llvm: Use-of-uninitialized-value in __gxx_personality_v0 #1099

dtardon · 2018-01-21T14:51:21Z

See issues https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=4465 , https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=4470 and https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=5525 .

oliverchang · 2018-01-21T23:14:58Z

@eugenis any ideas why this might be happening?

The top frames show:

  | #0 0xe9779e in __gxx_personality_v0 /src/llvm/projects/libcxxabi/src/cxa_personality.cpp:946:22
  | #1 0x7f4c2c9bc262 in _Unwind_RaiseException
  | #2 0xe8e57b in __cxa_throw /src/llvm/projects/libcxxabi/src/cxa_exception.cpp:233:5

oliverchang · 2018-01-21T23:29:06Z

Maybe we should be using LIBCXXABI_USE_LLVM_UNWINDER=ON and LIBCXXABI_ENABLE_STATIC_UNWINDER=ON when building libcxxabi?

https://github.com/google/oss-fuzz/blob/master/infra/base-images/base-clang/checkout_build_install_llvm.sh#L55

eugenis · 2018-01-25T02:18:47Z

The unwinder flags might help... I assume this is MSan? I don't have access to the bugs.

…

On Sun, Jan 21, 2018 at 3:29 PM, Oliver Chang ***@***.***> wrote: Maybe we should be using LIBCXXABI_USE_LLVM_UNWINDER=ON and LIBCXXABI_ENABLE_STATIC_UNWINDER=ON when building libcxxabi? https://github.com/google/oss-fuzz/blob/master/infra/base- images/base-clang/checkout_build_install_llvm.sh#L55 — You are receiving this because you were mentioned. Reply to this email directly, view it on GitHub <#1099 (comment)>, or mute the thread <https://github.com/notifications/unsubscribe-auth/AAZuSlzJnZGKeggr2-7Ykws-JWWS6bLpks5tM8hDgaJpZM4Rl12f> .

oliverchang · 2018-01-25T02:22:09Z

Yep, just CCed you on those bugs.

eugenis · 2018-01-26T22:01:44Z

Did you try the unwinder flags?

inferno-chromium · 2018-01-28T05:54:31Z

Nope, let us try that first.

Actually breaks msan.

oliverchang · 2018-02-05T05:32:43Z

Ok I take that back, these flags actually break msan:

==12==ERROR: MemorySanitizer: stack-overflow on address 0x7ffdde498a88 (pc 0x000000446940 bp 0x000000000000 sp 0x7ffdde498a70 T12)


...
Thread 1 "bmifuzzer" received signal SIGSEGV, Segmentation fault.
0x0000000000446940 in __sanitizer::StackTrace::StackTrace (size=0, trace=0x7fffff7fee30, this=0x7fffff7fee20)
    at /src/llvm/projects/compiler-rt/lib/msan/../sanitizer_common/sanitizer_stacktrace.h:50
50	/src/llvm/projects/compiler-rt/lib/msan/../sanitizer_common/sanitizer_stacktrace.h: No such file or directory.
(gdb) bt
#0  0x0000000000446940 in __sanitizer::StackTrace::StackTrace (size=0, trace=0x7fffff7fee30, this=0x7fffff7fee20)
    at /src/llvm/projects/compiler-rt/lib/msan/../sanitizer_common/sanitizer_stacktrace.h:50
#1  __sanitizer::BufferedStackTrace::BufferedStackTrace (this=0x7fffff7fee20)
    at /src/llvm/projects/compiler-rt/lib/msan/../sanitizer_common/sanitizer_stacktrace.h:94
#2  __msan::PrintWarningWithOrigin (pc=10908539, bp=bp@entry=140737479964256, origin=0)
    at /src/llvm/projects/compiler-rt/lib/msan/msan.cc:246
#3  0x000000000044776c in __msan::PrintWarningWithOrigin (origin=<optimized out>, bp=140737479964256, pc=<optimized out>)
    at /src/llvm/projects/compiler-rt/lib/msan/msan.cc:369
#4  __msan::PrintWarning (bp=140737479964256, pc=<optimized out>) at /src/llvm/projects/compiler-rt/lib/msan/msan.cc:233
#5  __msan_warning_noreturn () at /src/llvm/projects/compiler-rt/lib/msan/msan.cc:365
#6  0x0000000000a6737b in libunwind::LocalAddressSpace::findUnwindSections(unsigned long, libunwind::UnwindInfoSections&)::{lambda(dl_phdr_info*, unsigned long, void*)#1}::operator()(dl_phdr_info*, unsigned long, void*) const ()
    at /src/llvm/projects/libunwind/src/AddressSpace.hpp:465
#7  0x00007ffff70080e4 in __GI___dl_iterate_phdr (
    callback=0x4661d0 <msan_dl_iterate_phdr_cb(__sanitizer::__sanitizer_dl_phdr_info*, SIZE_T, void*)>, data=0x7fffff7ff7f0)
    at dl-iteratephdr.c:76
#8  0x0000000000456fdc in __interceptor_dl_iterate_phdr (
    callback=0xa66e10 <libunwind::LocalAddressSpace::findUnwindSections(unsigned long, libunwind::UnwindInfoSections&)::{lambda(dl_phdr_info*, unsigned long, void*)#1}::__invoke(dl_phdr_info*, unsigned long, void*)>, data=0x7fffff7ffae8)
    at /src/llvm/projects/compiler-rt/lib/msan/msan_interceptors.cc:1460
#9  0x0000000000a5c346 in findUnwindSections () at /src/llvm/projects/libunwind/src/AddressSpace.hpp:456
#10 setInfoBasedOnIPRegister () at /src/llvm/projects/libunwind/src/UnwindCursor.hpp:1264
#11 0x0000000000a587c7 in unw_init_local () at /src/llvm/projects/libunwind/src/libunwind.cpp:76
#12 0x0000000000a4d3bf in _Unwind_Backtrace () at /src/llvm/projects/libunwind/src/UnwindLevel1-gcc-ext.c:109
#13 0x0000000000440123 in __sanitizer::BufferedStackTrace::SlowUnwindStack (this=0x7fffff800060, pc=pc@entry=10908539, 
    max_depth=max_depth@entry=256) at /src/llvm/projects/compiler-rt/lib/sanitizer_common/sanitizer_unwind_linux_libcdep.cc:127
#14 0x000000000043c45a in __sanitizer::BufferedStackTrace::Unwind (this=this@entry=0x7fffff800060, max_depth=max_depth@entry=256, 
    pc=pc@entry=10908539, bp=bp@entry=140737479968928, context=context@entry=0x0, stack_top=stack_top@entry=0, stack_bottom=0, 
    request_fast_unwind=false) at /src/llvm/projects/compiler-rt/lib/sanitizer_common/sanitizer_stacktrace_libcdep.cc:77
#15 0x0000000000446a56 in __msan::GetStackTrace (request_fast_unwind=false, context=0x0, bp=140737479968928, pc=10908539, max_s=256, 
    stack=0x7fffff800060) at /src/llvm/projects/compiler-rt/lib/msan/msan.cc:226
#16 __msan::PrintWarningWithOrigin (pc=10908539, bp=bp@entry=140737479968928, origin=0)
    at /src/llvm/projects/compiler-rt/lib/msan/msan.cc:246
#17 0x000000000044776c in __msan::PrintWarningWithOrigin (origin=<optimized out>, bp=140737479968928, pc=<optimized out>)
    at /src/llvm/projects/compiler-rt/lib/msan/msan.cc:369
#18 __msan::PrintWarning (bp=140737479968928, pc=<optimized out>) at /src/llvm/projects/compiler-rt/lib/msan/msan.cc:233
#19 __msan_warning_noreturn () at /src/llvm/projects/compiler-rt/lib/msan/msan.cc:365
#20 0x0000000000a6737b in libunwind::LocalAddressSpace::findUnwindSections(unsigned long, libunwind::UnwindInfoSections&)::{lambda(dl_phdr_info*, unsigned long, void*)#1}::operator()(dl_phdr_info*, unsigned long, void*) const ()
    at /src/llvm/projects/libunwind/src/AddressSpace.hpp:465
#21 0x00007ffff70080e4 in __GI___dl_iterate_phdr (
    callback=0x4661d0 <msan_dl_iterate_phdr_cb(__sanitizer::__sanitizer_dl_phdr_info*, SIZE_T, void*)>, data=0x7fffff800a30)
    at dl-iteratephdr.c:76
#22 0x0000000000456fdc in __interceptor_dl_iterate_phdr (
    callback=0xa66e10 <libunwind::LocalAddressSpace::findUnwindSections(unsigned long, libunwind::UnwindInfoSections&)::{lambda(dl_phdr_info*, unsigned long, void*)#1}::__invoke(dl_phdr_info*, unsigned long, void*)>, data=0x7fffff800d28)
    at /src/llvm/projects/compiler-rt/lib/msan/msan_interceptors.cc:1460
#23 0x0000000000a5c346 in findUnwindSections () at /src/llvm/projects/libunwind/src/AddressSpace.hpp:456
#24 setInfoBasedOnIPRegister () at /src/llvm/projects/libunwind/src/UnwindCursor.hpp:1264
#25 0x0000000000a587c7 in unw_init_local () at /src/llvm/projects/libunwind/src/libunwind.cpp:76
#26 0x0000000000a4d3bf in _Unwind_Backtrace () at /src/llvm/projects/libunwind/src/UnwindLevel1-gcc-ext.c:109
#27 0x0000000000440123 in __sanitizer::BufferedStackTrace::SlowUnwindStack (this=0x7fffff8012a0, pc=pc@entry=10908539, 
...

oliverchang · 2018-02-05T05:58:56Z

@eugenis could this be related to https://bugs.llvm.org/show_bug.cgi?id=31877 ?

eugenis · 2018-02-06T00:28:32Z

Yes, I think you are right. It's exactly PR31877. Apparently, MSan is not used with C++ exceptions that often. Here is an example that triggers the bug for me: #include <sanitizer/msan_interface.h> volatile long z;

…

__attribute__((noinline)) void f(long a, long b, long c, long d) { z = a+b+c+d; }

__attribute__((noinline)) void throw_stuff() { throw 5; } int main() { long x; __msan_poison(&x, sizeof(x)); f(0, 0, 0, x); try { throw_stuff(); } catch (const int &e) { } } I don't know what to do with it. We can not intercept __gxx_personality0 because libcxxabi is linked statically; even if it was not, an interceptor could not be added because it would break exceptions in the static link. We could put a nosanitize("memory") attribute on __gxx_personality0. Or just blacklist it! Could you try that? Remember that you need to rebuild libc++abi for the blacklist to work.

On Sun, Feb 4, 2018 at 9:58 PM, Oliver Chang ***@***.***> wrote: @eugenis <https://github.com/eugenis> could this be related to https://bugs.llvm.org/show_bug.cgi?id=31877 ? — You are receiving this because you were mentioned. Reply to this email directly, view it on GitHub <#1099 (comment)>, or mute the thread <https://github.com/notifications/unsubscribe-auth/AAZuSg2LQvj4tQQublO0NuBgf8b-rE39ks5tRpihgaJpZM4Rl12f> .

oliverchang · 2018-02-07T22:22:34Z

Looks like blacklisting _gxx_personality* did the trick. Thanks!

Actually breaks msan.

__gxx_personality_v0 seems to be tricky and makes some unknown problems. It's also skipped in address sanitizer as a default blacklist function[1]. This patch skips __gxx_personality_v0 in plthook list to avoid test failures in i386. Before: 185 exception2 : NG NG NG NG NG NG NG NG NG NG 186 exception3 : NG NG NG NG NG NG NG NG NG NG After: 185 exception2 : OK OK OK OK OK OK OK OK OK OK 186 exception3 : OK OK OK OK OK OK OK OK OK OK [1] google/oss-fuzz#1099 Signed-off-by: Honggyu Kim <honggyu.kp@gmail.com>

__gxx_personality_v0 seems to be tricky and makes some unknown problems as described in [1]. It's also skipped in memory sanitizer as a default blacklist function[2]. This patch skips __gxx_personality_v0 in plthook list to avoid test failures in i386. Before: 185 exception2 : NG NG NG NG NG NG NG NG NG NG 186 exception3 : NG NG NG NG NG NG NG NG NG NG After: 185 exception2 : OK OK OK OK OK OK OK OK OK OK 186 exception3 : OK OK OK OK OK OK OK OK OK OK [1] google/oss-fuzz#1099 [2] https://reviews.llvm.org/D69587 Signed-off-by: Honggyu Kim <honggyu.kp@gmail.com>

inferno-chromium assigned eugenis Jan 26, 2018

inferno-chromium unassigned eugenis Jan 28, 2018

oliverchang self-assigned this Feb 5, 2018

oliverchang added a commit that referenced this issue Feb 5, 2018

Use llvm unwinder (#1099).

7ff3be2

oliverchang added a commit that referenced this issue Feb 5, 2018

Revert unwinder changes (#1099).

2809452

Actually breaks msan.

oliverchang closed this as completed Feb 7, 2018

tmatth pushed a commit to tmatth/oss-fuzz that referenced this issue Oct 22, 2018

Use llvm unwinder (google#1099).

fdd9ff0

tmatth pushed a commit to tmatth/oss-fuzz that referenced this issue Oct 22, 2018

Revert unwinder changes (google#1099).

cfc7142

Actually breaks msan.

tmatth pushed a commit to tmatth/oss-fuzz that referenced this issue Oct 22, 2018

Blacklist __gxx_personality_* libcxxabi functions (google#1099).

452bc2b

eugenis mentioned this issue Oct 24, 2019

use-of-uninitialized-value in libcxxabi when throwing an exception - Please improve bootstrapping documentation google/sanitizers#1155

Closed

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

llvm: Use-of-uninitialized-value in __gxx_personality_v0 #1099

llvm: Use-of-uninitialized-value in __gxx_personality_v0 #1099

dtardon commented Jan 21, 2018

oliverchang commented Jan 21, 2018

oliverchang commented Jan 21, 2018

eugenis commented Jan 25, 2018 via email

oliverchang commented Jan 25, 2018

eugenis commented Jan 26, 2018

inferno-chromium commented Jan 28, 2018

oliverchang commented Feb 5, 2018

oliverchang commented Feb 5, 2018

eugenis commented Feb 6, 2018 via email

oliverchang commented Feb 7, 2018

llvm: Use-of-uninitialized-value in __gxx_personality_v0 #1099

llvm: Use-of-uninitialized-value in __gxx_personality_v0 #1099

Comments

dtardon commented Jan 21, 2018

oliverchang commented Jan 21, 2018

oliverchang commented Jan 21, 2018

eugenis commented Jan 25, 2018 via email

oliverchang commented Jan 25, 2018

eugenis commented Jan 26, 2018

inferno-chromium commented Jan 28, 2018

oliverchang commented Feb 5, 2018

oliverchang commented Feb 5, 2018

eugenis commented Feb 6, 2018 via email

oliverchang commented Feb 7, 2018