| Issue | 122066 |
| --- | --- |
| Summary | Assertion `Uses->count(DRE) && "DRE not found or claimed by multiple matchers!"' failed. |
| Labels | new issue |
| Assignees | |
| Reporter | marckwei |
[reproduce.zip](https://github.com/user-attachments/files/18344134/reproduce.zip)
[1463/2448] Building CXX object Source/_javascript_Core/CMak...ivedSources/unified-sources/UnifiedSource-3a52ce78-1.cpp.o
FAILED: Source/_javascript_Core/CMakeFiles/_javascript_Core.dir/__/__/_javascript_Core/DerivedSources/unified-sources/UnifiedSource-3a52ce78-1.cpp.o
/data/workspace/WasmAFL/afl-clang-fast++ -DBUILDING_JSCONLY__ -DBUILDING_JavaScriptCore -DBUILDING_WEBKIT=1 -DBUILDING_WITH_CMAKE=1 -DHAVE_CONFIG_H=1 -DPAS_BMALLOC=1 -DSTATICALLY_LINKED_WITH_WTF -DSTATICALLY_LINKED_WITH_bmalloc -I/data/workspace/WebKit/wasmasan/JSCOnly/Debug/_javascript_Core/Headers -I/data/workspace/WebKit/wasmasan/JSCOnly/Debug -I/data/workspace/WebKit/Source/_javascript_Core -I/data/workspace/WebKit/Source/_javascript_Core/API -I/data/workspace/WebKit/Source/_javascript_Core/assembler -I/data/workspace/WebKit/Source/_javascript_Core/b3 -I/data/workspace/WebKit/Source/_javascript_Core/b3/air -I/data/workspace/WebKit/Source/_javascript_Core/bindings -I/data/workspace/WebKit/Source/_javascript_Core/builtins -I/data/workspace/WebKit/Source/_javascript_Core/bytecode -I/data/workspace/WebKit/Source/_javascript_Core/bytecompiler -I/data/workspace/WebKit/Source/_javascript_Core/dfg -I/data/workspace/WebKit/Source/_javascript_Core/disassembler -I/data/workspace/WebKit/Source/_javascript_Core/disassembler/ARM64 -I/data/workspace/WebKit/Source/_javascript_Core/disassembler/zydis/Zydis -I/data/workspace/WebKit/Source/_javascript_Core/domjit -I/data/workspace/WebKit/Source/_javascript_Core/ftl -I/data/workspace/WebKit/Source/_javascript_Core/fuzzilli -I/data/workspace/WebKit/Source/_javascript_Core/heap -I/data/workspace/WebKit/Source/_javascript_Core/debugger -I/data/workspace/WebKit/Source/_javascript_Core/inspector -I/data/workspace/WebKit/Source/_javascript_Core/inspector/agents -I/data/workspace/WebKit/Source/_javascript_Core/inspector/augmentable -I/data/workspace/WebKit/Source/_javascript_Core/inspector/remote -I/data/workspace/WebKit/Source/_javascript_Core/interpreter -I/data/workspace/WebKit/Source/_javascript_Core/jit -I/data/workspace/WebKit/Source/_javascript_Core/llint -I/data/workspace/WebKit/Source/_javascript_Core/parser -I/data/workspace/WebKit/Source/_javascript_Core/profiler -I/data/workspace/WebKit/Source/_javascript_Core/runtime 
-I/data/workspace/WebKit/Source/_javascript_Core/tools -I/data/workspace/WebKit/Source/_javascript_Core/wasm -I/data/workspace/WebKit/Source/_javascript_Core/wasm/js -I/data/workspace/WebKit/Source/_javascript_Core/yarr -I/data/workspace/WebKit/wasmasan/JSCOnly/Debug/_javascript_Core/DerivedSources -I/data/workspace/WebKit/wasmasan/JSCOnly/Debug/_javascript_Core/DerivedSources/inspector -I/data/workspace/WebKit/wasmasan/JSCOnly/Debug/_javascript_Core/DerivedSources/runtime -I/data/workspace/WebKit/wasmasan/JSCOnly/Debug/_javascript_Core/DerivedSources/yarr -I/data/workspace/WebKit/wasmasan/JSCOnly/Debug/WTF/Headers -I/data/workspace/WebKit/wasmasan/JSCOnly/Debug/bmalloc/Headers -fdiagnostics-color=always -fcolor-diagnostics -Wextra -Wall -Werror=undefined-internal -Werror=undefined-inline -pipe -Wno-noexcept-type -Wno-psabi -Wno-misleading-indentation -Wno-parentheses-equality -Qunused-arguments -Wundef -Wpointer-arith -Wmissing-format-attribute -Wformat-security -Wcast-align -Wno-tautological-compare -fasynchronous-unwind-tables -fdebug-types-section -fno-strict-aliasing -fno-exceptions -fno-rtti -fcoroutines -ffunction-sections -fdata-sections -O0 -g3 -fno-inline -fno-omit-frame-pointer -fsanitize=address -fPIC -fvisibility=hidden -fvisibility-inlines-hidden -Wunsafe-buffer-usage -fsafe-buffer-usage-suggestions -ffp-contract=off -fno-slp-vectorize -std=c++2b -MD -MT Source/_javascript_Core/CMakeFiles/_javascript_Core.dir/__/__/_javascript_Core/DerivedSources/unified-sources/UnifiedSource-3a52ce78-1.cpp.o -MF Source/_javascript_Core/CMakeFiles/_javascript_Core.dir/__/__/_javascript_Core/DerivedSources/unified-sources/UnifiedSource-3a52ce78-1.cpp.o.d -o Source/_javascript_Core/CMakeFiles/_javascript_Core.dir/__/__/_javascript_Core/DerivedSources/unified-sources/UnifiedSource-3a52ce78-1.cpp.o -c /data/workspace/WebKit/wasmasan/JSCOnly/Debug/_javascript_Core/DerivedSources/unified-sources/UnifiedSource-3a52ce78-1.cpp
clang++.original: /data/workspace/llvm-project/clang/lib/Analysis/UnsafeBufferUsage.cpp:835: void {anonymous}::DeclUseTracker::claimUse(const clang::DeclRefExpr*): Assertion `Uses->count(DRE) && "DRE not found or claimed by multiple matchers!"' failed.
PLEASE submit a bug report to https://github.com/llvm/llvm-project/issues/ and include the crash backtrace, preprocessed source, and associated run script.
Stack dump:
0. Program arguments: /usr/local/llvm-17/bin/clang++.original -Wno-unused-command-line-argument -fpass-plugin=/data/workspace/WasmAFL/SanitizerCoveragePCGUARD.so -DBUILDING_JSCONLY__ -DBUILDING_JavaScriptCore -DBUILDING_WEBKIT=1 -DBUILDING_WITH_CMAKE=1 -DHAVE_CONFIG_H=1 -DPAS_BMALLOC=1 -DSTATICALLY_LINKED_WITH_WTF -DSTATICALLY_LINKED_WITH_bmalloc -I/data/workspace/WebKit/wasmasan/JSCOnly/Debug/_javascript_Core/Headers -I/data/workspace/WebKit/wasmasan/JSCOnly/Debug -I/data/workspace/WebKit/Source/_javascript_Core -I/data/workspace/WebKit/Source/_javascript_Core/API -I/data/workspace/WebKit/Source/_javascript_Core/assembler -I/data/workspace/WebKit/Source/_javascript_Core/b3 -I/data/workspace/WebKit/Source/_javascript_Core/b3/air -I/data/workspace/WebKit/Source/_javascript_Core/bindings -I/data/workspace/WebKit/Source/_javascript_Core/builtins -I/data/workspace/WebKit/Source/_javascript_Core/bytecode -I/data/workspace/WebKit/Source/_javascript_Core/bytecompiler -I/data/workspace/WebKit/Source/_javascript_Core/dfg -I/data/workspace/WebKit/Source/_javascript_Core/disassembler -I/data/workspace/WebKit/Source/_javascript_Core/disassembler/ARM64 -I/data/workspace/WebKit/Source/_javascript_Core/disassembler/zydis/Zydis -I/data/workspace/WebKit/Source/_javascript_Core/domjit -I/data/workspace/WebKit/Source/_javascript_Core/ftl -I/data/workspace/WebKit/Source/_javascript_Core/fuzzilli -I/data/workspace/WebKit/Source/_javascript_Core/heap -I/data/workspace/WebKit/Source/_javascript_Core/debugger -I/data/workspace/WebKit/Source/_javascript_Core/inspector -I/data/workspace/WebKit/Source/_javascript_Core/inspector/agents -I/data/workspace/WebKit/Source/_javascript_Core/inspector/augmentable -I/data/workspace/WebKit/Source/_javascript_Core/inspector/remote -I/data/workspace/WebKit/Source/_javascript_Core/interpreter -I/data/workspace/WebKit/Source/_javascript_Core/jit -I/data/workspace/WebKit/Source/_javascript_Core/llint -I/data/workspace/WebKit/Source/_javascript_Core/parser 
-I/data/workspace/WebKit/Source/_javascript_Core/profiler -I/data/workspace/WebKit/Source/_javascript_Core/runtime -I/data/workspace/WebKit/Source/_javascript_Core/tools -I/data/workspace/WebKit/Source/_javascript_Core/wasm -I/data/workspace/WebKit/Source/_javascript_Core/wasm/js -I/data/workspace/WebKit/Source/_javascript_Core/yarr -I/data/workspace/WebKit/wasmasan/JSCOnly/Debug/_javascript_Core/DerivedSources -I/data/workspace/WebKit/wasmasan/JSCOnly/Debug/_javascript_Core/DerivedSources/inspector -I/data/workspace/WebKit/wasmasan/JSCOnly/Debug/_javascript_Core/DerivedSources/runtime -I/data/workspace/WebKit/wasmasan/JSCOnly/Debug/_javascript_Core/DerivedSources/yarr -I/data/workspace/WebKit/wasmasan/JSCOnly/Debug/WTF/Headers -I/data/workspace/WebKit/wasmasan/JSCOnly/Debug/bmalloc/Headers -fdiagnostics-color=always -fcolor-diagnostics -Wextra -Wall -Werror=undefined-internal -Werror=undefined-inline -pipe -Wno-noexcept-type -Wno-psabi -Wno-misleading-indentation -Wno-parentheses-equality -Qunused-arguments -Wundef -Wpointer-arith -Wmissing-format-attribute -Wformat-security -Wcast-align -Wno-tautological-compare -fasynchronous-unwind-tables -fdebug-types-section -fno-strict-aliasing -fno-exceptions -fno-rtti -fcoroutines -ffunction-sections -fdata-sections -O0 -g3 -fno-inline -fno-omit-frame-pointer -fsanitize=address -fPIC -fvisibility=hidden -fvisibility-inlines-hidden -Wunsafe-buffer-usage -fsafe-buffer-usage-suggestions -ffp-contract=off -fno-slp-vectorize -std=c++2b -MD -MT Source/_javascript_Core/CMakeFiles/_javascript_Core.dir/__/__/_javascript_Core/DerivedSources/unified-sources/UnifiedSource-3a52ce78-1.cpp.o -MF Source/_javascript_Core/CMakeFiles/_javascript_Core.dir/__/__/_javascript_Core/DerivedSources/unified-sources/UnifiedSource-3a52ce78-1.cpp.o.d -o Source/_javascript_Core/CMakeFiles/_javascript_Core.dir/__/__/_javascript_Core/DerivedSources/unified-sources/UnifiedSource-3a52ce78-1.cpp.o -c 
/data/workspace/WebKit/wasmasan/JSCOnly/Debug/_javascript_Core/DerivedSources/unified-sources/UnifiedSource-3a52ce78-1.cpp -U_FORTIFY_SOURCE -g -funroll-loops -D__AFL_COMPILER=1 -DFUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION=1 "-D__AFL_COVERAGE()=int __afl_selective_coverage = 1;extern \"C\" void __afl_coverage_discard();extern \"C\" void __afl_coverage_skip();extern \"C\" void __afl_coverage_on();extern \"C\" void __afl_coverage_off();" "-D__AFL_COVERAGE_START_OFF()=int __afl_selective_coverage_start_off = 1;" -D__AFL_COVERAGE_ON()=__afl_coverage_on() -D__AFL_COVERAGE_OFF()=__afl_coverage_off() -D__AFL_COVERAGE_DISCARD()=__afl_coverage_discard() -D__AFL_COVERAGE_SKIP()=__afl_coverage_skip() -D__AFL_HAVE_MANUAL_CONTROL=1 "-D__AFL_FUZZ_INIT()=int __afl_sharedmem_fuzzing = 1;extern __attribute__((visibility(\"default\"))) unsigned int *__afl_fuzz_len;extern __attribute__((visibility(\"default\"))) unsigned char *__afl_fuzz_ptr;unsigned char __afl_fuzz_alt[1048576];unsigned char *__afl_fuzz_alt_ptr = __afl_fuzz_alt;" "-D__AFL_FUZZ_TESTCASE_BUF=(__afl_fuzz_ptr ? __afl_fuzz_ptr : __afl_fuzz_alt_ptr)" "-D__AFL_FUZZ_TESTCASE_LEN=(__afl_fuzz_ptr ? *__afl_fuzz_len : (*__afl_fuzz_len = read(0, __afl_fuzz_alt_ptr, 1048576)) == 0xffffffff ? 0 : *__afl_fuzz_len)" "-D__AFL_LOOP(_A)=({ static volatile const char *_B __attribute__((used,unused)); _B = (const char*)\"##SIG_AFL_PERSISTENT##\"; extern __attribute__((visibility(\"default\"))) int __afl_connected;__attribute__((visibility(\"default\"))) int _L(unsigned int) __asm__(\"__afl_persistent_loop\"); _L(__afl_connected ? _A : 1); })" "-D__AFL_INIT()=do { static volatile const char *_A __attribute__((used,unused)); _A = (const char*)\"##SIG_AFL_DEFER_FORKSRV##\"; __attribute__((visibility(\"default\"))) void _I(void) __asm__(\"__afl_manual_init\"); _I(); } while (0)"
1. <eof> parser at end of file
#0 0x000055a136cb05b0 llvm::sys::PrintStackTrace(llvm::raw_ostream&, int) (/usr/local/llvm-17/bin/clang++.original+0x3c9f5b0)
#1 0x000055a136cadecf llvm::sys::RunSignalHandlers() (/usr/local/llvm-17/bin/clang++.original+0x3c9cecf)
#2 0x000055a136bfab08 CrashRecoverySignalHandler(int) CrashRecoveryContext.cpp:0:0
#3 0x00007f5a39dd8520 (/lib/x86_64-linux-gnu/libc.so.6+0x42520)
#4 0x00007f5a39e2c9fc __pthread_kill_implementation ./nptl/pthread_kill.c:44:76
#5 0x00007f5a39e2c9fc __pthread_kill_internal ./nptl/pthread_kill.c:78:10
#6 0x00007f5a39e2c9fc pthread_kill ./nptl/pthread_kill.c:89:10
#7 0x00007f5a39dd8476 gsignal ./signal/../sysdeps/posix/raise.c:27:6
#8 0x00007f5a39dbe7f3 abort ./stdlib/abort.c:81:7
#9 0x00007f5a39dbe71b _nl_load_domain ./intl/loadmsgcat.c:1177:9
#10 0x00007f5a39dcfe96 (/lib/x86_64-linux-gnu/libc.so.6+0x39e96)
#11 0x000055a139f8d3ed findGadgets(clang::Decl const*, clang::UnsafeBufferUsageHandler const&, bool) UnsafeBufferUsage.cpp:0:0
#12 0x000055a139f949bd clang::checkUnsafeBufferUsage(clang::Decl const*, clang::UnsafeBufferUsageHandler&, bool) (/usr/local/llvm-17/bin/clang++.original+0x6f839bd)
#13 0x000055a139e43310 clang::RecursiveASTVisitor<CallableVisitor>::TraverseFunctionDecl(clang::FunctionDecl*) (/usr/local/llvm-17/bin/clang++.original+0x6e32310)
#14 0x000055a139e2d77a clang::RecursiveASTVisitor<CallableVisitor>::TraverseDeclContextHelper(clang::DeclContext*) (.part.0) AnalysisBasedWarnings.cpp:0:0
#15 0x000055a139e2c995 clang::RecursiveASTVisitor<CallableVisitor>::TraverseDecl(clang::Decl*) (/usr/local/llvm-17/bin/clang++.original+0x6e1b995)
#16 0x000055a139e2d77a clang::RecursiveASTVisitor<CallableVisitor>::TraverseDeclContextHelper(clang::DeclContext*) (.part.0) AnalysisBasedWarnings.cpp:0:0
#17 0x000055a139e4375f clang::RecursiveASTVisitor<CallableVisitor>::TraverseTranslationUnitDecl(clang::TranslationUnitDecl*) (/usr/local/llvm-17/bin/clang++.original+0x6e3275f)
#18 0x000055a139e43915 clang::sema::AnalysisBasedWarnings::IssueWarnings(clang::TranslationUnitDecl*) (/usr/local/llvm-17/bin/clang++.original+0x6e32915)
#19 0x000055a1393be283 clang::Sema::ActOnEndOfTranslationUnit() (/usr/local/llvm-17/bin/clang++.original+0x63ad283)
#20 0x000055a13925cf35 clang::Parser::ParseTopLevelDecl(clang::OpaquePtr<clang::DeclGroupRef>&, clang::Sema::ModuleImportState&) (/usr/local/llvm-17/bin/clang++.original+0x624bf35)
#21 0x000055a13924d15a clang::ParseAST(clang::Sema&, bool, bool) (/usr/local/llvm-17/bin/clang++.original+0x623c15a)
#22 0x000055a137761559 clang::FrontendAction::Execute() (/usr/local/llvm-17/bin/clang++.original+0x4750559)
#23 0x000055a1376e453e clang::CompilerInstance::ExecuteAction(clang::FrontendAction&) (/usr/local/llvm-17/bin/clang++.original+0x46d353e)
#24 0x000055a13783056f clang::ExecuteCompilerInvocation(clang::CompilerInstance*) (/usr/local/llvm-17/bin/clang++.original+0x481f56f)
#25 0x000055a13408e633 cc1_main(llvm::ArrayRef<char const*>, char const*, void*) (/usr/local/llvm-17/bin/clang++.original+0x107d633)
#26 0x000055a134087623 ExecuteCC1Tool(llvm::SmallVectorImpl<char const*>&, llvm::ToolContext const&) driver.cpp:0:0
#27 0x000055a13752ac2d void llvm::function_ref<void ()>::callback_fn<clang::driver::CC1Command::Execute(llvm::ArrayRef<std::optional<llvm::StringRef>>, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char>>*, bool*) const::'lambda'()>(long) Job.cpp:0:0
#28 0x000055a136bfafd0 llvm::CrashRecoveryContext::RunSafely(llvm::function_ref<void ()>) (/usr/local/llvm-17/bin/clang++.original+0x3be9fd0)
#29 0x000055a13752b4ae clang::driver::CC1Command::Execute(llvm::ArrayRef<std::optional<llvm::StringRef>>, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char>>*, bool*) const (.part.0) Job.cpp:0:0
#30 0x000055a1374f126a clang::driver::Compilation::ExecuteCommand(clang::driver::Command const&, clang::driver::Command const*&, bool) const (/usr/local/llvm-17/bin/clang++.original+0x44e026a)
#31 0x000055a1374f1d3d clang::driver::Compilation::ExecuteJobs(clang::driver::JobList const&, llvm::SmallVectorImpl<std::pair<int, clang::driver::Command const*>>&, bool) const (/usr/local/llvm-17/bin/clang++.original+0x44e0d3d)
#32 0x000055a1374fd27c clang::driver::Driver::ExecuteCompilation(clang::driver::Compilation&, llvm::SmallVectorImpl<std::pair<int, clang::driver::Command const*>>&) (/usr/local/llvm-17/bin/clang++.original+0x44ec27c)
#33 0x000055a13408cb0e clang_main(int, char**, llvm::ToolContext const&) (/usr/local/llvm-17/bin/clang++.original+0x107bb0e)
#34 0x000055a133f931c3 main (/usr/local/llvm-17/bin/clang++.original+0xf821c3)
#35 0x00007f5a39dbfd90 __libc_start_call_main ./csu/../sysdeps/nptl/libc_start_call_main.h:58:16
#36 0x00007f5a39dbfe40 call_init ./csu/../csu/libc-start.c:128:20
#37 0x00007f5a39dbfe40 __libc_start_main ./csu/../csu/libc-start.c:379:5
#38 0x000055a134086265 _start (/usr/local/llvm-17/bin/clang++.original+0x1075265)
clang++: error: clang frontend command failed with exit code 134 (use -v to see invocation)
clang version 17.0.6 (https://github.com/llvm/llvm-project.git 6009708b4367171ccdbf4b5905cb6a803753fe18)
Target: x86_64-unknown-linux-gnu
Thread model: posix
InstalledDir: /usr/local/llvm-17/bin
clang++: note: diagnostic msg:
********************
PLEASE ATTACH THE FOLLOWING FILES TO THE BUG REPORT:
Preprocessed source(s) and associated run script(s) are located at:
clang++: note: diagnostic msg: /tmp/UnifiedSource-3a52ce78-1-c5efaa.cpp
clang++: note: diagnostic msg: /tmp/UnifiedSource-3a52ce78-1-c5efaa.sh
clang++: note: diagnostic msg:
********************
_______________________________________________
llvm-bugs mailing list
llvm-bugs@lists.llvm.org
https://lists.llvm.org/cgi-bin/mailman/listinfo/llvm-bugs