[llvm-bugs] [Bug 41734] New: -fsanitize-coverage=inline-8bit-counters + ThinLTO = lld crash

via llvm-bugs llvm-bugs at lists.llvm.org
Fri May 3 10:27:51 PDT 2019 

https://bugs.llvm.org/show_bug.cgi?id=41734

            Bug ID: 41734
           Summary: -fsanitize-coverage=inline-8bit-counters + ThinLTO =
                    lld crash
           Product: libraries
           Version: trunk
          Hardware: PC
                OS: Linux
            Status: NEW
          Severity: enhancement
          Priority: P
         Component: Miscellaneous Instrumentation passes
          Assignee: unassignedbugs at nondot.org
          Reporter: lebedev.ri at gmail.com
                CC: llvm-bugs at lists.llvm.org

I know that no one will bother to look at the bug if there isn't a simple
self-contained reproducer, but i'm not sure how to create it here :S

This bug appears to originate from -fsanitize-coverage=inline-8bit-counters,
and only happens if ThinLTO (and lld) is used.
I can't tell if this is LLD bug, or instrumentation bug.

The observable effect of the bug:

ld.lld: /build/llvm/include/llvm/MC/MCSymbol.h:267: llvm::MCSection&
llvm::MCSymbol::getSection() const: Assertion `isInSection() && "Invalid
accessor!"' failed.
Stack dump:
0.      Program arguments: /build/llvm-build-GCC-release/bin/ld.lld
--hash-style=both --build-id --eh-frame-hdr -m elf_x86_64 -dynamic-linker
/lib64/ld-linux-x86-64.so.2 -o
fuzz/librawspeed/decompressors/VC5DecompressorFuzzer
/usr/lib64/gcc/x86_64-linux-gnu/8/../../../x86_64-linux-gnu/crt1.o
/usr/lib64/gcc/x86_64-linux-gnu/8/../../../x86_64-linux-gnu/crti.o
/usr/lib64/gcc/x86_64-linux-gnu/8/crtbegin.o
-L/usr/lib64/gcc/x86_64-linux-gnu/8
-L/usr/lib64/gcc/x86_64-linux-gnu/8/../../../x86_64-linux-gnu
-L/usr/lib64/gcc/x86_64-linux-gnu/8/../../../../lib64 -L/lib/x86_64-linux-gnu
-L/lib/../lib64 -L/usr/lib/x86_64-linux-gnu -L/usr/lib/../lib64
-L/usr/lib/x86_64-linux-gnu/../../lib64
-L/usr/lib64/gcc/x86_64-linux-gnu/8/../../.. -L/usr/lib/llvm-9/bin/../lib
-L/lib -L/usr/lib -plugin /usr/lib/llvm-9/bin/../lib/LLVMgold.so
-plugin-opt=mcpu=x86-64 -plugin-opt=O3 -plugin-opt=thinlto --whole-archive
/usr/lib/llvm-9/lib/clang/9.0.0/lib/linux/libclang_rt.ubsan_standalone-x86_64.a
--no-whole-archive
--dynamic-list=/usr/lib/llvm-9/lib/clang/9.0.0/lib/linux/libclang_rt.ubsan_standalone-x86_64.a.syms
--whole-archive
/usr/lib/llvm-9/lib/clang/9.0.0/lib/linux/libclang_rt.ubsan_standalone_cxx-x86_64.a
--no-whole-archive
--dynamic-list=/usr/lib/llvm-9/lib/clang/9.0.0/lib/linux/libclang_rt.ubsan_standalone_cxx-x86_64.a.syms
--as-needed
--thinlto-cache-dir=/home/lebedevri/rawspeed/build/clang-thinlto-cache
--thinlto-cache-policy cache_size_bytes=1g
fuzz/librawspeed/decompressors/CMakeFiles/VC5DecompressorFuzzer.dir/VC5Decompressor.cpp.o
librawspeed.a fuzz/librawspeed_fuzz.a librawspeed.a
/usr/lib/x86_64-linux-gnu/libpugixml.so /usr/lib/x86_64-linux-gnu/libjpeg.so
/usr/lib/x86_64-linux-gnu/libz.so /usr/lib/llvm-9/lib/libomp.so -lstdc++ -lm
--no-as-needed -lpthread -lrt -lm -ldl -lgcc_s -lgcc -lc -lc -lgcc_s -lgcc
/usr/lib64/gcc/x86_64-linux-gnu/8/crtend.o
/usr/lib64/gcc/x86_64-linux-gnu/8/../../../x86_64-linux-gnu/crtn.o 
 #0 0x00007f2dd1bbaaca llvm::sys::PrintStackTrace(llvm::raw_ostream&)
/build/llvm/lib/Support/Unix/Signals.inc:494:22
 #1 0x00007f2dd1bb88f4 llvm::sys::RunSignalHandlers()
/build/llvm/lib/Support/Signals.cpp:68:20
 #2 0x00007f2dd1bb8a55 SignalHandler(int)
/build/llvm/lib/Support/Unix/Signals.inc:357:1
 #3 0x00007f2dd19b2730 __restore_rt
(/lib/x86_64-linux-gnu/libpthread.so.0+0x12730)
 #4 0x00007f2dd112f7bb raise (/lib/x86_64-linux-gnu/libc.so.6+0x377bb)
 #5 0x00007f2dd111a535 abort (/lib/x86_64-linux-gnu/libc.so.6+0x22535)
 #6 0x00007f2dd111a40f (/lib/x86_64-linux-gnu/libc.so.6+0x2240f)
 #7 0x00007f2dd1128102 (/lib/x86_64-linux-gnu/libc.so.6+0x30102)
 #8 0x00007f2dcf8092e0 llvm::MCSymbol::getVariableValue(bool) const
/build/llvm/include/llvm/MC/MCSymbol.h:300:12
 #9 0x00007f2dcf8092e0 llvm::MCSymbol::getFragment(bool) const
/build/llvm/include/llvm/MC/MCSymbol.h:387:65
#10 0x00007f2dcf8092e0 llvm::MCSymbol::getFragment(bool) const
/build/llvm/include/llvm/MC/MCSymbol.h:383:15
#11 0x00007f2dcf8092e0 llvm::MCSymbol::isUndefined(bool) const
/build/llvm/include/llvm/MC/MCSymbol.h:257:23
#12 0x00007f2dcf8092e0 llvm::MCSymbol::isDefined() const
/build/llvm/include/llvm/MC/MCSymbol.h:247:47
#13 0x00007f2dcf8092e0 llvm::MCSymbol::isInSection() const
/build/llvm/include/llvm/MC/MCSymbol.h:252:21
#14 0x00007f2dcf8092e0 llvm::MCSymbol::getSection() const
/build/llvm/include/llvm/MC/MCSymbol.h:267:5
#15 0x00007f2dcf810c36 llvm::isa_impl_cl<llvm::MCSectionELF, llvm::MCSection
const*>::doit(llvm::MCSection const*)
/build/llvm/include/llvm/Support/Casting.h:105:5
#16 0x00007f2dcf810c36 llvm::isa_impl_wrap<llvm::MCSectionELF, llvm::MCSection
const*, llvm::MCSection const*>::doit(llvm::MCSection const* const&)
/build/llvm/include/llvm/Support/Casting.h:132:40
#17 0x00007f2dcf810c36 llvm::isa_impl_wrap<llvm::MCSectionELF, llvm::MCSection*
const, llvm::MCSection const*>::doit(llvm::MCSection* const&)
/build/llvm/include/llvm/Support/Casting.h:123:60
#18 0x00007f2dcf810c36 bool llvm::isa<llvm::MCSectionELF,
llvm::MCSection*>(llvm::MCSection* const&)
/build/llvm/include/llvm/Support/Casting.h:143:74
#19 0x00007f2dcf810c36 llvm::cast_retty<llvm::MCSectionELF,
llvm::MCSection*>::ret_type llvm::cast<llvm::MCSectionELF,
llvm::MCSection>(llvm::MCSection*)
/build/llvm/include/llvm/Support/Casting.h:264:3
#20 0x00007f2dcf810c36 writeSection
/build/llvm/lib/MC/ELFObjectWriter.cpp:1031:49
#21 0x00007f2dcf810c36 writeSectionHeader
/build/llvm/lib/MC/ELFObjectWriter.cpp:1067:17
#22 0x00007f2dcf810c36 (anonymous
namespace)::ELFWriter::writeObject(llvm::MCAssembler&, llvm::MCAsmLayout
const&) (.constprop.465) /build/llvm/lib/MC/ELFObjectWriter.cpp:1224:21
#23 0x00007f2dcf811b37 std::vector<llvm::MCSectionELF const*,
std::allocator<llvm::MCSectionELF const*> >::~vector()
/usr/include/c++/8/bits/stl_vector.h:567:15
#24 0x00007f2dcf811b37 ~ELFWriter /build/llvm/lib/MC/ELFObjectWriter.cpp:101:8

Reproduction is easy and hard at the same time.
I'm not sure how to write a minimal reproducer by hand, and i'm not sure how to
reduce the existing "reproducer".
Just to star somewhere, i'll state the whole reproduction process:
$ git clone https://github.com/darktable-org/rawspeed.git
$ cd rawspeed && mkdir build && cd build
$ CC=clang CXX=clang++ CFLAGS="-fsanitize-coverage=inline-8bit-counters"
CXXFLAGS="-fsanitize-coverage=inline-8bit-counters" cmake
-DCMAKE_BUILD_TYPE=Release ../ -DRAWSPEED_ENABLE_LTO=ON -GNinja && ninja
VC5DecompressorFuzzer
$ # you may want to pass some cmake options to disable some (or all!) deps,
although there is nothing heavy. See
https://github.com/google/oss-fuzz/blob/ae9398deefdf485c50bb625a20fd44a2def49418/projects/librawspeed/build.sh#L32-L38
$ [80/80] Linking CXX executable
fuzz/librawspeed/decompressors/VC5DecompressorFuzzer
FAILED: fuzz/librawspeed/decompressors/VC5DecompressorFuzzer 
: && /usr/local/bin/clang++  -fsanitize-coverage=inline-8bit-counters
-std=c++14 -flto=thin -fforce-emit-vtables -fwhole-program-vtables
-fstrict-vtable-pointers -Wall -Wextra -Weverything -Wno-c++98-compat
-Wno-c++98-compat-pedantic -Wno-conversion -Wno-covered-switch-default
-Wno-deprecated -Wno-double-promotion -Wno-exit-time-destructors
-Wno-global-constructors -Wno-gnu-zero-variadic-macro-arguments
-Wno-old-style-cast -Wno-padded -Wno-switch-enum -Wno-unused-macros
-Wno-unused-parameter -Wno-weak-vtables -Wno-zero-as-null-pointer-constant
-Wextra-semi -Wframe-larger-than=4096 -Wlarger-than=32768 -O3 -DNDEBUG -O3 
-Wl,--as-needed -flto=thin -fuse-ld="/usr/local/bin/ld.lld"
-Wl,--thinlto-cache-dir="/home/lebedevri/rawspeed/build/clang-thinlto-cache"
-Wl,--thinlto-cache-policy,cache_size_bytes=1g
fuzz/librawspeed/decompressors/CMakeFiles/VC5DecompressorFuzzer.dir/VC5Decompressor.cpp.o
 -o fuzz/librawspeed/decompressors/VC5DecompressorFuzzer  librawspeed.a
fuzz/librawspeed_fuzz.a librawspeed.a /usr/lib/x86_64-linux-gnu/libpugixml.so
/usr/lib/x86_64-linux-gnu/libjpeg.so /usr/lib/x86_64-linux-gnu/libz.so
/usr/lib/llvm-9/lib/libomp.so && :
ld.lld: error: lto.tmp: invalid sh_link index: 0
clang: error: linker command failed with exit code 1 (use -v to see invocation)
ninja: build stopped: subcommand failed.

-- 
You are receiving this mail because:
You are on the CC list for the bug.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.llvm.org/pipermail/llvm-bugs/attachments/20190503/dd8c4e41/attachment.html>

More information about the llvm-bugs mailing list