[llvm] r366017 - [BitcodeReader] Use tighter upper bound to validate forward references.
Florian Hahn via llvm-commits
llvm-commits at lists.llvm.org
Sun Jul 14 05:35:50 PDT 2019
Author: fhahn
Date: Sun Jul 14 05:35:50 2019
New Revision: 366017
URL: http://llvm.org/viewvc/llvm-project?rev=366017&view=rev
Log:
[BitcodeReader] Use tighter upper bound to validate forward references.
At the moment, bitcode files with invalid forward reference can easily
cause the bitcode reader to run out of memory, by creating a forward
reference with a very high index.
We can use the size of the bitcode file as an upper bound, because a
valid bitcode file can never contain more records. This should be
sufficient to fail early in most cases. The only exception is large
files with invalid forward references close to the file size.
There are a couple of clusterfuzz runs that fail with out-of-memory
because of very high forward references and they should be fixed by this
patch.
A concrete example for this is D64507, which causes out-of-memory on
systems with low memory, like the hexagon upstream bots.
Reviewers: t.p.northover, thegameg, jfb, efriedma, hfinkel
Reviewed By: jfb
Differential Revision: https://reviews.llvm.org/D64577
Modified:
llvm/trunk/include/llvm/Bitstream/BitstreamReader.h
llvm/trunk/lib/Bitcode/Reader/BitcodeReader.cpp
llvm/trunk/lib/Bitcode/Reader/MetadataLoader.cpp
llvm/trunk/lib/Bitcode/Reader/ValueList.cpp
llvm/trunk/lib/Bitcode/Reader/ValueList.h
llvm/trunk/test/Bitcode/pr18704.ll
Modified: llvm/trunk/include/llvm/Bitstream/BitstreamReader.h
URL: http://llvm.org/viewvc/llvm-project/llvm/trunk/include/llvm/Bitstream/BitstreamReader.h?rev=366017&r1=366016&r2=366017&view=diff
==============================================================================
--- llvm/trunk/include/llvm/Bitstream/BitstreamReader.h (original)
+++ llvm/trunk/include/llvm/Bitstream/BitstreamReader.h Sun Jul 14 05:35:50 2019
@@ -294,6 +294,9 @@ public:
BitsInCurWord = 0;
}
+ /// Return the size of the stream in bytes.
+ size_t SizeInBytes() const { return BitcodeBytes.size(); }
+
/// Skip to the end of the file.
void skipToEnd() { NextChar = BitcodeBytes.size(); }
};
@@ -364,17 +367,18 @@ public:
explicit BitstreamCursor(MemoryBufferRef BitcodeBytes)
: SimpleBitstreamCursor(BitcodeBytes) {}
- using SimpleBitstreamCursor::canSkipToPos;
using SimpleBitstreamCursor::AtEndOfStream;
+ using SimpleBitstreamCursor::canSkipToPos;
+ using SimpleBitstreamCursor::fillCurWord;
using SimpleBitstreamCursor::getBitcodeBytes;
using SimpleBitstreamCursor::GetCurrentBitNo;
using SimpleBitstreamCursor::getCurrentByteNo;
using SimpleBitstreamCursor::getPointerToByte;
using SimpleBitstreamCursor::JumpToBit;
- using SimpleBitstreamCursor::fillCurWord;
using SimpleBitstreamCursor::Read;
using SimpleBitstreamCursor::ReadVBR;
using SimpleBitstreamCursor::ReadVBR64;
+ using SimpleBitstreamCursor::SizeInBytes;
/// Return the number of bits used to encode an abbrev #.
unsigned getAbbrevIDWidth() const { return CurCodeSize; }
Modified: llvm/trunk/lib/Bitcode/Reader/BitcodeReader.cpp
URL: http://llvm.org/viewvc/llvm-project/llvm/trunk/lib/Bitcode/Reader/BitcodeReader.cpp?rev=366017&r1=366016&r2=366017&view=diff
==============================================================================
--- llvm/trunk/lib/Bitcode/Reader/BitcodeReader.cpp (original)
+++ llvm/trunk/lib/Bitcode/Reader/BitcodeReader.cpp Sun Jul 14 05:35:50 2019
@@ -858,7 +858,7 @@ BitcodeReader::BitcodeReader(BitstreamCu
StringRef ProducerIdentification,
LLVMContext &Context)
: BitcodeReaderBase(std::move(Stream), Strtab), Context(Context),
- ValueList(Context) {
+ ValueList(Context, Stream.SizeInBytes()) {
this->ProducerIdentification = ProducerIdentification;
}
Modified: llvm/trunk/lib/Bitcode/Reader/MetadataLoader.cpp
URL: http://llvm.org/viewvc/llvm-project/llvm/trunk/lib/Bitcode/Reader/MetadataLoader.cpp?rev=366017&r1=366016&r2=366017&view=diff
==============================================================================
--- llvm/trunk/lib/Bitcode/Reader/MetadataLoader.cpp (original)
+++ llvm/trunk/lib/Bitcode/Reader/MetadataLoader.cpp Sun Jul 14 05:35:50 2019
@@ -130,8 +130,15 @@ class BitcodeReaderMetadataList {
LLVMContext &Context;
+ /// Maximum number of valid references. Forward references exceeding the
+ /// maximum must be invalid.
+ unsigned RefsUpperBound;
+
public:
- BitcodeReaderMetadataList(LLVMContext &C) : Context(C) {}
+ BitcodeReaderMetadataList(LLVMContext &C, size_t RefsUpperBound)
+ : Context(C),
+ RefsUpperBound(std::min((size_t)std::numeric_limits<unsigned>::max(),
+ RefsUpperBound)) {}
// vector compatibility methods
unsigned size() const { return MetadataPtrs.size(); }
@@ -218,6 +225,10 @@ void BitcodeReaderMetadataList::assignVa
}
Metadata *BitcodeReaderMetadataList::getMetadataFwdRef(unsigned Idx) {
+ // Bail out for a clearly invalid value.
+ if (Idx >= RefsUpperBound)
+ return nullptr;
+
if (Idx >= size())
resize(Idx + 1);
@@ -625,9 +636,10 @@ public:
BitcodeReaderValueList &ValueList,
std::function<Type *(unsigned)> getTypeByID,
bool IsImporting)
- : MetadataList(TheModule.getContext()), ValueList(ValueList),
- Stream(Stream), Context(TheModule.getContext()), TheModule(TheModule),
- getTypeByID(std::move(getTypeByID)), IsImporting(IsImporting) {}
+ : MetadataList(TheModule.getContext(), Stream.SizeInBytes()),
+ ValueList(ValueList), Stream(Stream), Context(TheModule.getContext()),
+ TheModule(TheModule), getTypeByID(std::move(getTypeByID)),
+ IsImporting(IsImporting) {}
Error parseMetadata(bool ModuleLevel);
Modified: llvm/trunk/lib/Bitcode/Reader/ValueList.cpp
URL: http://llvm.org/viewvc/llvm-project/llvm/trunk/lib/Bitcode/Reader/ValueList.cpp?rev=366017&r1=366016&r2=366017&view=diff
==============================================================================
--- llvm/trunk/lib/Bitcode/Reader/ValueList.cpp (original)
+++ llvm/trunk/lib/Bitcode/Reader/ValueList.cpp Sun Jul 14 05:35:50 2019
@@ -97,6 +97,10 @@ void BitcodeReaderValueList::assignValue
}
Constant *BitcodeReaderValueList::getConstantFwdRef(unsigned Idx, Type *Ty) {
+ // Bail out for a clearly invalid value.
+ if (Idx >= RefsUpperBound)
+ return nullptr;
+
if (Idx >= size())
resize(Idx + 1);
@@ -114,8 +118,8 @@ Constant *BitcodeReaderValueList::getCon
Value *BitcodeReaderValueList::getValueFwdRef(unsigned Idx, Type *Ty,
Type **FullTy) {
- // Bail out for a clearly invalid value. This would make us call resize(0)
- if (Idx == std::numeric_limits<unsigned>::max())
+ // Bail out for a clearly invalid value.
+ if (Idx >= RefsUpperBound)
return nullptr;
if (Idx >= size())
Modified: llvm/trunk/lib/Bitcode/Reader/ValueList.h
URL: http://llvm.org/viewvc/llvm-project/llvm/trunk/lib/Bitcode/Reader/ValueList.h?rev=366017&r1=366016&r2=366017&view=diff
==============================================================================
--- llvm/trunk/lib/Bitcode/Reader/ValueList.h (original)
+++ llvm/trunk/lib/Bitcode/Reader/ValueList.h Sun Jul 14 05:35:50 2019
@@ -46,8 +46,15 @@ class BitcodeReaderValueList {
ResolveConstantsTy ResolveConstants;
LLVMContext &Context;
+ /// Maximum number of valid references. Forward references exceeding the
+ /// maximum must be invalid.
+ unsigned RefsUpperBound;
+
public:
- BitcodeReaderValueList(LLVMContext &C) : Context(C) {}
+ BitcodeReaderValueList(LLVMContext &C, size_t RefsUpperBound)
+ : Context(C),
+ RefsUpperBound(std::min((size_t)std::numeric_limits<unsigned>::max(),
+ RefsUpperBound)) {}
~BitcodeReaderValueList() {
assert(ResolveConstants.empty() && "Constants not resolved?");
Modified: llvm/trunk/test/Bitcode/pr18704.ll
URL: http://llvm.org/viewvc/llvm-project/llvm/trunk/test/Bitcode/pr18704.ll?rev=366017&r1=366016&r2=366017&view=diff
==============================================================================
--- llvm/trunk/test/Bitcode/pr18704.ll (original)
+++ llvm/trunk/test/Bitcode/pr18704.ll Sun Jul 14 05:35:50 2019
@@ -1,6 +1,6 @@
; RUN: not llvm-dis < %s.bc 2>&1 | FileCheck %s
-; CHECK: llvm-dis{{(\.EXE|\.exe)?}}: error: Never resolved value found in function
+; CHECK: llvm-dis{{(\.EXE|\.exe)?}}: error: Invalid record
; pr18704.ll.bc has an instruction referring to invalid type.
; The test checks that LLVM reports the error and doesn't access freed memory
More information about the llvm-commits
mailing list