[llvm-bugs] [Bug 37303] LLD + -fsanitize=address segfaults in scandir.
via llvm-bugs
llvm-bugs at lists.llvm.org
Tue Jan 15 07:33:35 PST 2019
https://bugs.llvm.org/show_bug.cgi?id=37303
Peter Wu <peter at lekensteyn.nl> changed:
What |Removed |Added
----------------------------------------------------------------------------
CC| |peter at lekensteyn.nl
Status|RESOLVED |REOPENED
Resolution|WORKSFORME |---
--- Comment #7 from Peter Wu <peter at lekensteyn.nl> ---
Re-opening as I am still able to reproduce the issue with lld from trunk, but
using an *older* compiler-rt.
Initially reproduced with lld 7.0.1-1 on Arch Linux x86_64, it indeed crashed
in the scandir interceptor of compiler-rt. Whether the object file was compiled
with GCC/clang did not make a difference.
-fuse-ld=gold and -fuse-ld=bfd (binutils 2.31.1-4) works, -fuse-ld=lld produces
broken binaries (as does -fuse-ld=/path/to/trunk/ld.lld).
# Broken with 7.0.1, works on trunk:
clang -fsanitize=address repro.o && ./a.out
# Broken with both 7.0.1 and trunk clang+lld (but using compiler-rt 7.0.1)
clang -fuse-ld=lld /usr/lib/clang/7.0.1/lib/linux/libclang_rt.asan-x86_64.a
-ldl -pthread -lrt -lm repro.o && ./a.out
(Note: the above command with -fuse-ld=bfd seems to ignore the static library,
use "clang -v" to see the link command and replace the
libclang_rt.asan-x86_64.a and --dynamic-list=... paths and change ld.lld ->
ld.bfd or ld.gold for testing.)
Disassembly of __interceptor_scandir64.part.126 for a working (bfd-linked)
binary:
add85: ff 15 05 7b 0c 00 callq *0xc7b05(%rip) # 175890
<_ZN14__interception11real_strlenE>
add8b: 4c 8d 60 01 lea 0x1(%rax),%r12
add8f: 48 89 d8 mov %rbx,%rax
add92: 4c 01 e0 add %r12,%rax
add95: 0f 82 5d 03 00 00 jb ae0f8
<__interceptor_scandir64.part.126+0x398>
add9b: 4c 89 e6 mov %r12,%rsi
add9e: 48 89 df mov %rbx,%rdi
adda1: e8 9a a0 f8 ff callq 37e40
<_ZN6__asanL29QuickCheckForUnpoisonedRegionEmm>
adda6: 84 c0 test %al,%al
adda8: 0f 84 b2 02 00 00 je ae060
<__interceptor_scandir64.part.126+0x300>
addae: 66 66 66 66 64 48 8b data16 data16 data16 data16 mov
%fs:0x0,%rax
addb5: 04 25 00 00 00 00
addbb: 48 8d 0d ee 98 f8 ff lea -0x76712(%rip),%rcx #
376b0
<_ZL24wrapped_scandir64_comparPPKN11__sanitizer20__sanitizer_dirent64ES3_>
Disassembly of __interceptor_scandir64.part.126 for a broken (lld-linked)
binary:
e4d35: ff 15 d5 40 09 00 callq *0x940d5(%rip) # 178e10
<_ZN14__interception11real_strlenE>
e4d3b: 4c 8d 60 01 lea 0x1(%rax),%r12
e4d3f: 48 89 d8 mov %rbx,%rax
e4d42: 4c 01 e0 add %r12,%rax
e4d45: 0f 82 5d 03 00 00 jb e50a8
<__interceptor_scandir64.part.126+0x398>
e4d4b: 4c 89 e6 mov %r12,%rsi
e4d4e: 48 89 df mov %rbx,%rdi
e4d51: e8 9a a0 f8 ff callq 6edf0
<_ZN6__asanL29QuickCheckForUnpoisonedRegionEmm>
e4d56: 84 c0 test %al,%al
e4d58: 0f 84 b2 02 00 00 je e5010
<__interceptor_scandir64.part.126+0x300>
e4d5e: 66 66 66 64 48 8b 04 data16 data16 data16 mov %fs:0x0,%rax
e4d65: 25 00 00 00 00
e4d6a: 00 48 8d add %cl,-0x73(%rax)
e4d6d: 0d ee 98 f8 ff or $0xfff898ee,%eax
The "data16" instruction looks wrong, the "add %cl,-0x73(%rax)" is the one that
corrupts RAX and causes a crash down the line.
--
You are receiving this mail because:
You are on the CC list for the bug.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.llvm.org/pipermail/llvm-bugs/attachments/20190115/e7d996b8/attachment-0001.html>
More information about the llvm-bugs
mailing list