
Issue metadata

Status: Verified
Owner: ----
Closed: Aug 28
Cc:
Type: Bug




Issue 5537: llvm/clang-proto-fuzzer: ASSERT: isLoopInvariant(Operands[i], L) && "SCEVAddRecExpr operand is not loop-invariant

Reported by ClusterFuzz-External, Jan 21 2018 Project Member

Issue description

Detailed report: https://oss-fuzz.com/testcase?key=6643839252037632

Project: llvm
Fuzzer: libFuzzer_llvm_clang-proto-fuzzer
Fuzz target binary: clang-proto-fuzzer
Job Type: libfuzzer_asan_llvm
Platform Id: linux

Crash Type: ASSERT
Crash Address: 
Crash State:
  isLoopInvariant(Operands[i], L) && "SCEVAddRecExpr operand is not loop-invariant
  llvm::ScalarEvolution::getAddRecExpr
  llvm::ScalarEvolution::getMulExpr
  
Sanitizer: address (ASAN)

Regressed: https://oss-fuzz.com/revisions?job=libfuzzer_asan_llvm&range=201712190608:201712210617

Reproducer Testcase: https://oss-fuzz.com/download?testcase_id=6643839252037632

Issue filed automatically.

See https://github.com/google/oss-fuzz/blob/master/docs/reproducing.md for more information.

When you fix this bug, please
  * mention the fix revision(s).
  * state whether the bug was a short-lived regression or an old bug in any stable releases.
  * add any other useful information.
This information can help downstream consumers.

If you have questions for the OSS-Fuzz team, please file an issue at https://github.com/google/oss-fuzz/issues.
 

Comment 1 by ClusterFuzz-External, Jan 21 2018

Project Member
Labels: OS-Linux

Comment 2 by kcc@google.com, Jan 22 2018

Project Member
C reproducer: 
% cat 5537.c 
void foo(int *a) {
  a[0] = (15164);
  while (((((a[0] * a[0]) * a[0]) * ((a[0] * a[0]) * a[0])) * a[0])) {
    a[0] = (a[72] + a[0]);
  }
  while (((((a[72] * a[0]) * a[0]) * (a[0] * a[0])) * a[0])) {
    a[0] = ((1073741824) + a[0]);
  }
  (void)0;
  while ((1 ^ (a[84] & 1))) {
  }
  while ((1 / (a[0] + (a[0] + 1)))) {
    (void)0;
    a[28] = 1;
    a[0] = (a[0] + (0));
    a[0] = (1 / (1 ^ (a[0] + 1)));
  }
  while ((40)) {
    if (a[0]) {
      (void)0;
    } else {
    }
  }
}
% clang -cc1 -triple x86_64-unknown-linux-gnu -emit-obj -O3 5537.c PS1=%
clang: lib/Analysis/ScalarEvolution.cpp:3269: const llvm::SCEV *llvm::ScalarEvolution::getAddRecExpr(SmallVectorImpl<const llvm::SCEV *> &, const llvm::Loop *, SCEV::NoWrapFlags): Assertion `isLoopInvariant(Operands[i], L) && "SCEVAddRecExpr operand is not loop-invariant!"' failed.

Comment 3 by mascasa@google.com, Feb 2 2018

Smaller reproducer:

$ cat repro.c 
void foo(int *a) {
  a[0] = 1;
  while ((a[32] * a[0])) {
    a[0] = (1 + a[0]);
  }
  while ((((a[0] * a[0]) * (a[0] * a[0])) * a[0])) {
    a[0] = ((1073741824) + a[0]);
  }
}
$ clang -cc1 -triple x86_64-unknown-linux-gnu -O2 -emit-obj repro.c
clang: lib/Analysis/ScalarEvolution.cpp:3269: const llvm::SCEV *llvm::ScalarEvolution::getAddRecExpr(SmallVectorImpl<const llvm::SCEV *> &, const llvm::Loop *, SCEV::NoWrapFlags): Assertion `isLoopInvariant(Operands[i], L) && "SCEVAddRecExpr operand is not loop-invariant!"' failed.

Comment 4 by sheriffbot@chromium.org, Apr 16 2018

Project Member
Labels: Deadline-Approaching
This bug is approaching its deadline for being fixed, and will be automatically derestricted within 7 days. If a fix is planned within 2 weeks after the deadline has passed, a grace extension can be granted.

- Your friendly Sheriffbot

Comment 5 by ClusterFuzz-External, Jun 4 2018

Project Member
Cc: jfb@chromium.org

Comment 6 by ClusterFuzz-External, Jul 3 2018

Project Member
Cc: eneyman@google.com

Comment 7 by ClusterFuzz-External, Aug 28

Project Member
ClusterFuzz has detected this issue as fixed in range 201808271555:201808280130.

Detailed report: https://oss-fuzz.com/testcase?key=6643839252037632

Project: llvm
Fuzzer: libFuzzer_llvm_clang-proto-fuzzer
Fuzz target binary: clang-proto-fuzzer
Job Type: libfuzzer_asan_llvm
Platform Id: linux

Crash Type: ASSERT
Crash Address: 
Crash State:
  isLoopInvariant(Operands[i], L) && "SCEVAddRecExpr operand is not loop-invariant
  llvm::ScalarEvolution::getAddRecExpr
  llvm::ScalarEvolution::getMulExpr
  
Sanitizer: address (ASAN)

Regressed: https://oss-fuzz.com/revisions?job=libfuzzer_asan_llvm&range=201712190608:201712210617
Fixed: https://oss-fuzz.com/revisions?job=libfuzzer_asan_llvm&range=201808271555:201808280130

Reproducer Testcase: https://oss-fuzz.com/download?testcase_id=6643839252037632

See https://github.com/google/oss-fuzz/blob/master/docs/reproducing.md for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.

Comment 8 by ClusterFuzz-External, Aug 28

Project Member
Labels: ClusterFuzz-Verified
Status: Verified (was: New)
ClusterFuzz testcase 6643839252037632 is verified as fixed, so closing issue as verified.

If this is incorrect, please file a bug on https://github.com/google/oss-fuzz/issues/new

Comment 9 by mmoroz@google.com, Feb 6

Project Member
Cc: mitchp@google.com

Comment 10 by mmoroz@google.com, Feb 14 (4 days ago)

Project Member
Cc: bigchees...@gmail.com
