[lld] r307726 - [PDB] Tweak bad type index error handling

Reid Kleckner via llvm-commits llvm-commits at lists.llvm.org
Wed Jul 12 09:34:25 PDT 2017


Thanks. I think this is an OOB relocation issue. I minimized the input YAML
object file, but I didn't update the relocation offsets into the debug info
section.

LLD doesn't currently do bounds checks before applying relocations. We
should probably do that.

On Tue, Jul 11, 2017 at 9:35 PM, Vitaly Buka <vitalybuka at google.com> wrote:

> Reverted by r307752
>
> On Tue, Jul 11, 2017 at 7:05 PM, Vitaly Buka <vitalybuka at google.com>
> wrote:
>
>> http://lab.llvm.org:8011/builders/sanitizer-x86_64-linux-fast/builds/6344/steps/check-lld%20asan/logs/stdio
>>
>>
>> ================================================================
>> ==13156==ERROR: AddressSanitizer: use-after-poison on address 0x62100001b9d0 at pc 0x0000008e1e99 bp 0x7ffdbf3ae890 sp 0x7ffdbf3ae888
>> READ of size 4 at 0x62100001b9d0 thread T0
>>     #0 0x8e1e98 in read<unsigned int, 1> /mnt/b/sanitizer-buildbot3/sanitizer-x86_64-linux-fast/build/llvm/include/llvm/Support/Endian.h:69:3
>>     #1 0x8e1e98 in read<unsigned int, llvm::support::endianness::little, 1> /mnt/b/sanitizer-buildbot3/sanitizer-x86_64-linux-fast/build/llvm/include/llvm/Support/Endian.h:80
>>     #2 0x8e1e98 in operator unsigned int /mnt/b/sanitizer-buildbot3/sanitizer-x86_64-linux-fast/build/llvm/include/llvm/Support/Endian.h:216
>>     #3 0x8e1e98 in read<unsigned int, llvm::support::endianness::little> /mnt/b/sanitizer-buildbot3/sanitizer-x86_64-linux-fast/build/llvm/include/llvm/Support/Endian.h:345
>>     #4 0x8e1e98 in read32<llvm::support::endianness::little> /mnt/b/sanitizer-buildbot3/sanitizer-x86_64-linux-fast/build/llvm/include/llvm/Support/Endian.h:362
>>     #5 0x8e1e98 in read32le /mnt/b/sanitizer-buildbot3/sanitizer-x86_64-linux-fast/build/llvm/include/llvm/Support/Endian.h:369
>>     #6 0x8e1e98 in add32 /mnt/b/sanitizer-buildbot3/sanitizer-x86_64-linux-fast/build/llvm/tools/lld/COFF/Chunks.cpp:52
>>     #7 0x8e1e98 in applySecRel /mnt/b/sanitizer-buildbot3/sanitizer-x86_64-linux-fast/build/llvm/tools/lld/COFF/Chunks.cpp:66
>>     #8 0x8e1e98 in lld::coff::SectionChunk::applyRelX64(unsigned char*, unsigned short, lld::coff::OutputSection*, unsigned long, unsigned long) const /mnt/b/sanitizer-buildbot3/sanitizer-x86_64-linux-fast/build/llvm/tools/lld/COFF/Chunks.cpp:89
>>     #9 0x8e417f in lld::coff::SectionChunk::writeTo(unsigned char*) const /mnt/b/sanitizer-buildbot3/sanitizer-x86_64-linux-fast/build/llvm/tools/lld/COFF/Chunks.cpp:241:7
>>     #10 0x912488 in relocateDebugChunk /mnt/b/sanitizer-buildbot3/sanitizer-x86_64-linux-fast/build/llvm/tools/lld/COFF/PDB.cpp:287:15
>>     #11 0x912488 in addObjectsToPDB /mnt/b/sanitizer-buildbot3/sanitizer-x86_64-linux-fast/build/llvm/tools/lld/COFF/PDB.cpp:336
>>     #12 0x912488 in lld::coff::createPDB(lld::coff::SymbolTable*, llvm::ArrayRef<unsigned char>, llvm::codeview::DebugInfo const*) /mnt/b/sanitizer-buildbot3/sanitizer-x86_64-linux-fast/build/llvm/tools/lld/COFF/PDB.cpp:480
>>     #13 0x8c493c in (anonymous namespace)::Writer::run() /mnt/b/sanitizer-buildbot3/sanitizer-x86_64-linux-fast/build/llvm/tools/lld/COFF/Writer.cpp:242:5
>>     #14 0x8b89bb in lld::coff::writeResult(lld::coff::SymbolTable*) /mnt/b/sanitizer-buildbot3/sanitizer-x86_64-linux-fast/build/llvm/tools/lld/COFF/Writer.cpp:160:46
>>     #15 0x844568 in lld::coff::LinkerDriver::link(llvm::ArrayRef<char const*>) /mnt/b/sanitizer-buildbot3/sanitizer-x86_64-linux-fast/build/llvm/tools/lld/COFF/Driver.cpp:1137:3
>>     #16 0x82ee68 in lld::coff::link(llvm::ArrayRef<char const*>, llvm::raw_ostream&) /mnt/b/sanitizer-buildbot3/sanitizer-x86_64-linux-fast/build/llvm/tools/lld/COFF/Driver.cpp:63:11
>>     #17 0x70cfa9 in main /mnt/b/sanitizer-buildbot3/sanitizer-x86_64-linux-fast/build/llvm/tools/lld/tools/lld/lld.cpp:106:13
>>     #18 0x7fa93596182f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
>>     #19 0x61f3b8 in _start (/mnt/b/sanitizer-buildbot3/sanitizer-x86_64-linux-fast/build/llvm_build_asan/bin/lld+0x61f3b8)
>>
>> 0x62100001b9d0 is located 208 bytes inside of 4096-byte region [0x62100001b900,0x62100001c900)
>> allocated by thread T0 here:
>>     #0 0x6dcd28 in __interceptor_malloc /mnt/b/sanitizer-buildbot3/sanitizer-x86_64-linux-fast/build/llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:67
>>     #1 0x7e30bb in Allocate /mnt/b/sanitizer-buildbot3/sanitizer-x86_64-linux-fast/build/llvm/include/llvm/Support/Allocator.h:97:12
>>     #2 0x7e30bb in StartNewSlab /mnt/b/sanitizer-buildbot3/sanitizer-x86_64-linux-fast/build/llvm/include/llvm/Support/Allocator.h:341
>>     #3 0x7e30bb in llvm::BumpPtrAllocatorImpl<llvm::MallocAllocator, 4096ul, 4096ul>::Allocate(unsigned long, unsigned long) /mnt/b/sanitizer-buildbot3/sanitizer-x86_64-linux-fast/build/llvm/include/llvm/Support/Allocator.h:258
>>     #4 0x912430 in Allocate /mnt/b/sanitizer-buildbot3/sanitizer-x86_64-linux-fast/build/llvm/include/llvm/Support/Allocator.h:57:43
>>     #5 0x912430 in Allocate<unsigned char> /mnt/b/sanitizer-buildbot3/sanitizer-x86_64-linux-fast/build/llvm/include/llvm/Support/Allocator.h:79
>>     #6 0x912430 in relocateDebugChunk /mnt/b/sanitizer-buildbot3/sanitizer-x86_64-linux-fast/build/llvm/tools/lld/COFF/PDB.cpp:284
>>     #7 0x912430 in addObjectsToPDB /mnt/b/sanitizer-buildbot3/sanitizer-x86_64-linux-fast/build/llvm/tools/lld/COFF/PDB.cpp:336
>>     #8 0x912430 in lld::coff::createPDB(lld::coff::SymbolTable*, llvm::ArrayRef<unsigned char>, llvm::codeview::DebugInfo const*) /mnt/b/sanitizer-buildbot3/sanitizer-x86_64-linux-fast/build/llvm/tools/lld/COFF/PDB.cpp:480
>>     #9 0x8c493c in (anonymous namespace)::Writer::run() /mnt/b/sanitizer-buildbot3/sanitizer-x86_64-linux-fast/build/llvm/tools/lld/COFF/Writer.cpp:242:5
>>     #10 0x8b89bb in lld::coff::writeResult(lld::coff::SymbolTable*) /mnt/b/sanitizer-buildbot3/sanitizer-x86_64-linux-fast/build/llvm/tools/lld/COFF/Writer.cpp:160:46
>>     #11 0x844568 in lld::coff::LinkerDriver::link(llvm::ArrayRef<char const*>) /mnt/b/sanitizer-buildbot3/sanitizer-x86_64-linux-fast/build/llvm/tools/lld/COFF/Driver.cpp:1137:3
>>     #12 0x82ee68 in lld::coff::link(llvm::ArrayRef<char const*>, llvm::raw_ostream&) /mnt/b/sanitizer-buildbot3/sanitizer-x86_64-linux-fast/build/llvm/tools/lld/COFF/Driver.cpp:63:11
>>     #13 0x70cfa9 in main /mnt/b/sanitizer-buildbot3/sanitizer-x86_64-linux-fast/build/llvm/tools/lld/tools/lld/lld.cpp:106:13
>>     #14 0x7fa93596182f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
>>
>> SUMMARY: AddressSanitizer: use-after-poison /mnt/b/sanitizer-buildbot3/sanitizer-x86_64-linux-fast/build/llvm/include/llvm/Support/Endian.h:69:3 in read<unsigned int, 1>
>> Shadow bytes around the buggy address:
>>   0x0c427fffb6e0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
>>   0x0c427fffb6f0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
>>   0x0c427fffb700: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
>>   0x0c427fffb710: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
>>   0x0c427fffb720: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>> =>0x0c427fffb730: 00 00 00 00 00 00 00 00 00 04[f7]f7 f7 f7 f7 f7
>>   0x0c427fffb740: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
>>   0x0c427fffb750: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
>>   0x0c427fffb760: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
>>   0x0c427fffb770: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
>>   0x0c427fffb780: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
>> Shadow byte legend (one shadow byte represents 8 application bytes):
>>   Addressable:           00
>>   Partially addressable: 01 02 03 04 05 06 07
>>   Heap left redzone:       fa
>>   Freed heap region:       fd
>>   Stack left redzone:      f1
>>   Stack mid redzone:       f2
>>   Stack right redzone:     f3
>>   Stack after return:      f5
>>   Stack use after scope:   f8
>>   Global redzone:          f9
>>   Global init order:       f6
>>   Poisoned by user:        f7
>>   Container overflow:      fc
>>   Array cookie:            ac
>>   Intra object redzone:    bb
>>   ASan internal:           fe
>>   Left alloca redzone:     ca
>>   Right alloca redzone:    cb
>> ==13156==ABORTING
>>
>> --
>>
>> ********************
>> Testing: 0 .. 10.. 20.. 30.. 40.. 50.. 60.. 70.. 80.. 90..
>> Testing Time: 25.85s
>> ********************
>> Failing Tests (1):
>>     lld :: COFF/pdb-invalid-func-type.yaml
>>
>>
>>
>>
>> On Tue, Jul 11, 2017 at 4:40 PM, Reid Kleckner via llvm-commits <
>> llvm-commits at lists.llvm.org> wrote:
>>
>>> On Tue, Jul 11, 2017 at 4:10 PM, Rui Ueyama <ruiu at google.com> wrote:
>>>
>>>> On Tue, Jul 11, 2017 at 4:04 PM, Reid Kleckner <rnk at google.com> wrote:
>>>>
>>>>> On Tue, Jul 11, 2017 at 3:42 PM, Rui Ueyama <ruiu at google.com> wrote:
>>>>>
>>>>>> -static bool remapTypesInSymbolRecord(ObjectFile *File,
>>>>>>> +static void remapTypesInSymbolRecord(ObjectFile *File,
>>>>>>>                                       MutableArrayRef<uint8_t>
>>>>>>> Contents,
>>>>>>>                                       ArrayRef<TypeIndex>
>>>>>>> TypeIndexMap,
>>>>>>>                                       ArrayRef<TiReference>
>>>>>>> TypeRefs) {
>>>>>>>    for (const TiReference &Ref : TypeRefs) {
>>>>>>>      unsigned ByteSize = Ref.Count * sizeof(TypeIndex);
>>>>>>> -    if (Contents.size() < Ref.Offset + ByteSize) {
>>>>>>> -      log("ignoring short symbol record");
>>>>>>> -      return false;
>>>>>>> -    }
>>>>>>> +    if (Contents.size() < Ref.Offset + ByteSize)
>>>>>>> +      fatal("ignoring short symbol record");
>>>>>>>
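Review bot: the check `Contents.size() < Ref.Offset + ByteSize` is not wrap-safe. `ByteSize` is declared `unsigned`, so the `Ref.Count * sizeof(TypeIndex)` product is truncated to 32 bits, and if `Ref.Offset` is 32-bit as well the sum can wrap to a small value and let a reference whose offset lies past the end of `Contents` through, which is exactly the corrupted input this branch is meant to reject. Comparing without the addition, e.g. `if (Ref.Offset > Contents.size() || Contents.size() - Ref.Offset < ByteSize)`, avoids that. Separately, the text in `fatal("ignoring short symbol record")` no longer describes the behaviour: `fatal` aborts the link instead of skipping the record, so the message should say so (for instance "symbol record too short for its type index references").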
>>>>>>
>>>>>> If you use `fatal`, it doesn't ignore records but exits immediately.
>>>>>>
>>>>>
>>>>> This is intentional. A short record is more indicative of data
>>>>> corruption than an invalid type index. An invalid type index probably means
>>>>> we just can't find the PDB.
>>>>>
>>>>
>>>> The error message is a bit confusing, isn't it? It says "ignoring" but
>>>> what it does is to abort immediately.
>>>>
>>>
>>> Oh, good point. :)
>>>
>>> _______________________________________________
>>> llvm-commits mailing list
>>> llvm-commits at lists.llvm.org
>>> http://lists.llvm.org/cgi-bin/mailman/listinfo/llvm-commits
>>>
>>>
>>
>
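Reid's remark above that LLD does not bounds-check relocations before applying them and the short-record check in the quoted remapTypesInSymbolRecord hunk are two instances of the same problem: validating an untrusted offset/length pair against a buffer before reading or writing through it. The block below is an added example written for this page, not lld's own code. `Reloc`, `TiRef`, `inBounds`, `applyRelocs` and the 16-byte sample section are assumptions made for illustration; the ASan report shows the unchecked `add32` read, but the real relocation and `TiReference` layouts are richer than the structs here. The example also assumes 32-bit `Offset`/`Count` fields, to show how the `Offset + ByteSize` form of the check can wrap on crafted input while the subtraction form cannot.

```cpp
// Added example (not lld code): wrap-safe bounds checks for applying
// relocations and for type-index references, with constructed sample input.
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <vector>

// Hypothetical relocation record. The real COFF record also carries a type
// and a symbol-table index; only what the bounds check needs is kept.
struct Reloc {
  uint32_t Offset;  // byte offset of the 32-bit field inside the section data
  uint32_t Addend;  // value added to that field, like add32() in Chunks.cpp
};

// Hypothetical type-index reference, assuming 32-bit Offset/Count fields.
struct TiRef {
  uint32_t Offset;
  uint32_t Count;
};

// Is [Offset, Offset + Len) inside a buffer of Size bytes? Written without
// computing Offset + Len, so it cannot wrap whatever the operand widths are.
static bool inBounds(size_t Size, uint64_t Offset, uint64_t Len) {
  return Offset <= Size && Len <= Size - Offset;
}

// The check in the shape of the quoted hunk, `Size < Offset + ByteSize`,
// evaluated in 32-bit arithmetic. Returns true when the record "fits".
static bool shortRecordCheckWrapping(size_t Size, const TiRef &Ref) {
  unsigned ByteSize = Ref.Count * 4u;     // sizeof(TypeIndex) == 4, truncated
  uint32_t End = Ref.Offset + ByteSize;   // can wrap to a small value
  return !(Size < End);
}

// The same decision made with inBounds(): a reference past the end never fits.
static bool shortRecordCheckSafe(size_t Size, const TiRef &Ref) {
  return inBounds(Size, Ref.Offset, uint64_t(Ref.Count) * 4);
}

static uint32_t read32le(const uint8_t *P) {
  return uint32_t(P[0]) | uint32_t(P[1]) << 8 | uint32_t(P[2]) << 16 |
         uint32_t(P[3]) << 24;
}

static void write32le(uint8_t *P, uint32_t V) {
  for (int I = 0; I < 4; ++I)
    P[I] = uint8_t(V >> (8 * I));
}

// Apply ADDR32-style relocations to the section data. Every offset is checked
// before the 4-byte read-modify-write that add32() performs, so a relocation
// pointing past the section is reported instead of dereferenced. Returns
// false and leaves Contents untouched if any relocation is out of bounds.
static bool applyRelocs(std::vector<uint8_t> &Contents,
                        const std::vector<Reloc> &Relocs) {
  for (const Reloc &R : Relocs)
    if (!inBounds(Contents.size(), R.Offset, 4))
      return false;
  for (const Reloc &R : Relocs) {
    uint8_t *P = Contents.data() + R.Offset;
    write32le(P, read32le(P) + R.Addend);
  }
  return true;
}

// Constructed sample input: a zeroed 16-byte "debug section" and two
// relocation tables. In the bad table, 4096 is far past the end and 14 starts
// inside the section but its 4-byte field runs off the end.
static std::vector<uint8_t> sampleSection() {
  return std::vector<uint8_t>(16, 0);
}
static std::vector<Reloc> sampleRelocsGood() {
  return {{0, 0x1000}, {12, 0x20}};
}
static std::vector<Reloc> sampleRelocsBad() {
  return {{0, 0x1000}, {4096, 0x20}, {14, 1}};
}

// Relocate a fresh sample section and return the field at Offset afterwards,
// or 0xFFFFFFFF if the table was rejected.
static uint32_t relocatedField(const std::vector<Reloc> &Relocs,
                               uint32_t Offset) {
  std::vector<uint8_t> Sec = sampleSection();
  if (!applyRelocs(Sec, Relocs))
    return 0xFFFFFFFFu;
  return read32le(Sec.data() + Offset);
}

int main() {
  std::printf("good table: field0=0x%x field12=0x%x\n",
              relocatedField(sampleRelocsGood(), 0),
              relocatedField(sampleRelocsGood(), 12));
  std::printf("bad table rejected: %d\n",
              relocatedField(sampleRelocsBad(), 0) == 0xFFFFFFFFu);
  TiRef Wrap{0xFFFFFFFCu, 1};
  std::printf("wrapping check accepts: %d, safe check accepts: %d\n",
              shortRecordCheckWrapping(16, Wrap),
              shortRecordCheckSafe(16, Wrap));
  return 0;
}
```

Build with `clang++ -std=c++11 -Wall` and run; the wrapping variant accepts the reference at offset 0xFFFFFFFC because 0xFFFFFFFC + 4 wraps to 0, while `inBounds` rejects it along with the two out-of-range relocations. Validating every relocation before applying any of them is what keeps the output section untouched on bad input, which is the behaviour a linker wants before it hands the bytes to the PDB writer.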