Closed
Description
There seems to be a possible NULL pointer dereference in parseOneMetadata(). The problem occurs here:
unsigned TyID = Record[0];
Type *Ty = Callbacks.GetTypeByID(TyID); // <--- GetTypeByID() may return NULL
if (Ty->isMetadataTy() || Ty->isVoidTy()) // <--- No NULL check = SEGV
return error("Invalid record");
According to GDB, the GetTypeByID() callback routes to BitcodeReader::getTypeByID() (here). This method will return nullptr on unexpected input, leading to a crash.
To reproduce, decompress bug.o.gz, then run:
$ llvm-lto bug.o
Tested with latest LLVM head and LLVM-15. Other LLVM tools also seem to crash on this file.
Crash report:
PLEASE submit a bug report to https://github.com/llvm/llvm-project/issues/ and include the crash backtrace.
Stack dump:
0. Program arguments: debug/llvm-project/llvm/build/bin/llvm-lto bug.o
#0 0x0000558dac706f32 llvm::sys::PrintStackTrace(llvm::raw_ostream&, int) ./debug/llvm-project/llvm/lib/Support/Unix/Signals.inc:723:22
#1 0x0000558dac70734e PrintStackTraceSignalHandler(void*) ./debug/llvm-project/llvm/lib/Support/Unix/Signals.inc:798:1
#2 0x0000558dac70471b llvm::sys::RunSignalHandlers() ./debug/llvm-project/llvm/lib/Support/Signals.cpp:105:20
#3 0x0000558dac7067d6 SignalHandler(int) ./debug/llvm-project/llvm/lib/Support/Unix/Signals.inc:413:1
#4 0x00007f6eece3c4b0 (/lib/x86_64-linux-gnu/libc.so.6+0x3c4b0)
#5 0x0000558da93a248e llvm::Type::getTypeID() const ./debug/llvm-project/llvm/include/llvm/IR/Type.h:137:37
#6 0x0000558dab3cbb56 llvm::Type::isMetadataTy() const ./debug/llvm-project/llvm/include/llvm/IR/Type.h:222:53
#7 0x0000558dab427c56 llvm::MetadataLoader::MetadataLoaderImpl::parseOneMetadata(llvm::SmallVectorImpl<unsigned long>&, unsigned int, (anonymous namespace)::(anonymous namespace)::PlaceholderQueue&, llvm::StringRef, unsigned int&) ./debug/llvm-project/llvm/lib/Bitcode/Reader/MetadataLoader.cpp:1369:28
#8 0x0000558dab426580 llvm::MetadataLoader::MetadataLoaderImpl::parseMetadata(bool) ./debug/llvm-project/llvm/lib/Bitcode/Reader/MetadataLoader.cpp:1133:60
#9 0x0000558dab431624 llvm::MetadataLoader::parseMetadata(bool) ./debug/llvm-project/llvm/lib/Bitcode/Reader/MetadataLoader.cpp:2464:1
#10 0x0000558dab3cbf2f llvm::MetadataLoader::parseModuleMetadata() ./debug/llvm-project/llvm/lib/Bitcode/Reader/MetadataLoader.h:61:61
#11 0x0000558dab3add37 (anonymous namespace)::BitcodeReader::parseModule(unsigned long, bool, llvm::ParserCallbacks) ./debug/llvm-project/llvm/lib/Bitcode/Reader/BitcodeReader.cpp:4300:56
#12 0x0000558dab3af098 (anonymous namespace)::BitcodeReader::parseBitcodeInto(llvm::Module*, bool, bool, llvm::ParserCallbacks) ./debug/llvm-project/llvm/lib/Bitcode/Reader/BitcodeReader.cpp:4500:58
#13 0x0000558dab3c5b62 llvm::BitcodeModule::getModuleImpl(llvm::LLVMContext&, bool, bool, bool, llvm::ParserCallbacks) ./debug/llvm-project/llvm/lib/Bitcode/Reader/BitcodeReader.cpp:7941:61
#14 0x0000558dab3c73eb llvm::BitcodeModule::parseModule(llvm::LLVMContext&, llvm::ParserCallbacks) ./debug/llvm-project/llvm/lib/Bitcode/Reader/BitcodeReader.cpp:8141:62
#15 0x0000558dab3c7529 llvm::parseBitcodeFile(llvm::MemoryBufferRef, llvm::LLVMContext&, llvm::ParserCallbacks) ./debug/llvm-project/llvm/lib/Bitcode/Reader/BitcodeReader.cpp:8153:44
#16 0x0000558dac265bbf parseBitcodeFileImpl(llvm::MemoryBufferRef, llvm::LLVMContext&, bool) ./debug/llvm-project/llvm/lib/LTO/LTOModule.cpp:185:59
#17 0x0000558dac265d7c llvm::LTOModule::makeLTOModule(llvm::MemoryBufferRef, llvm::TargetOptions const&, llvm::LLVMContext&, bool) ./debug/llvm-project/llvm/lib/LTO/LTOModule.cpp:198:57
#18 0x0000558dac2654d5 llvm::LTOModule::createFromFile(llvm::LLVMContext&, llvm::StringRef, llvm::TargetOptions const&) ./debug/llvm-project/llvm/lib/LTO/LTOModule.cpp:121:47
#19 0x0000558da9017a75 main ./debug/llvm-project/llvm/tools/llvm-lto/llvm-lto.cpp:1031:43
#20 0x00007f6eece23a90 __libc_start_call_main ./csu/../sysdeps/nptl/libc_start_call_main.h:74:3
#21 0x00007f6eece23b49 call_init ./csu/../csu/libc-start.c:128:20
#22 0x00007f6eece23b49 __libc_start_main ./csu/../csu/libc-start.c:347:5
#23 0x0000558da9014125 _start (debug/llvm-project/llvm/build/bin/llvm-lto+0x5d6125)
Stack trace (GDB):
#0 0x0000555555eb848e in llvm::Type::getTypeID (this=0x0) at ./debug/llvm-project/llvm/include/llvm/IR/Type.h:137
#1 0x0000555557ee1b56 in llvm::Type::isMetadataTy (this=0x0) at ./debug/llvm-project/llvm/include/llvm/IR/Type.h:222
#2 0x0000555557f3dc56 in llvm::MetadataLoader::MetadataLoaderImpl::parseOneMetadata (this=0x555561cea620, Record=..., Code=2, Placeholders=..., Blob=..., NextMetadataNo=@0x7fffffffc2d4: 7)
at ./debug/llvm-project/llvm/lib/Bitcode/Reader/MetadataLoader.cpp:1369
#3 0x0000555557f3c580 in llvm::MetadataLoader::MetadataLoaderImpl::parseMetadata (this=0x555561cea620, ModuleLevel=true) at ./debug/llvm-project/llvm/lib/Bitcode/Reader/MetadataLoader.cpp:1133
#4 0x0000555557f47624 in llvm::MetadataLoader::parseMetadata (this=0x555561cea0f8, ModuleLevel=true) at ./debug/llvm-project/llvm/lib/Bitcode/Reader/MetadataLoader.cpp:2463
#5 0x0000555557ee1f2f in llvm::MetadataLoader::parseModuleMetadata (this=0x555561cea0f8) at ./debug/llvm-project/llvm/lib/Bitcode/Reader/MetadataLoader.h:61
#6 0x0000555557ec3d37 in (anonymous namespace)::BitcodeReader::parseModule (this=0x555561ce9dd0, ResumeBit=0, ShouldLazyLoadMetadata=false, Callbacks=...) at ./debug/llvm-project/llvm/lib/Bitcode/Reader/BitcodeReader.cpp:4300
#7 0x0000555557ec5098 in (anonymous namespace)::BitcodeReader::parseBitcodeInto (this=0x555561ce9dd0, M=0x555561c7d270, ShouldLazyLoadMetadata=false, IsImporting=false, Callbacks=...)
at ./debug/llvm-project/llvm/lib/Bitcode/Reader/BitcodeReader.cpp:4500
#8 0x0000555557edbb62 in llvm::BitcodeModule::getModuleImpl (this=0x7fffffffcfa0, Context=..., MaterializeAll=true, ShouldLazyLoadMetadata=false, IsImporting=false, Callbacks=...)
at ./debug/llvm-project/llvm/lib/Bitcode/Reader/BitcodeReader.cpp:7941
#9 0x0000555557edd3eb in llvm::BitcodeModule::parseModule (this=0x7fffffffcfa0, Context=..., Callbacks=...) at ./debug/llvm-project/llvm/lib/Bitcode/Reader/BitcodeReader.cpp:8141
#10 0x0000555557edd529 in llvm::parseBitcodeFile (Buffer=..., Context=..., Callbacks=...) at ./debug/llvm-project/llvm/lib/Bitcode/Reader/BitcodeReader.cpp:8153
#11 0x0000555558d7bbbf in parseBitcodeFileImpl (Buffer=..., Context=..., ShouldBeLazy=false) at ./debug/llvm-project/llvm/lib/LTO/LTOModule.cpp:185
#12 0x0000555558d7bd7c in llvm::LTOModule::makeLTOModule (Buffer=..., options=..., Context=..., ShouldBeLazy=false) at ./debug/llvm-project/llvm/lib/LTO/LTOModule.cpp:198
#13 0x0000555558d7b4d5 in llvm::LTOModule::createFromFile (Context=..., path=..., options=...) at ./debug/llvm-project/llvm/lib/LTO/LTOModule.cpp:121
#14 0x0000555555b2da75 in main (argc=2, argv=0x7fffffffdff8) at ./debug/llvm-project/llvm/tools/llvm-lto/llvm-lto.cpp:1030
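Added example (not part of the report above and not LLVM's own code): a small, self-contained C++ model of the "look a Type up by record ID, then dereference the result" pattern the report describes, with the unchecked shape next to a checked one that turns a bad ID into a parse error. The names TypeTable, parseValueRecordUnchecked, parseValueRecordChecked and makeSampleTable, the Status enum, and the sample records are all invented for illustration; the real reader's type table, error plumbing and the eventual upstream fix may differ.

```cpp
// Hypothetical model of the reported pattern; names and data are constructed
// for this example and are not taken from the LLVM sources.
#include <cstdint>
#include <cstdio>
#include <string>
#include <vector>

enum class TypeKind { Integer, Void, Metadata };

struct Type {
  TypeKind Kind;
  bool isVoidTy() const { return Kind == TypeKind::Void; }
  bool isMetadataTy() const { return Kind == TypeKind::Metadata; }
};

// Stand-in for the reader's type table: slots are filled as type records are
// parsed, so an ID from an untrusted file can be out of range or still empty.
struct TypeTable {
  std::vector<Type *> Slots;
  Type *getTypeByID(unsigned ID) const {
    if (ID >= Slots.size())
      return nullptr;
    return Slots[ID]; // nullptr if this slot was never defined
  }
};

enum class Status { Ok, EmptyRecord, UnknownType, InvalidType };

// Vulnerable shape: trusts getTypeByID() and dereferences whatever it returns.
// Calling this with an undefined or out-of-range ID reproduces the crash.
Status parseValueRecordUnchecked(const std::vector<uint64_t> &Record,
                                 const TypeTable &Types) {
  unsigned TyID = static_cast<unsigned>(Record[0]);
  Type *Ty = Types.getTypeByID(TyID);
  if (Ty->isMetadataTy() || Ty->isVoidTy()) // NULL dereference when Ty == nullptr
    return Status::InvalidType;
  return Status::Ok;
}

// Hardened shape: validate the record length and the lookup result before
// touching the pointer, and report a parse error instead of crashing.
Status parseValueRecordChecked(const std::vector<uint64_t> &Record,
                               const TypeTable &Types) {
  if (Record.empty())
    return Status::EmptyRecord;
  unsigned TyID = static_cast<unsigned>(Record[0]);
  Type *Ty = Types.getTypeByID(TyID);
  if (!Ty)
    return Status::UnknownType; // untrusted ID: reject, do not dereference
  if (Ty->isMetadataTy() || Ty->isVoidTy())
    return Status::InvalidType;
  return Status::Ok;
}

// Constructed table: slot 0 = integer, slot 1 = never defined, slot 2 = metadata.
TypeTable makeSampleTable() {
  static Type I32{TypeKind::Integer};
  static Type Md{TypeKind::Metadata};
  TypeTable T;
  T.Slots = {&I32, nullptr, &Md};
  return T;
}

int main() {
  TypeTable T = makeSampleTable();
  // Constructed records: valid ID, undefined slot, out-of-range ID,
  // metadata type, and an empty record.
  std::vector<std::vector<uint64_t>> Records = {{0}, {1}, {7}, {2}, {}};
  for (const auto &R : Records) {
    std::string Id = R.empty() ? "<none>" : std::to_string(R[0]);
    Status S = parseValueRecordChecked(R, T);
    std::printf("record[0]=%s -> status %d\n", Id.c_str(), static_cast<int>(S));
  }
  return 0;
}
```

The checked version makes the three untrusted-input cases explicit: a record too short to carry a type ID, an ID past the end of the table, and an ID whose slot exists but was never filled. All three are exactly the inputs a fuzzed or hand-crafted bitcode file can supply, and all three are turned into an error result rather than a dereference of nullptr.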