<> >(std::piecewise_construct_t const&, std::tuple<llvm::Value* const&>&&, std::tuple<>&&) /home/x27zhou/compilers/llvm-project/llvm/include/llvm/ADT/SmallVector.h:946:20
#10 0x563b4ea4d020 in std::pair<std::pair<llvm::Value*, llvm::VPValue*>*, bool> llvm::MapVector<llvm::Value*, llvm::VPValue*, llvm::SmallDenseMap<llvm::Value*, unsigned int, 16u, llvm::DenseMapInfo<llvm::Value*, void>, llvm::detail::DenseMapPair<llvm::Value*, unsigned int> >, llvm::SmallVector<std::pair<llvm::Value*, llvm::VPValue*>, 16u> >::try_emplace_impl<llvm::Value* const&>(llvm::Value* const&) /home/x27zhou/compilers/llvm-project/llvm/include/llvm/ADT/MapVector.h:240:14
#11 0x563b4e9eb1aa in std::pair<std::pair<llvm::Value*, llvm::VPValue*>*, bool> llvm::MapVector<llvm::Value*, llvm::VPValue*, llvm::SmallDenseMap<llvm::Value*, unsigned int, 16u, llvm::DenseMapInfo<llvm::Value*, void>, llvm::detail::DenseMapPair<llvm::Value*, unsigned int> >, llvm::SmallVector<std::pair<llvm::Value*, llvm::VPValue*>, 16u> >::try_emplace<>(llvm::Value* const&) /home/x27zhou/compilers/llvm-project/llvm/include/llvm/ADT/MapVector.h:117:12
#12 0x563b4e9eb1aa in llvm::VPlan::getOrAddLiveIn(llvm::Value*) /home/x27zhou/compilers/llvm-project/llvm/lib/Transforms/Vectorize/VPlan.h:4545:35
#13 0x563b4ef1063e in (anonymous namespace)::PlainCFGBuilder::buildPlainCFG() /home/x27zhou/compilers/llvm-project/llvm/lib/Transforms/Vectorize/VPlanConstruction.cpp:297:31
#14 0x563b4ef1063e in llvm::VPlanTransforms::buildVPlan0(llvm::Loop*, llvm::LoopInfo&, llvm::Type*, llvm::DebugLoc, llvm::PredicatedScalarEvolution&, llvm::LoopVersioning*) /home/x27zhou/compilers/llvm-project/llvm/lib/Transforms/Vectorize/VPlanConstruction.cpp:592:43
#15 0x563b4e9b8ff0 in llvm::LoopVectorizationPlanner::buildVPlansWithVPRecipes(llvm::ElementCount, llvm::ElementCount) /home/x27zhou/compilers/llvm-project/llvm/lib/Transforms/Vectorize/LoopVectorize.cpp:8315:17
#16 0x563b4e9b7dda in llvm::LoopVectorizationPlanner::plan(llvm::ElementCount, unsigned int) /home/x27zhou/compilers/llvm-project/llvm/lib/Transforms/Vectorize/LoopVectorize.cpp:6821:3
#17 0x563b4e9f52a3 in llvm::LoopVectorizePass::processLoop(llvm::Loop*) /home/x27zhou/compilers/llvm-project/llvm/lib/Transforms/Vectorize/LoopVectorize.cpp:9992:7
#18 0x563b4ea17116 in llvm::LoopVectorizePass::runImpl(llvm::Function&) /home/x27zhou/compilers/llvm-project/llvm/lib/Transforms/Vectorize/LoopVectorize.cpp:10264:30
#19 0x563b4ea18afc in llvm::LoopVectorizePass::run(llvm::Function&, llvm::AnalysisManager<llvm::Function>&) /home/x27zhou/compilers/llvm-project/llvm/lib/Transforms/Vectorize/LoopVectorize.cpp:10302:32
#20 0x563b4cfb44e1 in llvm::detail::PassModel<llvm::Function, llvm::LoopVectorizePass, llvm::AnalysisManager<llvm::Function> >::run(llvm::Function&, llvm::AnalysisManager<llvm::Function>&) /home/x27zhou/compilers/llvm-project/llvm/include/llvm/IR/PassManagerInternal.h:91:17
#21 0x563b48d929f7 in llvm::PassManager<llvm::Function, llvm::AnalysisManager<llvm::Function> >::run(llvm::Function&, llvm::AnalysisManager<llvm::Function>&) /home/x27zhou/compilers/llvm-project/llvm/include/llvm/IR/PassManagerImpl.h:76:38
#22 0x563b4234f6d1 in llvm::detail::PassModel<llvm::Function, llvm::PassManager<llvm::Function, llvm::AnalysisManager<llvm::Function> >, llvm::AnalysisManager<llvm::Function> >::run(llvm::Function&, llvm::AnalysisManager<llvm::Function>&) /home/x27zhou/compilers/llvm-project/llvm/include/llvm/IR/PassManagerInternal.h:91:17
#23 0x563b48d9ee81 in llvm::ModuleToFunctionPassAdaptor::run(llvm::Module&, llvm::AnalysisManager<llvm::Module>&) /home/x27zhou/compilers/llvm-project/llvm/lib/IR/PassManager.cpp:127:38
#24 0x563b42352cd1 in llvm::detail::PassModel<llvm::Module, llvm::ModuleToFunctionPassAdaptor, llvm::AnalysisManager<llvm::Module> >::run(llvm::Module&, llvm::AnalysisManager<llvm::Module>&) /home/x27zhou/compilers/llvm-project/llvm/include/llvm/IR/PassManagerInternal.h:91:17
#25 0x563b48d8f4e7 in llvm::PassManager<llvm::Module, llvm::AnalysisManager<llvm::Module> >::run(llvm::Module&, llvm::AnalysisManager<llvm::Module>&) /home/x27zhou/compilers/llvm-project/llvm/include/llvm/IR/PassManagerImpl.h:76:38
#26 0x563b4a6dfd06 in (anonymous namespace)::EmitAssemblyHelper::RunOptimizationPipeline(clang::BackendAction, std::unique_ptr<llvm::raw_pwrite_stream, std::default_delete<llvm::raw_pwrite_stream> >&, std::unique_ptr<llvm::ToolOutputFile, std::default_delete<llvm::ToolOutputFile> >&, clang::BackendConsumer*) /home/x27zhou/compilers/llvm-project/clang/lib/CodeGen/BackendUtil.cpp:1261:9
#27 0x563b4a6c1f6f in (anonymous namespace)::EmitAssemblyHelper::emitAssembly(clang::BackendAction, std::unique_ptr<llvm::raw_pwrite_stream, std::default_delete<llvm::raw_pwrite_stream> >, clang::BackendConsumer*) /home/x27zhou/compilers/llvm-project/clang/lib/CodeGen/BackendUtil.cpp:1334:3
#28 0x563b4a6c1f6f in clang::emitBackendOutput(clang::CompilerInstance&, clang::CodeGenOptions&, llvm::StringRef, llvm::Module*, clang::BackendAction, llvm::IntrusiveRefCntPtr<llvm::vfs::FileSystem>, std::unique_ptr<llvm::raw_pwrite_stream, std::default_delete<llvm::raw_pwrite_stream> >, clang::BackendConsumer*) /home/x27zhou/compilers/llvm-project/clang/lib/CodeGen/BackendUtil.cpp:1507:13
#29 0x563b4b7767ee in clang::BackendConsumer::HandleTranslationUnit(clang::ASTContext&) /home/x27zhou/compilers/llvm-project/clang/lib/CodeGen/CodeGenAction.cpp:312:3
#30 0x563b502f3ce5 in clang::ParseAST(clang::Sema&, bool, bool) /home/x27zhou/compilers/llvm-project/clang/lib/Parse/ParseAST.cpp:183:13
#31 0x563b4b786a10 in clang::CodeGenAction::ExecuteAction() /home/x27zhou/compilers/llvm-project/clang/lib/CodeGen/CodeGenAction.cpp:1109:30
#32 0x563b4c03ad64 in clang::FrontendAction::Execute() /home/x27zhou/compilers/llvm-project/clang/lib/Frontend/FrontendAction.cpp:1312:3
#33 0x563b4be2c6d5 in clang::CompilerInstance::ExecuteAction(clang::FrontendAction&) /home/x27zhou/compilers/llvm-project/clang/lib/Frontend/CompilerInstance.cpp:1003:33
#34 0x563b4c37fd47 in clang::ExecuteCompilerInvocation(clang::CompilerInstance*) /home/x27zhou/compilers/llvm-project/clang/lib/FrontendTool/ExecuteCompilerInvocation.cpp:310:25
#35 0x563b415e6b3e in cc1_main(llvm::ArrayRef<char const*>, char const*, void*) /home/x27zhou/compilers/llvm-project/clang/tools/driver/cc1_main.cpp:304:15
#36 0x563b415dc0c1 in ExecuteCC1Tool(llvm::SmallVectorImpl<char const*>&, llvm::ToolContext const&, llvm::IntrusiveRefCntPtr<llvm::vfs::FileSystem>) /home/x27zhou/compilers/llvm-project/clang/tools/driver/driver.cpp:225:12
#37 0x563b415d8dc7 in clang_main(int, char**, llvm::ToolContext const&) /home/x27zhou/compilers/llvm-project/clang/tools/driver/driver.cpp:268:12
#38 0x563b4160c58f in main /home/x27zhou/compilers/llvm-trunk-build/tools/clang/tools/driver/clang-driver.cpp:17:10
#39 0x7f478432ad8f in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16
SUMMARY: AddressSanitizer: heap-use-after-free /home/x27zhou/compilers/llvm-project/llvm/lib/Transforms/Vectorize/VPlanConstruction.cpp:581:24 in simplifyLiveInsWithSCEV(llvm::VPlan&, llvm::PredicatedScalarEvolution&)
Shadow bytes around the buggy address:
0x0c2c7fffc2a0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c2c7fffc2b0: 00 fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c2c7fffc2c0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c2c7fffc2d0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x0c2c7fffc2e0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
=>0x0c2c7fffc2f0: fd fd fd fd fd fd fd fd fd[fd]fd fd fd fd fd fd
0x0c2c7fffc300: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x0c2c7fffc310: fd fd fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c2c7fffc320: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c2c7fffc330: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c2c7fffc340: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
==3176394==ABORTING
test.c:
#include <stdint.h>
#include <stdio.h>
/* Reduced-testcase aggregate; the single-letter names carry no meaning.
 * It is passed by value to t() and embedded in struct f as member `c`. */
struct a {
uint64_t b;
int32_t c;
int64_t d;
uint32_t e; /* read as l.c.e in u() and func_93() */
};
/* Type of the file-scope object `l` (and of the local `at` in t()).
 * Members of `l` are read in t(), u() and func_93(). */
struct f {
int32_t b;
int8_t g; /* loop variable and array index in func_93()'s loop */
struct a c;
int8_t h;
int32_t d; /* returned, narrowed to uint8_t, by func_93() */
int8_t j;
};
/* File-scope state for the reproducer. Only `am` has an explicit
 * initializer; everything else is a plain tentative definition. */
uint64_t k, ah, ab, r, p, n;
static struct f l;
/* m, q, s and an are declared without a bound. NOTE(review): compilers
 * typically warn and treat such definitions as one-element arrays, so the
 * indexed accesses in this file (m[l.g], s[3], an[i]) are not bounds-safe.
 * The reproduction steps only compile this file; they never run it. */
int64_t m[];
static int8_t o;
static int16_t q[];
uint32_t s[];
long ad, aj, ak;
int af;
/* Unprototyped function-pointer type used for the call table `an`. */
typedef void (*al)();
static void *am = &o;
al an[];
/* Declared to return int8_t but has an empty body (no return statement).
 * Its only call, in u(), feeds y()'s unnamed first parameter. */
static int8_t(v)() {}
/* Returns aa unchanged when ae >= 2, otherwise aa >> ae. */
static int16_t(w)(int16_t aa, int ae) { return ae >= 2 ? aa : aa >> ae; }
/* Uses the GNU `?:` form with the middle operand omitted: yields the value of
 * (ae >= 2 || aa >> ae) when that is non-zero, otherwise aa << ae. */
int32_t(x)(int32_t aa, int ae) { return ae >= 2 || aa >> ae ?: aa << ae; }
/* Ignores its unnamed first parameter and returns -z. */
int64_t(y)(int64_t, int64_t z) { return -z; }
/* Returns ai + aq converted to uint16_t; u() uses it as its loop increment. */
uint16_t(ag)(uint16_t ai, uint16_t aq) { return ai + aq; }
/* Forward declarations for the three functions defined further down.
 * t() and u() are defined later without `static`; these earlier declarations
 * already give them internal linkage. */
static uint32_t t(struct a, int64_t, int64_t, struct f);
static int8_t u(uint32_t, int8_t, int64_t, int32_t, uint32_t);
static uint8_t func_93(uint32_t, uint32_t, int8_t);
/* Declared to return int but has an empty body; main() nevertheless tests
 * its result in `if (ac())`, so that value is indeterminate at run time. */
static int ac() {}
/* Entry into the t() -> func_93()/u() call chain: passes a zero-initialized
 * struct a and the global `l` to t(). Declared int32_t but returns nothing;
 * the only caller, main(), ignores the result. */
static int32_t ao() {
struct a ap = {};
t(ap, 0, ap.d, l);
}
/* Calls func_93() and passes its truth value (0 || ...) to u() as the first
 * argument. The two int64_t parameters and the struct f parameter are unnamed
 * and unused. Declared uint32_t but has no return statement. */
uint32_t t(struct a ar, int64_t, int64_t, struct f) {
/* After the two empty braces for as[0] and as[1], the scalars fill
 * as[2][0][0..5], so as[2][0][5] is the trailing 2 and func_93() receives a
 * non-zero az. */
int32_t as[][4][9] = {{}, {}, 0, 0, 0, 0, 0, 2};
struct f at = {};
u(0 || func_93(k, as[2][0][5], l.b), at.c.c, ar.b, ar.d, at.g);
}
/* Holds the only nested loop in the file: a counted outer loop on aw and an
 * inner loop on the global p that stores to s[3]. Only au and av are named;
 * the middle three parameters are unused. No return statement.
 * NOTE(review): the report does not say which loop in this file the
 * vectorizer was planning when it crashed; do not assume it is this one. */
int8_t u(uint32_t au, int8_t, int64_t, int32_t, uint32_t av) {
int32_t aw;
struct a ax = {};
/* The assignment q[0] = ad is evaluated as w()'s second argument. */
av = w(au, q[0] = ad) <= ax.b;
/* Assignment used as the condition: copies n into r, then tests it. */
if (r = n)
/* aw runs 0..7; the step goes through ag(aw, 1) rather than ++aw. */
for (aw = 0; aw < 8; aw = ag(aw, 1))
if (x(av, af) ^ o)
/* p starts at 8 and the loop exits once --p makes it 7. */
for (p = 8; p != 7; --p)
s[3] = (y(v(), l.c.e) & l.j) != 1 == av;
}
/* The one function named in the attached profile.txt (test.c:func_93), where
 * it is listed with 16 counters that are all zero.
 * NOTE(review): the hash recorded in profile.txt is presumably tied to this
 * function's control-flow shape, so keep the body as is when reproducing.
 * Returns l.d narrowed to uint8_t; the third parameter is unnamed and
 * unused. */
uint8_t func_93(uint32_t ay, uint32_t az, int8_t) {
int32_t ba = 0;
uint16_t bb = 5;
if (az) {
unsigned bc = 0;
/* Stores 2 into m[l.g] while l.g < ah, and, when ab is non-zero, for at
 * most 300 iterations (bc counts them). l.g is an int8_t used as the index. */
for (; l.g < ah && (!ab || ++bc <= 300); l.g++)
m[l.g] = 2;
} else {
uint32_t bd = 0;
/* Expression statement whose value is discarded; it only reads locals and
 * globals and assigns nothing. */
((((0 == bd || ba) >= bd) >= l.j || aj) < 4 != l.c.e && l.h) <= ay !=
(0 != (2 >= (l.d != (((0 >= 7 == az) > ak) < az == 7) > ay || l.b) &&
bb)) >= l.h;
}
return l.d;
}
/* Non-standard `void main(int)`. Loops four times over the call table `an`
 * (declared without a bound), guarded by argc and by ac()'s indeterminate
 * result, then starts the ao() -> t() chain. The reproduction steps only
 * compile this file; nothing in the report runs the resulting binary. */
void main(int argc) {
for (size_t i = 0; i < 4; ++i)
if (argc)
if (ac())
/* Indirect call through an unprototyped pointer, passing &o via am. */
an[i](am);
ao();
}
profile.txt:
test.c:func_93
1063856843901418860
16
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0