<html>
    <head>
      <base href="https://bugs.llvm.org/">
    </head>
    <body><table border="1" cellspacing="0" cellpadding="8">
        <tr>
          <th>Bug ID</th>
          <td><a class="bz_bug_link bz_status_NEW" title="NEW - Segmentation fault / null pointer exception" href="https://bugs.llvm.org/show_bug.cgi?id=50182">50182</a>
          </td>
        </tr>

        <tr>
          <th>Summary</th>
          <td>Segmentation fault / null pointer exception
          </td>
        </tr>

        <tr>
          <th>Product</th>
          <td>tools
          </td>
        </tr>

        <tr>
          <th>Version</th>
          <td>trunk
          </td>
        </tr>

        <tr>
          <th>Hardware</th>
          <td>PC
          </td>
        </tr>

        <tr>
          <th>OS</th>
          <td>Linux
          </td>
        </tr>

        <tr>
          <th>Status</th>
          <td>NEW
          </td>
        </tr>

        <tr>
          <th>Severity</th>
          <td>normal
          </td>
        </tr>

        <tr>
          <th>Priority</th>
          <td>P
          </td>
        </tr>

        <tr>
          <th>Component</th>
          <td>llvm-symbolizer
          </td>
        </tr>

        <tr>
          <th>Assignee</th>
          <td>unassignedbugs@nondot.org
          </td>
        </tr>

        <tr>
          <th>Reporter</th>
          <td>marcel.swidersky@stud.tu-darmstadt.de
          </td>
        </tr>

        <tr>
          <th>CC</th>
          <td>llvm-bugs@lists.llvm.org
          </td>
        </tr></table>
      <p>
        <div>
        <pre>Created <span class=""><a href="attachment.cgi?id=24816" name="attach_24816" title="A minimal example program that causes the crash + Makefile that generates the three cases I described">attachment 24816</a> <a href="attachment.cgi?id=24816&action=edit" title="A minimal example program that causes the crash + Makefile that generates the three cases I described">[details]</a></span>
A minimal example program that causes the crash + Makefile that generates the
three cases I described

When compiling one of the CFI-showcase programs (attached) with CFI
instrumentation and recovery, a null pointer exception in llvm-symbolizer occurs.

The program is not clean by design - this is the point of a CFI showcase - but
it runs fine without any instrumentation enabled.

It also runs fine with instrumentation enabled (-fsanitize=cfi-icall) - the
violation is reported and the program aborts gracefully.

However, with instrumentation (-fsanitize=cfi-icall) AND recovery
(-fsanitize-recover=all) enabled, the program does not resume execution after
the CFI violation has been reported. A null pointer exception causes a crash.

All other CFI showcase programs resume correctly, only this one case causes a
crash.

Expected behavior:
$ ./cfi_skip_entrypoint
cfi_skip_entrypoint.c:35:15: runtime error: control flow integrity check for
type 'int (int)' failed during indirect function call
CFI ensures control flow only transfers to potentially valid destinations
In not_entry_point: (0)
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
If you can read this, execution has resumed!
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

<span class="quote">>>> The program should report the violation and continue execution</span>

Actual behavior:
$ ./cfi_skip_entrypoint
cfi_skip_entrypoint.c:35:15: runtime error: control flow integrity check for
type 'int (int)' failed during indirect function call
(/mnt/clang-cfi-showcase/cfi_skip_entrypoint+0x423c40): note: __libc_csu_init
defined here
SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior
cfi_skip_entrypoint.c:35:15 in 
UndefinedBehaviorSanitizer:DEADLYSIGNAL
==23263==ERROR: UndefinedBehaviorSanitizer: SEGV on unknown address
0x000000000000 (pc 0x000000423c71 bp 0x000000086ce8 sp 0x7ffe258018d8 T23263)
==23263==The signal is caused by a READ memory access.
==23263==Hint: address points to the zero page.
    #0 0x423c71 in __libc_csu_init
(/mnt/clang-cfi-showcase/cfi_skip_entrypoint+0x423c71)
    #1 0x423c2f  (/mnt/clang-cfi-showcase/cfi_skip_entrypoint+0x423c2f)

UndefinedBehaviorSanitizer can not provide additional info.
SUMMARY: UndefinedBehaviorSanitizer: SEGV
(/mnt/clang-cfi-showcase/cfi_skip_entrypoint+0x423c71) in __libc_csu_init
==23263==ABORTING

<span class="quote">>>> The program reports the violation but cannot resume because of a null pointer exception</span>



This is what I got after debugging it in gdb:
--------------------------------------------------------------------------------
Thread 2.1 "llvm-symbolizer" received signal SIGSEGV, Segmentation fault.

Run till exit from #0  __libc_start_main (main=0x423ad0 <main>, argc=1,
argv=0x7fffffffe758, init=0x423c30 <__libc_csu_init>, fini=<optimized out>,
rtld_fini=<optimized out>, stack_end=0x7fffffffe748) at ../csu/libc-start.c:268
cfi_skip_entrypoint.c:35:15: runtime error: control flow integrity check for
type 'int (int)' failed during indirect function call

<span class="quote">>>> CFI violation is reported correctly <<<</span>

[Attaching after Thread 0x7ffff78bdb80 (LWP 35794) fork to child process 35828]
[New inferior 2 (process 35828)]
[Detaching after fork from parent process 35794]
[Inferior 1 (process 35794) detached]
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
process 35828 is executing new program: /usr/lib/llvm-11/bin/llvm-symbolizer

<span class="quote">>>> Execution resumes, llvm-symbolizer is called <<<</span>

[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".

Thread 2.1 "llvm-symbolizer" received signal SIGSEGV, Segmentation fault.
--------------------------------------------------------------------------------</pre>
        </div>
      </p>
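      <p>
        As an added example (not the reporter's attachment and not LLVM project code): a minimal C program with one indirect call whose static type does not match its target, which is the kind of violation <code>-fsanitize=cfi-icall</code> reports at runtime. The comments list the three builds the report compares (uninstrumented, cfi-icall, cfi-icall plus -fsanitize-recover=all); the file and function names are constructed, and the clang/lld flags are taken from the clang CFI documentation.
      </p>

```c
/* Added example, not the attachment from the report: one indirect call whose
 * static type, int (int), differs from the target's real type, int (unsigned).
 * Uninstrumented it "works" (same register ABI on x86-64); with CFI the call
 * site is flagged. The three builds the report compares (clang + lld assumed;
 * CFI needs -flto and -fvisibility=hidden):
 *   clang -O1 -fuse-ld=lld -o plain cfi_demo.c
 *   clang -O1 -fuse-ld=lld -flto -fvisibility=hidden -fsanitize=cfi-icall \
 *         -o cfi_abort cfi_demo.c
 *   clang -O1 -fuse-ld=lld -flto -fvisibility=hidden -fsanitize=cfi-icall \
 *         -fsanitize-recover=all -o cfi_recover cfi_demo.c
 * cfi_abort stops at the violation; cfi_recover should report it and still
 * reach the final puts, which is the step the report says never happens.
 */
#include <stdio.h>

typedef int (*int_fn)(int);

static int plus_one(int x) { return x + 1; }           /* matches int_fn */
static int twice(unsigned x) { return (int)(2u * x); } /* does not match */

/* The volatile load keeps the call indirect under LTO, so the CFI check is
 * actually emitted instead of being folded into a direct call. */
static int call_through(int_fn target, int arg) {
    int_fn volatile fn = target;
    return fn(arg);
}

int good_call(void) { return call_through(plus_one, 20); }      /* 21 */
int bad_call(void)  { return call_through((int_fn)twice, 21); } /* 42 uninstrumented; CFI report otherwise */

int main(void) {
    printf("matching type:   %d\n", good_call());
    printf("mismatched type: %d\n", bad_call());
    puts("If you can read this, execution has resumed!");
    return 0;
}
```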


    </body>
</html>