LLVM Buffer Overflow LLVMPointsToSet.Global_01 #318
Comments
Running the opt basic pass works without a crash
rossmartin@thebeast:/google/src/cloud/rossmartin/phasar/google3$ blaze run --config=asan //third_party/llvm/llvm-project/llvm:opt -- -basic-aa /tmp/aes_ctr_boringssl_test.bc -disable-output -stats
2028956 bitcode-reader - Number of Metadata records loaded
rossmartin@thebeast:/google/src/cloud/rossmartin/phasar/google3$
Disabling BasicAA allows this to continue
@blipper does the issue still exist?
Closing as it does not seem to be relevant any more.
Bug description
Running with ASan I get a failure on Global, but intra and inter pass.
[ RUN ] LLVMPointsToSet.Global_01
==2106==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x6040002c3dc8 at pc 0x7f7fdfa84a12 bp 0x7ffe1fc04520 sp 0x7ffe1fc04518
READ of size 1 at 0x6040002c3dc8 thread T0
#0 0x7f7fdfa84a11 in getValueID third_party/llvm/llvm-project/llvm/include/llvm/IR/Value.h:532:12
#1 0x7f7fdfa84a11 in getOpcode third_party/llvm/llvm-project/llvm/include/llvm/IR/Instruction.h:160:39
#2 0x7f7fdfa84a11 in isTerminator third_party/llvm/llvm-project/llvm/include/llvm/IR/Instruction.h:163:51
#3 0x7f7fdfa84a11 in llvm::BasicBlock::getTerminator() const third_party/llvm/llvm-project/llvm/lib/IR/BasicBlock.cpp:149:44
#4 0x7f7fdfc67462 in getTerminator third_party/llvm/llvm-project/llvm/include/llvm/IR/BasicBlock.h:125:48
#5 0x7f7fdfc67462 in succ_begin third_party/llvm/llvm-project/llvm/include/llvm/IR/CFG.h:268:28
#6 0x7f7fdfc67462 in child_begin third_party/llvm/llvm-project/llvm/include/llvm/IR/CFG.h:304:60
#7 0x7f7fdfc67462 in children<llvm::BasicBlock*> third_party/llvm/llvm-project/llvm/include/llvm/ADT/GraphTraits.h:122:21
#8 0x7f7fdfc67462 in llvm::SmallVector<llvm::BasicBlock*, 8u> llvm::DomTreeBuilder::SemiNCAInfo<llvm::DominatorTreeBase<llvm::BasicBlock, false> >::getChildren(llvm::BasicBlock*) third_party/llvm/llvm-project/llvm/include/llvm/Support/GenericDomTreeConstruction.h:118:14
#9 0x7f7fdfc63fa8 in getChildren third_party/llvm/llvm-project/llvm/include/llvm/Support/GenericDomTreeConstruction.h:111:12
#10 0x7f7fdfc63fa8 in unsigned int llvm::DomTreeBuilder::SemiNCAInfo<llvm::DominatorTreeBase<llvm::BasicBlock, false> >::runDFS<false, bool (*)(llvm::BasicBlock*, llvm::BasicBlock*)>(llvm::BasicBlock*, unsigned int, bool (*)(llvm::BasicBlock*, llvm::BasicBlock*), unsigned int, llvm::DenseMap<llvm::BasicBlock*, unsigned int, llvm::DenseMapInfo<llvm::BasicBlock*>, llvm::detail::DenseMapPair<llvm::BasicBlock*, unsigned int> > const*) third_party/llvm/llvm-project/llvm/include/llvm/Support/GenericDomTreeConstruction.h:197:25
#11 0x7f7fdfc60a70 in void llvm::DomTreeBuilder::SemiNCAInfo<llvm::DominatorTreeBase<llvm::BasicBlock, false> >::doFullDFSWalk<bool (*)(llvm::BasicBlock*, llvm::BasicBlock*)>(llvm::DominatorTreeBase<llvm::BasicBlock, false> const&, bool (*)(llvm::BasicBlock*, llvm::BasicBlock*)) third_party/llvm/llvm-project/llvm/include/llvm/Support/GenericDomTreeConstruction.h:551:7
#12 0x7f7fdfc42d36 in llvm::DomTreeBuilder::SemiNCAInfo<llvm::DominatorTreeBase<llvm::BasicBlock, false> >::CalculateFromScratch(llvm::DominatorTreeBase<llvm::BasicBlock, false>&, llvm::DomTreeBuilder::SemiNCAInfo<llvm::DominatorTreeBase<llvm::BasicBlock, false> >::BatchUpdateInfo*) third_party/llvm/llvm-project/llvm/include/llvm/Support/GenericDomTreeConstruction.h:579:10
#13 0x7f7fdfc2f378 in Calculate<llvm::DominatorTreeBase<llvm::BasicBlock, false> > third_party/llvm/llvm-project/llvm/include/llvm/Support/GenericDomTreeConstruction.h:1563:3
#14 0x7f7fdfc2f378 in recalculate third_party/llvm/llvm-project/llvm/include/llvm/Support/GenericDomTree.h:780:5
#15 0x7f7fdfc2f378 in llvm::DominatorTreeAnalysis::run(llvm::Function&, llvm::AnalysisManager<llvm::Function>&) third_party/llvm/llvm-project/llvm/lib/IR/Dominators.cpp:363:6
#16 0x7f8147561118 in llvm::detail::AnalysisPassModel<llvm::Function, llvm::DominatorTreeAnalysis, llvm::PreservedAnalyses, llvm::AnalysisManager<llvm::Function>::Invalidator>::run(llvm::Function&, llvm::AnalysisManager<llvm::Function>&) third_party/llvm/llvm-project/llvm/include/llvm/IR/PassManagerInternal.h:315:14
#17 0x7f7fdfe651b1 in llvm::AnalysisManager<llvm::Function>::getResultImpl(llvm::AnalysisKey*, llvm::Function&) third_party/llvm/llvm-project/llvm/include/llvm/IR/PassManagerImpl.h:75:35
#18 0x7f8031443db4 in getResult<llvm::DominatorTreeAnalysis> third_party/llvm/llvm-project/llvm/include/llvm/IR/PassManager.h:789:9
#19 0x7f8031443db4 in llvm::BasicAA::run(llvm::Function&, llvm::AnalysisManager<llvm::Function>&) third_party/llvm/llvm-project/llvm/lib/Analysis/BasicAliasAnalysis.cpp:1758:18
#20 0x7f814756d0d3 in llvm::detail::AnalysisPassModel<llvm::Function, llvm::BasicAA, llvm::PreservedAnalyses, llvm::AnalysisManager<llvm::Function>::Invalidator>::run(llvm::Function&, llvm::AnalysisManager<llvm::Function>&) third_party/llvm/llvm-project/llvm/include/llvm/IR/PassManagerInternal.h:315:14
#21 0x7f7fdfe651b1 in llvm::AnalysisManager<llvm::Function>::getResultImpl(llvm::AnalysisKey*, llvm::Function&) third_party/llvm/llvm-project/llvm/include/llvm/IR/PassManagerImpl.h:75:35
#22 0x7f8148266e66 in getResult<llvm::BasicAA> third_party/llvm/llvm-project/llvm/include/llvm/IR/PassManager.h:789:9
#23 0x7f8148266e66 in void llvm::AAManager::getFunctionAAResultImpl<llvm::BasicAA>(llvm::Function&, llvm::AnalysisManager<llvm::Function>&, llvm::AAResults&) third_party/llvm/llvm-project/llvm/include/llvm/Analysis/AliasAnalysis.h:1248:39
#24 0x7f80313df107 in llvm::AAManager::run(llvm::Function&, llvm::AnalysisManager<llvm::Function>&) third_party/llvm/llvm-project/llvm/lib/Analysis/AliasAnalysis.cpp:927:5
#25 0x7f814826cf95 in llvm::detail::AnalysisPassModel<llvm::Function, llvm::AAManager, llvm::PreservedAnalyses, llvm::AnalysisManager<llvm::Function>::Invalidator>::run(llvm::Function&, llvm::AnalysisManager<llvm::Function>&) third_party/llvm/llvm-project/llvm/include/llvm/IR/PassManagerInternal.h:315:14
#26 0x7f7fdfe651b1 in llvm::AnalysisManager<llvm::Function>::getResultImpl(llvm::AnalysisKey*, llvm::Function&) third_party/llvm/llvm-project/llvm/include/llvm/IR/PassManagerImpl.h:75:35
#27 0x7f814825d22f in getResult<llvm::AAManager> third_party/llvm/llvm-project/llvm/include/llvm/IR/PassManager.h:789:9
#28 0x7f814825d22f in psr::LLVMBasedPointsToAnalysis::computePointsToInfo(llvm::Function&) third_party/phasar/lib/PhasarLLVM/Pointer/LLVMBasedPointsToAnalysis.cpp:92:30
#29 0x7f814829bc60 in getAAResults third_party/phasar/include/phasar/PhasarLLVM/Pointer/LLVMBasedPointsToAnalysis.h:55:7
#30 0x7f814829bc60 in psr::LLVMPointsToSet::LLVMPointsToSet(psr::ProjectIRDB&, bool, psr::PointerAnalysisType) third_party/phasar/lib/PhasarLLVM/Pointer/LLVMPointsToSet.cpp:50:22
#31 0x7f81488f8a3a in LLVMPointsToSet_Global_01_Test::TestBody() third_party/phasar/unittests/PhasarLLVM/Pointer/LLVMPointsToSetTest.cpp:43:19
#32 0x7f7ff4907041 in void testing::internal::HandleExceptionsInMethodIfSupported<testing::Test, void>(testing::Test*, void (testing::Test::*)(), char const*) third_party/googletest/googletest/src/gtest.cc
#33 0x7f7ff48bdaa0 in testing::Test::Run() third_party/googletest/googletest/src/gtest.cc:2682:5
#34 0x7f7ff48bfcc4 in testing::TestInfo::Run() third_party/googletest/googletest/src/gtest.cc:2861:11
#35 0x7f7ff48c1a4f in testing::TestSuite::Run() third_party/googletest/googletest/src/gtest.cc:3015:28
#36 0x7f7ff48f625f in testing::internal::UnitTestImpl::RunAllTests() third_party/googletest/googletest/src/gtest.cc:5851:44
#37 0x7f7ff48f548b in HandleExceptionsInMethodIfSupported<testing::internal::UnitTestImpl, bool> third_party/googletest/googletest/src/gtest.cc
#38 0x7f7ff48f548b in testing::UnitTest::Run() third_party/googletest/googletest/src/gtest.cc:5434:10
#39 0x7f81488f969f in RUN_ALL_TESTS third_party/googletest/googletest/include/gtest/gtest.h:2495:46
#40 0x7f81488f969f in main third_party/phasar/unittests/PhasarLLVM/Pointer/LLVMPointsToSetTest.cpp:61:10
#41 0x7f813c68cbbc in __libc_start_main (/usr/grte/v4/lib64/libc.so.6+0x38bbc)
#42 0x560b118a4ca8 in _start /usr/grte/v4/debug-src/src/csu/../sysdeps/x86_64/start.S:108
0x6040002c3dc8 is located 8 bytes to the left of 40-byte region [0x6040002c3dd0,0x6040002c3df8)
allocated by thread T0 here:
#0 0x560b11958bdd in operator new(unsigned long) third_party/llvm/llvm-project/compiler-rt/lib/asan/asan_new_delete.cpp:99:3
#1 0x7f7fdfcd119f in __libcpp_operator_new third_party/crosstool/v18/stable/toolchain/bin/../include/c++/v1/new:235:10
#2 0x7f7fdfcd119f in __libcpp_allocate third_party/crosstool/v18/stable/toolchain/bin/../include/c++/v1/new:261:10
#3 0x7f7fdfcd119f in allocate third_party/crosstool/v18/stable/toolchain/bin/../include/c++/v1/memory:784:38
#4 0x7f7fdfcd119f in llvm::Function::BuildLazyArguments() const third_party/llvm/llvm-project/llvm/lib/IR/Function.cpp:396:44
#5 0x7f81408ca73a in CheckLazyArguments third_party/llvm/llvm-project/llvm/include/llvm/IR/Function.h:113:7
#6 0x7f81408ca73a in arg_begin third_party/llvm/llvm-project/llvm/include/llvm/IR/Function.h:780:5
#7 0x7f81408ca73a in llvm::LLParser::parseFunctionHeader(llvm::Function*&, bool) third_party/llvm/llvm-project/llvm/lib/AsmParser/LLParser.cpp:5927:38
#8 0x7f81408bcad9 in llvm::LLParser::parseDeclare() third_party/llvm/llvm-project/llvm/lib/AsmParser/LLParser.cpp:553:7
#9 0x7f81408b5bc5 in llvm::LLParser::parseTopLevelEntities() third_party/llvm/llvm-project/llvm/lib/AsmParser/LLParser.cpp:348:11
#10 0x7f81408b57d3 in llvm::LLParser::Run(bool, llvm::function_ref<llvm::Optional<std::__u::basic_string<char, std::__u::char_traits<char>, std::__u::allocator<char> > > (llvm::StringRef)>) third_party/llvm/llvm-project/llvm/lib/AsmParser/LLParser.cpp:80:10
#11 0x7f81409b0797 in parseAssemblyInto(llvm::MemoryBufferRef, llvm::Module*, llvm::ModuleSummaryIndex*, llvm::SMDiagnostic&, llvm::SlotMapping*, bool, llvm::function_ref<llvm::Optional<std::__u::basic_string<char, std::__u::char_traits<char>, std::__u::allocator<char> > > (llvm::StringRef)>) third_party/llvm/llvm-project/llvm/lib/AsmParser/Parser.cpp:36:8
#12 0x7f81409b0b5e in parseAssemblyInto third_party/llvm/llvm-project/llvm/lib/AsmParser/Parser.cpp:43:10
#13 0x7f81409b0b5e in llvm::parseAssembly(llvm::MemoryBufferRef, llvm::SMDiagnostic&, llvm::LLVMContext&, llvm::SlotMapping*, llvm::function_ref<llvm::Optional<std::__u::basic_string<char, std::__u::char_traits<char>, std::__u::allocator<char> > > (llvm::StringRef)>) third_party/llvm/llvm-project/llvm/lib/AsmParser/Parser.cpp:54:7
#14 0x7f8140f1dd97 in llvm::parseIR(llvm::MemoryBufferRef, llvm::SMDiagnostic&, llvm::LLVMContext&, llvm::function_ref<llvm::Optional<std::__u::basic_string<char, std::__u::char_traits<char>, std::__u::allocator<char> > > (llvm::StringRef)>) third_party/llvm/llvm-project/llvm/lib/IRReader/IRReader.cpp:88:10
#15 0x7f8140f1eb73 in llvm::parseIRFile(llvm::StringRef, llvm::SMDiagnostic&, llvm::LLVMContext&, llvm::function_ref<llvm::Optional<std::__u::basic_string<char, std::__u::char_traits<char>, std::__u::allocator<char> > > (llvm::StringRef)>) third_party/llvm/llvm-project/llvm/lib/IRReader/IRReader.cpp:102:10
#16 0x7f8147fb55df in psr::ProjectIRDB::ProjectIRDB(std::__u::vector<std::__u::basic_string<char, std::__u::char_traits<char>, std::__u::allocator<char> >, std::__u::allocator<std::__u::basic_string<char, std::__u::char_traits<char>, std::__u::allocator<char> > > > const&, psr::IRDBOptions) third_party/phasar/lib/DB/ProjectIRDB.cpp:69:41
#17 0x7f81488f896d in LLVMPointsToSet_Global_01_Test::TestBody() third_party/phasar/unittests/PhasarLLVM/Pointer/LLVMPointsToSetTest.cpp:42:15
#18 0x7f7ff4907041 in void testing::internal::HandleExceptionsInMethodIfSupported<testing::Test, void>(testing::Test*, void (testing::Test::*)(), char const*) third_party/googletest/googletest/src/gtest.cc
#19 0x7f7ff48bdaa0 in testing::Test::Run() third_party/googletest/googletest/src/gtest.cc:2682:5
#20 0x7f7ff48bfcc4 in testing::TestInfo::Run() third_party/googletest/googletest/src/gtest.cc:2861:11
#21 0x7f7ff48c1a4f in testing::TestSuite::Run() third_party/googletest/googletest/src/gtest.cc:3015:28
#22 0x7f7ff48f625f in testing::internal::UnitTestImpl::RunAllTests() third_party/googletest/googletest/src/gtest.cc:5851:44
#23 0x7f7ff48f548b in HandleExceptionsInMethodIfSupported<testing::internal::UnitTestImpl, bool> third_party/googletest/googletest/src/gtest.cc
#24 0x7f7ff48f548b in testing::UnitTest::Run() third_party/googletest/googletest/src/gtest.cc:5434:10
#25 0x7f81488f969f in RUN_ALL_TESTS third_party/googletest/googletest/include/gtest/gtest.h:2495:46
#26 0x7f81488f969f in main third_party/phasar/unittests/PhasarLLVM/Pointer/LLVMPointsToSetTest.cpp:61:10
#27 0x7f813c68cbbc in __libc_start_main (/usr/grte/v4/lib64/libc.so.6+0x38bbc)
#28 0x560b118a4ca8 in _start /usr/grte/v4/debug-src/src/csu/../sysdeps/x86_64/start.S:108
SUMMARY: AddressSanitizer: heap-buffer-overflow third_party/llvm/llvm-project/llvm/include/llvm/IR/Value.h:532:12 in getValueID
Shadow bytes around the buggy address:
==2106==ABORTING
E0416 11:33:31.865778 2106 allocator.cc:201] RAW:
*** Would you like to find many more bugs? ***
*** See http://go/google3-fuzzing ***
-- Forge runner: Test failed with exit code 1 while running on ixc1.prod.google.com
Steps to reproduce
Use latest LLVM
Run tests with ASan
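Added here as a triage aid, not code from this issue or from PhASAR: a small Python parser for the kind of ASan report pasted above (the sample lines are taken from that report). It pulls out what matters for classifying the finding: the faulting 1-byte READ lands 8 bytes before a 40-byte heap block allocated in Function::BuildLazyArguments, so this is a read before the start of an allocation rather than a run past its end, and it cross-checks ASan's prose offset against the raw addresses.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample: the decisive lines of the ASan report quoted in this issue.
SAMPLE_REPORT = """\
==2106==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x6040002c3dc8 at pc 0x7f7fdfa84a12 bp 0x7ffe1fc04520 sp 0x7ffe1fc04518
READ of size 1 at 0x6040002c3dc8 thread T0
    #0 0x7f7fdfa84a11 in getValueID third_party/llvm/llvm-project/llvm/include/llvm/IR/Value.h:532:12
0x6040002c3dc8 is located 8 bytes to the left of 40-byte region [0x6040002c3dd0,0x6040002c3df8)
allocated by thread T0 here:
    #0 0x560b11958bdd in operator new(unsigned long) third_party/llvm/llvm-project/compiler-rt/lib/asan/asan_new_delete.cpp:99:3
    #4 0x7f7fdfcd119f in llvm::Function::BuildLazyArguments() const third_party/llvm/llvm-project/llvm/lib/IR/Function.cpp:396:44
"""
@dataclass
class AsanFinding:
    kind: str         # e.g. "heap-buffer-overflow"
    access: str       # "READ" or "WRITE"
    size: int         # bytes touched by the faulting access
    region_size: int  # size of the neighbouring heap allocation
    direction: str    # "underflow" (left of the region) or "overflow" (right of it)
    offset: int       # bytes between the access and the nearest edge of the region
    access_site: str  # innermost frame of the faulting access
    alloc_site: str   # innermost non-ASan frame of the allocation
_ERR = re.compile(r"ERROR: AddressSanitizer: (\S+) on address (0x[0-9a-f]+)")
_ACC = re.compile(r"^(READ|WRITE) of size (\d+) at 0x[0-9a-f]+", re.M)
_LOC = re.compile(r"is located (\d+) bytes to the (left|right) of (\d+)-byte region \[(0x[0-9a-f]+),(0x[0-9a-f]+)\)")
_FRAME = re.compile(r"^\s*#\d+ 0x[0-9a-f]+ in (.+?) (\S+:\d+(?::\d+)?)$", re.M)

def first_frame(stack: str, skip: str = "") -> Optional[str]:
    """Innermost '#N ... in func file:line' frame whose path does not contain `skip`."""
    for m in _FRAME.finditer(stack):
        if not skip or skip not in m.group(2):
            return f"{m.group(1)} at {m.group(2)}"
    return None

def parse_asan_report(text: str) -> Optional[AsanFinding]:
    """Extract triage facts from an ASan report; None if a key line is missing."""
    err, acc, loc = _ERR.search(text), _ACC.search(text), _LOC.search(text)
    access_part, _, alloc_part = text.partition("allocated by")
    access_site = first_frame(access_part)
    alloc_site = first_frame(alloc_part, skip="/asan/")  # skip ASan's own operator new wrapper
    if None in (err, acc, loc, access_site, alloc_site):
        return None
    address, start, end = (int(x, 16) for x in (err.group(2), loc.group(4), loc.group(5)))
    left = loc.group(2) == "left"
    offset = start - address if left else address - end  # recompute from the raw addresses
    if offset != int(loc.group(1)):  # prose and hex must agree, otherwise distrust the report
        raise ValueError("region line disagrees with the reported address")
    return AsanFinding(err.group(1), acc.group(1), int(acc.group(2)), end - start,
                       "underflow" if left else "overflow", offset, access_site, alloc_site)
```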