<html>
<head>
<base href="https://bugs.llvm.org/">
</head>
<body><table border="1" cellspacing="0" cellpadding="8">
<tr>
<th>Bug ID</th>
<td><a class="bz_bug_link
bz_status_NEW "
title="NEW - segfault in llvm_shutdown with -load module using RegisterStandardPasses"
href="https://bugs.llvm.org/show_bug.cgi?id=39321">39321</a>
</td>
</tr>
<tr>
<th>Summary</th>
<td>segfault in llvm_shutdown with -load module using RegisterStandardPasses
</td>
</tr>
<tr>
<th>Product</th>
<td>libraries
</td>
</tr>
<tr>
<th>Version</th>
<td>6.0
</td>
</tr>
<tr>
<th>Hardware</th>
<td>PC
</td>
</tr>
<tr>
<th>OS</th>
<td>Linux
</td>
</tr>
<tr>
<th>Status</th>
<td>NEW
</td>
</tr>
<tr>
<th>Severity</th>
<td>normal
</td>
</tr>
<tr>
<th>Priority</th>
<td>P
</td>
</tr>
<tr>
<th>Component</th>
<td>System Library
</td>
</tr>
<tr>
<th>Assignee</th>
<td>unassignedbugs@nondot.org
</td>
</tr>
<tr>
<th>Reporter</th>
<td>cjd@cjdns.fr
</td>
</tr>
<tr>
<th>CC</th>
<td>llvm-bugs@lists.llvm.org
</td>
</tr></table>
<p>
<div>
<pre>This was reproduced on Ubuntu AMD64 (travis-ci) and ARM armbian using LLVM-5
and LLVM-6.
Reproduced with package:
<a href="https://packages.debian.org/source/stretch-backports/llvm-toolchain-6.0">https://packages.debian.org/source/stretch-backports/llvm-toolchain-6.0</a> (and
5.0) (ARM hf, armbian)
And also with package: llvm-toolchain-trusty-6.0 (and 5.0) from
<a href="https://apt.llvm.org/">https://apt.llvm.org/</a> (Ubuntu Trusty: travis-ci)
This issue is the source of some problems for people who are using AFL fuzzer:
<a href="https://groups.google.com/forum/#!topic/afl-users/D3-jbylxHeg">https://groups.google.com/forum/#!topic/afl-users/D3-jbylxHeg</a>
<a href="https://groups.google.com/forum/#!msg/afl-users/TDLrTu3V_Pw/K4svutarAAAJ">https://groups.google.com/forum/#!msg/afl-users/TDLrTu3V_Pw/K4svutarAAAJ</a>
<a href="https://groups.google.com/forum/#!topic/afl-users/1WqZpGXvYY0">https://groups.google.com/forum/#!topic/afl-users/1WqZpGXvYY0</a>
The module is built with:
clang++ -I/usr/local/clang-5.0.0/include -fPIC -fvisibility-inlines-hidden
-Werror=date-time -std=c++11 -Wall -W -Wno-unused-parameter -Wwrite-strings
-Wcast-qual -Wmissing-field-initializers -pedantic -Wno-long-long
-Wcovered-switch-default -Wnon-virtual-dtor -Wdelete-non-virtual-dtor
-Wstring-conversion -ffunction-sections -fdata-sections -O3 -DNDEBUG
-fno-exceptions -fno-rtti -DLLVM_BUILD_GLOBAL_ISEL -D_GNU_SOURCE
-D__STDC_CONSTANT_MACROS -D__STDC_FORMAT_MACROS -D__STDC_LIMIT_MACROS -fno-rtti
-fpic -O3 -funroll-loops -Wall -D_FORTIFY_SOURCE=2 -g -Wno-pointer-sign
-DVERSION="2.52b" -Wno-variadic-macros -shared afl-llvm-pass.so.cc -o
../afl-llvm-pass.so -L/usr/local/clang-5.0.0/lib
Test execution with (-disable-free does not seem to have an effect):
gdb `which clang` -ex 'r -cc1 -load ../afl-llvm-pass.so -disable-free -x c
../test-instr.c'
Results in:
Program received signal SIGSEGV, Segmentation fault.
0xb6ff56c4 in ?? ()
(gdb) bt
warning: Could not find DWO CU
CMakeFiles/LLVMipo.dir/PassManagerBuilder.cpp.dwo(0xb0102d3ec8553c17)
referenced by CU at offset 0xd34c [in module
/usr/lib/debug/.build-id/03/4dc09456f470ea4060703c7d9e782204e534bc.debug]
#0 0xb6ff56c4 in ?? ()
#1 0xb5679096 in
llvm::object_deleter<llvm::SmallVector<std::pair<llvm::PassManagerBuilder::ExtensionPointTy,
std::function<void (llvm::PassManagerBuilder const&,
llvm::legacy::PassManagerBase&)> >, 8u> >::call(void*) () at
/usr/include/c++/6/functional:1690
warning: Could not find DWO CU
CMakeFiles/LLVMSupport.dir/ManagedStatic.cpp.dwo(0xa326de4ee48dabe5) referenced
by CU at offset 0x8d0 [in module
/usr/lib/debug/.build-id/03/4dc09456f470ea4060703c7d9e782204e534bc.debug]
#2 0xb4ebfb66 in llvm::ManagedStaticBase::destroy() const () at
/build/llvm-toolchain-5.0-GMVJjV/llvm-toolchain-5.0-5.0.1/lib/Support/ManagedStatic.cpp:75
#3 0xb4ebfc7a in llvm::llvm_shutdown() () at
/build/llvm-toolchain-5.0-GMVJjV/llvm-toolchain-5.0-5.0.1/lib/Support/ManagedStatic.cpp:87
#4 0x0079e3d0 in main ()
(gdb)
Commenting out the line `PM.add(new AFLCoverage());` in afl-llvm-pass.so.cc (
<a href="https://github.com/mirrorer/afl/blob/master/llvm_mode/afl-llvm-pass.so.cc#L176">https://github.com/mirrorer/afl/blob/master/llvm_mode/afl-llvm-pass.so.cc#L176</a>
) which ought to make the module do absolutely nothing, does not fix the issue;
there is still a crash.
Known workaround:
Overriding dlclose() with a function that does nothing prevents the crash (
see: <a href="https://github.com/cjdelisle/cjdnslop/blob/master/afl/catch-dlclose.patch">https://github.com/cjdelisle/cjdnslop/blob/master/afl/catch-dlclose.patch</a>
).
Demonstration on travis-ci:
Here you can see it compiling with no dlclose() override:
<a href="https://travis-ci.org/cjdelisle/cjdnslop/builds/442107146">https://travis-ci.org/cjdelisle/cjdnslop/builds/442107146</a>
Here you can see with the dlclose() override:
<a href="https://travis-ci.org/cjdelisle/cjdnslop/builds/442107180">https://travis-ci.org/cjdelisle/cjdnslop/builds/442107180</a>
It seems that perhaps LLVM attempts to free memory which belongs to the module
after it has been dlclose()'d.
Related issues:
<a class="bz_bug_link
bz_status_NEW "
title="NEW - OPT crashes with custom pass"
href="show_bug.cgi?id=34573">https://bugs.llvm.org/show_bug.cgi?id=34573</a></pre>
</div>
</p>
</body>
</html>