Clang crash: Idx < Size && "access in bound" in AssignmentTrackingAnalysis #8741

Closed
ellishg opened this issue May 10, 2024 · 5 comments

ellishg commented May 10, 2024

Clang crashes in AssignmentTrackingAnalysis because Var is out of bounds of the bitvector VariableIDsInBlock.
https://github.com/apple/llvm-project/blob/29180d27e709b76965cc02c338188e37f2df9e7f/llvm/lib/CodeGen/AssignmentTrackingAnalysis.cpp#L1204-L1206

The upstream LLVM main branch does not crash.

clang reduced.ll -O2 -c

reduced.ll

target datalayout = "e-m:e-p270:32:32-p271:32:32-p272:64:64-i64:64-f80:128-n8:16:32:64-S128"
target triple = "x86_64-unknown-linux-gnu"

%"class.std::__cxx11::basic_string" = type { %"struct.std::__cxx11::basic_string<char>::_Alloc_hider", i64, %union.anon }
%"struct.std::__cxx11::basic_string<char>::_Alloc_hider" = type { ptr }
%union.anon = type { i64, [8 x i8] }

; Function Attrs: nocallback nofree nosync nounwind speculatable willreturn memory(none)
declare void @llvm.dbg.declare(metadata, metadata, metadata) #0

define void @_foo() !dbg !4 {
entry:
  %Path = alloca %"class.std::__cxx11::basic_string", align 8
  %call1 = call i1 @_ZNKSt7__cxx1112basic_stringIcSt11char_traitsIcESaIcEE5emptyEv(ptr inttoptr (i64 136 to ptr))
  br i1 %call1, label %land.lhs.true, label %if.end5

land.lhs.true:                                    ; preds = %entry
  %call21 = load volatile i1, ptr null, align 4294967296
  br label %if.end5

common.ret:                                       ; preds = %if.end5
  ret void

if.end5:                                          ; preds = %land.lhs.true, %entry
  call void @llvm.dbg.declare(metadata ptr %Path, metadata !7, metadata !DIExpression()), !dbg !12
  call void @_ZNSt7__cxx1112basic_stringIcSt11char_traitsIcESaIcEEC2Ev(ptr %Path)
  %call6 = call i1 @_ZNKSt7__cxx1112basic_stringIcSt11char_traitsIcESaIcEE5emptyEv(ptr inttoptr (i64 136 to ptr))
  br i1 %call6, label %if.then7, label %common.ret

if.then7:                                         ; preds = %if.end5
  store volatile i32 0, ptr null, align 4294967296
  unreachable
}

define i1 @_ZNKSt7__cxx1112basic_stringIcSt11char_traitsIcESaIcEE5emptyEv(ptr %this) {
entry:
  %call = call i64 @_ZNKSt7__cxx1112basic_stringIcSt11char_traitsIcESaIcEE4sizeEv(ptr %this)
  %cmp = icmp eq i64 %call, 0
  ret i1 %cmp
}

define void @_ZNSt7__cxx1112basic_stringIcSt11char_traitsIcESaIcEEC2Ev(ptr %this) {
entry:
  %call = load volatile ptr, ptr null, align 4294967296
  store volatile i64 0, ptr %this, align 8
  ret void
}

define i64 @_ZNKSt7__cxx1112basic_stringIcSt11char_traitsIcESaIcEE4sizeEv(ptr %this) {
entry:
  %0 = load i64, ptr %this, align 8
  ret i64 %0
}

; uselistorder directives
uselistorder ptr @_ZNKSt7__cxx1112basic_stringIcSt11char_traitsIcESaIcEE5emptyEv, { 1, 0 }

attributes #0 = { nocallback nofree nosync nounwind speculatable willreturn memory(none) }

!llvm.dbg.cu = !{!0}
!llvm.module.flags = !{!3}

!0 = distinct !DICompileUnit(language: DW_LANG_C_plus_plus_14, file: !1, isOptimized: true, runtimeVersion: 0, emissionKind: FullDebug, enums: !2, splitDebugInlining: false, nameTableKind: None)
!1 = !DIFile(filename: "file.cpp", directory: "foo")
!2 = !{}
!3 = !{i32 2, !"Debug Info Version", i32 3}
!4 = distinct !DISubprogram(name: "foo", linkageName: "_foo", scope: !5, file: !1, line: 425, type: !6, scopeLine: 425, flags: DIFlagPrototyped | DIFlagAllCallsDescribed, spFlags: DISPFlagDefinition | DISPFlagOptimized, unit: !0, retainedNodes: !2)
!5 = !DINamespace(name: "llvm", scope: null)
!6 = distinct !DISubroutineType(types: !2)
!7 = !DILocalVariable(name: "Path", scope: !4, file: !1, line: 436, type: !8)
!8 = !DIDerivedType(tag: DW_TAG_typedef, name: "string", scope: !9, file: !1, line: 79, baseType: !10)
!9 = !DINamespace(name: "std", scope: null)
!10 = distinct !DICompositeType(tag: DW_TAG_class_type, name: "basic_string<char, std::char_traits<char>, std::allocator<char> >", scope: !11, file: !1, line: 85, size: 256, flags: DIFlagTypePassByReference | DIFlagNonTrivial, elements: !2, templateParams: !2, identifier: "_ZTSNSt7__cxx1112basic_stringIcSt11char_traitsIcESaIcEEE")
!11 = !DINamespace(name: "__cxx11", scope: !9, exportSymbols: true)
!12 = !DILocation(line: 436, column: 15, scope: !4)

Error

inst not in same function as dbg.assign
  store volatile i64 0, ptr %Path.sroa.0, align 8, !DIAssignID !16
  call void @llvm.dbg.assign(metadata i64 0, metadata !9, metadata !DIExpression(DW_OP_LLVM_fragment, 0, 64), metadata !16, metadata ptr %Path.sroa.0, metadata !DIExpression()), !dbg !14
inst not in same function as dbg.assign
  store volatile i64 0, ptr %Path.sroa.0, align 8, !DIAssignID !16
  call void @llvm.dbg.assign(metadata i64 0, metadata !9, metadata !DIExpression(DW_OP_LLVM_fragment, 0, 64), metadata !16, metadata ptr %Path.sroa.0, metadata !DIExpression()), !dbg !14
dbg.assign not in same function as inst
  call void @llvm.dbg.assign(metadata i64 0, metadata !9, metadata !DIExpression(DW_OP_LLVM_fragment, 0, 64), metadata !16, metadata ptr %Path.sroa.0, metadata !DIExpression()), !dbg !14
  store volatile i64 0, ptr %Path.sroa.0, align 8, !DIAssignID !16
dbg.assign not in same function as inst
  call void @llvm.dbg.assign(metadata i64 0, metadata !9, metadata !DIExpression(DW_OP_LLVM_fragment, 0, 64), metadata !16, metadata ptr %Path.sroa.0, metadata !DIExpression()), !dbg !14
  store volatile i64 0, ptr %Path.sroa.0, align 8, !DIAssignID !16
clang: /data/users/ellishoag/repos/llvm-project/llvm/include/llvm/ADT/BitVector.h:358: BitVector &llvm::BitVector::set(unsigned int): Assertion `Idx < Size && "access in bound"' failed.
PLEASE submit a bug report to https://github.com/llvm/llvm-project/issues/ and include the crash backtrace, preprocessed source, and associated run script.
Stack dump:
0.	Program arguments: ../../build/Ninja-RelWithDebInfoAssert/llvm-linux-x86_64/bin/clang /data/users/ellishoag/sandbox/clang-bug/reduce-w/reduced.ll -O2 -c
1.	Code generation
2.	Running pass 'Function Pass Manager' on module '/data/users/ellishoag/sandbox/clang-bug/reduce-w/reduced.ll'.
3.	Running pass 'Assignment Tracking Analysis' on function '@_foo.cold.1'
 #0 0x00005614d4d7ad08 llvm::sys::PrintStackTrace(llvm::raw_ostream&, int) /data/users/ellishoag/repos/llvm-project/llvm/lib/Support/Unix/Signals.inc:602:13
 #1 0x00005614d4d78e90 llvm::sys::RunSignalHandlers() /data/users/ellishoag/repos/llvm-project/llvm/lib/Support/Signals.cpp:105:18
 #2 0x00005614d4cf5a36 (anonymous namespace)::CrashRecoveryContextImpl::HandleCrash(int, unsigned long) /data/users/ellishoag/repos/llvm-project/llvm/lib/Support/CrashRecoveryContext.cpp:73:5
 #3 0x00005614d4cf5a36 CrashRecoverySignalHandler(int) /data/users/ellishoag/repos/llvm-project/llvm/lib/Support/CrashRecoveryContext.cpp:390:51
 #4 0x00007f64dd23e6f0 __restore_rt (/lib64/libc.so.6+0x3e6f0)
 #5 0x00007f64dd28b94c __pthread_kill_implementation (/lib64/libc.so.6+0x8b94c)
 #6 0x00007f64dd23e646 gsignal (/lib64/libc.so.6+0x3e646)
 #7 0x00007f64dd2287f3 abort (/lib64/libc.so.6+0x287f3)
 #8 0x00007f64dd22871b _nl_load_domain.cold (/lib64/libc.so.6+0x2871b)
 #9 0x00007f64dd237386 (/lib64/libc.so.6+0x37386)
#10 0x00005614d47cce4e llvm::SmallVectorTemplateCommon<unsigned long, void>::operator[](unsigned long) /data/users/ellishoag/repos/llvm-project/llvm/include/llvm/ADT/SmallVector.h:294:5
#11 0x00005614d47cce4e llvm::BitVector::set(unsigned int) /data/users/ellishoag/repos/llvm-project/llvm/include/llvm/ADT/BitVector.h:359:5
#12 0x00005614d47cce4e (anonymous namespace)::AssignmentTrackingLowering::BlockInfo::setAssignment((anonymous namespace)::AssignmentTrackingLowering::BlockInfo::AssignmentKind, llvm::VariableID, (anonymous namespace)::AssignmentTrackingLowering::Assignment const&) /data/users/ellishoag/repos/llvm-project/llvm/lib/CodeGen/AssignmentTrackingAnalysis.cpp:1131:26
#13 0x00005614d47cce4e (anonymous namespace)::AssignmentTrackingLowering::addMemDef((anonymous namespace)::AssignmentTrackingLowering::BlockInfo*, llvm::VariableID, (anonymous namespace)::AssignmentTrackingLowering::Assignment const&) /data/users/ellishoag/repos/llvm-project/llvm/lib/CodeGen/AssignmentTrackingAnalysis.cpp:0:0
#14 0x00005614d47c3290 (anonymous namespace)::AssignmentTrackingLowering::processTaggedInstruction(llvm::Instruction&, (anonymous namespace)::AssignmentTrackingLowering::BlockInfo*) /data/users/ellishoag/repos/llvm-project/llvm/lib/CodeGen/AssignmentTrackingAnalysis.cpp:1574:5
#15 0x00005614d47c3290 (anonymous namespace)::AssignmentTrackingLowering::processNonDbgInstruction(llvm::Instruction&, (anonymous namespace)::AssignmentTrackingLowering::BlockInfo*) /data/users/ellishoag/repos/llvm-project/llvm/lib/CodeGen/AssignmentTrackingAnalysis.cpp:1480:5
#16 0x00005614d47c3290 (anonymous namespace)::AssignmentTrackingLowering::process(llvm::BasicBlock&, (anonymous namespace)::AssignmentTrackingLowering::BlockInfo*) /data/users/ellishoag/repos/llvm-project/llvm/lib/CodeGen/AssignmentTrackingAnalysis.cpp:1745:7
#17 0x00005614d47c3290 (anonymous namespace)::AssignmentTrackingLowering::run(FunctionVarLocsBuilder*) /data/users/ellishoag/repos/llvm-project/llvm/lib/CodeGen/AssignmentTrackingAnalysis.cpp:2135:9
#18 0x00005614d47bd958 analyzeFunction(llvm::Function&, llvm::DataLayout const&, FunctionVarLocsBuilder*) /data/users/ellishoag/repos/llvm-project/llvm/lib/CodeGen/AssignmentTrackingAnalysis.cpp:2529:20
#19 0x00005614d47bd958 llvm::AssignmentTrackingAnalysis::runOnFunction(llvm::Function&) /data/users/ellishoag/repos/llvm-project/llvm/lib/CodeGen/AssignmentTrackingAnalysis.cpp:2558:3
#20 0x00005614d49043f1 llvm::FPPassManager::runOnFunction(llvm::Function&) /data/users/ellishoag/repos/llvm-project/llvm/lib/IR/LegacyPassManager.cpp:1435:27
#21 0x00005614d490a962 llvm::FPPassManager::runOnModule(llvm::Module&) /data/users/ellishoag/repos/llvm-project/llvm/lib/IR/LegacyPassManager.cpp:1481:13
#22 0x00005614d4904ad7 (anonymous namespace)::MPPassManager::runOnModule(llvm::Module&) /data/users/ellishoag/repos/llvm-project/llvm/lib/IR/LegacyPassManager.cpp:0:27
#23 0x00005614d4904ad7 llvm::legacy::PassManagerImpl::run(llvm::Module&) /data/users/ellishoag/repos/llvm-project/llvm/lib/IR/LegacyPassManager.cpp:535:44
#24 0x00005614d4f3547b llvm::TimeTraceScope::~TimeTraceScope() /data/users/ellishoag/repos/llvm-project/llvm/include/llvm/Support/TimeProfiler.h:155:9
#25 0x00005614d4f3547b (anonymous namespace)::EmitAssemblyHelper::RunCodegenPipeline(clang::BackendAction, std::unique_ptr<llvm::raw_pwrite_stream, std::default_delete<llvm::raw_pwrite_stream>>&, std::unique_ptr<llvm::ToolOutputFile, std::default_delete<llvm::ToolOutputFile>>&, std::unique_ptr<llvm::raw_pwrite_stream, std::default_delete<llvm::raw_pwrite_stream>>&) /data/users/ellishoag/repos/llvm-project/clang/lib/CodeGen/BackendUtil.cpp:1144:3
#26 0x00005614d4f3547b (anonymous namespace)::EmitAssemblyHelper::EmitAssembly(clang::BackendAction, std::unique_ptr<llvm::raw_pwrite_stream, std::default_delete<llvm::raw_pwrite_stream>>, std::unique_ptr<llvm::raw_pwrite_stream, std::default_delete<llvm::raw_pwrite_stream>>) /data/users/ellishoag/repos/llvm-project/clang/lib/CodeGen/BackendUtil.cpp:1166:3
#27 0x00005614d4f3547b clang::EmitBackendOutput(clang::DiagnosticsEngine&, clang::HeaderSearchOptions const&, clang::CodeGenOptions const&, clang::TargetOptions const&, clang::LangOptions const&, clang::CASOptions const&, llvm::StringRef, llvm::Module*, clang::BackendAction, llvm::IntrusiveRefCntPtr<llvm::vfs::FileSystem>, std::unique_ptr<llvm::raw_pwrite_stream, std::default_delete<llvm::raw_pwrite_stream>>, std::unique_ptr<llvm::raw_pwrite_stream, std::default_delete<llvm::raw_pwrite_stream>>) /data/users/ellishoag/repos/llvm-project/clang/lib/CodeGen/BackendUtil.cpp:1336:13
#28 0x00005614d5ccc4ff std::unique_ptr<llvm::raw_pwrite_stream, std::default_delete<llvm::raw_pwrite_stream>>::~unique_ptr() /usr/lib/gcc/x86_64-redhat-linux/11/../../../../include/c++/11/bits/unique_ptr.h:360:6
#29 0x00005614d5ccc4ff clang::CodeGenAction::ExecuteAction() /data/users/ellishoag/repos/llvm-project/clang/lib/CodeGen/CodeGenAction.cpp:1314:3
#30 0x00005614d5697d50 clang::FrontendAction::Execute() /data/users/ellishoag/repos/llvm-project/clang/lib/Frontend/FrontendAction.cpp:1270:10
#31 0x00005614d5606593 llvm::Error::getPtr() const /data/users/ellishoag/repos/llvm-project/llvm/include/llvm/Support/Error.h:270:42
#32 0x00005614d5606593 llvm::Error::operator bool() /data/users/ellishoag/repos/llvm-project/llvm/include/llvm/Support/Error.h:233:16
#33 0x00005614d5606593 clang::CompilerInstance::ExecuteAction(clang::FrontendAction&) /data/users/ellishoag/repos/llvm-project/clang/lib/Frontend/CompilerInstance.cpp:1137:23
#34 0x00005614d5763d4c clang::ExecuteCompilerInvocation(clang::CompilerInstance*) /data/users/ellishoag/repos/llvm-project/clang/lib/FrontendTool/ExecuteCompilerInvocation.cpp:282:25
#35 0x00005614d34437a8 cc1_main(llvm::ArrayRef<char const*>, char const*, void*) /data/users/ellishoag/repos/llvm-project/clang/tools/driver/cc1_main.cpp:274:15
#36 0x00005614d343d8b1 ExecuteCC1Tool(llvm::SmallVectorImpl<char const*>&, llvm::ToolContext const&) /data/users/ellishoag/repos/llvm-project/clang/tools/driver/driver.cpp:0:12
#37 0x00005614d5492ad9 clang::driver::CC1Command::Execute(llvm::ArrayRef<std::optional<llvm::StringRef>>, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char>>*, bool*) const::$_0::operator()() const /data/users/ellishoag/repos/llvm-project/clang/lib/Driver/Job.cpp:477:30
#38 0x00005614d5492ad9 void llvm::function_ref<void ()>::callback_fn<clang::driver::CC1Command::Execute(llvm::ArrayRef<std::optional<llvm::StringRef>>, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char>>*, bool*) const::$_0>(long) /data/users/ellishoag/repos/llvm-project/llvm/include/llvm/ADT/STLFunctionalExtras.h:45:12
#39 0x00005614d4cf577e llvm::function_ref<void ()>::operator()() const /data/users/ellishoag/repos/llvm-project/llvm/include/llvm/ADT/STLFunctionalExtras.h:0:12
#40 0x00005614d4cf577e llvm::CrashRecoveryContext::RunSafely(llvm::function_ref<void ()>) /data/users/ellishoag/repos/llvm-project/llvm/lib/Support/CrashRecoveryContext.cpp:426:3
#41 0x00005614d54922c3 clang::driver::CC1Command::Execute(llvm::ArrayRef<std::optional<llvm::StringRef>>, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char>>*, bool*) const /data/users/ellishoag/repos/llvm-project/clang/lib/Driver/Job.cpp:477:7
#42 0x00005614d545812c clang::driver::Compilation::ExecuteCommand(clang::driver::Command const&, clang::driver::Command const*&, bool) const /data/users/ellishoag/repos/llvm-project/clang/lib/Driver/Compilation.cpp:199:15
#43 0x00005614d54583e7 clang::driver::Compilation::ExecuteJobs(clang::driver::JobList const&, llvm::SmallVectorImpl<std::pair<int, clang::driver::Command const*>>&, bool) const /data/users/ellishoag/repos/llvm-project/clang/lib/Driver/Compilation.cpp:253:13
#44 0x00005614d54738aa llvm::SmallVectorBase<unsigned int>::empty() const /data/users/ellishoag/repos/llvm-project/llvm/include/llvm/ADT/SmallVector.h:94:46
#45 0x00005614d54738aa clang::driver::Driver::ExecuteCompilation(clang::driver::Compilation&, llvm::SmallVectorImpl<std::pair<int, clang::driver::Command const*>>&) /data/users/ellishoag/repos/llvm-project/clang/lib/Driver/Driver.cpp:1910:23
#46 0x00005614d343d16f clang_main(int, char**, llvm::ToolContext const&) /data/users/ellishoag/repos/llvm-project/clang/tools/driver/driver.cpp:455:21
#47 0x00005614d345b651 main /data/users/ellishoag/repos/build/Ninja-RelWithDebInfoAssert/llvm-linux-x86_64/tools/clang/tools/driver/clang-driver.cpp:15:3
#48 0x00007f64dd229590 __libc_start_call_main (/lib64/libc.so.6+0x29590)
#49 0x00007f64dd229640 __libc_start_main@GLIBC_2.2.5 (/lib64/libc.so.6+0x29640)
#50 0x00005614d343b035 _start (../../build/Ninja-RelWithDebInfoAssert/llvm-linux-x86_64/bin/clang+0xfa0035)
clang: error: clang frontend command failed with exit code 134 (use -v to see invocation)
clang version 17.0.0 (https://github.com/apple/llvm-project.git bc5dda4e7eac5997cd4b16b53db5be48bb451234)
Target: x86_64-unknown-linux-gnu
Thread model: posix
InstalledDir: /home/ellishoag/repos/swift/utils/../../build/Ninja-RelWithDebInfoAssert/llvm-linux-x86_64/bin
clang: note: diagnostic msg: Error generating preprocessed source(s) - no preprocessable inputs.
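
The `inst not in same function as dbg.assign` lines in the error output above describe a store whose `!DIAssignID` is shared with an `llvm.dbg.assign` in a different function. As an added example (not code from this issue or from LLVM), here is a line-based Python scan of textual IR that reports such links. The sample module is constructed, and the scan handles only the intrinsic call form shown above; it is not a full IR parser.

```python
import re

# Constructed sample (not the issue's reduced.ll): the store tagged !16 sits in
# @_foo.cold.1 while its llvm.dbg.assign stayed in @_foo; !17 is linked correctly.
SAMPLE_IR = '''\
define void @_foo() {
  %Path.sroa.0 = alloca i64, align 8
  call void @llvm.dbg.assign(metadata i64 0, metadata !9, metadata !DIExpression(DW_OP_LLVM_fragment, 0, 64), metadata !16, metadata ptr %Path.sroa.0, metadata !DIExpression()), !dbg !14
  store i64 1, ptr %Path.sroa.0, align 8, !DIAssignID !17
  call void @llvm.dbg.assign(metadata i64 1, metadata !9, metadata !DIExpression(), metadata !17, metadata ptr %Path.sroa.0, metadata !DIExpression()), !dbg !14
  call void @_foo.cold.1(ptr %Path.sroa.0)
  ret void
}
define internal void @_foo.cold.1(ptr %Path.sroa.0) {
  store volatile i64 0, ptr %Path.sroa.0, align 8, !DIAssignID !16
  ret void
}
'''

DEFINE_RE = re.compile(r'^define\b.*?@([\w.$-]+)\s*\(')
ATTACH_RE = re.compile(r'!DIAssignID\s+(!\d+)')   # attachment on an instruction
DBG_ASSIGN = '@llvm.dbg.assign('

def call_args(text):
    """Split call operands on top-level commas; text starts after the '('."""
    args, depth, cur = [], 0, ''
    for ch in text:
        if ch == ')' and depth == 0:
            break                      # matching close of the call itself
        depth += (ch == '(') - (ch == ')')
        if ch == ',' and depth == 0:
            args.append(cur.strip())
            cur = ''
        else:
            cur += ch
    return args + [cur.strip()]

def cross_function_links(ir_text):
    """Return (id, store_funcs, dbg_assign_funcs) for IDs spanning functions."""
    stores, markers, func = {}, {}, None
    for line in ir_text.splitlines():
        m = DEFINE_RE.match(line)
        if m or line.startswith('}'):
            func = m.group(1) if m else None
        elif func and DBG_ASSIGN in line:
            args = call_args(line.split(DBG_ASSIGN, 1)[1])
            ident = re.search(r'!\d+', args[3]) if len(args) == 6 else None
            if ident:                  # 4th operand is the DIAssignID
                markers.setdefault(ident.group(0), set()).add(func)
        elif func and (m := ATTACH_RE.search(line)):
            stores.setdefault(m.group(1), set()).add(func)
    return [(i, sorted(stores[i]), sorted(markers[i]))
            for i in sorted(stores.keys() & markers.keys())
            if len(stores[i] | markers[i]) > 1]
```

Running `cross_function_links` over the output of a pass pipeline (for example IR dumped after each pass) narrows down which transformation first leaves a tagged store and its `llvm.dbg.assign` in separate functions.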

ellishg commented May 11, 2024

I was able to bisect and found the blame to be llvm@de6da6a which seems a little obvious in hindsight. The error goes away if we add -Xclang -fexperimental-assignment-tracking=disabled.


ellishg commented May 11, 2024

CC @OCHyams


OCHyams commented May 13, 2024

Hi @ellishg, thanks for the reproducer, I'll take a look


OCHyams commented May 13, 2024

> The upstream LLVM main branch does not crash.

Are you able to provide a bit more information about the version and setup/environment you're seeing the crash in? And are you able to reproduce this using any upstream version of clang?

The crash trace says clang 17.0.0 but I can't reproduce the issue using upstream clang version 17.0.0 (88bf774c565080e30e0a073676c316ab175303af) (tag llvmorg-17.0.0).


ellishg commented May 13, 2024

I was only able to reproduce on apple branches like next. I actually picked llvm@91d7ca9 and it appears to fix the issue (I had to remove getDbgRecordRange() because it doesn't exist on the branch yet). Thanks!
