haampie / libtree

ldd as a tree
MIT License

Segfault with llvm library #55

Closed orbea closed 2 years ago

orbea commented 2 years ago

libtree: https://github.com/haampie/libtree/commit/3eae707716f2c09ca1708d00fd0f6b367a6a8c0c

For some reason this library is problematic with libtree.

$ ./libtree /usr/lib64/libLLVMAMDGPUAsmParser.so
libLLVMAMDGPUAsmParser.so.12 
├── libLLVMMCParser.so.12 [runpath]
│   ├── libLLVMMC.so.12 [runpath]
│   │   ├── libLLVMBinaryFormat.so.12 [runpath]
│   │   │   └── libLLVMSupport.so.12 [runpath]
│   │   │       ├── libLLVMDemangle.so.12 [runpath]
│   │   │       ├── libz.so.1 [runpath]
│   │   │       ├── libtinfo.so.6 [runpath]
│   │   │       └── librt.so.1 [ld.so.conf]
=================================================================
==23667==ERROR: AddressSanitizer: heap-use-after-free on address 0x6190000003b4 at pc 0x0000004d547c bp 0x7ffc447a51d0 sp 0x7ffc447a51c8
READ of size 1 at 0x6190000003b4 thread T0
    #0 0x4d547b in check_search_paths /tmp/libtree/libtree.c:387:12
    #1 0x4d151d in recurse /tmp/libtree/libtree.c:1252:9
    #2 0x4d5c51 in check_search_paths /tmp/libtree/libtree.c:426:17
    #3 0x4d151d in recurse /tmp/libtree/libtree.c:1252:9
    #4 0x4d5c51 in check_search_paths /tmp/libtree/libtree.c:426:17
    #5 0x4d151d in recurse /tmp/libtree/libtree.c:1252:9
    #6 0x4d5c51 in check_search_paths /tmp/libtree/libtree.c:426:17
    #7 0x4d151d in recurse /tmp/libtree/libtree.c:1252:9
    #8 0x4cc86c in print_tree /tmp/libtree/libtree.c:1462:22
    #9 0x4cc4b3 in main /tmp/libtree/libtree.c:1628:12
    #10 0x7fc79bfe401c in __libc_start_main (/lib64/libc.so.6+0x2401c)
    #11 0x41f369 in _start /tmp/glibc-2.33/csu/../sysdeps/x86_64/start.S:120

0x6190000003b4 is located 820 bytes inside of 1024-byte region [0x619000000080,0x619000000480)
freed by thread T0 here:
    #0 0x49aa19 in realloc /tmp/llvm-12.0.0.src/build/../projects/compiler-rt/lib/asan/asan_malloc_linux.cpp:164:3
    #1 0x4d2cf1 in string_table_maybe_grow /tmp/libtree/libtree.c:307:17
    #2 0x4d4397 in string_table_copy_from_file /tmp/libtree/libtree.c:325:9
    #3 0x4cfc25 in recurse /tmp/libtree/libtree.c:1152:9
    #4 0x4d5c51 in check_search_paths /tmp/libtree/libtree.c:426:17
    #5 0x4d151d in recurse /tmp/libtree/libtree.c:1252:9
    #6 0x4d5c51 in check_search_paths /tmp/libtree/libtree.c:426:17
    #7 0x4d151d in recurse /tmp/libtree/libtree.c:1252:9
    #8 0x4d5c51 in check_search_paths /tmp/libtree/libtree.c:426:17
    #9 0x4d151d in recurse /tmp/libtree/libtree.c:1252:9
    #10 0x4d5c51 in check_search_paths /tmp/libtree/libtree.c:426:17
    #11 0x4d151d in recurse /tmp/libtree/libtree.c:1252:9
    #12 0x4cc86c in print_tree /tmp/libtree/libtree.c:1462:22
    #13 0x4cc4b3 in main /tmp/libtree/libtree.c:1628:12
    #14 0x7fc79bfe401c in __libc_start_main (/lib64/libc.so.6+0x2401c)

previously allocated by thread T0 here:
    #0 0x49a6fd in malloc /tmp/llvm-12.0.0.src/build/../projects/compiler-rt/lib/asan/asan_malloc_linux.cpp:145:3
    #1 0x4cc9bf in libtree_state_init /tmp/libtree/libtree.c:1439:27
    #2 0x4cc6de in print_tree /tmp/libtree/libtree.c:1453:5
    #3 0x4cc4b3 in main /tmp/libtree/libtree.c:1628:12
    #4 0x7fc79bfe401c in __libc_start_main (/lib64/libc.so.6+0x2401c)

SUMMARY: AddressSanitizer: heap-use-after-free /tmp/libtree/libtree.c:387:12 in check_search_paths
Shadow bytes around the buggy address:
  0x0c327fff8020: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c327fff8030: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c327fff8040: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c327fff8050: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c327fff8060: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
=>0x0c327fff8070: fd fd fd fd fd fd[fd]fd fd fd fd fd fd fd fd fd
  0x0c327fff8080: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c327fff8090: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c327fff80a0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c327fff80b0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c327fff80c0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
  Shadow gap:              cc
==23667==ABORTING

For reference with ldd(1).

$ ldd /usr/lib64/libLLVMAMDGPUAsmParser.so
    linux-vdso.so.1 (0x00007ffec0fbc000)
    libLLVMMCParser.so.12 => /usr/lib64/../lib64/libLLVMMCParser.so.12 (0x00007f2b76700000)
    libLLVMAMDGPUDesc.so.12 => /usr/lib64/../lib64/libLLVMAMDGPUDesc.so.12 (0x00007f2b76380000)
    libLLVMAMDGPUInfo.so.12 => /usr/lib64/../lib64/libLLVMAMDGPUInfo.so.12 (0x00007f2b76378000)
    libLLVMAMDGPUUtils.so.12 => /usr/lib64/../lib64/libLLVMAMDGPUUtils.so.12 (0x00007f2b76300000)
    libLLVMMC.so.12 => /usr/lib64/../lib64/libLLVMMC.so.12 (0x00007f2b76220000)
    libLLVMSupport.so.12 => /usr/lib64/../lib64/libLLVMSupport.so.12 (0x00007f2b76038000)
    libstdc++.so.6 => /usr/lib64/../lib64/libstdc++.so.6 (0x00007f2b75e20000)
    libm.so.6 => /lib64/libm.so.6 (0x00007f2b75cb8000)
    libgcc_s.so.1 => /usr/lib64/../lib64/libgcc_s.so.1 (0x00007f2b75c98000)
    libc.so.6 => /lib64/libc.so.6 (0x00007f2b75ab8000)
    libLLVMCore.so.12 => /usr/lib64/../lib64/../lib64/libLLVMCore.so.12 (0x00007f2b75750000)
    libLLVMBinaryFormat.so.12 => /usr/lib64/../lib64/../lib64/libLLVMBinaryFormat.so.12 (0x00007f2b75728000)
    libLLVMDebugInfoCodeView.so.12 => /usr/lib64/../lib64/../lib64/libLLVMDebugInfoCodeView.so.12 (0x00007f2b75678000)
    librt.so.1 => /lib64/librt.so.1 (0x00007f2b75668000)
    libdl.so.2 => /lib64/libdl.so.2 (0x00007f2b75660000)
    libpthread.so.0 => /lib64/libpthread.so.0 (0x00007f2b75638000)
    libz.so.1 => /usr/lib64/../lib64/../lib64/libz.so.1 (0x00007f2b75420000)
    libtinfo.so.6 => /usr/lib64/../lib64/../lib64/libtinfo.so.6 (0x00007f2b753e8000)
    libLLVMDemangle.so.12 => /usr/lib64/../lib64/../lib64/libLLVMDemangle.so.12 (0x00007f2b75398000)
    /lib64/ld-linux-x86-64.so.2 (0x00007f2b76978000)
    libLLVMRemarks.so.12 => /usr/lib64/../lib64/../lib64/../lib64/libLLVMRemarks.so.12 (0x00007f2b75368000)
    libLLVMDebugInfoMSF.so.12 => /usr/lib64/../lib64/../lib64/../lib64/libLLVMDebugInfoMSF.so.12 (0x00007f2b75350000)
    libLLVMBitstreamReader.so.12 => /usr/lib64/../lib64/../lib64/../lib64/../lib64/libLLVMBitstreamReader.so.12 (0x00007f2b75340000)
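The stacks in the AddressSanitizer report above point at a well-known C bug class: the 1024-byte string table allocated in libtree_state_init is grown with realloc() inside string_table_maybe_grow (the "freed by" stack), while an outer check_search_paths frame still holds a pointer into the old block and reads through it after the recursive call returns (the "READ" stack). realloc() invalidates the old pointer even when the block does not move, so this is a genuine use-after-free and not an ASan flake. The following is an added example written for this page, not libtree's code and not code from the issue: it reconstructs the shape of that bug in a hypothetical string table, holding a raw char* across a call that may grow the table, next to the hardened form that keeps an offset and re-derives the pointer after every call that can realloc. The function names, the 16-byte initial capacity with doubling, and the dependency list (built from library names in the output above) are all assumptions made for the example.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical growable string table (added example; not libtree's implementation). */
struct string_table {
    char *arr;        /* realloc()-managed backing store */
    size_t n;         /* bytes in use */
    size_t capacity;  /* bytes allocated */
    size_t growths;   /* number of realloc() calls that enlarged arr */
};

/* Make room for `extra` more bytes. After realloc() the previous value of st->arr is
 * invalid whether or not the block moved, so every pointer derived from it is dead. */
static int string_table_maybe_grow(struct string_table *st, size_t extra) {
    if (st->n + extra <= st->capacity) return 0;
    size_t cap = st->capacity ? st->capacity : 16; /* assumed growth policy */
    while (cap < st->n + extra) cap *= 2;
    char *p = realloc(st->arr, cap);
    if (p == NULL) return -1;
    st->arr = p;
    st->capacity = cap;
    st->growths++;
    return 0;
}

/* Append a NUL-terminated string; return its offset, which stays valid across growth. */
static size_t string_table_store(struct string_table *st, const char *s) {
    size_t len = strlen(s) + 1;
    if (string_table_maybe_grow(st, len) != 0) abort();
    size_t off = st->n;
    memcpy(st->arr + off, s, len);
    st->n += len;
    return off;
}

/* Constructed sample input: a dependency chain long enough to force several growths. */
static const char *const DEPS[] = {
    "libLLVMMCParser.so.12", "libLLVMMC.so.12", "libLLVMBinaryFormat.so.12",
    "libLLVMSupport.so.12", "libLLVMDemangle.so.12", "libz.so.1",
};
#define NDEPS (sizeof DEPS / sizeof DEPS[0])

/* BUGGY shape: a char* into st->arr is kept across a recursive call that stores more
 * strings. Dereferencing `name` after the call is the heap-use-after-free; instead of
 * doing that, this counts how many held pointers a realloc() underneath invalidated. */
static int buggy_walk(struct string_table *st, size_t depth) {
    if (depth >= NDEPS) return 0;
    size_t off = string_table_store(st, DEPS[depth]);
    const char *name = st->arr + off;            /* raw pointer into the buffer */
    size_t growths_before = st->growths;
    int invalidated = buggy_walk(st, depth + 1); /* may realloc() st->arr */
    (void)name;                                  /* *name here would be the UAF */
    if (st->growths != growths_before) invalidated++;
    return invalidated;
}

/* HARDENED shape: keep the offset and re-derive the pointer after any call that can grow
 * the table. Returns the number of entries that no longer match what was stored (0). */
static int safe_walk(struct string_table *st, size_t depth) {
    if (depth >= NDEPS) return 0;
    size_t off = string_table_store(st, DEPS[depth]);
    int mismatches = safe_walk(st, depth + 1);
    const char *name = st->arr + off;            /* re-derived: always current */
    if (strcmp(name, DEPS[depth]) != 0) mismatches++;
    return mismatches;
}

static void string_table_free(struct string_table *st) {
    free(st->arr);
    memset(st, 0, sizeof *st);
}

struct demo_result { int invalidated; int mismatches; size_t growths, bytes, capacity; };

/* Run both walks on fresh tables and report what happened. */
struct demo_result run_demo(void) {
    struct demo_result r;
    struct string_table st = {0};
    r.invalidated = buggy_walk(&st, 0);
    string_table_free(&st);
    r.mismatches = safe_walk(&st, 0);
    r.growths = st.growths;
    r.bytes = st.n;
    r.capacity = st.capacity;
    string_table_free(&st);
    return r;
}

int main(void) {
    struct demo_result r = run_demo();
    printf("held pointers invalidated by realloc: %d\n", r.invalidated);
    printf("offset-based lookups wrong after %zu growths: %d\n", r.growths, r.mismatches);
    return (r.invalidated > 0 && r.mismatches == 0) ? 0 : 1;
}
```

Building this with -fsanitize=address and replacing the `(void)name;` line with a read of `*name` reproduces a report of the same shape as the one above (a READ in the outer frame, freed by realloc in the inner one). Note that buggy_walk counts a pointer as invalidated whenever a growth happened beneath it, regardless of whether realloc() actually moved the block: that is the rule the language imposes, and the reason such bugs surface only on some inputs, allocators or library sizes until a sanitizer catches them.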
haampie commented 2 years ago

Pushed a fix, thanks for test-driving the new version!

orbea commented 2 years ago

Works with commit d51185d9fa83dd0525ef135bb3c40391f42cb932, thanks!

$ ./libtree /usr/lib64/libLLVMAMDGPUAsmParser.so
libLLVMAMDGPUAsmParser.so.12 
├── libLLVMMCParser.so.12 [runpath]
│   ├── libLLVMMC.so.12 [runpath]
│   │   ├── libLLVMBinaryFormat.so.12 [runpath]
│   │   │   └── libLLVMSupport.so.12 [runpath]
│   │   │       ├── libLLVMDemangle.so.12 [runpath]
│   │   │       ├── libz.so.1 [runpath]
│   │   │       ├── libtinfo.so.6 [runpath]
│   │   │       └── librt.so.1 [ld.so.conf]
│   │   ├── libLLVMSupport.so.12 [runpath]
│   │   └── libLLVMDebugInfoCodeView.so.12 [runpath]
│   │       ├── libLLVMDebugInfoMSF.so.12 [runpath]
│   │       │   └── libLLVMSupport.so.12 [runpath]
│   │       └── libLLVMSupport.so.12 [runpath]
│   └── libLLVMSupport.so.12 [runpath]
├── libLLVMSupport.so.12 [runpath]
├── libLLVMMC.so.12 [runpath]
├── libLLVMAMDGPUUtils.so.12 [runpath]
│   ├── libLLVMCore.so.12 [runpath]
│   │   ├── libLLVMSupport.so.12 [runpath]
│   │   ├── libLLVMRemarks.so.12 [runpath]
│   │   │   ├── libLLVMBitstreamReader.so.12 [runpath]
│   │   │   │   └── libLLVMSupport.so.12 [runpath]
│   │   │   └── libLLVMSupport.so.12 [runpath]
│   │   └── libLLVMBinaryFormat.so.12 [runpath]
│   ├── libLLVMSupport.so.12 [runpath]
│   ├── libLLVMBinaryFormat.so.12 [runpath]
│   └── libLLVMMC.so.12 [runpath]
├── libLLVMAMDGPUInfo.so.12 [runpath]
│   └── libLLVMSupport.so.12 [runpath]
└── libLLVMAMDGPUDesc.so.12 [runpath]
    ├── libLLVMAMDGPUInfo.so.12 [runpath]
    ├── libLLVMSupport.so.12 [runpath]
    ├── libLLVMBinaryFormat.so.12 [runpath]
    ├── libLLVMMC.so.12 [runpath]
    ├── libLLVMCore.so.12 [runpath]
    └── libLLVMAMDGPUUtils.so.12 [runpath]