
LLVM Buffer Overflow LLVMPointsToSet.Global_01

Open blipper opened this issue 4 years ago • 3 comments

Bug description

Running with ASan, I get a failure on Global, but Intra and Inter pass.

```
[ RUN      ] LLVMPointsToSet.Global_01
==2106==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x6040002c3dc8 at pc 0x7f7fdfa84a12 bp 0x7ffe1fc04520 sp 0x7ffe1fc04518
READ of size 1 at 0x6040002c3dc8 thread T0
    #0 0x7f7fdfa84a11 in getValueID third_party/llvm/llvm-project/llvm/include/llvm/IR/Value.h:532:12
    #1 0x7f7fdfa84a11 in getOpcode third_party/llvm/llvm-project/llvm/include/llvm/IR/Instruction.h:160:39
    #2 0x7f7fdfa84a11 in isTerminator third_party/llvm/llvm-project/llvm/include/llvm/IR/Instruction.h:163:51
    #3 0x7f7fdfa84a11 in llvm::BasicBlock::getTerminator() const third_party/llvm/llvm-project/llvm/lib/IR/BasicBlock.cpp:149:44
    #4 0x7f7fdfc67462 in getTerminator third_party/llvm/llvm-project/llvm/include/llvm/IR/BasicBlock.h:125:48
    #5 0x7f7fdfc67462 in succ_begin third_party/llvm/llvm-project/llvm/include/llvm/IR/CFG.h:268:28
    #6 0x7f7fdfc67462 in child_begin third_party/llvm/llvm-project/llvm/include/llvm/IR/CFG.h:304:60
    #7 0x7f7fdfc67462 in children<llvm::BasicBlock*> third_party/llvm/llvm-project/llvm/include/llvm/ADT/GraphTraits.h:122:21
    #8 0x7f7fdfc67462 in llvm::SmallVector<llvm::BasicBlock*, 8u> llvm::DomTreeBuilder::SemiNCAInfo<llvm::DominatorTreeBase<llvm::BasicBlock, false> >::getChildren(llvm::BasicBlock*) third_party/llvm/llvm-project/llvm/include/llvm/Support/GenericDomTreeConstruction.h:118:14
    #9 0x7f7fdfc63fa8 in getChildren third_party/llvm/llvm-project/llvm/include/llvm/Support/GenericDomTreeConstruction.h:111:12
    #10 0x7f7fdfc63fa8 in unsigned int llvm::DomTreeBuilder::SemiNCAInfo<llvm::DominatorTreeBase<llvm::BasicBlock, false> >::runDFS<false, bool (*)(llvm::BasicBlock*, llvm::BasicBlock*)>(llvm::BasicBlock*, unsigned int, bool (*)(llvm::BasicBlock*, llvm::BasicBlock*), unsigned int, llvm::DenseMap<llvm::BasicBlock*, unsigned int, llvm::DenseMapInfo<llvm::BasicBlock*>, llvm::detail::DenseMapPair<llvm::BasicBlock*, unsigned int> > const*) third_party/llvm/llvm-project/llvm/include/llvm/Support/GenericDomTreeConstruction.h:197:25
    #11 0x7f7fdfc60a70 in void llvm::DomTreeBuilder::SemiNCAInfo<llvm::DominatorTreeBase<llvm::BasicBlock, false> >::doFullDFSWalk<bool (*)(llvm::BasicBlock*, llvm::BasicBlock*)>(llvm::DominatorTreeBase<llvm::BasicBlock, false> const&, bool (*)(llvm::BasicBlock*, llvm::BasicBlock*)) third_party/llvm/llvm-project/llvm/include/llvm/Support/GenericDomTreeConstruction.h:551:7
    #12 0x7f7fdfc42d36 in llvm::DomTreeBuilder::SemiNCAInfo<llvm::DominatorTreeBase<llvm::BasicBlock, false> >::CalculateFromScratch(llvm::DominatorTreeBase<llvm::BasicBlock, false>&, llvm::DomTreeBuilder::SemiNCAInfo<llvm::DominatorTreeBase<llvm::BasicBlock, false> >::BatchUpdateInfo*) third_party/llvm/llvm-project/llvm/include/llvm/Support/GenericDomTreeConstruction.h:579:10
    #13 0x7f7fdfc2f378 in Calculate<llvm::DominatorTreeBase<llvm::BasicBlock, false> > third_party/llvm/llvm-project/llvm/include/llvm/Support/GenericDomTreeConstruction.h:1563:3
    #14 0x7f7fdfc2f378 in recalculate third_party/llvm/llvm-project/llvm/include/llvm/Support/GenericDomTree.h:780:5
    #15 0x7f7fdfc2f378 in llvm::DominatorTreeAnalysis::run(llvm::Function&, llvm::AnalysisManager<llvm::Function>&) third_party/llvm/llvm-project/llvm/lib/IR/Dominators.cpp:363:6
    #16 0x7f8147561118 in llvm::detail::AnalysisPassModel<llvm::Function, llvm::DominatorTreeAnalysis, llvm::PreservedAnalyses, llvm::AnalysisManager<llvm::Function>::Invalidator>::run(llvm::Function&, llvm::AnalysisManager<llvm::Function>&) third_party/llvm/llvm-project/llvm/include/llvm/IR/PassManagerInternal.h:315:14
    #17 0x7f7fdfe651b1 in llvm::AnalysisManager<llvm::Function>::getResultImpl(llvm::AnalysisKey*, llvm::Function&) third_party/llvm/llvm-project/llvm/include/llvm/IR/PassManagerImpl.h:75:35
    #18 0x7f8031443db4 in getResult<llvm::DominatorTreeAnalysis> third_party/llvm/llvm-project/llvm/include/llvm/IR/PassManager.h:789:9
    #19 0x7f8031443db4 in llvm::BasicAA::run(llvm::Function&, llvm::AnalysisManager<llvm::Function>&) third_party/llvm/llvm-project/llvm/lib/Analysis/BasicAliasAnalysis.cpp:1758:18
    #20 0x7f814756d0d3 in llvm::detail::AnalysisPassModel<llvm::Function, llvm::BasicAA, llvm::PreservedAnalyses, llvm::AnalysisManager<llvm::Function>::Invalidator>::run(llvm::Function&, llvm::AnalysisManager<llvm::Function>&) third_party/llvm/llvm-project/llvm/include/llvm/IR/PassManagerInternal.h:315:14
    #21 0x7f7fdfe651b1 in llvm::AnalysisManager<llvm::Function>::getResultImpl(llvm::AnalysisKey*, llvm::Function&) third_party/llvm/llvm-project/llvm/include/llvm/IR/PassManagerImpl.h:75:35
    #22 0x7f8148266e66 in getResult<llvm::BasicAA> third_party/llvm/llvm-project/llvm/include/llvm/IR/PassManager.h:789:9
    #23 0x7f8148266e66 in void llvm::AAManager::getFunctionAAResultImpl<llvm::BasicAA>(llvm::Function&, llvm::AnalysisManager<llvm::Function>&, llvm::AAResults&) third_party/llvm/llvm-project/llvm/include/llvm/Analysis/AliasAnalysis.h:1248:39
    #24 0x7f80313df107 in llvm::AAManager::run(llvm::Function&, llvm::AnalysisManager<llvm::Function>&) third_party/llvm/llvm-project/llvm/lib/Analysis/AliasAnalysis.cpp:927:5
    #25 0x7f814826cf95 in llvm::detail::AnalysisPassModel<llvm::Function, llvm::AAManager, llvm::PreservedAnalyses, llvm::AnalysisManager<llvm::Function>::Invalidator>::run(llvm::Function&, llvm::AnalysisManager<llvm::Function>&) third_party/llvm/llvm-project/llvm/include/llvm/IR/PassManagerInternal.h:315:14
    #26 0x7f7fdfe651b1 in llvm::AnalysisManager<llvm::Function>::getResultImpl(llvm::AnalysisKey*, llvm::Function&) third_party/llvm/llvm-project/llvm/include/llvm/IR/PassManagerImpl.h:75:35
    #27 0x7f814825d22f in getResult<llvm::AAManager> third_party/llvm/llvm-project/llvm/include/llvm/IR/PassManager.h:789:9
    #28 0x7f814825d22f in psr::LLVMBasedPointsToAnalysis::computePointsToInfo(llvm::Function&) third_party/phasar/lib/PhasarLLVM/Pointer/LLVMBasedPointsToAnalysis.cpp:92:30
    #29 0x7f814829bc60 in getAAResults third_party/phasar/include/phasar/PhasarLLVM/Pointer/LLVMBasedPointsToAnalysis.h:55:7
    #30 0x7f814829bc60 in psr::LLVMPointsToSet::LLVMPointsToSet(psr::ProjectIRDB&, bool, psr::PointerAnalysisType) third_party/phasar/lib/PhasarLLVM/Pointer/LLVMPointsToSet.cpp:50:22
    #31 0x7f81488f8a3a in LLVMPointsToSet_Global_01_Test::TestBody() third_party/phasar/unittests/PhasarLLVM/Pointer/LLVMPointsToSetTest.cpp:43:19
    #32 0x7f7ff4907041 in void testing::internal::HandleExceptionsInMethodIfSupported<testing::Test, void>(testing::Test*, void (testing::Test::*)(), char const*) third_party/googletest/googletest/src/gtest.cc
    #33 0x7f7ff48bdaa0 in testing::Test::Run() third_party/googletest/googletest/src/gtest.cc:2682:5
    #34 0x7f7ff48bfcc4 in testing::TestInfo::Run() third_party/googletest/googletest/src/gtest.cc:2861:11
    #35 0x7f7ff48c1a4f in testing::TestSuite::Run() third_party/googletest/googletest/src/gtest.cc:3015:28
    #36 0x7f7ff48f625f in testing::internal::UnitTestImpl::RunAllTests() third_party/googletest/googletest/src/gtest.cc:5851:44
    #37 0x7f7ff48f548b in HandleExceptionsInMethodIfSupported<testing::internal::UnitTestImpl, bool> third_party/googletest/googletest/src/gtest.cc
    #38 0x7f7ff48f548b in testing::UnitTest::Run() third_party/googletest/googletest/src/gtest.cc:5434:10
    #39 0x7f81488f969f in RUN_ALL_TESTS third_party/googletest/googletest/include/gtest/gtest.h:2495:46
    #40 0x7f81488f969f in main third_party/phasar/unittests/PhasarLLVM/Pointer/LLVMPointsToSetTest.cpp:61:10
    #41 0x7f813c68cbbc in __libc_start_main (/usr/grte/v4/lib64/libc.so.6+0x38bbc)
    #42 0x560b118a4ca8 in _start /usr/grte/v4/debug-src/src/csu/../sysdeps/x86_64/start.S:108

0x6040002c3dc8 is located 8 bytes to the left of 40-byte region [0x6040002c3dd0,0x6040002c3df8)
allocated by thread T0 here:
    #0 0x560b11958bdd in operator new(unsigned long) third_party/llvm/llvm-project/compiler-rt/lib/asan/asan_new_delete.cpp:99:3
    #1 0x7f7fdfcd119f in __libcpp_operator_new third_party/crosstool/v18/stable/toolchain/bin/../include/c++/v1/new:235:10
    #2 0x7f7fdfcd119f in __libcpp_allocate third_party/crosstool/v18/stable/toolchain/bin/../include/c++/v1/new:261:10
    #3 0x7f7fdfcd119f in allocate third_party/crosstool/v18/stable/toolchain/bin/../include/c++/v1/memory:784:38
    #4 0x7f7fdfcd119f in llvm::Function::BuildLazyArguments() const third_party/llvm/llvm-project/llvm/lib/IR/Function.cpp:396:44
    #5 0x7f81408ca73a in CheckLazyArguments third_party/llvm/llvm-project/llvm/include/llvm/IR/Function.h:113:7
    #6 0x7f81408ca73a in arg_begin third_party/llvm/llvm-project/llvm/include/llvm/IR/Function.h:780:5
    #7 0x7f81408ca73a in llvm::LLParser::parseFunctionHeader(llvm::Function*&, bool) third_party/llvm/llvm-project/llvm/lib/AsmParser/LLParser.cpp:5927:38
    #8 0x7f81408bcad9 in llvm::LLParser::parseDeclare() third_party/llvm/llvm-project/llvm/lib/AsmParser/LLParser.cpp:553:7
    #9 0x7f81408b5bc5 in llvm::LLParser::parseTopLevelEntities() third_party/llvm/llvm-project/llvm/lib/AsmParser/LLParser.cpp:348:11
    #10 0x7f81408b57d3 in llvm::LLParser::Run(bool, llvm::function_ref<llvm::Optional<std::__u::basic_string<char, std::__u::char_traits<char>, std::__u::allocator<char> > > (llvm::StringRef)>) third_party/llvm/llvm-project/llvm/lib/AsmParser/LLParser.cpp:80:10
    #11 0x7f81409b0797 in parseAssemblyInto(llvm::MemoryBufferRef, llvm::Module*, llvm::ModuleSummaryIndex*, llvm::SMDiagnostic&, llvm::SlotMapping*, bool, llvm::function_ref<llvm::Optional<std::__u::basic_string<char, std::__u::char_traits<char>, std::__u::allocator<char> > > (llvm::StringRef)>) third_party/llvm/llvm-project/llvm/lib/AsmParser/Parser.cpp:36:8
    #12 0x7f81409b0b5e in parseAssemblyInto third_party/llvm/llvm-project/llvm/lib/AsmParser/Parser.cpp:43:10
    #13 0x7f81409b0b5e in llvm::parseAssembly(llvm::MemoryBufferRef, llvm::SMDiagnostic&, llvm::LLVMContext&, llvm::SlotMapping*, llvm::function_ref<llvm::Optional<std::__u::basic_string<char, std::__u::char_traits<char>, std::__u::allocator<char> > > (llvm::StringRef)>) third_party/llvm/llvm-project/llvm/lib/AsmParser/Parser.cpp:54:7
    #14 0x7f8140f1dd97 in llvm::parseIR(llvm::MemoryBufferRef, llvm::SMDiagnostic&, llvm::LLVMContext&, llvm::function_ref<llvm::Optional<std::__u::basic_string<char, std::__u::char_traits<char>, std::__u::allocator<char> > > (llvm::StringRef)>) third_party/llvm/llvm-project/llvm/lib/IRReader/IRReader.cpp:88:10
    #15 0x7f8140f1eb73 in llvm::parseIRFile(llvm::StringRef, llvm::SMDiagnostic&, llvm::LLVMContext&, llvm::function_ref<llvm::Optional<std::__u::basic_string<char, std::__u::char_traits<char>, std::__u::allocator<char> > > (llvm::StringRef)>) third_party/llvm/llvm-project/llvm/lib/IRReader/IRReader.cpp:102:10
    #16 0x7f8147fb55df in psr::ProjectIRDB::ProjectIRDB(std::__u::vector<std::__u::basic_string<char, std::__u::char_traits<char>, std::__u::allocator<char> >, std::__u::allocator<std::__u::basic_string<char, std::__u::char_traits<char>, std::__u::allocator<char> > > > const&, psr::IRDBOptions) third_party/phasar/lib/DB/ProjectIRDB.cpp:69:41
    #17 0x7f81488f896d in LLVMPointsToSet_Global_01_Test::TestBody() third_party/phasar/unittests/PhasarLLVM/Pointer/LLVMPointsToSetTest.cpp:42:15
    #18 0x7f7ff4907041 in void testing::internal::HandleExceptionsInMethodIfSupported<testing::Test, void>(testing::Test*, void (testing::Test::*)(), char const*) third_party/googletest/googletest/src/gtest.cc
    #19 0x7f7ff48bdaa0 in testing::Test::Run() third_party/googletest/googletest/src/gtest.cc:2682:5
    #20 0x7f7ff48bfcc4 in testing::TestInfo::Run() third_party/googletest/googletest/src/gtest.cc:2861:11
    #21 0x7f7ff48c1a4f in testing::TestSuite::Run() third_party/googletest/googletest/src/gtest.cc:3015:28
    #22 0x7f7ff48f625f in testing::internal::UnitTestImpl::RunAllTests() third_party/googletest/googletest/src/gtest.cc:5851:44
    #23 0x7f7ff48f548b in HandleExceptionsInMethodIfSupported<testing::internal::UnitTestImpl, bool> third_party/googletest/googletest/src/gtest.cc
    #24 0x7f7ff48f548b in testing::UnitTest::Run() third_party/googletest/googletest/src/gtest.cc:5434:10
    #25 0x7f81488f969f in RUN_ALL_TESTS third_party/googletest/googletest/include/gtest/gtest.h:2495:46
    #26 0x7f81488f969f in main third_party/phasar/unittests/PhasarLLVM/Pointer/LLVMPointsToSetTest.cpp:61:10
    #27 0x7f813c68cbbc in __libc_start_main (/usr/grte/v4/lib64/libc.so.6+0x38bbc)
    #28 0x560b118a4ca8 in _start /usr/grte/v4/debug-src/src/csu/../sysdeps/x86_64/start.S:108

SUMMARY: AddressSanitizer: heap-buffer-overflow third_party/llvm/llvm-project/llvm/include/llvm/IR/Value.h:532:12 in getValueID
Shadow bytes around the buggy address:
  0x0c0880050760: fa fa fd fd fd fd fd fd fa fa 00 00 00 00 00 fa
  0x0c0880050770: fa fa fd fd fd fd fd fd fa fa 00 00 00 00 00 05
  0x0c0880050780: fa fa 00 00 00 00 00 fa fa fa 00 00 00 00 02 fa
  0x0c0880050790: fa fa 00 00 00 00 06 fa fa fa 00 00 00 00 00 fa
  0x0c08800507a0: fa fa 00 00 00 00 00 fa fa fa 00 00 00 00 00 fa
=>0x0c08800507b0: fa fa 00 00 00 00 00 fa fa[fa]00 00 00 00 00 fa
  0x0c08800507c0: fa fa 00 00 00 00 00 fa fa fa 00 00 00 00 00 fa
  0x0c08800507d0: fa fa 00 00 00 00 00 fa fa fa 00 00 00 00 00 fa
  0x0c08800507e0: fa fa 00 00 00 00 00 fa fa fa 00 00 00 00 00 fa
  0x0c08800507f0: fa fa fd fd fd fd fd fd fa fa fd fd fd fd fd fd
  0x0c0880050800: fa fa fd fd fd fd fd fd fa fa fd fd fd fd fd fd
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
  Shadow gap:              cc
==2106==ABORTING
E0416 11:33:31.865778 2106 allocator.cc:201] RAW:

*** Would you like to find many more bugs? ***
*** See http://go/google3-fuzzing ***

-- Forge runner: Test failed with exit code 1 while running on ixc1.prod.google.com
```

Steps to reproduce

1. Use latest LLVM
2. Run tests with ASan

blipper avatar Apr 16 '21 18:04 blipper

Running the opt basic pass works without a crash

```
rossmartin@thebeast:/google/src/cloud/rossmartin/phasar/google3$ blaze run --config=asan //third_party/llvm/llvm-project/llvm:opt -- -basic-aa /tmp/aes_ctr_boringssl_test.bc -disable-output -stats
INFO: Build options --cc_output_directory_tag, --compiler, --copt, and 8 more have changed, discarding analysis cache.
INFO: Analyzed target //third_party/llvm/llvm-project/llvm:opt (0 packages loaded, 17657 targets configured).
INFO: Found 1 target...
Target //third_party/llvm/llvm-project/llvm:opt up-to-date:
  blaze-bin/third_party/llvm/llvm-project/llvm/opt
INFO: Elapsed time: 20.098s, Forge stats: 7/16 actions cached, 27.2s CPU used, 0.0s queue time, 405.9 MB ObjFS output (novel bytes: 365.9 MB), 0.0 MB local output, Critical Path: 18.35s, Remote (95.09% of the time): [queue: 0.00%, setup: 13.89%, process: 72.41%]
INFO: Build completed successfully, 14 total actions
INFO: Build completed successfully, 14 total actions
===-------------------------------------------------------------------------===
                          ... Statistics Collected ...
===-------------------------------------------------------------------------===

2028956 bitcode-reader - Number of Metadata records loaded
 296451 bitcode-reader - Number of MDStrings loaded

rossmartin@thebeast:/google/src/cloud/rossmartin/phasar/google3$
```

blipper avatar Apr 16 '21 19:04 blipper

Disabling BasicAA allows this to continue

blipper avatar Apr 16 '21 21:04 blipper

@blipper does the issue still exist?

MMory avatar May 06 '22 14:05 MMory

Closing as it does not seem to be relevant any more.

MMory avatar Dec 01 '22 13:12 MMory