Issue: 136772
Summary: [DWARF] llvm-debuginfo-analyzer crashes on dead code?
Labels: new issue
Assignees: (none)
Reporter: Mrmaxmeier
Hi,
I've encountered a segfault with `llvm-debuginfo-analyzer` that reproduces with `v19.1.7` and the current main branch. I've attached my original reproducer below. (`llvm-debuginfo-analyzer out/lzma-lzmadec.wasm --print=instructions`)
<details>
<summary>Crash backtrace</summary>
```
PLEASE submit a bug report to https://github.com/llvm/llvm-project/issues/ and include the crash backtrace.
Stack dump:
0. Program arguments: llvm-debuginfo-analyzer out/lzma-lzmadec.wasm --print=instructions
#0 0x000073f2de41a730 llvm::sys::PrintStackTrace(llvm::raw_ostream&, int) /usr/src/debug/llvm/llvm-19.1.7.src/lib/Support/Unix/Signals.inc:723:22
#1 0x000073f2de4176bd llvm::sys::RunSignalHandlers() /usr/src/debug/llvm/llvm-19.1.7.src/lib/Support/Signals.cpp:105:20
#2 0x000073f2de4176bd SignalHandler /usr/src/debug/llvm/llvm-19.1.7.src/lib/Support/Unix/Signals.inc:403:31
#3 0x000073f2dd64bcd0 (/usr/lib/libc.so.6+0x3dcd0)
#4 0x000073f2e29711fd nextByte /usr/src/debug/llvm/llvm-19.1.7.src/lib/Target/WebAssembly/Disassembler/WebAssemblyDisassembler.cpp:81:22
#5 0x000073f2e29711fd getInstruction /usr/src/debug/llvm/llvm-19.1.7.src/lib/Target/WebAssembly/Disassembler/WebAssemblyDisassembler.cpp:167:21
#6 0x000073f2e0c90192 llvm::logicalview::LVBinaryReader::createInstructions(llvm::logicalview::LVScope*, unsigned long, std::pair<unsigned long, unsigned long> const&) /usr/src/debug/llvm/llvm-19.1.7.src/lib/DebugInfo/LogicalView/Readers/LVBinaryReader.cpp:466:5
#7 0x000073f2e0c90fb8 llvm::Error::getPtr() const /usr/src/debug/llvm/llvm-19.1.7.src/include/llvm/Support/Error.h:282:12
#8 0x000073f2e0c90fb8 llvm::Error::operator bool() /usr/src/debug/llvm/llvm-19.1.7.src/include/llvm/Support/Error.h:242:22
#9 0x000073f2e0c90fb8 llvm::logicalview::LVBinaryReader::createInstructions() /usr/src/debug/llvm/llvm-19.1.7.src/lib/DebugInfo/LogicalView/Readers/LVBinaryReader.cpp:572:73
#10 0x000073f2e0cc9501 llvm::Error::getPtr() const /usr/src/debug/llvm/llvm-19.1.7.src/include/llvm/Support/Error.h:282:12
#11 0x000073f2e0cc9501 llvm::Error::operator bool() /usr/src/debug/llvm/llvm-19.1.7.src/include/llvm/Support/Error.h:242:22
#12 0x000073f2e0cc9501 llvm::logicalview::LVDWARFReader::createScopes() /usr/src/debug/llvm/llvm-19.1.7.src/lib/DebugInfo/LogicalView/Readers/LVDWARFReader.cpp:960:41
#13 0x000073f2e0c500c3 llvm::logicalview::LVReader::doLoad() /usr/src/debug/llvm/llvm-19.1.7.src/lib/DebugInfo/LogicalView/Core/LVReader.cpp:236:3
#14 0x000073f2e0c810f8 llvm::logicalview::LVReaderHandler::createReader(llvm::StringRef, std::vector<std::unique_ptr<llvm::logicalview::LVReader, std::default_delete<llvm::logicalview::LVReader>>, std::allocator<std::unique_ptr<llvm::logicalview::LVReader, std::default_delete<llvm::logicalview::LVReader>>>>&, llvm::PointerUnion<llvm::object::ObjectFile*, llvm::pdb::PDBFile*>&, llvm::StringRef, llvm::StringRef) /usr/src/debug/llvm/llvm-19.1.7.src/lib/DebugInfo/LogicalView/LVReaderHandler.cpp:72:1
#15 0x000073f2e0c86205 llvm::logicalview::LVReaderHandler::handleObject(std::vector<std::unique_ptr<llvm::logicalview::LVReader, std::default_delete<llvm::logicalview::LVReader>>, std::allocator<std::unique_ptr<llvm::logicalview::LVReader, std::default_delete<llvm::logicalview::LVReader>>>>&, llvm::StringRef, llvm::object::Binary&) /usr/src/debug/llvm/llvm-19.1.7.src/lib/DebugInfo/LogicalView/LVReaderHandler.cpp:247:71
#16 0x000073f2e0c831c4 std::unique_ptr<llvm::object::Binary, std::default_delete<llvm::object::Binary>>::~unique_ptr() /usr/include/c++/14.2.1/bits/unique_ptr.h:397:12
#17 0x000073f2e0c831c4 llvm::Expected<std::unique_ptr<llvm::object::Binary, std::default_delete<llvm::object::Binary>>>::~Expected() /usr/src/debug/llvm/llvm-19.1.7.src/include/llvm/Support/Error.h:564:34
#18 0x000073f2e0c831c4 llvm::Expected<std::unique_ptr<llvm::object::Binary, std::default_delete<llvm::object::Binary>>>::~Expected() /usr/src/debug/llvm/llvm-19.1.7.src/include/llvm/Support/Error.h:561:3
#19 0x000073f2e0c831c4 llvm::logicalview::LVReaderHandler::handleBuffer(std::vector<std::unique_ptr<llvm::logicalview::LVReader, std::default_delete<llvm::logicalview::LVReader>>, std::allocator<std::unique_ptr<llvm::logicalview::LVReader, std::default_delete<llvm::logicalview::LVReader>>>>&, llvm::StringRef, llvm::MemoryBufferRef, llvm::StringRef) /usr/src/debug/llvm/llvm-19.1.7.src/lib/DebugInfo/LogicalView/LVReaderHandler.cpp:198:1
#20 0x000073f2e0c847b7 std::default_delete<llvm::MemoryBuffer>::operator()(llvm::MemoryBuffer*) const /usr/include/c++/14.2.1/bits/unique_ptr.h:93:2
#21 0x000073f2e0c847b7 std::unique_ptr<llvm::MemoryBuffer, std::default_delete<llvm::MemoryBuffer>>::~unique_ptr() /usr/include/c++/14.2.1/bits/unique_ptr.h:398:17
#22 0x000073f2e0c847b7 llvm::logicalview::LVReaderHandler::handleFile(std::vector<std::unique_ptr<llvm::logicalview::LVReader, std::default_delete<llvm::logicalview::LVReader>>, std::allocator<std::unique_ptr<llvm::logicalview::LVReader, std::default_delete<llvm::logicalview::LVReader>>>>&, llvm::StringRef, llvm::StringRef) /usr/src/debug/llvm/llvm-19.1.7.src/lib/DebugInfo/LogicalView/LVReaderHandler.cpp:214:1
#23 0x000073f2e0c848d9 llvm::Error::getPtr() const /usr/src/debug/llvm/llvm-19.1.7.src/include/llvm/Support/Error.h:282:12
#24 0x000073f2e0c848d9 llvm::Error::operator bool() /usr/src/debug/llvm/llvm-19.1.7.src/include/llvm/Support/Error.h:242:22
#25 0x000073f2e0c848d9 llvm::logicalview::LVReaderHandler::createReaders() /usr/src/debug/llvm/llvm-19.1.7.src/lib/DebugInfo/LogicalView/LVReaderHandler.cpp:281:50
#26 0x000073f2e0c84c6d llvm::logicalview::LVReaderHandler::process() /usr/src/debug/llvm/llvm-19.1.7.src/lib/DebugInfo/LogicalView/LVReaderHandler.cpp:30:3
#27 0x00005fc85b4ed745 llvm::Error::getPtr() const /usr/src/debug/llvm/llvm-19.1.7.src/include/llvm/Support/Error.h:282:12
#28 0x00005fc85b4ed745 llvm::Error::operator bool() /usr/src/debug/llvm/llvm-19.1.7.src/include/llvm/Support/Error.h:242:22
#29 0x00005fc85b4ed745 main /usr/src/debug/llvm/llvm-19.1.7.src/tools/llvm-debuginfo-analyzer/llvm-debuginfo-analyzer.cpp:137:42
#30 0x000073f2dd635488 __libc_start_call_main /usr/src/debug/glibc/glibc/csu/../sysdeps/nptl/libc_start_call_main.h:74:3
#31 0x000073f2dd63554c call_init /usr/src/debug/glibc/glibc/csu/../csu/libc-start.c:128:20
#32 0x000073f2dd63554c __libc_start_main /usr/src/debug/glibc/glibc/csu/../csu/libc-start.c:347:5
#33 0x00005fc85b4f4af5 (/usr/bin/llvm-debuginfo-analyzer+0xeaf5)
fish: Job 1, 'llvm-debuginfo-analyzer out/lzma…' terminated by signal SIGSEGV (Address boundary error)
```
</details>
Looking into the crash a bit, we're crashing due to an out-of-bounds pointer that is created [here](https://github.com/llvm/llvm-project/blob/2c2ba7efd4d5f270e7dea2e6a5f0a22bd7aaecd0/llvm/lib/DebugInfo/LogicalView/Readers/LVBinaryReader.cpp#L434-L437):
```cpp
ArrayRef<uint8_t> Bytes = arrayRefFromStringRef(*SectionContentsOrErr);
uint64_t Offset = Address - SectionAddress;
uint8_t const *Begin = Bytes.data() + Offset;
uint8_t const *End = Bytes.data() + Offset + Size;
```
where `Offset` is larger than `Bytes`.
The large `Offset` happens because `LVBinaryReader::createInstructions` is called with an `LVNameInfo` of `{0x1000004bf, 0x14}` in the reproducer. It seems like the name's `LVAddress` is calculated from a "dead code" record that is encoded as `0xffffffff` in the DWARF.
`llvm-dwarfdump out/lzma-lzmadec.wasm --all` shows it like this:
```
0x000002b3: DW_TAG_subprogram
DW_AT_low_pc (dead code)
DW_AT_high_pc (0x00000362)
DW_AT_frame_base (DW_OP_WASM_location 0x0 0x6, DW_OP_stack_value)
```
I'm not familiar with DWARF and am not sure if the binary I'm using respects the DWARF spec, but it was produced by `clang`, and it seems like trusting offsets in the DWARF is probably not intended :upside_down_face:
[crasher.zip](https://github.com/user-attachments/files/19856861/crasher.zip)
Thanks!
_______________________________________________
llvm-bugs mailing list
llvm-bugs@lists.llvm.org
https://lists.llvm.org/cgi-bin/mailman/listinfo/llvm-bugs
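A bounds-checked form of the `Begin`/`End` computation quoted in the report, added here as an illustration; it is not code from the report or from LLVM. The `ByteRange` stand-in, the 0x500-byte section and the 0x4c0 base added to the tombstone are constructed assumptions.

```cpp
#include <cstdint>
#include <optional>
#include <vector>

// Stand-in for the Begin/End pair LVBinaryReader::createInstructions hands to
// the disassembler (constructed for this example).
struct ByteRange { const uint8_t *Begin; const uint8_t *End; };

// Linkers mark dead code by setting DW_AT_low_pc to an all-ones tombstone of
// the target's address size (0xffffffff for 32-bit wasm addresses).
bool isDeadCodeAddress(uint64_t LowPC, unsigned AddressSize) {
  return AddressSize == 4 ? (LowPC & 0xffffffffULL) == 0xffffffffULL
                          : LowPC == ~0ULL;
}

// Bounds-checked form of the pointer computation quoted in the issue: reject
// the range instead of forming pointers past the end of Bytes.
std::optional<ByteRange> sliceSection(const std::vector<uint8_t> &Bytes,
                                      uint64_t SectionAddress,
                                      uint64_t Address, uint64_t Size) {
  if (Address < SectionAddress)           // unsigned subtraction would wrap
    return std::nullopt;
  uint64_t Offset = Address - SectionAddress;
  if (Offset > Bytes.size() || Size > Bytes.size() - Offset)
    return std::nullopt;                  // Offset or Offset+Size out of range
  return ByteRange{Bytes.data() + Offset, Bytes.data() + Offset + Size};
}

// Constructed sample: a 0x500-byte code section filled with wasm `end` (0x0b).
std::vector<uint8_t> constructedCodeSection() {
  return std::vector<uint8_t>(0x500, 0x0b);
}

// Accepted slice length, or -1 when sliceSection rejected the range.
long sliceLength(uint64_t SectionAddress, uint64_t Address, uint64_t Size) {
  std::vector<uint8_t> Bytes = constructedCodeSection();
  std::optional<ByteRange> R = sliceSection(Bytes, SectionAddress, Address, Size);
  return R ? static_cast<long>(R->End - R->Begin) : -1;
}

// Test the tombstone before adding any base address: 0xffffffff + 0x4c0 is
// 0x1000004bf, the address in the reproducer (that the reader adds a 0x4c0
// base is an assumption made here). Returns -2 for a skipped dead-code scope.
long sliceForLowPC(uint64_t LowPC, unsigned AddressSize, uint64_t Base,
                   uint64_t Size) {
  if (isDeadCodeAddress(LowPC, AddressSize))
    return -2;
  return sliceLength(0, LowPC + Base, Size);
}
```

The tombstone check and the bounds check are independent: even if a dead-code record slips past the first, the second still refuses to create an out-of-range pointer.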