[LLVMbugs] [Bug 8494] New: segmentation faults in lli

bugzilla-daemon at llvm.org bugzilla-daemon at llvm.org
Thu Oct 28 06:08:30 PDT 2010


http://llvm.org/bugs/show_bug.cgi?id=8494

           Summary: segmentation faults in lli
           Product: new-bugs
           Version: trunk
          Platform: PC
        OS/Version: Linux
            Status: NEW
          Severity: normal
          Priority: P
         Component: new bugs
        AssignedTo: unassignedbugs at nondot.org
        ReportedBy: iisaev at ispras.ru
                CC: llvmbugs at cs.uiuc.edu


Created an attachment (id=5687)
 --> (http://llvm.org/bugs/attachment.cgi?id=5687)
exploit input

user at machine:/space/iisaev/avalanche5/branches/distributed-avalanche$ gdb --args llvm-repos/inst/bin/lli ~/branch1_exploit_36_0
GNU gdb 6.8-debian
Copyright (C) 2008 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.  Type "show copying"
and "show warranty" for details.
This GDB was configured as "i486-linux-gnu"...
(gdb) run
Starting program:
/space/iisaev/avalanche5/branches/distributed-avalanche/llvm-repos/inst/bin/lli
/home/iisaev/branch1_exploit_36_0
[Thread debugging using libthread_db enabled]
[New Thread 0xb7c766d0 (LWP 27919)]

Program received signal SIGSEGV, Segmentation fault.
[Switching to Thread 0xb7c766d0 (LWP 27919)]
0x085279d0 in llvm::Type::isPointerTy (this=0x0)
    at
/space/iisaev/avalanche5/branches/distributed-avalanche/llvm-repos/include/llvm/Type.h:254
254      bool isPointerTy() const { return ID == PointerTyID; }
(gdb) bt
#0  0x085279d0 in llvm::Type::isPointerTy (this=0x0)
    at
/space/iisaev/avalanche5/branches/distributed-avalanche/llvm-repos/include/llvm/Type.h:254
#1  0x08526b61 in llvm::BitcodeReader::ParseModule (this=0x9909e70) at
BitcodeReader.cpp:1471
#2  0x08527660 in llvm::BitcodeReader::ParseBitcodeInto (this=0x9909e70,
M=0x990a380) at BitcodeReader.cpp:1590
#3  0x0852776b in llvm::getLazyBitcodeModule (Buffer=0x990a210,
Context=@0x99011f0, ErrMsg=0xbf958844)
    at BitcodeReader.cpp:2620
#4  0x08514969 in main (argc=2, argv=0xbf958924, envp=0xbf958930) at
lli.cpp:142
(gdb) p this
$1 = (const llvm::Type * const) 0x0
(gdb) up
#1  0x08526b61 in llvm::BitcodeReader::ParseModule (this=0x9909e70) at
BitcodeReader.cpp:1471
1471          if (!Ty->isPointerTy())
(gdb) p Ty
$2 = (const class llvm::Type *) 0x0
(gdb) list
1466        //             alignment, section, visibility, gc]
1467        case bitc::MODULE_CODE_FUNCTION: {
1468          if (Record.size() < 8)
1469            return Error("Invalid MODULE_CODE_FUNCTION record");
1470          const Type *Ty = getTypeByID(Record[0]);
1471          if (!Ty->isPointerTy())
1472            return Error("Function not a pointer type!");
1473          const FunctionType *FTy =
1474            dyn_cast<FunctionType>(cast<PointerType>(Ty)->getElementType());
1475          if (!FTy)

Ty is NULL and is dereferenced at BitcodeReader.cpp:1471

Another crash:

iisaev at aether:/space/iisaev/avalanche5/branches/distributed-avalanche$ gdb --args llvm-repos/inst/bin/lli exploit_33_0
GNU gdb 6.8-debian
Copyright (C) 2008 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.  Type "show copying"
and "show warranty" for details.
This GDB was configured as "i486-linux-gnu"...
(gdb) run
Starting program:
/space/iisaev/avalanche5/branches/distributed-avalanche/llvm-repos/inst/bin/lli
exploit_33_0
[Thread debugging using libthread_db enabled]
[New Thread 0xb7cd86d0 (LWP 27926)]

Program received signal SIGSEGV, Segmentation fault.
[Switching to Thread 0xb7cd86d0 (LWP 27926)]
0x085350aa in llvm::BitstreamCursor::Read (this=0xa4a2304, NumBits=1)
    at
/space/iisaev/avalanche5/branches/distributed-avalanche/llvm-repos/include/llvm/Bitcode/BitstreamReader.h:284
284                  (NextChar[2] << 16) | (NextChar[3] << 24);
(gdb) bt
#0  0x085350aa in llvm::BitstreamCursor::Read (this=0xa4a2304, NumBits=1)
    at
/space/iisaev/avalanche5/branches/distributed-avalanche/llvm-repos/include/llvm/Bitcode/BitstreamReader.h:284
#1  0x08535289 in llvm::BitstreamCursor::ReadCode (this=0xa4a2304)
    at
/space/iisaev/avalanche5/branches/distributed-avalanche/llvm-repos/include/llvm/Bitcode/BitstreamReader.h:353
#2  0x08525cc2 in llvm::BitcodeReader::ParseModule (this=0xa4a22d8) at
BitcodeReader.cpp:1282
#3  0x08527660 in llvm::BitcodeReader::ParseBitcodeInto (this=0xa4a22d8,
M=0xa4a3370) at BitcodeReader.cpp:1590
#4  0x0852776b in llvm::getLazyBitcodeModule (Buffer=0xa4a3210,
Context=@0xa49a1f0, ErrMsg=0xbfab91b4)
    at BitcodeReader.cpp:2620
#5  0x08514969 in main (argc=2, argv=0xbfab9294, envp=0xbfab92a0) at
lli.cpp:142
(gdb) list
279    
280        unsigned R = CurWord;
281    
282        // Read the next word from the stream.
283        CurWord = (NextChar[0] <<  0) | (NextChar[1] << 8) |
284                  (NextChar[2] << 16) | (NextChar[3] << 24);
285        NextChar += 4;
286    
287        // Extract NumBits-BitsInCurWord from what we just read.
288        unsigned BitsLeft = NumBits-BitsInCurWord;
(gdb) p NextChar
$1 = (const unsigned char *) 0x5da333c <Address 0x5da333c out of bounds>
(gdb) p NextChar[2]
Cannot access memory at address 0x5da333e

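Both traces come from the same class of defect: a value taken from the input (the type ID in Record[0] in the first crash, the stream position in the second) is used before being checked against what the reader actually has. The stand-alone C++ below is an added illustration written for this page; it is not LLVM code and not a patch to BitcodeReader.cpp. The names TypeTable, parseFunctionRecord, BitCursor and countReads, and the 8-byte input kStream, are hypothetical stand-ins and constructed data, not the attachments from the report. BitCursor::Read keeps the word-refill arithmetic visible in the gdb listing but returns false instead of reading NextChar[0..3] when fewer than four bytes remain, and parseFunctionRecord rejects a null result from getTypeByID before calling isPointerTy().

```cpp
// Added example (not LLVM code): a null-checked type lookup and a
// bounds-checked bitstream word reader, mirroring the two crash sites.
#include <cstddef>
#include <cstdint>
#include <string>
#include <vector>

// Hypothetical stand-in for llvm::Type; only the test the crash site uses.
enum TypeID { VoidTyID, IntegerTyID, PointerTyID };
struct Type {
  TypeID ID;
  bool isPointerTy() const { return ID == PointerTyID; }
};

// Hypothetical stand-in for the reader's type table. As with the real
// getTypeByID, an ID the module never defined yields a null pointer.
struct TypeTable {
  std::vector<Type> Types;
  const Type *getTypeByID(uint64_t ID) const {
    return ID < Types.size() ? &Types[ID] : nullptr;
  }
};

// Hardened form of the MODULE_CODE_FUNCTION handling from the backtrace.
// Returns an error string, or "" when the record is acceptable.
std::string parseFunctionRecord(const TypeTable &TT,
                                const std::vector<uint64_t> &Record) {
  if (Record.size() < 8)
    return "Invalid MODULE_CODE_FUNCTION record";
  const Type *Ty = TT.getTypeByID(Record[0]);
  if (!Ty)  // the check missing before the deref at BitcodeReader.cpp:1471
    return "Invalid type ID in MODULE_CODE_FUNCTION record";
  if (!Ty->isPointerTy())
    return "Function not a pointer type!";
  return "";
}

static uint32_t lowMask(unsigned N) {
  return N >= 32 ? 0xFFFFFFFFu : ((1u << N) - 1u);
}

// Hypothetical cursor with the same word-refill logic as BitstreamCursor::Read,
// except that it refuses to refill when fewer than 4 bytes remain instead of
// reading past the buffer (the second crash: NextChar beyond the mapped file).
class BitCursor {
  const uint8_t *NextChar;
  const uint8_t *End;
  uint32_t CurWord = 0;
  unsigned BitsInCurWord = 0;
public:
  BitCursor(const uint8_t *Begin, size_t Len) : NextChar(Begin), End(Begin + Len) {}

  // Little-endian, LSB-first bit read of 1..32 bits; false on truncation.
  bool Read(unsigned NumBits, uint32_t &Result) {
    if (NumBits == 0 || NumBits > 32) return false;
    if (NumBits <= BitsInCurWord) {
      Result = CurWord & lowMask(NumBits);
      CurWord = NumBits == 32 ? 0 : CurWord >> NumBits;
      BitsInCurWord -= NumBits;
      return true;
    }
    if (static_cast<size_t>(End - NextChar) < 4) return false;  // truncated stream
    uint32_t R = CurWord;  // bits already buffered become the low bits of the result
    CurWord = uint32_t(NextChar[0]) | (uint32_t(NextChar[1]) << 8) |
              (uint32_t(NextChar[2]) << 16) | (uint32_t(NextChar[3]) << 24);
    NextChar += 4;
    unsigned BitsLeft = NumBits - BitsInCurWord;  // 1..32, BitsInCurWord <= 31 here
    R |= (CurWord & lowMask(BitsLeft)) << BitsInCurWord;
    CurWord = BitsLeft == 32 ? 0 : CurWord >> BitsLeft;
    BitsInCurWord = 32 - BitsLeft;
    Result = R;
    return true;
  }
};

// Constructed 8-byte input (not taken from the report's attachments).
static const uint8_t kStream[8] = {0x12, 0x34, 0x56, 0x78, 0xAB, 0xCD, 0xEF, 0x01};

// Reads 8, 16, 12 and 28 bits (exactly 64) and then asks for one more bit.
// Returns how many reads succeeded; the last one fails cleanly on kStream.
int countReads(const uint8_t *Data, size_t Len, std::vector<uint32_t> &Vals) {
  BitCursor C(Data, Len);
  const unsigned Widths[] = {8, 16, 12, 28, 1};
  int OK = 0;
  for (unsigned W : Widths) {
    uint32_t V;
    if (!C.Read(W, V)) break;
    Vals.push_back(V);
    ++OK;
  }
  return OK;
}

int main() {
  std::vector<uint32_t> Vals;
  int N = countReads(kStream, sizeof kStream, Vals);
  TypeTable TT{{{VoidTyID}, {IntegerTyID}, {PointerTyID}}};
  std::vector<uint64_t> Bad(8, 0);
  Bad[0] = 7;  // type ID 7 is never defined, like the null Ty in the first trace
  return (N == 4 && parseFunctionRecord(TT, Bad) != "") ? 0 : 1;
}
```

The 12-bit read is the interesting case: it consumes the 8 bits left over from the first word and 4 bits from the freshly loaded second word, which is exactly the refill path where the original reader dereferences NextChar; the final 1-bit read hits the end of the buffer and is refused rather than faulting.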