[llvm-bugs] [Bug 39321] New: segfault in llvm_shutdown with -load module using RegisterStandardPasses

via llvm-bugs llvm-bugs at lists.llvm.org
Tue Oct 16 03:51:06 PDT 2018


https://bugs.llvm.org/show_bug.cgi?id=39321

            Bug ID: 39321
           Summary: segfault in llvm_shutdown with -load module using
                    RegisterStandardPasses
           Product: libraries
           Version: 6.0
          Hardware: PC
                OS: Linux
            Status: NEW
          Severity: normal
          Priority: P
         Component: System Library
          Assignee: unassignedbugs at nondot.org
          Reporter: cjd at cjdns.fr
                CC: llvm-bugs at lists.llvm.org

This was reproduced on Ubuntu AMD64 (travis-ci) and ARM armbian using LLVM-5
and LLVM-6.

Reproduced with package:
https://packages.debian.org/source/stretch-backports/llvm-toolchain-6.0 (and
5.0) (ARM hf, armbian)
And also with package: llvm-toolchain-trusty-6.0 (and 5.0) from
https://apt.llvm.org/ (Ubuntu Trusty: travis-ci)

This issue is the source of some problems for people who are using AFL fuzzer:
https://groups.google.com/forum/#!topic/afl-users/D3-jbylxHeg
https://groups.google.com/forum/#!msg/afl-users/TDLrTu3V_Pw/K4svutarAAAJ
https://groups.google.com/forum/#!topic/afl-users/1WqZpGXvYY0


The module is built with:

clang++ -I/usr/local/clang-5.0.0/include -fPIC -fvisibility-inlines-hidden
-Werror=date-time -std=c++11 -Wall -W -Wno-unused-parameter -Wwrite-strings
-Wcast-qual -Wmissing-field-initializers -pedantic -Wno-long-long
-Wcovered-switch-default -Wnon-virtual-dtor -Wdelete-non-virtual-dtor
-Wstring-conversion -ffunction-sections -fdata-sections -O3 -DNDEBUG
-fno-exceptions -fno-rtti -DLLVM_BUILD_GLOBAL_ISEL -D_GNU_SOURCE
-D__STDC_CONSTANT_MACROS -D__STDC_FORMAT_MACROS -D__STDC_LIMIT_MACROS -fno-rtti
-fpic -O3 -funroll-loops -Wall -D_FORTIFY_SOURCE=2 -g -Wno-pointer-sign
-DVERSION="2.52b" -Wno-variadic-macros -shared afl-llvm-pass.so.cc -o
../afl-llvm-pass.so -L/usr/local/clang-5.0.0/lib


Test execution with (-disable-free does not seem to have an effect):

gdb `which clang` -ex 'r -cc1 -load ../afl-llvm-pass.so -disable-free -x c
../test-instr.c'

Results in:

Program received signal SIGSEGV, Segmentation fault.
0xb6ff56c4 in ?? ()
(gdb) bt
warning: Could not find DWO CU
CMakeFiles/LLVMipo.dir/PassManagerBuilder.cpp.dwo(0xb0102d3ec8553c17)
referenced by CU at offset 0xd34c [in module
/usr/lib/debug/.build-id/03/4dc09456f470ea4060703c7d9e782204e534bc.debug]
#0  0xb6ff56c4 in ?? ()
#1  0xb5679096 in
llvm::object_deleter<llvm::SmallVector<std::pair<llvm::PassManagerBuilder::ExtensionPointTy,
std::function<void (llvm::PassManagerBuilder const&,
llvm::legacy::PassManagerBase&)> >, 8u> >::call(void*) () at
/usr/include/c++/6/functional:1690
warning: Could not find DWO CU
CMakeFiles/LLVMSupport.dir/ManagedStatic.cpp.dwo(0xa326de4ee48dabe5) referenced
by CU at offset 0x8d0 [in module
/usr/lib/debug/.build-id/03/4dc09456f470ea4060703c7d9e782204e534bc.debug]
#2  0xb4ebfb66 in llvm::ManagedStaticBase::destroy() const () at
/build/llvm-toolchain-5.0-GMVJjV/llvm-toolchain-5.0-5.0.1/lib/Support/ManagedStatic.cpp:75
#3  0xb4ebfc7a in llvm::llvm_shutdown() () at
/build/llvm-toolchain-5.0-GMVJjV/llvm-toolchain-5.0-5.0.1/lib/Support/ManagedStatic.cpp:87
#4  0x0079e3d0 in main ()
(gdb)


Commenting out the line `PM.add(new AFLCoverage());` in afl-llvm-pass.so.cc (
https://github.com/mirrorer/afl/blob/master/llvm_mode/afl-llvm-pass.so.cc#L176
), which ought to make the module do absolutely nothing, does not fix the issue;
there is still a crash.


Known workaround:

Overriding dlclose() with a function that does nothing prevents the crash (
see: https://github.com/cjdelisle/cjdnslop/blob/master/afl/catch-dlclose.patch
).

Demonstration on travis-ci:

Here you can see it compiling with no dlclose() override:
https://travis-ci.org/cjdelisle/cjdnslop/builds/442107146
Here you can see with the dlclose() override:
https://travis-ci.org/cjdelisle/cjdnslop/builds/442107180


It seems that perhaps LLVM attempts to free memory which belongs to the module
after it has been dlclose()'d.
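To make the teardown ordering concrete, here is an added illustration that is not part of the report and not LLVM code. It models, without dlopen(), a host that keeps a lazily created registry of std::function callbacks (the role played by the ManagedStatic<SmallVector<...>> behind RegisterStandardPasses in frame #1 of the backtrace) while the callable and its destructor belong to the plugin. A boolean stands in for whether the plugin's pages are still mapped; instead of faulting, the model counts every time plugin code runs after "dlclose()". The names Module, PluginCallback, Registry and the three ordering functions are constructed for this example.

```cpp
// Added example (not from the report or from LLVM): models the teardown-order
// hazard behind this crash without dlopen(). A host keeps a registry of
// std::function callbacks; the callable and its destructor belong to the
// plugin. Which of dlclose() and llvm_shutdown() runs first decides whether
// plugin code is executed after the plugin is gone. All names are constructed.
#include <cstdio>
#include <functional>
#include <vector>

// Stand-in for the plugin's mapped code/data: true only while "loaded".
// In the real process the pages are unmapped and the call lands on an
// address such as 0xb6ff56c4 in the backtrace; here we only count it.
struct Module {
    bool loaded = true;
};

// Callable whose body and destructor live in the plugin, like the
// std::function manager/invoker thunks that RegisterStandardPasses stores.
struct PluginCallback {
    Module* owner;
    int* lateCalls;  // incremented whenever plugin code runs after unload
    void operator()() const {
        if (!owner->loaded) ++*lateCalls;
    }
    ~PluginCallback() {
        if (!owner->loaded) ++*lateCalls;  // the destructor is plugin code too
    }
};

// Host side: registry torn down by an explicit shutdown (llvm_shutdown()).
struct Registry {
    std::vector<std::function<void()>> extensions;
    void runAll() { for (auto& f : extensions) f(); }
    void shutdown() { extensions.clear(); }  // destroys each stored target
};

// Shared by the three orderings: register the plugin callback and run it once
// while the plugin is still mapped (normal compilation).
static void registerPlugin(Registry& reg, Module& mod, int& lateCalls) {
    reg.extensions.emplace_back(PluginCallback{&mod, &lateCalls});
    reg.runAll();
}

// Ordering in the report: dlclose() first, llvm_shutdown() afterwards.
int unloadThenShutdown() {
    Module mod; Registry reg; int lateCalls = 0;
    registerPlugin(reg, mod, lateCalls);
    mod.loaded = false;  // dlclose(): plugin code is unmapped
    reg.shutdown();      // registry teardown runs the plugin's destructor
    return lateCalls;    // 1: this step is the SIGSEGV in the backtrace
}

// Host-side fix: tear the registry down before unloading the plugin.
int shutdownThenUnload() {
    Module mod; Registry reg; int lateCalls = 0;
    registerPlugin(reg, mod, lateCalls);
    reg.shutdown();      // plugin destructors run while its code is mapped
    mod.loaded = false;  // dlclose() is now safe
    return lateCalls;    // 0
}

// The reporter's workaround: a dlclose() that does nothing.
int neverUnload() {
    Module mod; Registry reg; int lateCalls = 0;
    registerPlugin(reg, mod, lateCalls);
    reg.shutdown();      // plugin is still mapped at process exit
    return lateCalls;    // 0
}

int main() {
    std::printf("unload then shutdown: %d late call(s)\n", unloadThenShutdown());
    std::printf("shutdown then unload: %d late call(s)\n", shutdownThenUnload());
    std::printf("never unload:         %d late call(s)\n", neverUnload());
    return 0;
}
```

The point the model makes is that a std::function owning a plugin-provided callable is not just data: destroying it executes the callable's destructor, which is code inside the plugin. Any registry that outlives dlclose() therefore has to be emptied before the unload (the second ordering), or the unload has to be suppressed (the reporter's dlclose() override, the third ordering).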

Related issues:
https://bugs.llvm.org/show_bug.cgi?id=34573
