llvm / llvm-project

The LLVM Project is a collection of modular and reusable compiler and toolchain technologies.
http://llvm.org

libclang crashes with segmentation fault with python bindings #33832

Open llvmbot opened 7 years ago

llvmbot commented 7 years ago
Bugzilla Link 34484
Version unspecified
OS Linux
Reporter LLVM Bugzilla Contributor
CC @zygoloid

Extended Description

The full description can be found here: https://stackoverflow.com/questions/45901636/python-clang-crashes-with-segmentation-fault

While trying to traverse the clang AST using the python-clang bindings on the bitcoin open-source project, libclang crashes with a segmentation fault. At first I used libclang version 3.8, but it also happens with versions 3.9, 4.0, 5.0 and 6.0 (6.0~svn312460-1~exp1).

backtrace:

#0  clang::TagType::getDecl (this=0x0) at /build/llvm-toolchain-3.8-_PD09B/llvm-toolchain-3.8-3.8/tools/clang/lib/AST/Type.cpp:2962
#1  0x00007f9ecbe65caf in clang::RecordType::getDecl (this=<optimized out>) at /build/llvm-toolchain-3.8-_PD09B/llvm-toolchain-3.8-3.8/tools/clang/include/clang/AST/Type.h:3554
#2  (anonymous namespace)::CXXNameMangler::mangleUnqualifiedName (this=this@entry=0x7ffe35f45470, ND=ND@entry=0x7f9ec0092cc8, Name=..., AdditionalAbiTags=AdditionalAbiTags@entry=0x7ffe35f453c0, KnownArity=4294967295) at /build/llvm-toolchain-3.8-_PD09B/llvm-toolchain-3.8-3.8/tools/clang/lib/AST/ItaniumMangle.cpp:1184
#3  0x00007f9ecbe60250 in (anonymous namespace)::CXXNameMangler::mangleUnqualifiedName (AdditionalAbiTags=0x7ffe35f453c0, ND=<optimized out>, this=0x7ffe35f45470) at /build/llvm-toolchain-3.8-_PD09B/llvm-toolchain-3.8-3.8/tools/clang/lib/AST/ItaniumMangle.cpp:481
#4  (anonymous namespace)::CXXNameMangler::mangleLocalName (this=this@entry=0x7ffe35f45470, D=D@entry=0x7f9ec0092cc8, AdditionalAbiTags=AdditionalAbiTags@entry=0x7ffe35f453c0, ExcludeUnqualifiedName=ExcludeUnqualifiedName@entry=false) at /build/llvm-toolchain-3.8-_PD09B/llvm-toolchain-3.8-3.8/tools/clang/lib/AST/ItaniumMangle.cpp:1471
#5  0x00007f9ecbe607b7 in (anonymous namespace)::CXXNameMangler::mangleNameWithAbiTags (this=this@entry=0x7ffe35f45470, ND=ND@entry=0x7f9ec0092cc8, AdditionalAbiTags=AdditionalAbiTags@entry=0x7ffe35f453c0, ExcludeUnqualifiedName=ExcludeUnqualifiedName@entry=false) at /build/llvm-toolchain-3.8-_PD09B/llvm-toolchain-3.8-3.8/tools/clang/lib/AST/ItaniumMangle.cpp:801
#6  0x00007f9ecbe61621 in (anonymous namespace)::CXXNameMangler::mangleName (this=0x7ffe35f45470, ND=0x7f9ec0092cc8, ExcludeUnqualifiedName=<optimized out>) at /build/llvm-toolchain-3.8-_PD09B/llvm-toolchain-3.8-3.8/tools/clang/lib/AST/ItaniumMangle.cpp:776
#7  0x00007f9ecbe62822 in (anonymous namespace)::ItaniumMangleContextImpl::mangleCXXName (this=<optimized out>, D=0x7f9ec0092cc8, Out=...) at /build/llvm-toolchain-3.8-_PD09B/llvm-toolchain-3.8-3.8/tools/clang/lib/AST/ItaniumMangle.cpp:4422
#8  0x00007f9ecbd4df6b in clang_Cursor_getMangling (C=...) at /build/llvm-toolchain-3.8-_PD09B/llvm-toolchain-3.8-3.8/tools/clang/tools/libclang/CIndex.cpp:3996
#9  0x00007f9eccbd2e40 in ffi_call_unix64 () from /usr/lib/x86_64-linux-gnu/libffi.so.6
#10 0x00007f9eccbd28ab in ffi_call () from /usr/lib/x86_64-linux-gnu/libffi.so.6

llvmbot commented 6 years ago

I've submitted another review request to Phabricator: https://reviews.llvm.org/D39639

llvmbot commented 7 years ago

@Sagi Ben, thanks for your comment.

I'm afraid the patch is intended to be a starting point for investigation, nothing more. I doubt that it would be an adequate fix without further work by someone more familiar with the Itanium ABI code.

llvmbot commented 7 years ago

I applied the patch on the latest clang source code.

I get an assertion failure:

/home/sagi/trees/community/clang/lib/AST/ItaniumMangle.cpp:1337: void (anonymous namespace)::CXXNameMangler::mangleUnqualifiedName(const clang::NamedDecl *, clang::DeclarationName, unsigned int, const (anonymous namespace)::CXXNameMangler::AbiTagList *): Assertion `RD->isAnonymousStructOrUnion() && "Expected anonymous struct or union!"' failed.

llvmbot commented 7 years ago

The issue seems to be in ItaniumMangle.cpp and can be triggered on macOS by asking for mangled names from a C++ (not C) TU containing a struct with a void (*)(void) function pointer member.

I'm not familiar with this part of clang but have a very simple patch that might provide a useful starting point for further investigation.

Simple test (and crude fix) submitted to Phabricator as: https://reviews.llvm.org/D37639
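The trigger described in the comment above, as an added reproducer that is not part of the bug report or of the LLVM project: it parses a constructed C++ TU containing a struct with a void (*)(void) member through the python-clang bindings and asks for mangled_name on every cursor, but does each query from a forked child, so a segmentation fault inside libclang comes back as a crash result instead of killing the analysis script. That matters for any tool that runs libclang over source it does not control (a scanner or CI linter), where one crafted file would otherwise take the whole run down. The clang.cindex calls (Index.create, Index.parse with unsaved_files, Cursor.walk_preorder, Cursor.kind, Cursor.mangled_name) are the real binding API; run_isolated, crash_with_segv, CRASHED, SEGV_SIGNUM and the sample source are assumptions made for this example. The reproducer part needs the clang Python package and a matching libclang; the isolation helper is plain Python and only needs os.fork().

```python
"""Added reproducer for the mangled_name crash, with crash isolation.

Not code from the bug report or from LLVM.  collect_mangled_names() needs
the `clang` Python bindings (clang.cindex) plus a matching libclang;
run_isolated() is plain Python and only needs os.fork().
"""
import os
import pickle
import signal

# Constructed C++ translation unit: a struct with a void (*)(void) member,
# the shape the thread reports as the trigger.
CXX_SOURCE = """
struct Handlers {
    void (*on_event)(void);
};
Handlers g_handlers;
"""

CRASHED = "crashed"                 # marker for "child died from a signal"
SEGV_SIGNUM = int(signal.SIGSEGV)   # numeric value of SIGSEGV on this platform


def run_isolated(fn, *args):
    """Call fn(*args) in a forked child and return ("ok", result).

    A signal death in the child (e.g. SIGSEGV inside libclang) is returned
    to the caller as (CRASHED, signal_number); a Python exception raised by
    fn comes back as ("error", repr(exc)).  The parent never dies.
    """
    read_end, write_end = os.pipe()
    pid = os.fork()
    if pid == 0:
        # Child: run the risky call and ship the outcome through the pipe.
        os.close(read_end)
        try:
            payload = pickle.dumps(("ok", fn(*args)))
        except Exception as exc:
            payload = pickle.dumps(("error", repr(exc)))
        with os.fdopen(write_end, "wb") as out:
            out.write(payload)
        os._exit(0)

    # Parent: collect what the child managed to send, then reap it.
    os.close(write_end)
    with os.fdopen(read_end, "rb") as inp:
        data = inp.read()
    _, status = os.waitpid(pid, 0)
    if os.WIFSIGNALED(status):
        return (CRASHED, os.WTERMSIG(status))
    if not data:
        return ("error", "child exited without reporting a result")
    return pickle.loads(data)


def crash_with_segv():
    """Deliberately die from SIGSEGV; stands in for a libclang crash."""
    os.kill(os.getpid(), signal.SIGSEGV)


def collect_mangled_names(source=CXX_SOURCE, filename="repro.cpp"):
    """Parse `source` as C++ and query mangled_name for every named cursor,
    each query isolated so one libclang crash does not end the traversal.
    Returns {(cursor kind name, spelling): outcome tuple from run_isolated}."""
    from clang import cindex  # imported lazily: only the reproducer needs it

    index = cindex.Index.create()
    tu = index.parse(filename, args=["-x", "c++", "-std=c++11"],
                     unsaved_files=[(filename, source)])
    outcomes = {}
    for cursor in tu.cursor.walk_preorder():
        if not cursor.spelling:
            continue
        # The default argument binds this cursor; fork() gives the child its
        # own copy of the parsed TU, so the property is read there.
        outcomes[(cursor.kind.name, cursor.spelling)] = run_isolated(
            lambda c=cursor: c.mangled_name)
    return outcomes


if __name__ == "__main__":
    for (kind, name), outcome in collect_mangled_names().items():
        if outcome[0] == CRASHED:
            shown = "CRASH (signal %d)" % outcome[1]
        else:
            shown = outcome[1]
        print("%-20s %-12s %s" % (kind, name, shown))
```

On an affected libclang the cursors whose mangling reaches the null RecordType::getDecl seen in the backtraces come back as CRASHED and the traversal continues; on a build without the bug every query returns ("ok", name). Forking once per cursor is deliberate here so the crashing cursor can be pinpointed; real tooling would rather isolate one translation unit per worker process and treat a signal death as a finding about the input, not as an unexplained tool failure.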

llvmbot commented 7 years ago

Hi, thanks!!

I verified that removing it from the print statement hides the crash, but should it crash with a segfault or should it throw an exception?

Sagi.

llvmbot commented 7 years ago

The call to node.mangled_name is causing a crash, not sure if that might give you an interim fix.

I'll dig into why this goes wrong.

llvmbot commented 7 years ago

backtrace for latest libclang:

#0  clang::TagType::getDecl() const () at /build/llvm-toolchain-snapshot-6.0~svn312504/tools/clang/lib/AST/Type.cpp:2988
#1  0x00007ffff518f23d in (anonymous namespace)::CXXNameMangler::mangleUnqualifiedName(clang::NamedDecl const*, clang::DeclarationName, unsigned int, llvm::SmallVector<llvm::StringRef, 4u> const*) [clone .constprop.749] () at /build/llvm-toolchain-snapshot-6.0~svn312504/tools/clang/include/clang/AST/Type.h:3791
#2  0x00007ffff5190685 in (anonymous namespace)::CXXNameMangler::mangleLocalName(clang::Decl const*, llvm::SmallVector<llvm::StringRef, 4u> const*) () at /build/llvm-toolchain-snapshot-6.0~svn312504/tools/clang/lib/AST/ItaniumMangle.cpp:487
#3  0x00007ffff5190c1f in (anonymous namespace)::CXXNameMangler::mangleNameWithAbiTags(clang::NamedDecl const*, llvm::SmallVector<llvm::StringRef, 4u> const*) () at /build/llvm-toolchain-snapshot-6.0~svn312504/tools/clang/lib/AST/ItaniumMangle.cpp:866
#4  0x00007ffff518c7ef in (anonymous namespace)::CXXNameMangler::mangleName(clang::NamedDecl const*) () at /build/llvm-toolchain-snapshot-6.0~svn312504/tools/clang/lib/AST/ItaniumMangle.cpp:822
#5  0x00007ffff5187ac1 in (anonymous namespace)::ItaniumMangleContextImpl::mangleCXXName(clang::NamedDecl const*, llvm::raw_ostream&) () at /build/llvm-toolchain-snapshot-6.0~svn312504/tools/clang/lib/AST/ItaniumMangle.cpp:4686
warning: Could not find DWO CU CMakeFiles/clangIndex.dir/CodegenNameGenerator.cpp.dwo(0xf5a023084daf1c61) referenced by CU at offset 0x1884 [in module /usr/lib/debug/.build-id/71/6b13ccc5fd8b1fed075592557487fff0f3bd99.debug]
warning: (Internal error: pc 0x7ffff5331008 in read in psymtab, but not in symtab.)
warning: (Internal error: pc 0x7ffff5330d70 in read in psymtab, but not in symtab.)
#6  0x00007ffff5331009 in clang::index::CodegenNameGenerator::getName[abi:cxx11](clang::Decl const*) () at /build/llvm-toolchain-snapshot-6.0~svn312504/tools/clang/lib/Index/CodegenNameGenerator.cpp:126
warning: Could not find DWO CU CMakeFiles/libclang.dir/CIndex.cpp.dwo(0xa704430e2abfdcd4) referenced by CU at offset 0x68 [in module /usr/lib/debug/.build-id/71/6b13ccc5fd8b1fed075592557487fff0f3bd99.debug]
#7  0x00007ffff506cfaa in clang_Cursor_getMangling () at /build/llvm-toolchain-snapshot-6.0~svn312504/tools/clang/tools/libclang/CIndex.cpp:4625
#8  0x00007ffff66f8e20 in ffi_call_unix64 () from /usr/lib/python3.5/lib-dynload/_ctypes.cpython-35m-x86_64-linux-gnu.so
#9  0x00007ffff66f888b in ffi_call () from /usr/lib/python3.5/lib-dynload/_ctypes.cpython-35m-x86_64-linux-gnu.so
#10 0x00007ffff66f301a in _call_function_pointer (argcount=1, resmem=0x7fffffffca10, restype=<optimized out>, atypes=<optimized out>, avalues=0x7fffffffc9f0, pProc=0x7ffff506cee0 <clang_Cursor_getMangling>, flags=4353) at /build/python3.5-9imW1d/python3.5-3.5.2/Modules/_ctypes/callproc.c:811
#11 _ctypes_callproc (pProc=0x7ffff506cee0 <clang_Cursor_getMangling>, argtuple=<optimized out>, flags=4353, argtypes=(<built-in method from_param of _ctypes.PyCStructType object at remote 0xb97388>,), restype=<_ctypes.PyCStructType at remote 0xb874c8>, checker=0x0) at /build/python3.5-9imW1d/python3.5-3.5.2/Modules/_ctypes/callproc.c:1149
#12 0x00007ffff66e6fcb in PyCFuncPtr_call.lto_priv.89 (self=self@entry=0x7ffff66b0cc8, inargs=<optimized out>, kwds=<optimized out>) at /build/python3.5-9imW1d/python3.5-3.5.2/Modules/_ctypes/_ctypes.c:3856
#13 0x00000000005b7167 in PyObject_Call () at ../Objects/abstract.c:2165
#14 0x0000000000528d06 in do_call (nk=<optimized out>, na=<optimized out>, pp_stack=0x7fffffffccf0, func=<optimized out>) at ../Python/ceval.c:4936
#15 call_function (oparg=<optimized out>, pp_stack=0x7fffffffccf0) at ../Python/ceval.c:4732
#16 PyEval_EvalFrameEx () at ../Python/ceval.c:3236
#17 0x000000000052e12b in _PyEval_EvalCodeWithName (qualname=0x0, name=0x0, closure=0x0, kwdefs=0x0, defcount=0, defs=0x0, kwcount=0, kws=<optimized out>, argcount=<optimized out>, args=<optimized out>, locals=<optimized out>, globals=<optimized out>, _co=<code at remote 0x7ffff6968270>) at ../Python/ceval.c:4018
#18 PyEval_EvalCodeEx () at ../Python/ceval.c:4039
#19 0x00000000004ebcc3 in function_call.lto_priv () at ../Objects/funcobject.c:627
#20 0x00000000005b7167 in PyObject_Call () at ../Objects/abstract.c:2165
#21 0x00000000004ee1c0 in property_descr_get.lto_priv () at ../Objects/descrobject.c:1398
#22 0x00000000005763bd in _PyObject_GenericGetAttrWithDict () at ../Objects/object.c:1059
#23 0x000000000052424b in PyEval_EvalFrameEx () at ../Python/ceval.c:2743
#24 0x0000000000528814 in fast_function (nk=<optimized out>, na=<optimized out>, n=<optimized out>, pp_stack=0x7fffffffd160, func=<optimized out>) at ../Python/ceval.c:4803
#25 call_function (oparg=<optimized out>, pp_stack=0x7fffffffd160) at ../Python/ceval.c:4730
#26 PyEval_EvalFrameEx () at ../Python/ceval.c:3236
#27 0x0000000000528814 in fast_function (nk=<optimized out>, na=<optimized out>, n=<optimized out>, pp_stack=0x7fffffffd290, func=<optimized out>) at ../Python/ceval.c:4803
#28 call_function (oparg=<optimized out>, pp_stack=0x7fffffffd290) at ../Python/ceval.c:4730
#29 PyEval_EvalFrameEx () at ../Python/ceval.c:3236
#30 0x0000000000528814 in fast_function (nk=<optimized out>, na=<optimized out>, n=<optimized out>, pp_stack=0x7fffffffd3c0, func=<optimized out>) at ../Python/ceval.c:4803
#31 call_function (oparg=<optimized out>, pp_stack=0x7fffffffd3c0) at ../Python/ceval.c:4730
#32 PyEval_EvalFrameEx () at ../Python/ceval.c:3236
#33 0x0000000000528814 in fast_function (nk=<optimized out>, na=<optimized out>, n=<optimized out>, pp_stack=0x7fffffffd4f0, func=<optimized out>) at ../Python/ceval.c:4803
#34 call_function (oparg=<optimized out>, pp_stack=0x7fffffffd4f0) at ../Python/ceval.c:4730
#35 PyEval_EvalFrameEx () at ../Python/ceval.c:3236
#36 0x0000000000528814 in fast_function (nk=<optimized out>, na=<optimized out>, n=<optimized out>, pp_stack=0x7fffffffd620, func=<optimized out>) at ../Python/ceval.c:4803
#37 call_function (oparg=<optimized out>, pp_stack=0x7fffffffd620) at ../Python/ceval.c:4730
#38 PyEval_EvalFrameEx () at ../Python/ceval.c:3236
#39 0x0000000000528814 in fast_function (nk=<optimized out>, na=<optimized out>, n=<optimized out>, pp_stack=0x7fffffffd750, func=<optimized out>) at ../Python/ceval.c:4803
#40 call_function (oparg=<optimized out>, pp_stack=0x7fffffffd750) at ../Python/ceval.c:4730
#41 PyEval_EvalFrameEx () at ../Python/ceval.c:3236
#42 0x000000000052d2e3 in _PyEval_EvalCodeWithName () at ../Python/ceval.c:4018
#43 0x000000000052dfdf in PyEval_EvalCodeEx () at ../Python/ceval.c:4039
#44 PyEval_EvalCode (co=<optimized out>, globals=<optimized out>, locals=<optimized out>) at ../Python/ceval.c:777
#45 0x00000000005fd2c2 in run_mod () at ../Python/pythonrun.c:976
#46 0x00000000005ff76a in PyRun_FileExFlags () at ../Python/pythonrun.c:929
#47 0x00000000005ff95c in PyRun_SimpleFileExFlags () at ../Python/pythonrun.c:396
#48 0x000000000063e7d6 in run_file (p_cf=0x7fffffffd9c0, filename=0xa732a0 L"./traverse.py", fp=0xb6bc30) at ../Modules/main.c:318
#49 Py_Main () at ../Modules/main.c:768
#50 0x00000000004cfe41 in main () at ../Programs/python.c:65
#51 0x00007ffff7810830 in __libc_start_main (main=0x4cfd60 <main>, argc=3, argv=0x7fffffffdbd8, init=<optimized out>, fini=<optimized out>, rtld_fini=<optimized out>, stack_end=0x7fffffffdbc8) at ../csu/libc-start.c:291
#52 0x00000000005d5f29 in _start ()