LibCallSimplifier (of instcombine) crashes on aliased lib function

[llvmbot]

Bugzilla Link	39177
Resolution	FIXED
Resolved on	Oct 13, 2018 09:02
Version	trunk
OS	Linux
Attachments	minimal test case
Reporter	LLVM Bugzilla Contributor
CC	@davidbolvansky,@rotateright
Fixed by commit(s)	344454

Extended Description

While trying to test some programs with KLEE, David Laprell came up with an issue previously noted here: http://lists.llvm.org/pipermail/llvm-dev/2017-July/115957.html
David was able to reduce the input to KLEE (still linking against klee-uclibc) to a minimum.

From this I was able to reduce it to the attached program crashing opt -instcombine / clang -O1 (version 8.0.0, trunk 343759). In this program, "frwite" is aliased to "__fwrite_alias".

The core issue seems to be in lib/Transforms/Utils/BuildLibCalls.cpp's method llvm::emitFWrite():

Constant *F = M->getOrInsertFunction(
FWriteName, DL.getIntPtrType(Context), B.getInt8PtrTy(),
DL.getIntPtrType(Context), DL.getIntPtrType(Context), File->getType());

if (File->getType()->isPointerTy())
inferLibFuncAttributes(*M->getFunction(FWriteName), *TLI);

The code assumes that after calling getOrInsertFunction(), it is safe to say that a function of FWriteName will exist.
This is not true, as getOrInsertFunction() returns a GlobalAlias, but getFunction() returns nullptr (as GlobalAlias cannot be casted to Function).

The same pattern (and thus problem) seems to be present accross most llvm::emit* functions in BuildLibCalls.cpp, but I haven't investigated it further.

Steps to reproduce:

$ ../llvm-trunk/build/bin/clang -Xclang -disable-O0-optnone -c -emit-llvm crash.c
$ ../llvm-trunk/build/bin/opt -instcombine crash.bc -o crash.opt.bc
Stack dump:
0. Program arguments: ../llvm-trunk/build/bin/opt -instcombine crash.bc -o crash.opt.bc

1. Running pass 'Function Pass Manager' on module 'crash.bc'.
2. Running pass 'Combine redundant instructions' on function '@main'
   [...]
   #​4 0x00007f742729e1b0 __restore_rt (/lib64/libpthread.so.0+0x121b0)
   #​5 0x0000000001245bd6 llvm::GlobalValue::getParent() const /home/jb/llvm-trunk/build/../include/llvm/IR/GlobalValue.h:567:0
   #​6 0x00000000018f1e9d llvm::TargetLibraryInfoImpl::getLibFunc(llvm::Function const&, llvm::LibFunc&) const /home/jb/llvm-trunk/build/../lib/Analysis/TargetLibraryInfo.cpp:1375:0
   #​7 0x0000000001616716 llvm::TargetLibraryInfo::getLibFunc(llvm::Function const&, llvm::LibFunc&) const /home/jb/llvm-trunk/build/../include/llvm/Analysis/TargetLibraryInfo.h:237:0
   #​8 0x0000000002872a22 llvm::inferLibFuncAttributes(llvm::Function&, llvm::TargetLibraryInfo const&) /home/jb/llvm-trunk/build/../lib/Transforms/Utils/BuildLibCalls.cpp:126:0
   #​9 0x0000000002876ab1 llvm::emitFWrite(llvm::Value*, llvm::Value*, llvm::Value*, llvm::IRBuilder<llvm::ConstantFolder, llvm::IRBuilderDefaultInserter>&, llvm::DataLayout const&, llvm::TargetLibraryInfo const*) /home/jb/llvm-trunk/build/../lib/Transforms/Utils/BuildLibCalls.cpp:1093:0
   [...]
   Segmentation fault (core dumped)

This behavior was found in the course of the SYMBIOSYS research project at COMSYS, RWTH Aachen University. This research is supported by the European Research Council (ERC) under the EU's Horizon 2020 Research and Innovation Programme grant agreement n. 647295 (SYMBIOSYS).

[davidbolvansky]

https://reviews.llvm.org/D53129

[davidbolvansky]

Resolved in r344454

[llvmbot]

mentioned in issue llvm/llvm-bugzilla-archive#39507