Bugzilla – Bug 191
[licm] Memory read after free causes infrequent crash
Last modified: 2003-12-18 02:14:44
The 1.1 LICM pass can read memory after it has been released. The flow of events looks like this:

1. LICM analyzes the body of a loop for aliases, building up an AliasSetTracker object which contains an entry for each pointer in the loop body.
2. LICM loops through the instructions in the loop body, and chooses to sink a pointer expression, such as a getelementptr.
3. There are no exits from the loop, or the getelementptr does not dominate any exits. For this reason, LICM will just delete the expression, because it is dead.
4. After the body of the loop has been hoisted/sunk, LICM loops through the AliasSetTracker, promoting must-aliased sets. Because the instruction was deleted but never removed from the AliasSetTracker, it can read memory that was freed, but only if it is the leader pointer for the set.

This can cause _extremely_ infrequent crashes in the LICM pass, when compiling 177.mesa for example.
Fixing the bug was easy, just remove values from the AliasSetTracker when we remove them from the program:
http://mail.cs.uiuc.edu/pipermail/llvm-commits/Week-of-Mon-20031215/010278.html

The only complication is that we had to rearrange AliasSetTracker a bit to implement the AST::remove method:
http://mail.cs.uiuc.edu/pipermail/llvm-commits/Week-of-Mon-20031215/010276.html
http://mail.cs.uiuc.edu/pipermail/llvm-commits/Week-of-Mon-20031215/010277.html

-Chris
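The stale-entry pattern from the report and the AST::remove fix from the follow-up, as an added C++ example that is not LLVM's code: Inst, AliasSetTracker, sinkDeadInstructions and runScenario are simplified stand-ins constructed for this illustration, with the leader-pointer dereference in leaders() standing in for the promotion step and holdsOnlyLive() being the kind of check a debug build could assert on after every deletion.

```cpp
#include <algorithm>
#include <list>
#include <string>
#include <vector>

struct Inst {  // hypothetical stand-in for an LLVM pointer-producing instruction
    std::string name;
    bool dead = false;  // set when the sink step finds no remaining uses
};
// Simplified stand-in for AliasSetTracker: one vector per set, first entry is the leader.
struct AliasSetTracker {
    std::vector<std::vector<const Inst *>> sets_;
    void add(const Inst *p, size_t set) {
        if (sets_.size() <= set) sets_.resize(set + 1);
        sets_[set].push_back(p);
    }
    // The fix from the report: forget a value when it leaves the program.
    void remove(const Inst *p) {
        for (auto &s : sets_) s.erase(std::remove(s.begin(), s.end(), p), s.end());
        sets_.erase(std::remove_if(sets_.begin(), sets_.end(),
                    [](const std::vector<const Inst *> &s) { return s.empty(); }), sets_.end());
    }
    // Promotion walks the leaders, so this dereferences every leader pointer.
    std::vector<std::string> leaders() const {
        std::vector<std::string> out;
        for (const auto &s : sets_) out.push_back(s.front()->name);
        return out;
    }
    // Consistency check: every tracked pointer must still be a live instruction.
    bool holdsOnlyLive(const std::list<Inst> &body) const {
        for (const auto &s : sets_) for (const Inst *p : s)
            if (std::none_of(body.begin(), body.end(), [p](const Inst &i) { return &i == p; })) return false;
        return true;
    }
};
// Sink step: dead instructions are erased. Without ast.remove() the tracker keeps a
// dangling pointer, and leaders() reads freed memory when the erased value led a set.
void sinkDeadInstructions(std::list<Inst> &body, AliasSetTracker &ast) {
    for (auto it = body.begin(); it != body.end();)
        if (it->dead) { ast.remove(&*it); it = body.erase(it); } else ++it;
}

// Constructed scenario: gep1 leads set 0 and is sunk; gep2 must take over as leader.
std::vector<std::string> runScenario() {
    std::list<Inst> body{{"gep1"}, {"gep2"}, {"ld"}};
    AliasSetTracker ast;
    auto it = body.begin(); ast.add(&*it++, 0); ast.add(&*it++, 0); ast.add(&*it, 1);
    body.front().dead = true; sinkDeadInstructions(body, ast);
    return ast.holdsOnlyLive(body) ? ast.leaders() : std::vector<std::string>{};
}
```

Dropping the remove() call inside sinkDeadInstructions reproduces the report's failure mode: holdsOnlyLive() reports a dangling entry, and leaders() would dereference freed memory for set 0.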