[llvm-bugs] [Bug 50182] New: Segmentation fault / null pointer exception

via llvm-bugs llvm-bugs at lists.llvm.org
Fri Apr 30 09:08:18 PDT 2021 

https://bugs.llvm.org/show_bug.cgi?id=50182

            Bug ID: 50182
           Summary: Segmentation fault / null pointer exception
           Product: tools
           Version: trunk
          Hardware: PC
                OS: Linux
            Status: NEW
          Severity: normal
          Priority: P
         Component: llvm-symbolizer
          Assignee: unassignedbugs at nondot.org
          Reporter: marcel.swidersky at stud.tu-darmstadt.de
                CC: llvm-bugs at lists.llvm.org

Created attachment 24816
  --> https://bugs.llvm.org/attachment.cgi?id=24816&action=edit
A minimal example program that causes the crash + Makefile that generates the
three cases I described

When compiling one of the CFI-showcase programs (attached) with CFI
instrumentation and recovery a nullpointer exception in llvm-symbolizer occurs.

The program is not clean by design - this is the point of a CFI showcase -  but
it runs fine without any instrumentation enabled.

It also runs fine with instrumentation enabled (-fsanitize=cfi-icall) - the
violation is reported and the program aborts gracefully.

However, with instrumentation (-fsanitize=cfi-icall) AND recovery
(-fsanitize-recover=all) enabled, the program does not resume execution after
the CFI violation has been reported. A nullpointer exception causes a crash.

All other CFI showcase programs resume correctly, only this one case causes a
crash.

Expected behavior:
$ ./cfi_skip_entrypoint
cfi_skip_entrypoint.c:35:15: runtime error: control flow integrity check for
type 'int (int)' failed during indirect function call
CFI ensures control flow only transfers to potentially valid destinations
In not_entry_point: (0)
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
If you can read this, execution has resumed!
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

>>> The program should report the violation and continue execution

Actual behavior:
$ ./cfi_skip_entrypoint
cfi_skip_entrypoint.c:35:15: runtime error: control flow integrity check for
type 'int (int)' failed during indirect function call
(/mnt/clang-cfi-showcase/cfi_skip_entrypoint+0x423c40): note: __libc_csu_init
defined here
SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior
cfi_skip_entrypoint.c:35:15 in 
UndefinedBehaviorSanitizer:DEADLYSIGNAL
==23263==ERROR: UndefinedBehaviorSanitizer: SEGV on unknown address
0x000000000000 (pc 0x000000423c71 bp 0x000000086ce8 sp 0x7ffe258018d8 T23263)
==23263==The signal is caused by a READ memory access.
==23263==Hint: address points to the zero page.
    #0 0x423c71 in __libc_csu_init
(/mnt/clang-cfi-showcase/cfi_skip_entrypoint+0x423c71)
    #1 0x423c2f  (/mnt/clang-cfi-showcase/cfi_skip_entrypoint+0x423c2f)

UndefinedBehaviorSanitizer can not provide additional info.
SUMMARY: UndefinedBehaviorSanitizer: SEGV
(/mnt/clang-cfi-showcase/cfi_skip_entrypoint+0x423c71) in __libc_csu_init
==23263==ABORTING

>>> The program reports the violation but cannot resume because of a nullpointer exception



This is what I got after debugging it in gdb:
--------------------------------------------------------------------------------
Thread 2.1 "llvm-symbolizer" received signal SIGSEGV, Segmentation fault.

Run till exit from #0  __libc_start_main (main=0x423ad0 <main>, argc=1,
argv=0x7fffffffe758, init=0x423c30 <__libc_csu_init>, fini=<optimized out>,
rtld_fini=<optimized out>, stack_end=0x7fffffffe748) at ../csu/libc-start.c:268
cfi_skip_entrypoint.c:35:15: runtime error: control flow integrity check for
type 'int (int)' failed during indirect function call

>>> CFI violation is reported correctly <<<

[Attaching after Thread 0x7ffff78bdb80 (LWP 35794) fork to child process 35828]
[New inferior 2 (process 35828)]
[Detaching after fork from parent process 35794]
[Inferior 1 (process 35794) detached]
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
process 35828 is executing new program: /usr/lib/llvm-11/bin/llvm-symbolizer

>>> Execution resumes, llvm-symbolizer is called <<<

[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".

Thread 2.1 "llvm-symbolizer" received signal SIGSEGV, Segmentation fault.
--------------------------------------------------------------------------------

-- 
You are receiving this mail because:
You are on the CC list for the bug.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.llvm.org/pipermail/llvm-bugs/attachments/20210430/daf6c39e/attachment.html>

More information about the llvm-bugs mailing list