
Segfault in InstructionFolder #224

Open
artemdinaburg opened this issue Jun 11, 2021 · 4 comments

Comments

@artemdinaburg
Contributor

Looks like a segfault in the InstructionFolder handling of Phi nodes.

ASAN Output:

I0611 09:31:35.531258 387184 Optimize.cpp:77] Optimizing module.
=================================================================
==387184==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7ffc189d6198 at pc 0x000000c715bf bp 0x7ffc189d44b0 sp 0x7ffc189d44a8
READ of size 4 at 0x7ffc189d6198 thread T0
    #0 0xc715be in llvm::Type::getTypeID() const /home/artem/git/cxx-common/vcpkg/buildtrees/llvm-11/src/org-11.0.1-a4cf4b25b4.clean/llvm/include/llvm/IR/Type.h:135:37
    #1 0xddec28 in llvm::Type::isVoidTy() const /home/artem/git/cxx-common/vcpkg/buildtrees/llvm-11/src/org-11.0.1-a4cf4b25b4.clean/llvm/include/llvm/IR/Type.h:138:34
    #2 0x21a882d in llvm::PointerType::isValidElementType(llvm::Type*) /home/artem/git/cxx-common/vcpkg/buildtrees/llvm-11/src/org-11.0.1-a4cf4b25b4.clean/llvm/lib/IR/Type.cpp:686:19
    #3 0x21a84f8 in llvm::PointerType::get(llvm::Type*, unsigned int) /home/artem/git/cxx-common/vcpkg/buildtrees/llvm-11/src/org-11.0.1-a4cf4b25b4.clean/llvm/lib/IR/Type.cpp:661:3
    #4 0xa537e6 in llvm::GetElementPtrInst::getGEPReturnType(llvm::Type*, llvm::Value*, llvm::ArrayRef<llvm::Value*>) /home/artem/git/cxx-common/llvm-11-asan/installed/x64-linux-asan/include/llvm/IR/Instructions.h:1074:19
    #5 0xa53638 in llvm::GetElementPtrInst::GetElementPtrInst(llvm::Type*, llvm::Value*, llvm::ArrayRef<llvm::Value*>, unsigned int, llvm::Twine const&, llvm::Instruction*) /home/artem/git/cxx-common/llvm-11-asan/installed/x64-linux-asan/include/llvm/IR/Instructions.h:1143:19
    #6 0xa53638 in llvm::GetElementPtrInst::Create(llvm::Type*, llvm::Value*, llvm::ArrayRef<llvm::Value*>, llvm::Twine const&, llvm::Instruction*) /home/artem/git/cxx-common/llvm-11-asan/installed/x64-linux-asan/include/llvm/IR/Instructions.h:942:25
    #7 0xa5328e in llvm::IRBuilderBase::CreateGEP(llvm::Type*, llvm::Value*, llvm::ArrayRef<llvm::Value*>, llvm::Twine const&) /home/artem/git/cxx-common/llvm-11-asan/installed/x64-linux-asan/include/llvm/IR/IRBuilder.h:1773:19
    #8 0xa7a6ac in llvm::IRBuilderBase::CreateGEP(llvm::Value*, llvm::ArrayRef<llvm::Value*>, llvm::Twine const&) /home/artem/git/cxx-common/llvm-11-asan/installed/x64-linux-asan/include/llvm/IR/IRBuilder.h:1759:12
    #9 0xa7a6ac in anvill::InstructionFolderPass::FoldPHINodeWithGEPInst(llvm::Instruction*&, llvm::Instruction*, std::vector<anvill::InstructionFolderPass::IncomingValue, std::allocator<anvill::InstructionFolderPass::IncomingValue> >&, llvm::Instruction*) /home/artem/git/anvill/build-asan/../libraries/anvill_passes/src/InstructionFolderPass.cpp:665:17
    #10 0xa77222 in anvill::InstructionFolderPass::FoldPHINode(std::vector<llvm::Instruction*, std::allocator<llvm::Instruction*> >&, llvm::Instruction*) /home/artem/git/anvill/build-asan/../libraries/anvill_passes/src/InstructionFolderPass.cpp:358:10
    #11 0xa7b96e in anvill::InstructionFolderPass::Run(llvm::Function&) /home/artem/git/anvill/build-asan/../libraries/anvill_passes/src/InstructionFolderPass.cpp:207:13
    #12 0xa7e025 in anvill::BaseFunctionPass<anvill::InstructionFolderPass>::runOnFunction(llvm::Function&) /home/artem/git/anvill/build-asan/../libraries/anvill_passes/src/BaseFunctionPass.h:146:24
    #13 0x20d228b in llvm::FPPassManager::runOnFunction(llvm::Function&) /home/artem/git/cxx-common/vcpkg/buildtrees/llvm-11/src/org-11.0.1-a4cf4b25b4.clean/llvm/lib/IR/LegacyPassManager.cpp:1516:27
    #14 0x20d1a34 in llvm::legacy::FunctionPassManagerImpl::run(llvm::Function&) /home/artem/git/cxx-common/vcpkg/buildtrees/llvm-11/src/org-11.0.1-a4cf4b25b4.clean/llvm/lib/IR/LegacyPassManager.cpp:439:44
    #15 0x20da83c in llvm::legacy::FunctionPassManager::run(llvm::Function&) /home/artem/git/cxx-common/vcpkg/buildtrees/llvm-11/src/org-11.0.1-a4cf4b25b4.clean/llvm/lib/IR/LegacyPassManager.cpp:1435:15
    #16 0x9c3ffb in anvill::OptimizeModule(anvill::EntityLifter const&, remill::Arch const*, anvill::Program const&, llvm::Module&, anvill::LifterOptions const&) /home/artem/git/anvill/build-asan/../anvill/src/Optimize.cpp:182:9
    #17 0x95ab10 in main /home/artem/git/anvill/build-asan/../tools/decompile-json/src/main.cpp:1093:3
    #18 0x7f79c5380d09 in __libc_start_main csu/../csu/libc-start.c:308:16
    #19 0x8ac0c9 in _start (/home/artem/git/anvill/build-asan/tools/decompile-json/anvill-decompile-json-11.0+0x8ac0c9)

Address 0x7ffc189d6198 is located in stack of thread T0 at offset 1848 in frame
    #0 0x95876f in main /home/artem/git/anvill/build-asan/../tools/decompile-json/src/main.cpp:962

  This frame has 51 object(s):
    [32, 33) 'ref.tmp.i.i.i1224'
    [48, 49) 'ref.tmp.i.i.i'
    [64, 65) '__c.addr.i1161'
    [80, 81) '__c.addr.i1142'
    [96, 97) '__c.addr.i936'
    [112, 120) '__dnew.i.i.i.i.i910'
    [144, 145) '__c.addr.i'
    [160, 168) '__dnew.i.i.i.i.i.i.i'
    [192, 224) 'ref.tmp.i'
    [256, 264) '__dnew.i.i.i.i.i736'
    [288, 296) '__dnew.i.i.i.i717'
    [320, 328) '__dnew.i.i.i.i.i'
    [352, 360) '__dnew.i.i.i.i'
    [384, 392) 'err.i'
    [416, 808) 'ss.i' (line 69)
    [880, 912) 'ref.tmp64.i' (line 90)
    [944, 948) 'argc.addr'
    [960, 968) 'argv.addr'
    [992, 1008) 'ref.tmp' (line 971)
    [1024, 1048) 'maybe_buff' (line 980)
    [1088, 1112) 'ref.tmp9' (line 980)
    [1152, 1168) 'ref.tmp14' (line 982)
    [1184, 1216) 'ref.tmp26' (line 982)
    [1248, 1296) 'maybe_json' (line 989)
    [1328, 1344) 'ref.tmp47' (line 991)
    [1360, 1392) 'ref.tmp59' (line 991)
    [1424, 1440) 'ref.tmp77' (line 999)
    [1456, 1480) 'maybe_arch' (line 1006)
    [1520, 1552) 'arch_str' (line 1007)
    [1584, 1616) 'ref.tmp102' (line 1009)
    [1648, 1672) 'maybe_os' (line 1012)
    [1712, 1744) 'os_str' (line 1013)
    [1776, 1808) 'ref.tmp120' (line 1015)
    [1840, 1848) 'context' (line 1018) <== Memory access at offset 1848 overflows this variable
    [1872, 2616) 'module' (line 1019)
    [2752, 2760) 'arch' (line 1024)
    [2784, 2800) 'program' (line 1030)
    [2816, 2832) 'memory' (line 1031)
    [2848, 2864) 'types' (line 1032)
    [2880, 2904) 'ctrl_flow_provider_res' (line 1035)
    [2944, 3000) 'options' (line 1045)
    [3040, 3048) 'agg.tmp173'
    [3072, 3088) 'lifter' (line 1052)
    [3104, 3136) 'agg.tmp187'
    [3168, 3200) 'agg.tmp193'
    [3232, 3264) 'json_outs' (line 1074)
    [3296, 3328) 'ref.tmp216' (line 1086)
    [3360, 3416) 'has_name' (line 1095)
    [3456, 3488) 'agg.tmp264'
    [3520, 3552) 'agg.tmp320'
    [3584, 3616) 'agg.tmp382'
HINT: this may be a false positive if your program uses some custom stack unwind mechanism, swapcontext or vfork
      (longjmp and C++ exceptions *are* supported)
SUMMARY: AddressSanitizer: stack-buffer-overflow /home/artem/git/cxx-common/vcpkg/buildtrees/llvm-11/src/org-11.0.1-a4cf4b25b4.clean/llvm/include/llvm/IR/Type.h:135:37 in llvm::Type::getTypeID() const
==387184==ABORTING

Attaching input json.

output_InstructionFolder_segfault.tar.gz

@artemdinaburg
Contributor Author

This sample still causes a problem but at least the error is different :). It's no longer a segfault!

@artemdinaburg
Contributor Author

E0701 13:47:14.959821 1062466 Util.cpp:342] Error verifying module read from file: Instruction does not dominate all uses!
  %2078 = phi i64 [ 2, %2047 ], [ 12, %2056 ]
  %2054 = getelementptr i8, i8* getelementptr (i8, i8* inttoptr (i64 237 to i8*), i64 27), i64 %2078
Instruction does not dominate all uses!
  %2081 = phi i64 [ 2, %2047 ], [ 12, %2056 ]
  %2055 = getelementptr i8, i8* getelementptr (i8, i8* inttoptr (i64 237 to i8*), i64 27), i64 %2081
Instruction does not dominate all uses!
  %2078 = phi i64 [ 2, %2047 ], [ 12, %2056 ]
  %2070 = getelementptr i8, i8* getelementptr (i8, i8* inttoptr (i64 237 to i8*), i64 17), i64 %2078
Instruction does not dominate all uses!
  %2081 = phi i64 [ 2, %2047 ], [ 12, %2056 ]
  %2071 = getelementptr i8, i8* getelementptr (i8, i8* inttoptr (i64 237 to i8*), i64 17), i64 %2081
F0701 13:47:14.959898 1062466 Optimize.cpp:199] Check failed: remill::VerifyModule(&module)
*** Check failure stack trace: ***
    @          0x2dcfcb1  google::LogMessage::Fail()
    @          0x2dcb452  google::LogMessage::SendToLog()
    @          0x2dce005  google::LogMessage::Flush()
    @          0x2dd951c  google::LogMessageFatal::~LogMessageFatal()
    @           0xaaa9d8  anvill::OptimizeModule()
    @           0x9af61a  main
    @     0x7efe64a58d0a  __libc_start_main
    @           0x9007ea  _start
    @              (nil)  (unknown)
Aborted
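The verifier message above fires because the folded `getelementptr` consumes the index `phi` from a position the `phi` does not dominate. As an added illustration (constructed for this note, not IR taken from the attached sample or from anvill), the first function reproduces the complaint in LLVM 11 typed-pointer syntax and the second shows the placement that passes verification:

```llvm
; Constructed example. %p is emitted in predecessor block %a but consumes %idx,
; which is only defined by the phi in %merge, so %idx does not dominate its use.
; `opt -verify -disable-output` reports "Instruction does not dominate all uses!"
define i64 @bad(i1 %c) {
entry:
  br i1 %c, label %a, label %b
a:
  %p = getelementptr i8, i8* inttoptr (i64 237 to i8*), i64 %idx
  %v = load i8, i8* %p
  br label %merge
b:
  br label %merge
merge:
  %idx = phi i64 [ 2, %a ], [ 12, %b ]
  ret i64 %idx
}

; Corrected placement: the folded GEP is inserted after the phi, in the block
; the phi lives in, so the definition dominates every use and the module verifies.
define i8* @good(i1 %c) {
entry:
  br i1 %c, label %a, label %b
a:
  br label %merge
b:
  br label %merge
merge:
  %idx = phi i64 [ 2, %a ], [ 12, %b ]
  %p = getelementptr i8, i8* inttoptr (i64 237 to i8*), i64 %idx
  ret i8* %p
}
```

A pass that rewrites a phi of GEPs into a GEP of a phi must use the phi's block (after all phi nodes) as the insertion point for the new GEP; inserting at the location of one of the original incoming GEPs yields exactly the dominance failure logged above.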

@kumarak
Contributor

kumarak commented Jul 6, 2021

I don't see an issue lifting the input.json attached with llvm12.

@pgoodman
Collaborator

This pass is currently disabled due to some issues where it spams in lots of instructions.
