anvill
Segfault in InstructionFolder
Looks like a segfault in the InstructionFolder handling of Phi nodes.
ASAN Output:
```
I0611 09:31:35.531258 387184 Optimize.cpp:77] Optimizing module.
=================================================================
==387184==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7ffc189d6198 at pc 0x000000c715bf bp 0x7ffc189d44b0 sp 0x7ffc189d44a8
READ of size 4 at 0x7ffc189d6198 thread T0
#0 0xc715be in llvm::Type::getTypeID() const /home/artem/git/cxx-common/vcpkg/buildtrees/llvm-11/src/org-11.0.1-a4cf4b25b4.clean/llvm/include/llvm/IR/Type.h:135:37
#1 0xddec28 in llvm::Type::isVoidTy() const /home/artem/git/cxx-common/vcpkg/buildtrees/llvm-11/src/org-11.0.1-a4cf4b25b4.clean/llvm/include/llvm/IR/Type.h:138:34
#2 0x21a882d in llvm::PointerType::isValidElementType(llvm::Type*) /home/artem/git/cxx-common/vcpkg/buildtrees/llvm-11/src/org-11.0.1-a4cf4b25b4.clean/llvm/lib/IR/Type.cpp:686:19
#3 0x21a84f8 in llvm::PointerType::get(llvm::Type*, unsigned int) /home/artem/git/cxx-common/vcpkg/buildtrees/llvm-11/src/org-11.0.1-a4cf4b25b4.clean/llvm/lib/IR/Type.cpp:661:3
#4 0xa537e6 in llvm::GetElementPtrInst::getGEPReturnType(llvm::Type*, llvm::Value*, llvm::ArrayRef<llvm::Value*>) /home/artem/git/cxx-common/llvm-11-asan/installed/x64-linux-asan/include/llvm/IR/Instructions.h:1074:19
#5 0xa53638 in llvm::GetElementPtrInst::GetElementPtrInst(llvm::Type*, llvm::Value*, llvm::ArrayRef<llvm::Value*>, unsigned int, llvm::Twine const&, llvm::Instruction*) /home/artem/git/cxx-common/llvm-11-asan/installed/x64-linux-asan/include/llvm/IR/Instructions.h:1143:19
#6 0xa53638 in llvm::GetElementPtrInst::Create(llvm::Type*, llvm::Value*, llvm::ArrayRef<llvm::Value*>, llvm::Twine const&, llvm::Instruction*) /home/artem/git/cxx-common/llvm-11-asan/installed/x64-linux-asan/include/llvm/IR/Instructions.h:942:25
#7 0xa5328e in llvm::IRBuilderBase::CreateGEP(llvm::Type*, llvm::Value*, llvm::ArrayRef<llvm::Value*>, llvm::Twine const&) /home/artem/git/cxx-common/llvm-11-asan/installed/x64-linux-asan/include/llvm/IR/IRBuilder.h:1773:19
#8 0xa7a6ac in llvm::IRBuilderBase::CreateGEP(llvm::Value*, llvm::ArrayRef<llvm::Value*>, llvm::Twine const&) /home/artem/git/cxx-common/llvm-11-asan/installed/x64-linux-asan/include/llvm/IR/IRBuilder.h:1759:12
#9 0xa7a6ac in anvill::InstructionFolderPass::FoldPHINodeWithGEPInst(llvm::Instruction*&, llvm::Instruction*, std::vector<anvill::InstructionFolderPass::IncomingValue, std::allocator<anvill::InstructionFolderPass::IncomingValue> >&, llvm::Instruction*) /home/artem/git/anvill/build-asan/../libraries/anvill_passes/src/InstructionFolderPass.cpp:665:17
#10 0xa77222 in anvill::InstructionFolderPass::FoldPHINode(std::vector<llvm::Instruction*, std::allocator<llvm::Instruction*> >&, llvm::Instruction*) /home/artem/git/anvill/build-asan/../libraries/anvill_passes/src/InstructionFolderPass.cpp:358:10
#11 0xa7b96e in anvill::InstructionFolderPass::Run(llvm::Function&) /home/artem/git/anvill/build-asan/../libraries/anvill_passes/src/InstructionFolderPass.cpp:207:13
#12 0xa7e025 in anvill::BaseFunctionPass<anvill::InstructionFolderPass>::runOnFunction(llvm::Function&) /home/artem/git/anvill/build-asan/../libraries/anvill_passes/src/BaseFunctionPass.h:146:24
#13 0x20d228b in llvm::FPPassManager::runOnFunction(llvm::Function&) /home/artem/git/cxx-common/vcpkg/buildtrees/llvm-11/src/org-11.0.1-a4cf4b25b4.clean/llvm/lib/IR/LegacyPassManager.cpp:1516:27
#14 0x20d1a34 in llvm::legacy::FunctionPassManagerImpl::run(llvm::Function&) /home/artem/git/cxx-common/vcpkg/buildtrees/llvm-11/src/org-11.0.1-a4cf4b25b4.clean/llvm/lib/IR/LegacyPassManager.cpp:439:44
#15 0x20da83c in llvm::legacy::FunctionPassManager::run(llvm::Function&) /home/artem/git/cxx-common/vcpkg/buildtrees/llvm-11/src/org-11.0.1-a4cf4b25b4.clean/llvm/lib/IR/LegacyPassManager.cpp:1435:15
#16 0x9c3ffb in anvill::OptimizeModule(anvill::EntityLifter const&, remill::Arch const*, anvill::Program const&, llvm::Module&, anvill::LifterOptions const&) /home/artem/git/anvill/build-asan/../anvill/src/Optimize.cpp:182:9
#17 0x95ab10 in main /home/artem/git/anvill/build-asan/../tools/decompile-json/src/main.cpp:1093:3
#18 0x7f79c5380d09 in __libc_start_main csu/../csu/libc-start.c:308:16
#19 0x8ac0c9 in _start (/home/artem/git/anvill/build-asan/tools/decompile-json/anvill-decompile-json-11.0+0x8ac0c9)
Address 0x7ffc189d6198 is located in stack of thread T0 at offset 1848 in frame
#0 0x95876f in main /home/artem/git/anvill/build-asan/../tools/decompile-json/src/main.cpp:962
This frame has 51 object(s):
[32, 33) 'ref.tmp.i.i.i1224'
[48, 49) 'ref.tmp.i.i.i'
[64, 65) '__c.addr.i1161'
[80, 81) '__c.addr.i1142'
[96, 97) '__c.addr.i936'
[112, 120) '__dnew.i.i.i.i.i910'
[144, 145) '__c.addr.i'
[160, 168) '__dnew.i.i.i.i.i.i.i'
[192, 224) 'ref.tmp.i'
[256, 264) '__dnew.i.i.i.i.i736'
[288, 296) '__dnew.i.i.i.i717'
[320, 328) '__dnew.i.i.i.i.i'
[352, 360) '__dnew.i.i.i.i'
[384, 392) 'err.i'
[416, 808) 'ss.i' (line 69)
[880, 912) 'ref.tmp64.i' (line 90)
[944, 948) 'argc.addr'
[960, 968) 'argv.addr'
[992, 1008) 'ref.tmp' (line 971)
[1024, 1048) 'maybe_buff' (line 980)
[1088, 1112) 'ref.tmp9' (line 980)
[1152, 1168) 'ref.tmp14' (line 982)
[1184, 1216) 'ref.tmp26' (line 982)
[1248, 1296) 'maybe_json' (line 989)
[1328, 1344) 'ref.tmp47' (line 991)
[1360, 1392) 'ref.tmp59' (line 991)
[1424, 1440) 'ref.tmp77' (line 999)
[1456, 1480) 'maybe_arch' (line 1006)
[1520, 1552) 'arch_str' (line 1007)
[1584, 1616) 'ref.tmp102' (line 1009)
[1648, 1672) 'maybe_os' (line 1012)
[1712, 1744) 'os_str' (line 1013)
[1776, 1808) 'ref.tmp120' (line 1015)
[1840, 1848) 'context' (line 1018) <== Memory access at offset 1848 overflows this variable
[1872, 2616) 'module' (line 1019)
[2752, 2760) 'arch' (line 1024)
[2784, 2800) 'program' (line 1030)
[2816, 2832) 'memory' (line 1031)
[2848, 2864) 'types' (line 1032)
[2880, 2904) 'ctrl_flow_provider_res' (line 1035)
[2944, 3000) 'options' (line 1045)
[3040, 3048) 'agg.tmp173'
[3072, 3088) 'lifter' (line 1052)
[3104, 3136) 'agg.tmp187'
[3168, 3200) 'agg.tmp193'
[3232, 3264) 'json_outs' (line 1074)
[3296, 3328) 'ref.tmp216' (line 1086)
[3360, 3416) 'has_name' (line 1095)
[3456, 3488) 'agg.tmp264'
[3520, 3552) 'agg.tmp320'
[3584, 3616) 'agg.tmp382'
HINT: this may be a false positive if your program uses some custom stack unwind mechanism, swapcontext or vfork
(longjmp and C++ exceptions *are* supported)
SUMMARY: AddressSanitizer: stack-buffer-overflow /home/artem/git/cxx-common/vcpkg/buildtrees/llvm-11/src/org-11.0.1-a4cf4b25b4.clean/llvm/include/llvm/IR/Type.h:135:37 in llvm::Type::getTypeID() const
Shadow bytes around the buggy address:
0x100003132be0: f8 f8 f8 f8 f2 f2 f2 f2 00 00 00 00 00 00 f2 f2
0x100003132bf0: f2 f2 f8 f8 f2 f2 f8 f8 f8 f8 f2 f2 f2 f2 f8 f8
0x100003132c00: f2 f2 00 00 00 f2 f2 f2 f2 f2 00 00 00 00 f2 f2
0x100003132c10: f2 f2 f8 f8 f8 f8 f2 f2 f2 f2 00 00 00 f2 f2 f2
0x100003132c20: f2 f2 00 00 00 00 f2 f2 f2 f2 f8 f8 f8 f8 f2 f2
=>0x100003132c30: f2 f2 00[f2]f2 f2 00 00 00 00 00 00 00 00 00 00
0x100003132c40: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x100003132c50: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x100003132c60: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x100003132c70: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x100003132c80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
Shadow gap: cc
==387184==ABORTING
```
Attaching input json.
This sample still causes a problem, but at least the error is different :). It's no longer a segfault!
```
E0701 13:47:14.959821 1062466 Util.cpp:342] Error verifying module read from file: Instruction does not dominate all uses!
%2078 = phi i64 [ 2, %2047 ], [ 12, %2056 ]
%2054 = getelementptr i8, i8* getelementptr (i8, i8* inttoptr (i64 237 to i8*), i64 27), i64 %2078
Instruction does not dominate all uses!
%2081 = phi i64 [ 2, %2047 ], [ 12, %2056 ]
%2055 = getelementptr i8, i8* getelementptr (i8, i8* inttoptr (i64 237 to i8*), i64 27), i64 %2081
Instruction does not dominate all uses!
%2078 = phi i64 [ 2, %2047 ], [ 12, %2056 ]
%2070 = getelementptr i8, i8* getelementptr (i8, i8* inttoptr (i64 237 to i8*), i64 17), i64 %2078
Instruction does not dominate all uses!
%2081 = phi i64 [ 2, %2047 ], [ 12, %2056 ]
%2071 = getelementptr i8, i8* getelementptr (i8, i8* inttoptr (i64 237 to i8*), i64 17), i64 %2081
F0701 13:47:14.959898 1062466 Optimize.cpp:199] Check failed: remill::VerifyModule(&module)
*** Check failure stack trace: ***
@ 0x2dcfcb1 google::LogMessage::Fail()
@ 0x2dcb452 google::LogMessage::SendToLog()
@ 0x2dce005 google::LogMessage::Flush()
@ 0x2dd951c google::LogMessageFatal::~LogMessageFatal()
@ 0xaaa9d8 anvill::OptimizeModule()
@ 0x9af61a main
@ 0x7efe64a58d0a __libc_start_main
@ 0x9007ea _start
@ (nil) (unknown)
Aborted
```
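All four verifier messages above are the same complaint: a folded GEP (%2054, %2055, %2070, %2071) consumes a phi (%2078, %2081) from a position the phi does not dominate. LLVM numbers unnamed values in textual order, so %2054 sits earlier in the function than the %2078 it uses. That is the SSA dominance rule `llvm::verifyFunction` enforces. Below is an added, stand-alone C++ model of that check (example code, not anvill's InstructionFolderPass or LLVM's verifier). The block and value names are borrowed from the log only as labels, and the CFG shape (two predecessors branching to a join block that holds the phi of constants) is an assumption; it places the GEP either in a predecessor block, which the check rejects, or directly after the phi in the phi's own block, which it accepts.

```cpp
// Stand-alone model of the SSA dominance rule behind LLVM's
// "Instruction does not dominate all uses!" (illustration, not anvill/LLVM code).
#include <algorithm>
#include <cstdio>
#include <iterator>
#include <map>
#include <set>
#include <string>
#include <utility>
#include <vector>

struct Inst {
  std::string name;                   // SSA name ("%2078"); empty for terminators
  std::vector<std::string> operands;  // SSA names used (constants omitted)
  bool is_phi;
  std::vector<std::pair<std::string, std::string>> incoming;  // phi: (value, block)
};

struct Block {
  std::string name;
  std::vector<std::string> preds;
  std::vector<Inst> insts;
};

using Func = std::vector<Block>;  // blocks[0] is the entry block

// Iterative dominator sets: dom(entry) = {entry}; dom(b) = {b} plus the
// intersection of dom(p) over all predecessors p, iterated to a fixpoint.
static std::map<std::string, std::set<std::string>> Dominators(const Func &f) {
  std::set<std::string> all;
  for (const Block &b : f) all.insert(b.name);
  std::map<std::string, std::set<std::string>> dom;
  for (const Block &b : f) dom[b.name] = all;
  dom[f[0].name] = {f[0].name};
  for (bool changed = true; changed;) {
    changed = false;
    for (size_t i = 1; i < f.size(); ++i) {
      std::set<std::string> d = all;
      for (const std::string &p : f[i].preds) {
        std::set<std::string> tmp;
        std::set_intersection(d.begin(), d.end(), dom[p].begin(), dom[p].end(),
                              std::inserter(tmp, tmp.begin()));
        d.swap(tmp);
      }
      d.insert(f[i].name);
      if (d != dom[f[i].name]) { dom[f[i].name] = d; changed = true; }
    }
  }
  return dom;
}

// Verifier-style messages; an empty result means every use is dominated by its def.
static std::vector<std::string> VerifyDominance(const Func &f) {
  std::map<std::string, std::set<std::string>> dom = Dominators(f);
  std::map<std::string, std::pair<std::string, size_t>> def;  // value -> (block, index)
  for (const Block &b : f)
    for (size_t i = 0; i < b.insts.size(); ++i)
      if (!b.insts[i].name.empty()) def[b.insts[i].name] = std::make_pair(b.name, i);

  // Does value v dominate a use at position pos of block blk?
  auto dominates = [&](const std::string &v, const std::string &blk, size_t pos) {
    auto it = def.find(v);
    if (it == def.end()) return true;  // constant or argument: nothing to check
    if (it->second.first == blk) return it->second.second < pos;
    return dom[blk].count(it->second.first) > 0;
  };

  std::vector<std::string> errors;
  for (const Block &b : f)
    for (size_t i = 0; i < b.insts.size(); ++i) {
      const Inst &in = b.insts[i];
      if (in.is_phi) {  // a phi's incoming value is used at the end of the incoming block
        for (const auto &inc : in.incoming)
          if (!dominates(inc.first, inc.second, static_cast<size_t>(-1)))
            errors.push_back(inc.first + " does not dominate phi " + in.name);
      } else {
        for (const std::string &v : in.operands)
          if (!dominates(v, b.name, i))
            errors.push_back(v + " does not dominate its use in " + in.name);
      }
    }
  return errors;
}

// Constructed CFG shaped like the log: %2047 and %2056 both branch to a join block
// holding the phi. The folded GEP %2054 lands either in a predecessor (rejected)
// or right after the phi in the join block (accepted).
static Func MakeExample(bool gep_after_phi) {
  Inst br = {"", {}, false, {}};
  Block entry = {"entry", {}, {br}};
  Block a = {"%2047", {"entry"}, {br}};
  Block b = {"%2056", {"entry"}, {br}};
  Block join = {"join", {"%2047", "%2056"}, {}};
  Inst phi = {"%2078", {}, true, {{"2", "%2047"}, {"12", "%2056"}}};
  Inst gep = {"%2054", {"%2078"}, false, {}};
  join.insts.push_back(phi);
  if (gep_after_phi) join.insts.push_back(gep);
  else a.insts.insert(a.insts.begin(), gep);
  join.insts.push_back(br);
  return {entry, a, b, join};
}

int main() {
  for (const std::string &e : VerifyDominance(MakeExample(false)))
    std::printf("gep in predecessor: %s\n", e.c_str());
  std::printf("gep after phi: %zu error(s)\n", VerifyDominance(MakeExample(true)).size());
  return 0;
}
```

Compile with `c++ -std=c++11 dom.cpp && ./a.out`: the first placement reports one violation, the second none. In LLVM proper the equivalent check is `llvm::verifyFunction`, and the general rule for any pass that creates an instruction consuming a phi is to position the IRBuilder in the phi's block at `BasicBlock::getFirstInsertionPt()` rather than at the original instruction's location.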
I don't see an issue lifting the attached input.json with LLVM 12.
This pass is currently disabled due to some issues where it spams in lots of instructions.