
Bug 24645 - Segmentation fault in llvm-as inside LLParser::ParseValueAsMetadata
Summary: Segmentation fault in llvm-as inside LLParser::ParseValueAsMetadata
Status: RESOLVED FIXED
Alias: None
Product: new-bugs
Classification: Unclassified
Component: new bugs
Version: trunk
Hardware: PC Linux
Importance: P normal
Assignee: Karl Schimpf
URL:
Keywords:
Depends on:
Blocks: 24639
Reported: 2015-08-31 17:36 PDT by Karl Schimpf
Modified: 2015-09-03 11:56 PDT (History)

See Also:
Fixed By Commit(s):


Attachments

Description Karl Schimpf 2015-08-31 17:36:04 PDT
When you run:

echo '     !3=!    {%..d04 *asm" !6!={!H)4" ,""  ' | llvm-as - -o /dev/null

You get the following:

#0 0x667656 llvm::sys::PrintStackTrace(llvm::raw_ostream&) (/workspace/llvm-dev/install/bin/llvm-as+0x667656)
#1 0x66796b PrintStackTraceSignalHandler(void*) (/workspace/llvm-dev/install/bin/llvm-as+0x66796b)
#2 0x6660e7 llvm::sys::RunSignalHandlers() (/workspace/llvm-dev/install/bin/llvm-as+0x6660e7)
#3 0x6665be SignalHandler(int) (/workspace/llvm-dev/install/bin/llvm-as+0x6665be)
#4 0x7fd548e92340 __restore_rt (/lib/x86_64-linux-gnu/libpthread.so.0+0x10340)
#5 0x415166 llvm::Type::getSubclassData() const (/workspace/llvm-dev/install/bin/llvm-as+0x415166)
#6 0x41555e llvm::FunctionType::isVarArg() const (/workspace/llvm-dev/install/bin/llvm-as+0x41555e)
#7 0x5878a4 llvm::InlineAsm::Verify(llvm::FunctionType*, llvm::StringRef) (/workspace/llvm-dev/install/bin/llvm-as+0x5878a4)
#8 0x4318c2 llvm::LLParser::ConvertValIDToValue(llvm::Type*, llvm::ValID&, llvm::Value*&, llvm::LLParser::PerFunctionState*) (/workspace/llvm-dev/install/bin/llvm-as+0x4318c2)
#9 0x43235a llvm::LLParser::ParseValue(llvm::Type*, llvm::Value*&, llvm::LLParser::PerFunctionState*) (/workspace/llvm-dev/install/bin/llvm-as+0x43235a)
#10 0x4314eb llvm::LLParser::ParseValueAsMetadata(llvm::Metadata*&, llvm::Twine const&, llvm::LLParser::PerFunctionState*) (/workspace/llvm-dev/install/bin/llvm-as+0x4314eb)
#11 0x4315c0 llvm::LLParser::ParseMetadata(llvm::Metadata*&, llvm::LLParser::PerFunctionState*) (/workspace/llvm-dev/install/bin/llvm-as+0x4315c0)
#12 0x43b109 llvm::LLParser::ParseMDNodeVector(llvm::SmallVectorImpl<llvm::Metadata*>&) (/workspace/llvm-dev/install/bin/llvm-as+0x43b109)
#13 0x427835 llvm::LLParser::ParseMDTuple(llvm::MDNode*&, bool) (/workspace/llvm-dev/install/bin/llvm-as+0x427835)
#14 0x41ce3e llvm::LLParser::ParseStandaloneMetadata() (/workspace/llvm-dev/install/bin/llvm-as+0x41ce3e)
#15 0x41b3f6 llvm::LLParser::ParseTopLevelEntities() (/workspace/llvm-dev/install/bin/llvm-as+0x41b3f6)
#16 0x41a216 llvm::LLParser::Run() (/workspace/llvm-dev/install/bin/llvm-as+0x41a216)
#17 0x408307 llvm::parseAssemblyInto(llvm::MemoryBufferRef, llvm::Module&, llvm::SMDiagnostic&, llvm::SlotMapping*) (/workspace/llvm-dev/install/bin/llvm-as+0x408307)
#18 0x4083f1 llvm::parseAssembly(llvm::MemoryBufferRef, llvm::SMDiagnostic&, llvm::LLVMContext&, llvm::SlotMapping*) (/workspace/llvm-dev/install/bin/llvm-as+0x4083f1)
#19 0x40873c llvm::parseAssemblyFile(llvm::StringRef, llvm::SMDiagnostic&, llvm::LLVMContext&, llvm::SlotMapping*) (/workspace/llvm-dev/install/bin/llvm-as+0x40873c)
#20 0x4055f6 main (/workspace/llvm-dev/install/bin/llvm-as+0x4055f6)
#21 0x7fd5482beec5 __libc_start_main /build/buildd/eglibc-2.19/csu/libc-start.c:321:0
#22 0x404579 _start (/workspace/llvm-dev/install/bin/llvm-as+0x404579)
Stack dump:
0.	Program arguments: llvm-as - -o /dev/null 
Segmentation fault
Comment 1 Karl Schimpf 2015-09-01 10:36:15 PDT
It should be noted that this bug was found using lib/Fuzzer (via llvm-as-fuzzer).
Comment 2 Karl Schimpf 2015-09-01 11:18:00 PDT
Turned on assertions, which causes the following assertion to fire:

llvm-as: /workspace/llvm-dev/llvm/lib/AsmParser/LLParser.cpp:4131: bool llvm::LLParser::ConvertValIDToValue(llvm::Type *, llvm::ValID &, llvm::Value *&, llvm::LLParser::PerFunctionState *, llvm::LLParser::OperatorConstraint): Assertion `ID.FTy' failed.
#0 0x454141 backtrace /workspace/llvm-dev/llvm/projects/compiler-rt/lib/asan/../sanitizer_common/sanitizer_common_interceptors.inc:3248:0
#1 0xe3a252 llvm::sys::PrintStackTrace(llvm::raw_ostream&) /workspace/llvm-dev/llvm/lib/Support/Unix/Signals.inc:404:15
#2 0xe36c0d operator!=<std::pair<void (*)(void *), void *> *, std::vector<std::pair<void (*)(void *), void *>, std::allocator<std::pair<void (*)(void *), void *> > > > /usr/lib/gcc/x86_64-linux-gnu/4.8/../../../../include/c++/4.8/bits/stl_iterator.h:825:27
#3 0xe36c0d llvm::sys::RunSignalHandlers() /workspace/llvm-dev/llvm/lib/Support/Signals.cpp:34:0
#4 0xe40e19 SignalHandler(int) /workspace/llvm-dev/llvm/lib/Support/Unix/Signals.inc:211:1
#5 0x7f5ff1e4b340 __restore_rt (/lib/x86_64-linux-gnu/libpthread.so.0+0x10340)
#6 0x7f5ff1073cc9 gsignal /build/buildd/eglibc-2.19/signal/../nptl/sysdeps/unix/sysv/linux/raise.c:56:0
#7 0x7f5ff10770d8 abort /build/buildd/eglibc-2.19/stdlib/abort.c:91:0
#8 0x7f5ff106cb86 __assert_fail_base /build/buildd/eglibc-2.19/assert/assert.c:92:0
#9 0x7f5ff106cc32 (/lib/x86_64-linux-gnu/libc.so.6+0x2fc32)
#10 0x5825c7 Twine /workspace/llvm-dev/llvm/include/llvm/ADT/Twine.h:271:21
#11 0x5825c7 llvm::LLParser::ConvertValIDToValue(llvm::Type*, llvm::ValID&, llvm::Value*&, llvm::LLParser::PerFunctionState*, llvm::LLParser::OperatorConstraint) /workspace/llvm-dev/llvm/lib/AsmParser/LLParser.cpp:4220:0
#12 0x5a5bcc ParseValue /workspace/llvm-dev/llvm/lib/AsmParser/LLParser.cpp:4254:33
#13 0x5a5bcc llvm::LLParser::ParseValueAsMetadata(llvm::Metadata*&, llvm::Twine const&, llvm::LLParser::PerFunctionState*) /workspace/llvm-dev/llvm/lib/AsmParser/LLParser.cpp:4046:0
#14 0x5a50a4 llvm::LLParser::ParseMetadata(llvm::Metadata*&, llvm::LLParser::PerFunctionState*) /workspace/llvm-dev/llvm/lib/AsmParser/LLParser.cpp:4073:12
#15 0x583043 llvm::LLParser::ParseMDNodeVector(llvm::SmallVectorImpl<llvm::Metadata*>&) /workspace/llvm-dev/llvm/lib/AsmParser/LLParser.cpp:6043:9
#16 0x52213e ParseMDTuple /workspace/llvm-dev/llvm/lib/AsmParser/LLParser.cpp:3146:7
#17 0x52213e llvm::LLParser::ParseStandaloneMetadata() /workspace/llvm-dev/llvm/lib/AsmParser/LLParser.cpp:631:0
#18 0x511a4a llvm::LLParser::ParseTopLevelEntities() /workspace/llvm-dev/llvm/lib/AsmParser/LLParser.cpp:226:33
#19 0x5117e2 llvm::LLParser::Run() /workspace/llvm-dev/llvm/lib/AsmParser/LLParser.cpp:48:34
#20 0x4f1da2 llvm::parseAssemblyInto(llvm::MemoryBufferRef, llvm::Module&, llvm::SMDiagnostic&, llvm::SlotMapping*) /workspace/llvm-dev/llvm/lib/AsmParser/Parser.cpp:31:10
#21 0x4f2e5b parseAssembly /workspace/llvm-dev/llvm/lib/AsmParser/Parser.cpp:41:7
#22 0x4f2e5b llvm::parseAssemblyFile(llvm::StringRef, llvm::SMDiagnostic&, llvm::LLVMContext&, llvm::SlotMapping*) /workspace/llvm-dev/llvm/lib/AsmParser/Parser.cpp:59:0
#23 0x4ee601 get /usr/lib/gcc/x86_64-linux-gnu/4.8/../../../../include/c++/4.8/bits/unique_ptr.h:234:16
#24 0x4ee601 main /workspace/llvm-dev/llvm/tools/llvm-as/llvm-as.cpp:105:0
#25 0x7f5ff105eec5 __libc_start_main /build/buildd/eglibc-2.19/csu/libc-start.c:321:0
#26 0x425b7c _start (/workspace/llvm-dev/build-as-test/bin/llvm-as+0x425b7c)
Stack dump:
0.	Program arguments: /workspace/llvm-dev/build-as-test/bin/llvm-as - -o /dev/null 
Aborted
Comment 3 Kostya Serebryany 2015-09-01 11:25:05 PDT
With similar tests I often see stack-buffer-overflows, heap-buffer-overflows and other crazy stuff. 

This is what msan has to say: 

==3119==WARNING: MemorySanitizer: use-of-uninitialized-value
    #0 0x7f6628661750 in llvm::LLParser::ConvertValIDToValue llvm/lib/AsmParser/LLParser.cpp:4131:5
    #1 0x7f6628675683 in llvm::LLParser::ParseValue llvm/lib/AsmParser/LLParser.cpp:4254:33
    #2 0x7f6628675296 in llvm::LLParser::ParseValueAsMetadata llvm/lib/AsmParser/LLParser.cpp:4046:7
    #3 0x7f6628674d2d in llvm::LLParser::ParseMetadata llvm/lib/AsmParser/LLParser.cpp:4073:12
    #4 0x7f6628661b71 in llvm::LLParser::ParseMDNodeVector llvm/lib/AsmParser/LLParser.cpp:6043:9
    #5 0x7f662863a919 in llvm::LLParser::ParseMDTuple llvm/lib/AsmParser/LLParser.cpp:3146:7
    #6 0x7f662862aa2d in llvm::LLParser::ParseStandaloneMetadata llvm/lib/AsmParser/LLParser.cpp:631:14
    #7 0x7f6628620596 in llvm::LLParser::ParseTopLevelEntities llvm/lib/AsmParser/LLParser.cpp:226:33
    #8 0x7f662861fc0f in llvm::LLParser::Run llvm/lib/AsmParser/LLParser.cpp:48:10
    #9 0x7f66285ee4c4 in llvm::parseAssemblyInto llvm/lib/AsmParser/Parser.cpp:31:10
    #10 0x7f66285ee7a2 in llvm::parseAssembly llvm/lib/AsmParser/Parser.cpp:41:7
    #11 0x7f66285eeff9 in llvm::parseAssemblyFile llvm/lib/AsmParser/Parser.cpp:59:10
    #12 0x7f66285e5c1b in main llvm/tools/llvm-as/llvm-as.cpp:96:31
    
  Uninitialized value was created by an allocation of 'ID' in the stack frame of function '_ZN4llvm8LLParser10ParseValueEPNS_4TypeERPNS_5ValueEPNS0_16PerFunctionStateENS0_18OperatorConstraintE'
    #0 0x7f66286753e0 in llvm::LLParser::ParseValue llvm/lib/AsmParser/LLParser.cpp:4251

The havoc is caused by an uninitialized field ValID::FTy 

If I initialize the value to nullptr in the CTOR all the crazy errors transform into 
Assertion `ID.FTy' failed (lib/AsmParser/LLParser.cpp:4131)

--- lib/AsmParser/LLParser.h	(revision 246552)
+++ lib/AsmParser/LLParser.h	(working copy)
@@ -59,7 +59,7 @@
 
     LLLexer::LocTy Loc;
     unsigned UIntVal;
-    FunctionType *FTy;
+    FunctionType *FTy = nullptr;
     std::string StrVal, StrVal2;
     APSInt APSIntVal;
     APFloat APFloatVal{0.0};
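Review bot: the default initializer on `FTy` turns the indeterminate read into a dependable null check, but `unsigned UIntVal;` two lines above it is left as a raw scalar with no initializer, and the same `t_InlineAsm` case reads it as `ID.UIntVal & 1` (see the LLParser.cpp hunk in Comment 4). Suggest `unsigned UIntVal = 0;` in the same change so a partially filled ValID cannot produce the same class of uninitialized-value report on the next field.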
Comment 4 Kostya Serebryany 2015-09-01 11:29:35 PDT
This might be a reasonable fix:

Index: lib/AsmParser/LLParser.cpp
===================================================================
--- lib/AsmParser/LLParser.cpp	(revision 246552)
+++ lib/AsmParser/LLParser.cpp	(working copy)
@@ -4128,7 +4128,8 @@
     V = PFS->GetVal(ID.StrVal, Ty, ID.Loc, OC);
     return V == nullptr;
   case ValID::t_InlineAsm: {
-    assert(ID.FTy);
+    if (!ID.FTy)
+      return Error(ID.Loc, "Empty FTy");
     if (!InlineAsm::Verify(ID.FTy, ID.StrVal2))
       return Error(ID.Loc, "invalid type for inline asm constraint string");
     V = InlineAsm::get(ID.FTy, ID.StrVal, ID.StrVal2, ID.UIntVal & 1,
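Review bot: the message on the added `return Error(ID.Loc, "Empty FTy");` leaks an internal field name into an llvm-as diagnostic; the next line's `"invalid type for inline asm constraint string"` shows the house style, so wording such as "inline asm value requires a function type" would fit better. Replacing `assert(ID.FTy)` with a returned error is the right shape: the assert is compiled out in release builds, which is why the original report saw a segfault inside `InlineAsm::Verify` rather than the assertion in Comment 2, and `return Error(...)` keeps the true-on-failure convention already used by `return V == nullptr;` above.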
Index: lib/AsmParser/LLParser.h
===================================================================
--- lib/AsmParser/LLParser.h	(revision 246552)
+++ lib/AsmParser/LLParser.h	(working copy)
@@ -59,7 +59,7 @@
 
     LLLexer::LocTy Loc;
     unsigned UIntVal;
-    FunctionType *FTy;
+    FunctionType *FTy = nullptr;
     std::string StrVal, StrVal2;
     APSInt APSIntVal;
     APFloat APFloatVal{0.0};
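Review bot: this header hunk duplicates the one in Comment 3 and is what makes the new `if (!ID.FTy)` check in the LLParser.cpp hunk reliable: without `= nullptr`, a ValID that the metadata path never typed carries whatever was on the stack, so the check can pass on garbage and `InlineAsm::Verify` still receives a bogus `FunctionType*`. Both hunks should land together; the .cpp check alone would only help when the garbage happens to be zero.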
Comment 5 Karl Schimpf 2015-09-01 17:16:58 PDT
See https://reviews.llvm.org/D12538 for fix (based on kcc's suggestion).
Comment 6 Karl Schimpf 2015-09-03 11:56:24 PDT
Committed: https://reviews.llvm.org/rL246779
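The patched `t_InlineAsm` path from Comment 4, reduced to a stand-alone model as an added example (this is not LLVM code; `ValID`, `FunctionType`, `convertValIDToValue` and `verifyInlineAsm` are stand-ins that borrow the LLVM names only for readability, and the constraint check is a deliberately simplified assumption, not `InlineAsm::Verify`). It shows the two halves of the fix together: default member initializers so a partially filled `ValID` is never indeterminate, and a returned parse error in place of an `assert` that would vanish in a release build.

```cpp
#include <cstddef>
#include <string>

// Stand-in for llvm::FunctionType: only the parameter count is modelled (assumption).
struct FunctionType {
    std::size_t NumParams;
};

// Reduced model of LLParser::ValID after the patch. Every raw member carries a
// default initializer, so a ValID that a parse path fills only partially (as the
// fuzzed metadata input in the report did) has a well-defined null FTy instead
// of stack garbage.
struct ValID {
    enum KindTy { t_LocalName, t_InlineAsm };
    KindTy Kind = t_LocalName;
    FunctionType *FTy = nullptr;   // the field that was uninitialized in the report
    unsigned UIntVal = 0;          // bit 0 = sideeffect, read as ID.UIntVal & 1
    std::string StrVal;            // asm string
    std::string StrVal2;           // constraint string
};

// Stand-in for InlineAsm::Verify (assumption; the real check is far stricter):
// splits the constraint string on ',', rejects empty entries, and requires one
// input constraint per parameter. '=' (output) and '~' (clobber) entries are
// not counted as inputs.
static bool verifyInlineAsm(const FunctionType &FTy, const std::string &Constraints) {
    std::size_t inputs = 0;
    std::size_t start = 0;
    while (!Constraints.empty() && start <= Constraints.size()) {
        std::size_t end = Constraints.find(',', start);
        std::string tok = Constraints.substr(
            start, end == std::string::npos ? std::string::npos : end - start);
        if (tok.empty())                      // ",," or a trailing comma
            return false;
        if (tok[0] != '=' && tok[0] != '~')
            ++inputs;
        if (end == std::string::npos)
            break;
        start = end + 1;
    }
    return inputs == FTy.NumParams;
}

// Mirrors the patched t_InlineAsm case of ConvertValIDToValue: returns true on
// error (LLParser's Error() convention) and leaves the diagnostic in Diag.
bool convertValIDToValue(const ValID &ID, std::string &Value, std::string &Diag) {
    switch (ID.Kind) {
    case ValID::t_LocalName:
        Value = "%" + ID.StrVal;
        return false;
    case ValID::t_InlineAsm:
        // Before the patch this was assert(ID.FTy). In a release build the
        // assert is gone, so a null or garbage FTy reached Verify and crashed.
        if (!ID.FTy) {
            Diag = "inline asm value requires a function type";
            return true;
        }
        if (!verifyInlineAsm(*ID.FTy, ID.StrVal2)) {
            Diag = "invalid type for inline asm constraint string";
            return true;
        }
        Value = std::string("asm ") + ((ID.UIntVal & 1) ? "sideeffect " : "") +
                "\"" + ID.StrVal + "\", \"" + ID.StrVal2 + "\"";
        return false;
    }
    Diag = "unknown ValID kind";
    return true;
}

// Models the fuzzed path from the report: an inline-asm ValID whose FTy was
// never assigned. With the initializer, the null check fires deterministically.
std::string diagnoseUntypedInlineAsm() {
    ValID ID;
    ID.Kind = ValID::t_InlineAsm;
    ID.StrVal = "nop";
    std::string Value, Diag;
    convertValIDToValue(ID, Value, Diag);
    return Diag;
}

// The well-formed path: a typed inline-asm ValID, for contrast (constructed input).
std::string convertTypedInlineAsm(std::size_t NumParams, const std::string &Constraints,
                                  bool SideEffect) {
    FunctionType FTy{NumParams};
    ValID ID;
    ID.Kind = ValID::t_InlineAsm;
    ID.FTy = &FTy;
    ID.UIntVal = SideEffect ? 1u : 0u;
    ID.StrVal = "nop";
    ID.StrVal2 = Constraints;
    std::string Value, Diag;
    if (convertValIDToValue(ID, Value, Diag))
        return "error: " + Diag;
    return Value;
}
```

The untyped case is exactly the state the metadata parser produced for the fuzzed input: `Kind` says inline asm but nothing ever set `FTy`. Without the `= nullptr` initializer the `if (!ID.FTy)` test would be reading an indeterminate pointer, which is what MemorySanitizer flagged in Comment 3, so the initializer and the error return are one fix, not two.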