
LLVM Buffer Overflow LLVMPointsToSet.Global_01 #318

Closed
blipper opened this issue Apr 16, 2021 · 4 comments
@blipper
Contributor

blipper commented Apr 16, 2021

Bug description

Running with ASan, I get a failure on Global, but Intra and Inter pass.

[ RUN ] LLVMPointsToSet.Global_01

==2106==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x6040002c3dc8 at pc 0x7f7fdfa84a12 bp 0x7ffe1fc04520 sp 0x7ffe1fc04518
READ of size 1 at 0x6040002c3dc8 thread T0
#0 0x7f7fdfa84a11 in getValueID third_party/llvm/llvm-project/llvm/include/llvm/IR/Value.h:532:12
#1 0x7f7fdfa84a11 in getOpcode third_party/llvm/llvm-project/llvm/include/llvm/IR/Instruction.h:160:39
#2 0x7f7fdfa84a11 in isTerminator third_party/llvm/llvm-project/llvm/include/llvm/IR/Instruction.h:163:51
#3 0x7f7fdfa84a11 in llvm::BasicBlock::getTerminator() const third_party/llvm/llvm-project/llvm/lib/IR/BasicBlock.cpp:149:44
#4 0x7f7fdfc67462 in getTerminator third_party/llvm/llvm-project/llvm/include/llvm/IR/BasicBlock.h:125:48
#5 0x7f7fdfc67462 in succ_begin third_party/llvm/llvm-project/llvm/include/llvm/IR/CFG.h:268:28
#6 0x7f7fdfc67462 in child_begin third_party/llvm/llvm-project/llvm/include/llvm/IR/CFG.h:304:60
#7 0x7f7fdfc67462 in children<llvm::BasicBlock*> third_party/llvm/llvm-project/llvm/include/llvm/ADT/GraphTraits.h:122:21
#8 0x7f7fdfc67462 in llvm::SmallVector<llvm::BasicBlock*, 8u> llvm::DomTreeBuilder::SemiNCAInfo<llvm::DominatorTreeBase<llvm::BasicBlock, false> >::getChildren(llvm::BasicBlock*) third_party/llvm/llvm-project/llvm/include/llvm/Support/GenericDomTreeConstruction.h:118:14
#9 0x7f7fdfc63fa8 in getChildren third_party/llvm/llvm-project/llvm/include/llvm/Support/GenericDomTreeConstruction.h:111:12
#10 0x7f7fdfc63fa8 in unsigned int llvm::DomTreeBuilder::SemiNCAInfo<llvm::DominatorTreeBase<llvm::BasicBlock, false> >::runDFS<false, bool (*)(llvm::BasicBlock*, llvm::BasicBlock*)>(llvm::BasicBlock*, unsigned int, bool (*)(llvm::BasicBlock*, llvm::BasicBlock*), unsigned int, llvm::DenseMap<llvm::BasicBlock*, unsigned int, llvm::DenseMapInfo<llvm::BasicBlock*>, llvm::detail::DenseMapPair<llvm::BasicBlock*, unsigned int> > const*) third_party/llvm/llvm-project/llvm/include/llvm/Support/GenericDomTreeConstruction.h:197:25
#11 0x7f7fdfc60a70 in void llvm::DomTreeBuilder::SemiNCAInfo<llvm::DominatorTreeBase<llvm::BasicBlock, false> >::doFullDFSWalk<bool (*)(llvm::BasicBlock*, llvm::BasicBlock*)>(llvm::DominatorTreeBase<llvm::BasicBlock, false> const&, bool (*)(llvm::BasicBlock*, llvm::BasicBlock*)) third_party/llvm/llvm-project/llvm/include/llvm/Support/GenericDomTreeConstruction.h:551:7
#12 0x7f7fdfc42d36 in llvm::DomTreeBuilder::SemiNCAInfo<llvm::DominatorTreeBase<llvm::BasicBlock, false> >::CalculateFromScratch(llvm::DominatorTreeBase<llvm::BasicBlock, false>&, llvm::DomTreeBuilder::SemiNCAInfo<llvm::DominatorTreeBase<llvm::BasicBlock, false> >::BatchUpdateInfo*) third_party/llvm/llvm-project/llvm/include/llvm/Support/GenericDomTreeConstruction.h:579:10
#13 0x7f7fdfc2f378 in Calculate<llvm::DominatorTreeBase<llvm::BasicBlock, false> > third_party/llvm/llvm-project/llvm/include/llvm/Support/GenericDomTreeConstruction.h:1563:3
#14 0x7f7fdfc2f378 in recalculate third_party/llvm/llvm-project/llvm/include/llvm/Support/GenericDomTree.h:780:5
#15 0x7f7fdfc2f378 in llvm::DominatorTreeAnalysis::run(llvm::Function&, llvm::AnalysisManager<llvm::Function>&) third_party/llvm/llvm-project/llvm/lib/IR/Dominators.cpp:363:6
#16 0x7f8147561118 in llvm::detail::AnalysisPassModel<llvm::Function, llvm::DominatorTreeAnalysis, llvm::PreservedAnalyses, llvm::AnalysisManager<llvm::Function>::Invalidator>::run(llvm::Function&, llvm::AnalysisManager<llvm::Function>&) third_party/llvm/llvm-project/llvm/include/llvm/IR/PassManagerInternal.h:315:14
#17 0x7f7fdfe651b1 in llvm::AnalysisManager<llvm::Function>::getResultImpl(llvm::AnalysisKey*, llvm::Function&) third_party/llvm/llvm-project/llvm/include/llvm/IR/PassManagerImpl.h:75:35
#18 0x7f8031443db4 in getResult<llvm::DominatorTreeAnalysis> third_party/llvm/llvm-project/llvm/include/llvm/IR/PassManager.h:789:9
#19 0x7f8031443db4 in llvm::BasicAA::run(llvm::Function&, llvm::AnalysisManager<llvm::Function>&) third_party/llvm/llvm-project/llvm/lib/Analysis/BasicAliasAnalysis.cpp:1758:18
#20 0x7f814756d0d3 in llvm::detail::AnalysisPassModel<llvm::Function, llvm::BasicAA, llvm::PreservedAnalyses, llvm::AnalysisManager<llvm::Function>::Invalidator>::run(llvm::Function&, llvm::AnalysisManager<llvm::Function>&) third_party/llvm/llvm-project/llvm/include/llvm/IR/PassManagerInternal.h:315:14
#21 0x7f7fdfe651b1 in llvm::AnalysisManager<llvm::Function>::getResultImpl(llvm::AnalysisKey*, llvm::Function&) third_party/llvm/llvm-project/llvm/include/llvm/IR/PassManagerImpl.h:75:35
#22 0x7f8148266e66 in getResult<llvm::BasicAA> third_party/llvm/llvm-project/llvm/include/llvm/IR/PassManager.h:789:9
#23 0x7f8148266e66 in void llvm::AAManager::getFunctionAAResultImpl<llvm::BasicAA>(llvm::Function&, llvm::AnalysisManager<llvm::Function>&, llvm::AAResults&) third_party/llvm/llvm-project/llvm/include/llvm/Analysis/AliasAnalysis.h:1248:39
#24 0x7f80313df107 in llvm::AAManager::run(llvm::Function&, llvm::AnalysisManager<llvm::Function>&) third_party/llvm/llvm-project/llvm/lib/Analysis/AliasAnalysis.cpp:927:5
#25 0x7f814826cf95 in llvm::detail::AnalysisPassModel<llvm::Function, llvm::AAManager, llvm::PreservedAnalyses, llvm::AnalysisManager<llvm::Function>::Invalidator>::run(llvm::Function&, llvm::AnalysisManager<llvm::Function>&) third_party/llvm/llvm-project/llvm/include/llvm/IR/PassManagerInternal.h:315:14
#26 0x7f7fdfe651b1 in llvm::AnalysisManager<llvm::Function>::getResultImpl(llvm::AnalysisKey*, llvm::Function&) third_party/llvm/llvm-project/llvm/include/llvm/IR/PassManagerImpl.h:75:35
#27 0x7f814825d22f in getResult<llvm::AAManager> third_party/llvm/llvm-project/llvm/include/llvm/IR/PassManager.h:789:9
#28 0x7f814825d22f in psr::LLVMBasedPointsToAnalysis::computePointsToInfo(llvm::Function&) third_party/phasar/lib/PhasarLLVM/Pointer/LLVMBasedPointsToAnalysis.cpp:92:30
#29 0x7f814829bc60 in getAAResults third_party/phasar/include/phasar/PhasarLLVM/Pointer/LLVMBasedPointsToAnalysis.h:55:7
#30 0x7f814829bc60 in psr::LLVMPointsToSet::LLVMPointsToSet(psr::ProjectIRDB&, bool, psr::PointerAnalysisType) third_party/phasar/lib/PhasarLLVM/Pointer/LLVMPointsToSet.cpp:50:22
#31 0x7f81488f8a3a in LLVMPointsToSet_Global_01_Test::TestBody() third_party/phasar/unittests/PhasarLLVM/Pointer/LLVMPointsToSetTest.cpp:43:19
#32 0x7f7ff4907041 in void testing::internal::HandleExceptionsInMethodIfSupported<testing::Test, void>(testing::Test*, void (testing::Test::*)(), char const*) third_party/googletest/googletest/src/gtest.cc
#33 0x7f7ff48bdaa0 in testing::Test::Run() third_party/googletest/googletest/src/gtest.cc:2682:5
#34 0x7f7ff48bfcc4 in testing::TestInfo::Run() third_party/googletest/googletest/src/gtest.cc:2861:11
#35 0x7f7ff48c1a4f in testing::TestSuite::Run() third_party/googletest/googletest/src/gtest.cc:3015:28
#36 0x7f7ff48f625f in testing::internal::UnitTestImpl::RunAllTests() third_party/googletest/googletest/src/gtest.cc:5851:44
#37 0x7f7ff48f548b in HandleExceptionsInMethodIfSupported<testing::internal::UnitTestImpl, bool> third_party/googletest/googletest/src/gtest.cc
#38 0x7f7ff48f548b in testing::UnitTest::Run() third_party/googletest/googletest/src/gtest.cc:5434:10
#39 0x7f81488f969f in RUN_ALL_TESTS third_party/googletest/googletest/include/gtest/gtest.h:2495:46
#40 0x7f81488f969f in main third_party/phasar/unittests/PhasarLLVM/Pointer/LLVMPointsToSetTest.cpp:61:10
#41 0x7f813c68cbbc in __libc_start_main (/usr/grte/v4/lib64/libc.so.6+0x38bbc)
#42 0x560b118a4ca8 in _start /usr/grte/v4/debug-src/src/csu/../sysdeps/x86_64/start.S:108

0x6040002c3dc8 is located 8 bytes to the left of 40-byte region [0x6040002c3dd0,0x6040002c3df8)
allocated by thread T0 here:
#0 0x560b11958bdd in operator new(unsigned long) third_party/llvm/llvm-project/compiler-rt/lib/asan/asan_new_delete.cpp:99:3
#1 0x7f7fdfcd119f in __libcpp_operator_new third_party/crosstool/v18/stable/toolchain/bin/../include/c++/v1/new:235:10
#2 0x7f7fdfcd119f in __libcpp_allocate third_party/crosstool/v18/stable/toolchain/bin/../include/c++/v1/new:261:10
#3 0x7f7fdfcd119f in allocate third_party/crosstool/v18/stable/toolchain/bin/../include/c++/v1/memory:784:38
#4 0x7f7fdfcd119f in llvm::Function::BuildLazyArguments() const third_party/llvm/llvm-project/llvm/lib/IR/Function.cpp:396:44
#5 0x7f81408ca73a in CheckLazyArguments third_party/llvm/llvm-project/llvm/include/llvm/IR/Function.h:113:7
#6 0x7f81408ca73a in arg_begin third_party/llvm/llvm-project/llvm/include/llvm/IR/Function.h:780:5
#7 0x7f81408ca73a in llvm::LLParser::parseFunctionHeader(llvm::Function*&, bool) third_party/llvm/llvm-project/llvm/lib/AsmParser/LLParser.cpp:5927:38
#8 0x7f81408bcad9 in llvm::LLParser::parseDeclare() third_party/llvm/llvm-project/llvm/lib/AsmParser/LLParser.cpp:553:7
#9 0x7f81408b5bc5 in llvm::LLParser::parseTopLevelEntities() third_party/llvm/llvm-project/llvm/lib/AsmParser/LLParser.cpp:348:11
#10 0x7f81408b57d3 in llvm::LLParser::Run(bool, llvm::function_ref<llvm::Optional<std::__u::basic_string<char, std::__u::char_traits<char>, std::__u::allocator<char> > > (llvm::StringRef)>) third_party/llvm/llvm-project/llvm/lib/AsmParser/LLParser.cpp:80:10
#11 0x7f81409b0797 in parseAssemblyInto(llvm::MemoryBufferRef, llvm::Module*, llvm::ModuleSummaryIndex*, llvm::SMDiagnostic&, llvm::SlotMapping*, bool, llvm::function_ref<llvm::Optional<std::__u::basic_string<char, std::__u::char_traits<char>, std::__u::allocator<char> > > (llvm::StringRef)>) third_party/llvm/llvm-project/llvm/lib/AsmParser/Parser.cpp:36:8
#12 0x7f81409b0b5e in parseAssemblyInto third_party/llvm/llvm-project/llvm/lib/AsmParser/Parser.cpp:43:10
#13 0x7f81409b0b5e in llvm::parseAssembly(llvm::MemoryBufferRef, llvm::SMDiagnostic&, llvm::LLVMContext&, llvm::SlotMapping*, llvm::function_ref<llvm::Optional<std::__u::basic_string<char, std::__u::char_traits<char>, std::__u::allocator<char> > > (llvm::StringRef)>) third_party/llvm/llvm-project/llvm/lib/AsmParser/Parser.cpp:54:7
#14 0x7f8140f1dd97 in llvm::parseIR(llvm::MemoryBufferRef, llvm::SMDiagnostic&, llvm::LLVMContext&, llvm::function_ref<llvm::Optional<std::__u::basic_string<char, std::__u::char_traits<char>, std::__u::allocator<char> > > (llvm::StringRef)>) third_party/llvm/llvm-project/llvm/lib/IRReader/IRReader.cpp:88:10
#15 0x7f8140f1eb73 in llvm::parseIRFile(llvm::StringRef, llvm::SMDiagnostic&, llvm::LLVMContext&, llvm::function_ref<llvm::Optional<std::__u::basic_string<char, std::__u::char_traits<char>, std::__u::allocator<char> > > (llvm::StringRef)>) third_party/llvm/llvm-project/llvm/lib/IRReader/IRReader.cpp:102:10
#16 0x7f8147fb55df in psr::ProjectIRDB::ProjectIRDB(std::__u::vector<std::__u::basic_string<char, std::__u::char_traits<char>, std::__u::allocator<char> >, std::__u::allocator<std::__u::basic_string<char, std::__u::char_traits<char>, std::__u::allocator<char> > > > const&, psr::IRDBOptions) third_party/phasar/lib/DB/ProjectIRDB.cpp:69:41
#17 0x7f81488f896d in LLVMPointsToSet_Global_01_Test::TestBody() third_party/phasar/unittests/PhasarLLVM/Pointer/LLVMPointsToSetTest.cpp:42:15
#18 0x7f7ff4907041 in void testing::internal::HandleExceptionsInMethodIfSupported<testing::Test, void>(testing::Test*, void (testing::Test::*)(), char const*) third_party/googletest/googletest/src/gtest.cc
#19 0x7f7ff48bdaa0 in testing::Test::Run() third_party/googletest/googletest/src/gtest.cc:2682:5
#20 0x7f7ff48bfcc4 in testing::TestInfo::Run() third_party/googletest/googletest/src/gtest.cc:2861:11
#21 0x7f7ff48c1a4f in testing::TestSuite::Run() third_party/googletest/googletest/src/gtest.cc:3015:28
#22 0x7f7ff48f625f in testing::internal::UnitTestImpl::RunAllTests() third_party/googletest/googletest/src/gtest.cc:5851:44
#23 0x7f7ff48f548b in HandleExceptionsInMethodIfSupported<testing::internal::UnitTestImpl, bool> third_party/googletest/googletest/src/gtest.cc
#24 0x7f7ff48f548b in testing::UnitTest::Run() third_party/googletest/googletest/src/gtest.cc:5434:10
#25 0x7f81488f969f in RUN_ALL_TESTS third_party/googletest/googletest/include/gtest/gtest.h:2495:46
#26 0x7f81488f969f in main third_party/phasar/unittests/PhasarLLVM/Pointer/LLVMPointsToSetTest.cpp:61:10
#27 0x7f813c68cbbc in __libc_start_main (/usr/grte/v4/lib64/libc.so.6+0x38bbc)
#28 0x560b118a4ca8 in _start /usr/grte/v4/debug-src/src/csu/../sysdeps/x86_64/start.S:108

SUMMARY: AddressSanitizer: heap-buffer-overflow third_party/llvm/llvm-project/llvm/include/llvm/IR/Value.h:532:12 in getValueID
Shadow bytes around the buggy address:
0x0c0880050760: fa fa fd fd fd fd fd fd fa fa 00 00 00 00 00 fa
0x0c0880050770: fa fa fd fd fd fd fd fd fa fa 00 00 00 00 00 05
0x0c0880050780: fa fa 00 00 00 00 00 fa fa fa 00 00 00 00 02 fa
0x0c0880050790: fa fa 00 00 00 00 06 fa fa fa 00 00 00 00 00 fa
0x0c08800507a0: fa fa 00 00 00 00 00 fa fa fa 00 00 00 00 00 fa
=>0x0c08800507b0: fa fa 00 00 00 00 00 fa fa[fa]00 00 00 00 00 fa
0x0c08800507c0: fa fa 00 00 00 00 00 fa fa fa 00 00 00 00 00 fa
0x0c08800507d0: fa fa 00 00 00 00 00 fa fa fa 00 00 00 00 00 fa
0x0c08800507e0: fa fa 00 00 00 00 00 fa fa fa 00 00 00 00 00 fa
0x0c08800507f0: fa fa fd fd fd fd fd fd fa fa fd fd fd fd fd fd
0x0c0880050800: fa fa fd fd fd fd fd fd fa fa fd fd fd fd fd fd
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
Shadow gap: cc
==2106==ABORTING
E0416 11:33:31.865778 2106 allocator.cc:201] RAW:


-- Forge runner: Test failed with exit code 1 while running on ixc1.prod.google.com

Steps to reproduce

Use latest LLVM
Run tests with ASan

@blipper
Contributor Author

blipper commented Apr 16, 2021

Running the opt basic pass works without a crash

rossmartin@thebeast:/google/src/cloud/rossmartin/phasar/google3$ blaze run --config=asan //third_party/llvm/llvm-project/llvm:opt -- -basic-aa /tmp/aes_ctr_boringssl_test.bc -disable-output -stats
INFO: Build options --cc_output_directory_tag, --compiler, --copt, and 8 more have changed, discarding analysis cache.
INFO: Analyzed target //third_party/llvm/llvm-project/llvm:opt (0 packages loaded, 17657 targets configured).
INFO: Found 1 target...
Target //third_party/llvm/llvm-project/llvm:opt up-to-date:
blaze-bin/third_party/llvm/llvm-project/llvm/opt
INFO: Elapsed time: 20.098s, Forge stats: 7/16 actions cached, 27.2s CPU used, 0.0s queue time, 405.9 MB ObjFS output (novel bytes: 365.9 MB), 0.0 MB local output, Critical Path: 18.35s, Remote (95.09% of the time): [queue: 0.00%, setup: 13.89%, process: 72.41%]
INFO: Build completed successfully, 14 total actions
INFO: Build completed successfully, 14 total actions
===-------------------------------------------------------------------------===
... Statistics Collected ...
===-------------------------------------------------------------------------===

2028956 bitcode-reader - Number of Metadata records loaded
296451 bitcode-reader - Number of MDStrings loaded

rossmartin@thebeast:/google/src/cloud/rossmartin/phasar/google3$

@blipper
Contributor Author

blipper commented Apr 16, 2021

Disabling BasicAA allows this to continue

@MMory MMory self-assigned this Apr 26, 2021
@MMory
Member

MMory commented May 6, 2022

@blipper does the issue still exist?

@MMory
Member

MMory commented Dec 1, 2022

Closing as it does not seem to be relevant any more.

@MMory MMory closed this as not planned Dec 1, 2022