<table border="1" cellspacing="0" cellpadding="8">
<tr>
<th>Issue</th>
<td>
<a href="https://github.com/llvm/llvm-project/issues/62342">62342</a>
</td>
</tr>
<tr>
<th>Summary</th>
<td>
LLD COFF driver crash when working with bitcode files
</td>
</tr>
<tr>
<th>Labels</th>
<td>
new issue
</td>
</tr>
<tr>
<th>Assignees</th>
<td>
</td>
</tr>
<tr>
<th>Reporter</th>
<td>
inawildflower
</td>
</tr>
</table>
<pre>
LinkerDriver::addBuffer (lld\coff\driver.cpp) handles adding files to symtab. During this process, it initializes the table with not just instances of ObjFile but also a variety of other accepted formats, including BitcodeFile.
```cpp
case file_magic::bitcode:
ctx.symtab.addFile(make<BitcodeFile>(ctx, mbref, "", 0, lazy));
break;
case file_magic::coff_object:
case file_magic::coff_import_library:
ctx.symtab.addFile(make<ObjFile>(ctx, mbref, lazy));
break;
case file_magic::pdb:
ctx.symtab.addFile(make<PDBInputFile>(ctx, mbref));
break;
```
However, other code in the linker does not take this into account. In particular, PDBLinker::addPublicsToPDB() iterates over all entries in symtab and passes each one to createPublic:
```cpp
ctx.symtab.forEachSymbol([&publics, this](Symbol *s) {
[...]
publics.push_back(createPublic(ctx, def));
});
static pdb::BulkPublic createPublic(COFFLinkerContext &ctx, Defined *def) {
[...]
if (auto *d = dyn_cast<DefinedCOFF>(def)) {
if (d->getCOFFSymbol().isFunctionDefinition())
flags = PublicSymFlags::Function;
}
[...]
}
COFFSymbolRef DefinedCOFF::getCOFFSymbol() {
size_t symSize = cast<ObjFile>(file)->getCOFFObj()->getSymbolTableEntrySize();
if (symSize == sizeof(coff_symbol16))
return COFFSymbolRef(reinterpret_cast<const coff_symbol16 *>(sym));
assert(symSize == sizeof(coff_symbol32));
return COFFSymbolRef(reinterpret_cast<const coff_symbol32 *>(sym));
}
```
When compiled with assertions enabled, the cast inside getCOFFSymbol fails; with assertions disabled, the cast silently succeeds and the resulting type confusion leads to memory corruption. It would appear that there are several other places where getCOFFSymbol or the underlying file object is used in a similarly unsafe manner.
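The unchecked cast described above beside a hardened form, as an added example that is not lld's code: the InputFile/ObjFile/BitcodeFile/DefinedCOFF types here are hypothetical stand-ins with LLVM-style tag RTTI, entrySizeUnchecked mirrors the `cast<ObjFile>(file)` in getCOFFSymbol, entrySizeChecked verifies the dynamic type first, and countPublicsForPDB models the addPublicsToPDB walk skipping bitcode-defined symbols (the actual upstream fix may differ).

```cpp
#include <cstddef>
#include <cstdint>
#include <optional>
#include <vector>

// Hypothetical stand-ins for lld's InputFile hierarchy, using the same tag-based
// RTTI idea as LLVM's isa<>/cast<>/dyn_cast<> (not lld's real classes).
struct InputFile {
  enum Kind { ObjectKind, BitcodeKind };
  explicit InputFile(Kind k) : kind(k) {}
  Kind kind;
};
struct ObjFile : InputFile {
  ObjFile() : InputFile(ObjectKind) {}
  static bool classof(const InputFile *f) { return f->kind == ObjectKind; }
  std::size_t symbolTableEntrySize = 18;  // sizeof(coff_symbol16) in real COFF
};
struct BitcodeFile : InputFile {
  BitcodeFile() : InputFile(BitcodeKind) {}
  static bool classof(const InputFile *f) { return f->kind == BitcodeKind; }
  // Different layout from ObjFile: an unchecked cast would read this field as
  // if it were symbolTableEntrySize (the type confusion in the report).
  std::uint64_t irModuleHandle = 0xDEADBEEFCAFEBABEull;
};
// Like lld::coff::DefinedCOFF: a defined symbol remembering its input file.
struct DefinedCOFF {
  InputFile *file;
};

// Unsafe pattern from the report: the defining file is assumed to be an ObjFile.
// LLVM's cast<> aborts here with assertions on; with them off it is a blind
// reinterpretation. Only valid to call when d.file really is an ObjFile.
std::size_t entrySizeUnchecked(const DefinedCOFF &d) {
  return static_cast<ObjFile *>(d.file)->symbolTableEntrySize;
}
// Hardened form: check the dynamic type (isa<ObjFile>) before the cast and
// report "no COFF symbol" for bitcode-defined symbols instead of reading junk.
std::optional<std::size_t> entrySizeChecked(const DefinedCOFF &d) {
  if (!ObjFile::classof(d.file))
    return std::nullopt;
  return static_cast<ObjFile *>(d.file)->symbolTableEntrySize;
}
// Models the PDBLinker::addPublicsToPDB walk: emit a public only for symbols
// whose COFF symbol can actually be consulted, skipping bitcode-defined ones.
std::size_t countPublicsForPDB(const std::vector<DefinedCOFF> &symtab) {
  std::size_t publics = 0;
  for (const DefinedCOFF &d : symtab)
    if (entrySizeChecked(d)) ++publics;
  return publics;
}
```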
Crash callstack:
```
ucrtbase!wassert
lld!llvm::cast [llvm\llvm\include\llvm\Support\Casting.h @ 579]
lld!lld::coff::DefinedCOFF::getCOFFSymbol [llvm\lld\COFF\Symbols.cpp @ 101]
lld!createPublic [llvm\lld\COFF\PDB.cpp @ 1134]
lld!<lambda_>::operator() [llvm\lld\COFF\PDB.cpp @ 1219]
lld!lld::coff::SymbolTable::forEachSymbol<<lambda> > [llvm\lld\COFF\SymbolTable.h @ 120]
lld!`anonymous namespace'::PDBLinker::addPublicsToPDB [llvm\lld\COFF\PDB.cpp @ 1223]
lld!lld::coff::createPDB [llvm\lld\COFF\PDB.cpp @ 1605]
lld!`anonymous namespace'::Writer::run [llvm\lld\COFF\Writer.cpp @ 697]
lld!lld::coff::writeResult [llvm\lld\COFF\Writer.cpp @ 323]
lld!lld::coff::LinkerDriver::linkerMain [llvm\lld\COFF\Driver.cpp @ 2458]
lld!lld::coff::link [llvm\lld\COFF\Driver.cpp @ 76]
lld!lldMain [llvm\lld\tools\lld\lld.cpp @ 168]
lld!lld_main [llvm\lld\tools\lld\lld.cpp @ 230]
```
Callstack for the allocation of the bitcode file object:
```
lld!llvm::BumpPtrAllocatorImpl<llvm::MallocAllocator,4096,4096,128>::Allocate [llvm\llvm\include\llvm\Support\Allocator.h @ 195]
lld!lld::make<lld::coff::BitcodeFile,lld::coff::COFFLinkerContext &,llvm::MemoryBufferRef &,char const (&)[1],int,bool &> [llvm\lld\include\lld\Common\Memory.h @ 61]
lld!lld::coff::LinkerDriver::addBuffer [llvm\lld\COFF\Driver.cpp @ 207]
lld!<lambda_>::operator() [llvm\lld\COFF\Driver.cpp @ 256]
lld!lld::coff::LinkerDriver::run [llvm\lld\COFF\Driver.cpp @ 1050]
lld!lld::coff::LinkerDriver::linkerMain [llvm\lld\COFF\Driver.cpp @ 2006]
lld!lld::coff::link [llvm\lld\COFF\Driver.cpp @ 76]
lld!lldMain [llvm\lld\tools\lld\lld.cpp @ 168]
lld!lld_main [llvm\lld\tools\lld\lld.cpp @ 230]
```
</pre>