<table border="1" cellspacing="0" cellpadding="8">
    <tr>
        <th>Issue</th>
        <td>
            <a href=https://github.com/llvm/llvm-project/issues/67388>67388</a>
        </td>
    </tr>

    <tr>
        <th>Summary</th>
        <td>
            Possible SEGV (null pointer) in MetadataLoader::MetadataLoaderImpl::parseOneMetadata()
        </td>
    </tr>

    <tr>
      <th>Labels</th>
      <td>
            new issue
      </td>
    </tr>

    <tr>
      <th>Assignees</th>
      <td>
      </td>
    </tr>

    <tr>
      <th>Reporter</th>
      <td>
          GJDuck
      </td>
    </tr>
</table>

<pre>
    There seems to be a possible NULL pointer dereference in `parseOneMetadata()`.  The problem occurs [here](https://github.com/llvm/llvm-project/blob/ea0ee55c02b41b66d34f2830bd144ed6882137e9/llvm/lib/Bitcode/Reader/MetadataLoader.cpp#L1368):

```
    unsigned TyID = Record[0];
    Type *Ty = Callbacks.GetTypeByID(TyID); // <--- GetTypeByID() may return NULL
    if (Ty->isMetadataTy() || Ty->isVoidTy())   // <--- No NULL check = SEGV
      return error("Invalid record");
```

According to GDB, the `GetTypeByID()` callback routes to `BitcodeReader::getTypeByID()` ([here](https://github.com/llvm/llvm-project/blob/ea0ee55c02b41b66d34f2830bd144ed6882137e9/llvm/lib/Bitcode/Reader/BitcodeReader.cpp#L1323)).  This method will return `nullptr` on unexpected input, leading to a crash.

To reproduce, decompress [bug.o.gz](https://github.com/llvm/llvm-project/files/12721417/bug.o.gz) then run:

        $ llvm-lto bug.o

Tested with latest LLVM head and LLVM-15.  Other LLVM tools also seem to crash on this file.

Crash report:

```
PLEASE submit a bug report to https://github.com/llvm/llvm-project/issues/ and include the crash backtrace.
Stack dump:
0.  Program arguments: debug/llvm-project/llvm/build/bin/llvm-lto bug.o
 #0 0x0000558dac706f32 llvm::sys::PrintStackTrace(llvm::raw_ostream&, int) ./debug/llvm-project/llvm/lib/Support/Unix/Signals.inc:723:22
 #1 0x0000558dac70734e PrintStackTraceSignalHandler(void*) ./debug/llvm-project/llvm/lib/Support/Unix/Signals.inc:798:1
 #2 0x0000558dac70471b llvm::sys::RunSignalHandlers() ./debug/llvm-project/llvm/lib/Support/Signals.cpp:105:20
 #3 0x0000558dac7067d6 SignalHandler(int) ./debug/llvm-project/llvm/lib/Support/Unix/Signals.inc:413:1
 #4 0x00007f6eece3c4b0 (/lib/x86_64-linux-gnu/libc.so.6+0x3c4b0)
 #5 0x0000558da93a248e llvm::Type::getTypeID() const ./debug/llvm-project/llvm/include/llvm/IR/Type.h:137:37
 #6 0x0000558dab3cbb56 llvm::Type::isMetadataTy() const ./debug/llvm-project/llvm/include/llvm/IR/Type.h:222:53
 #7 0x0000558dab427c56 llvm::MetadataLoader::MetadataLoaderImpl::parseOneMetadata(llvm::SmallVectorImpl<unsigned long>&, unsigned int, (anonymous namespace)::(anonymous namespace)::PlaceholderQueue&, llvm::StringRef, unsigned int&) ./debug/llvm-project/llvm/lib/Bitcode/Reader/MetadataLoader.cpp:1369:28
 #8 0x0000558dab426580 llvm::MetadataLoader::MetadataLoaderImpl::parseMetadata(bool) ./debug/llvm-project/llvm/lib/Bitcode/Reader/MetadataLoader.cpp:1133:60
 #9 0x0000558dab431624 llvm::MetadataLoader::parseMetadata(bool) ./debug/llvm-project/llvm/lib/Bitcode/Reader/MetadataLoader.cpp:2464:1
#10 0x0000558dab3cbf2f llvm::MetadataLoader::parseModuleMetadata() ./debug/llvm-project/llvm/lib/Bitcode/Reader/MetadataLoader.h:61:61
#11 0x0000558dab3add37 (anonymous namespace)::BitcodeReader::parseModule(unsigned long, bool, llvm::ParserCallbacks) ./debug/llvm-project/llvm/lib/Bitcode/Reader/BitcodeReader.cpp:4300:56
#12 0x0000558dab3af098 (anonymous namespace)::BitcodeReader::parseBitcodeInto(llvm::Module*, bool, bool, llvm::ParserCallbacks) ./debug/llvm-project/llvm/lib/Bitcode/Reader/BitcodeReader.cpp:4500:58
#13 0x0000558dab3c5b62 llvm::BitcodeModule::getModuleImpl(llvm::LLVMContext&, bool, bool, bool, llvm::ParserCallbacks) ./debug/llvm-project/llvm/lib/Bitcode/Reader/BitcodeReader.cpp:7941:61
#14 0x0000558dab3c73eb llvm::BitcodeModule::parseModule(llvm::LLVMContext&, llvm::ParserCallbacks) ./debug/llvm-project/llvm/lib/Bitcode/Reader/BitcodeReader.cpp:8141:62
#15 0x0000558dab3c7529 llvm::parseBitcodeFile(llvm::MemoryBufferRef, llvm::LLVMContext&, llvm::ParserCallbacks) ./debug/llvm-project/llvm/lib/Bitcode/Reader/BitcodeReader.cpp:8153:44
#16 0x0000558dac265bbf parseBitcodeFileImpl(llvm::MemoryBufferRef, llvm::LLVMContext&, bool) ./debug/llvm-project/llvm/lib/LTO/LTOModule.cpp:185:59
#17 0x0000558dac265d7c llvm::LTOModule::makeLTOModule(llvm::MemoryBufferRef, llvm::TargetOptions const&, llvm::LLVMContext&, bool) ./debug/llvm-project/llvm/lib/LTO/LTOModule.cpp:198:57
#18 0x0000558dac2654d5 llvm::LTOModule::createFromFile(llvm::LLVMContext&, llvm::StringRef, llvm::TargetOptions const&) ./debug/llvm-project/llvm/lib/LTO/LTOModule.cpp:121:47
#19 0x0000558da9017a75 main ./debug/llvm-project/llvm/tools/llvm-lto/llvm-lto.cpp:1031:43
#20 0x00007f6eece23a90 __libc_start_call_main ./csu/../sysdeps/nptl/libc_start_call_main.h:74:3
#21 0x00007f6eece23b49 call_init ./csu/../csu/libc-start.c:128:20
#22 0x00007f6eece23b49 __libc_start_main ./csu/../csu/libc-start.c:347:5
#23 0x0000558da9014125 _start (debug/llvm-project/llvm/build/bin/llvm-lto+0x5d6125)
```

Stack trace (GDB):

```
#0  0x0000555555eb848e in llvm::Type::getTypeID (this=0x0) at ./debug/llvm-project/llvm/include/llvm/IR/Type.h:137
#1 0x0000555557ee1b56 in llvm::Type::isMetadataTy (this=0x0) at ./debug/llvm-project/llvm/include/llvm/IR/Type.h:222
#2 0x0000555557f3dc56 in llvm::MetadataLoader::MetadataLoaderImpl::parseOneMetadata (this=0x555561cea620, Record=..., Code=2, Placeholders=..., Blob=..., NextMetadataNo=@0x7fffffffc2d4: 7)
    at ./debug/llvm-project/llvm/lib/Bitcode/Reader/MetadataLoader.cpp:1369
#3 0x0000555557f3c580 in llvm::MetadataLoader::MetadataLoaderImpl::parseMetadata (this=0x555561cea620, ModuleLevel=true) at ./debug/llvm-project/llvm/lib/Bitcode/Reader/MetadataLoader.cpp:1133
#4 0x0000555557f47624 in llvm::MetadataLoader::parseMetadata (this=0x555561cea0f8, ModuleLevel=true) at ./debug/llvm-project/llvm/lib/Bitcode/Reader/MetadataLoader.cpp:2463
#5 0x0000555557ee1f2f in llvm::MetadataLoader::parseModuleMetadata (this=0x555561cea0f8) at ./debug/llvm-project/llvm/lib/Bitcode/Reader/MetadataLoader.h:61
#6 0x0000555557ec3d37 in (anonymous namespace)::BitcodeReader::parseModule (this=0x555561ce9dd0, ResumeBit=0, ShouldLazyLoadMetadata=false, Callbacks=...) at ./debug/llvm-project/llvm/lib/Bitcode/Reader/BitcodeReader.cpp:4300
#7 0x0000555557ec5098 in (anonymous namespace)::BitcodeReader::parseBitcodeInto (this=0x555561ce9dd0, M=0x555561c7d270, ShouldLazyLoadMetadata=false, IsImporting=false, Callbacks=...)
    at ./debug/llvm-project/llvm/lib/Bitcode/Reader/BitcodeReader.cpp:4500
#8 0x0000555557edbb62 in llvm::BitcodeModule::getModuleImpl (this=0x7fffffffcfa0, Context=..., MaterializeAll=true, ShouldLazyLoadMetadata=false, IsImporting=false, Callbacks=...)
    at ./debug/llvm-project/llvm/lib/Bitcode/Reader/BitcodeReader.cpp:7941
#9 0x0000555557edd3eb in llvm::BitcodeModule::parseModule (this=0x7fffffffcfa0, Context=..., Callbacks=...) at ./debug/llvm-project/llvm/lib/Bitcode/Reader/BitcodeReader.cpp:8141
#10 0x0000555557edd529 in llvm::parseBitcodeFile (Buffer=..., Context=..., Callbacks=...) at ./debug/llvm-project/llvm/lib/Bitcode/Reader/BitcodeReader.cpp:8153
#11 0x0000555558d7bbbf in parseBitcodeFileImpl (Buffer=..., Context=..., ShouldBeLazy=false) at ./debug/llvm-project/llvm/lib/LTO/LTOModule.cpp:185
#12 0x0000555558d7bd7c in llvm::LTOModule::makeLTOModule (Buffer=..., options=..., Context=..., ShouldBeLazy=false) at ./debug/llvm-project/llvm/lib/LTO/LTOModule.cpp:198
#13 0x0000555558d7b4d5 in llvm::LTOModule::createFromFile (Context=..., path=..., options=...) at ./debug/llvm-project/llvm/lib/LTO/LTOModule.cpp:121
#14 0x0000555555b2da75 in main (argc=2, argv=0x7fffffffdff8) at ./debug/llvm-project/llvm/tools/llvm-lto/llvm-lto.cpp:1030
```
</pre>
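<pre>
The missing check described in the report, modeled stand-alone as an added example (not part of the original report, and not LLVM's code or its fix). `Type`, `TypeTable`, `ParseResult`, `parseValueRecord` and `sampleTable` are hypothetical stand-ins, and the two-field record layout [type ID, value ID] is an assumption.

```cpp
#include <cstdint>
#include <vector>

// Toy stand-ins for the LLVM classes named in the report (not LLVM code).
struct Type {
  enum Kind { Void, Metadata, Integer } K;
  bool isMetadataTy() const { return K == Metadata; }
  bool isVoidTy() const { return K == Void; }
};

// Models a type table built from the input file. Type IDs in later
// records index into it and come straight from untrusted input.
struct TypeTable {
  std::vector<Type> Types;
  // Like the callback in the report: nullptr when the ID does not resolve.
  const Type *getTypeByID(std::uint64_t ID) const {
    return ID < Types.size() ? &Types[ID] : nullptr;
  }
};

enum class ParseResult { Ok, InvalidRecord };

// Hardened form of the quoted check: reject a null type before calling
// any method on it, so malformed input becomes a parse error, not a SEGV.
ParseResult parseValueRecord(const TypeTable &TT,
                             const std::vector<std::uint64_t> &Record) {
  if (Record.size() != 2) // assumed layout: [type ID, value ID]
    return ParseResult::InvalidRecord;
  const Type *Ty = TT.getTypeByID(Record[0]);
  if (!Ty || Ty->isMetadataTy() || Ty->isVoidTy())
    return ParseResult::InvalidRecord;
  return ParseResult::Ok;
}

// Constructed sample table: ID 0 = void, 1 = metadata, 2 = integer.
TypeTable sampleTable() {
  return TypeTable{std::vector<Type>{
      Type{Type::Void}, Type{Type::Metadata}, Type{Type::Integer}}};
}

int main() {
  TypeTable TT = sampleTable();
  // Constructed records: valid, out-of-range type ID, disallowed type.
  bool ok = parseValueRecord(TT, {2, 0}) == ParseResult::Ok &&
            parseValueRecord(TT, {9999, 0}) == ParseResult::InvalidRecord &&
            parseValueRecord(TT, {1, 0}) == ParseResult::InvalidRecord;
  return ok ? 0 : 1;
}
```
</pre>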