[llvm-bugs] [Bug 25891] New: [ms] clang-cl emits code that causes link.exe /incremental to write broken binaries, related to function pointers

via llvm-bugs llvm-bugs at lists.llvm.org
Fri Dec 18 11:03:18 PST 2015


            Bug ID: 25891
           Summary: [ms] clang-cl emits code that causes link.exe
                    /incremental to write broken binaries, related to
                    function pointers
           Product: clang
           Version: unspecified
          Hardware: PC
                OS: Windows NT
            Status: NEW
          Severity: normal
          Priority: P
         Component: LLVM Codegen
          Assignee: unassignedclangbugs at nondot.org
          Reporter: nicolasweber at gmx.de
                CC: llvm-bugs at lists.llvm.org
    Classification: Unclassified

First, create these 3 files:

C:\src\chrome\src\net>type s3.h
typedef struct ssl_st SSL;
struct ssl_st {
  void* f[21];  // <- !
  int (*handshake_func)(SSL *);
  void (*info_callback)();

C:\src\chrome\src\net>type s3_clnt.c
#include "s3.h"

#include <stddef.h>

void f();

#define FOO0 f(); f();
#define FOO1 FOO0 FOO0
#define FOO2 FOO1 FOO1
#define FOO3 FOO2 FOO2
#define FOO4 FOO3 FOO3
#define FOO5 FOO4 FOO4
#define FOO6 FOO5 FOO5
#define FOO7 FOO6 FOO6
#define FOO8 FOO7 FOO7
#define FOO9 FOO8 FOO8
#define FOO10 FOO9 FOO9
#define FOO11 FOO10 FOO10

int ssl3_connect(SSL *s) {
  if (s->info_callback != NULL)

  // Bloat code size a bit so it's more likely link.exe writes a new version
  // of this function.
  return 0;

C:\src\chrome\src\net>type s3_lib.c
#include <stdlib.h>
#include <string.h>

#include "s3.h"

int ssl3_connect(SSL *s);

void f() {}

int main() {
  SSL *s = (SSL *)malloc(sizeof(SSL));
  memset(s, 0, sizeof(SSL));
  s->handshake_func = ssl3_connect;

Then build them like so:
/c s3_clnt.c /O2

/c s3_lib.c /O2

C:\src\chrome\src\net>link /incremental s3_clnt.obj s3_lib.obj
Microsoft (R) Incremental Linker Version 12.00.31101.0
Copyright (C) Microsoft Corporation.  All rights reserved.

Now run net_repro.exe. It should exit fine.

Now increment the number in the line marked "// <- !" by one, rerun the three
build commands, and run the executable again. You my need to do this 2-5 times,
but sometimes once is enough. Eventually, the executable will crash with a
stack overflow. It looks like `s->handshake_func(s)` jumps to an old version of
ssl3_connect() where the offset is 8 bytes too low, so that `s->info_callback`
isn't NULL but points ot `s->handshake_func` again.

You are receiving this mail because:
You are on the CC list for the bug.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.llvm.org/pipermail/llvm-bugs/attachments/20151218/b11a13f2/attachment.html>

More information about the llvm-bugs mailing list