
Assertion `Uses->count(DRE) && "DRE not found or claimed by multiple matchers!"' failed. #122066

Open
marckwei opened this issue Jan 8, 2025 · 1 comment
Labels
clang:analysis crash Prefer [crash-on-valid] or [crash-on-invalid]

Comments

@marckwei

marckwei commented Jan 8, 2025

reproduce.zip

[1463/2448] Building CXX object Source/JavaScriptCore/CMak...ivedSources/unified-sources/UnifiedSource-3a52ce78-1.cpp.o
FAILED: Source/JavaScriptCore/CMakeFiles/JavaScriptCore.dir/__/__/JavaScriptCore/DerivedSources/unified-sources/UnifiedSource-3a52ce78-1.cpp.o 
/data/workspace/WasmAFL/afl-clang-fast++ -DBUILDING_JSCONLY__ -DBUILDING_JavaScriptCore -DBUILDING_WEBKIT=1 -DBUILDING_WITH_CMAKE=1 -DHAVE_CONFIG_H=1 -DPAS_BMALLOC=1 -DSTATICALLY_LINKED_WITH_WTF -DSTATICALLY_LINKED_WITH_bmalloc -I/data/workspace/WebKit/wasmasan/JSCOnly/Debug/JavaScriptCore/Headers -I/data/workspace/WebKit/wasmasan/JSCOnly/Debug -I/data/workspace/WebKit/Source/JavaScriptCore -I/data/workspace/WebKit/Source/JavaScriptCore/API -I/data/workspace/WebKit/Source/JavaScriptCore/assembler -I/data/workspace/WebKit/Source/JavaScriptCore/b3 -I/data/workspace/WebKit/Source/JavaScriptCore/b3/air -I/data/workspace/WebKit/Source/JavaScriptCore/bindings -I/data/workspace/WebKit/Source/JavaScriptCore/builtins -I/data/workspace/WebKit/Source/JavaScriptCore/bytecode -I/data/workspace/WebKit/Source/JavaScriptCore/bytecompiler -I/data/workspace/WebKit/Source/JavaScriptCore/dfg -I/data/workspace/WebKit/Source/JavaScriptCore/disassembler -I/data/workspace/WebKit/Source/JavaScriptCore/disassembler/ARM64 -I/data/workspace/WebKit/Source/JavaScriptCore/disassembler/zydis/Zydis -I/data/workspace/WebKit/Source/JavaScriptCore/domjit -I/data/workspace/WebKit/Source/JavaScriptCore/ftl -I/data/workspace/WebKit/Source/JavaScriptCore/fuzzilli -I/data/workspace/WebKit/Source/JavaScriptCore/heap -I/data/workspace/WebKit/Source/JavaScriptCore/debugger -I/data/workspace/WebKit/Source/JavaScriptCore/inspector -I/data/workspace/WebKit/Source/JavaScriptCore/inspector/agents -I/data/workspace/WebKit/Source/JavaScriptCore/inspector/augmentable -I/data/workspace/WebKit/Source/JavaScriptCore/inspector/remote -I/data/workspace/WebKit/Source/JavaScriptCore/interpreter -I/data/workspace/WebKit/Source/JavaScriptCore/jit -I/data/workspace/WebKit/Source/JavaScriptCore/llint -I/data/workspace/WebKit/Source/JavaScriptCore/parser -I/data/workspace/WebKit/Source/JavaScriptCore/profiler -I/data/workspace/WebKit/Source/JavaScriptCore/runtime -I/data/workspace/WebKit/Source/JavaScriptCore/tools 
-I/data/workspace/WebKit/Source/JavaScriptCore/wasm -I/data/workspace/WebKit/Source/JavaScriptCore/wasm/js -I/data/workspace/WebKit/Source/JavaScriptCore/yarr -I/data/workspace/WebKit/wasmasan/JSCOnly/Debug/JavaScriptCore/DerivedSources -I/data/workspace/WebKit/wasmasan/JSCOnly/Debug/JavaScriptCore/DerivedSources/inspector -I/data/workspace/WebKit/wasmasan/JSCOnly/Debug/JavaScriptCore/DerivedSources/runtime -I/data/workspace/WebKit/wasmasan/JSCOnly/Debug/JavaScriptCore/DerivedSources/yarr -I/data/workspace/WebKit/wasmasan/JSCOnly/Debug/WTF/Headers -I/data/workspace/WebKit/wasmasan/JSCOnly/Debug/bmalloc/Headers -fdiagnostics-color=always -fcolor-diagnostics -Wextra -Wall -Werror=undefined-internal -Werror=undefined-inline -pipe -Wno-noexcept-type -Wno-psabi -Wno-misleading-indentation -Wno-parentheses-equality -Qunused-arguments -Wundef -Wpointer-arith -Wmissing-format-attribute -Wformat-security -Wcast-align -Wno-tautological-compare -fasynchronous-unwind-tables -fdebug-types-section -fno-strict-aliasing -fno-exceptions -fno-rtti -fcoroutines -ffunction-sections -fdata-sections -O0 -g3 -fno-inline -fno-omit-frame-pointer -fsanitize=address -fPIC -fvisibility=hidden -fvisibility-inlines-hidden -Wunsafe-buffer-usage -fsafe-buffer-usage-suggestions -ffp-contract=off -fno-slp-vectorize -std=c++2b -MD -MT Source/JavaScriptCore/CMakeFiles/JavaScriptCore.dir/__/__/JavaScriptCore/DerivedSources/unified-sources/UnifiedSource-3a52ce78-1.cpp.o -MF Source/JavaScriptCore/CMakeFiles/JavaScriptCore.dir/__/__/JavaScriptCore/DerivedSources/unified-sources/UnifiedSource-3a52ce78-1.cpp.o.d -o Source/JavaScriptCore/CMakeFiles/JavaScriptCore.dir/__/__/JavaScriptCore/DerivedSources/unified-sources/UnifiedSource-3a52ce78-1.cpp.o -c /data/workspace/WebKit/wasmasan/JSCOnly/Debug/JavaScriptCore/DerivedSources/unified-sources/UnifiedSource-3a52ce78-1.cpp
clang++.original: /data/workspace/llvm-project/clang/lib/Analysis/UnsafeBufferUsage.cpp:835: void {anonymous}::DeclUseTracker::claimUse(const clang::DeclRefExpr*): Assertion `Uses->count(DRE) && "DRE not found or claimed by multiple matchers!"' failed.
PLEASE submit a bug report to https://github.com/llvm/llvm-project/issues/ and include the crash backtrace, preprocessed source, and associated run script.
Stack dump:
0.      Program arguments: /usr/local/llvm-17/bin/clang++.original -Wno-unused-command-line-argument -fpass-plugin=/data/workspace/WasmAFL/SanitizerCoveragePCGUARD.so -DBUILDING_JSCONLY__ -DBUILDING_JavaScriptCore -DBUILDING_WEBKIT=1 -DBUILDING_WITH_CMAKE=1 -DHAVE_CONFIG_H=1 -DPAS_BMALLOC=1 -DSTATICALLY_LINKED_WITH_WTF -DSTATICALLY_LINKED_WITH_bmalloc -I/data/workspace/WebKit/wasmasan/JSCOnly/Debug/JavaScriptCore/Headers -I/data/workspace/WebKit/wasmasan/JSCOnly/Debug -I/data/workspace/WebKit/Source/JavaScriptCore -I/data/workspace/WebKit/Source/JavaScriptCore/API -I/data/workspace/WebKit/Source/JavaScriptCore/assembler -I/data/workspace/WebKit/Source/JavaScriptCore/b3 -I/data/workspace/WebKit/Source/JavaScriptCore/b3/air -I/data/workspace/WebKit/Source/JavaScriptCore/bindings -I/data/workspace/WebKit/Source/JavaScriptCore/builtins -I/data/workspace/WebKit/Source/JavaScriptCore/bytecode -I/data/workspace/WebKit/Source/JavaScriptCore/bytecompiler -I/data/workspace/WebKit/Source/JavaScriptCore/dfg -I/data/workspace/WebKit/Source/JavaScriptCore/disassembler -I/data/workspace/WebKit/Source/JavaScriptCore/disassembler/ARM64 -I/data/workspace/WebKit/Source/JavaScriptCore/disassembler/zydis/Zydis -I/data/workspace/WebKit/Source/JavaScriptCore/domjit -I/data/workspace/WebKit/Source/JavaScriptCore/ftl -I/data/workspace/WebKit/Source/JavaScriptCore/fuzzilli -I/data/workspace/WebKit/Source/JavaScriptCore/heap -I/data/workspace/WebKit/Source/JavaScriptCore/debugger -I/data/workspace/WebKit/Source/JavaScriptCore/inspector -I/data/workspace/WebKit/Source/JavaScriptCore/inspector/agents -I/data/workspace/WebKit/Source/JavaScriptCore/inspector/augmentable -I/data/workspace/WebKit/Source/JavaScriptCore/inspector/remote -I/data/workspace/WebKit/Source/JavaScriptCore/interpreter -I/data/workspace/WebKit/Source/JavaScriptCore/jit -I/data/workspace/WebKit/Source/JavaScriptCore/llint -I/data/workspace/WebKit/Source/JavaScriptCore/parser 
-I/data/workspace/WebKit/Source/JavaScriptCore/profiler -I/data/workspace/WebKit/Source/JavaScriptCore/runtime -I/data/workspace/WebKit/Source/JavaScriptCore/tools -I/data/workspace/WebKit/Source/JavaScriptCore/wasm -I/data/workspace/WebKit/Source/JavaScriptCore/wasm/js -I/data/workspace/WebKit/Source/JavaScriptCore/yarr -I/data/workspace/WebKit/wasmasan/JSCOnly/Debug/JavaScriptCore/DerivedSources -I/data/workspace/WebKit/wasmasan/JSCOnly/Debug/JavaScriptCore/DerivedSources/inspector -I/data/workspace/WebKit/wasmasan/JSCOnly/Debug/JavaScriptCore/DerivedSources/runtime -I/data/workspace/WebKit/wasmasan/JSCOnly/Debug/JavaScriptCore/DerivedSources/yarr -I/data/workspace/WebKit/wasmasan/JSCOnly/Debug/WTF/Headers -I/data/workspace/WebKit/wasmasan/JSCOnly/Debug/bmalloc/Headers -fdiagnostics-color=always -fcolor-diagnostics -Wextra -Wall -Werror=undefined-internal -Werror=undefined-inline -pipe -Wno-noexcept-type -Wno-psabi -Wno-misleading-indentation -Wno-parentheses-equality -Qunused-arguments -Wundef -Wpointer-arith -Wmissing-format-attribute -Wformat-security -Wcast-align -Wno-tautological-compare -fasynchronous-unwind-tables -fdebug-types-section -fno-strict-aliasing -fno-exceptions -fno-rtti -fcoroutines -ffunction-sections -fdata-sections -O0 -g3 -fno-inline -fno-omit-frame-pointer -fsanitize=address -fPIC -fvisibility=hidden -fvisibility-inlines-hidden -Wunsafe-buffer-usage -fsafe-buffer-usage-suggestions -ffp-contract=off -fno-slp-vectorize -std=c++2b -MD -MT Source/JavaScriptCore/CMakeFiles/JavaScriptCore.dir/__/__/JavaScriptCore/DerivedSources/unified-sources/UnifiedSource-3a52ce78-1.cpp.o -MF Source/JavaScriptCore/CMakeFiles/JavaScriptCore.dir/__/__/JavaScriptCore/DerivedSources/unified-sources/UnifiedSource-3a52ce78-1.cpp.o.d -o Source/JavaScriptCore/CMakeFiles/JavaScriptCore.dir/__/__/JavaScriptCore/DerivedSources/unified-sources/UnifiedSource-3a52ce78-1.cpp.o -c 
/data/workspace/WebKit/wasmasan/JSCOnly/Debug/JavaScriptCore/DerivedSources/unified-sources/UnifiedSource-3a52ce78-1.cpp -U_FORTIFY_SOURCE -g -funroll-loops -D__AFL_COMPILER=1 -DFUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION=1 "-D__AFL_COVERAGE()=int __afl_selective_coverage = 1;extern \"C\" void __afl_coverage_discard();extern \"C\" void __afl_coverage_skip();extern \"C\" void __afl_coverage_on();extern \"C\" void __afl_coverage_off();" "-D__AFL_COVERAGE_START_OFF()=int __afl_selective_coverage_start_off = 1;" -D__AFL_COVERAGE_ON()=__afl_coverage_on() -D__AFL_COVERAGE_OFF()=__afl_coverage_off() -D__AFL_COVERAGE_DISCARD()=__afl_coverage_discard() -D__AFL_COVERAGE_SKIP()=__afl_coverage_skip() -D__AFL_HAVE_MANUAL_CONTROL=1 "-D__AFL_FUZZ_INIT()=int __afl_sharedmem_fuzzing = 1;extern __attribute__((visibility(\"default\"))) unsigned int *__afl_fuzz_len;extern __attribute__((visibility(\"default\"))) unsigned char *__afl_fuzz_ptr;unsigned char __afl_fuzz_alt[1048576];unsigned char *__afl_fuzz_alt_ptr = __afl_fuzz_alt;" "-D__AFL_FUZZ_TESTCASE_BUF=(__afl_fuzz_ptr ? __afl_fuzz_ptr : __afl_fuzz_alt_ptr)" "-D__AFL_FUZZ_TESTCASE_LEN=(__afl_fuzz_ptr ? *__afl_fuzz_len : (*__afl_fuzz_len = read(0, __afl_fuzz_alt_ptr, 1048576)) == 0xffffffff ? 0 : *__afl_fuzz_len)" "-D__AFL_LOOP(_A)=({ static volatile const char *_B __attribute__((used,unused));  _B = (const char*)\"##SIG_AFL_PERSISTENT##\"; extern __attribute__((visibility(\"default\"))) int __afl_connected;__attribute__((visibility(\"default\"))) int _L(unsigned int) __asm__(\"__afl_persistent_loop\"); _L(__afl_connected ? _A : 1); })" "-D__AFL_INIT()=do { static volatile const char *_A __attribute__((used,unused));  _A = (const char*)\"##SIG_AFL_DEFER_FORKSRV##\"; __attribute__((visibility(\"default\"))) void _I(void) __asm__(\"__afl_manual_init\"); _I(); } while (0)"
1.      <eof> parser at end of file
 #0 0x000055a136cb05b0 llvm::sys::PrintStackTrace(llvm::raw_ostream&, int) (/usr/local/llvm-17/bin/clang++.original+0x3c9f5b0)
 #1 0x000055a136cadecf llvm::sys::RunSignalHandlers() (/usr/local/llvm-17/bin/clang++.original+0x3c9cecf)
 #2 0x000055a136bfab08 CrashRecoverySignalHandler(int) CrashRecoveryContext.cpp:0:0
 #3 0x00007f5a39dd8520 (/lib/x86_64-linux-gnu/libc.so.6+0x42520)
 #4 0x00007f5a39e2c9fc __pthread_kill_implementation ./nptl/pthread_kill.c:44:76
 #5 0x00007f5a39e2c9fc __pthread_kill_internal ./nptl/pthread_kill.c:78:10
 #6 0x00007f5a39e2c9fc pthread_kill ./nptl/pthread_kill.c:89:10
 #7 0x00007f5a39dd8476 gsignal ./signal/../sysdeps/posix/raise.c:27:6
 #8 0x00007f5a39dbe7f3 abort ./stdlib/abort.c:81:7
 #9 0x00007f5a39dbe71b _nl_load_domain ./intl/loadmsgcat.c:1177:9
#10 0x00007f5a39dcfe96 (/lib/x86_64-linux-gnu/libc.so.6+0x39e96)
#11 0x000055a139f8d3ed findGadgets(clang::Decl const*, clang::UnsafeBufferUsageHandler const&, bool) UnsafeBufferUsage.cpp:0:0
#12 0x000055a139f949bd clang::checkUnsafeBufferUsage(clang::Decl const*, clang::UnsafeBufferUsageHandler&, bool) (/usr/local/llvm-17/bin/clang++.original+0x6f839bd)
#13 0x000055a139e43310 clang::RecursiveASTVisitor<CallableVisitor>::TraverseFunctionDecl(clang::FunctionDecl*) (/usr/local/llvm-17/bin/clang++.original+0x6e32310)
#14 0x000055a139e2d77a clang::RecursiveASTVisitor<CallableVisitor>::TraverseDeclContextHelper(clang::DeclContext*) (.part.0) AnalysisBasedWarnings.cpp:0:0
#15 0x000055a139e2c995 clang::RecursiveASTVisitor<CallableVisitor>::TraverseDecl(clang::Decl*) (/usr/local/llvm-17/bin/clang++.original+0x6e1b995)
#16 0x000055a139e2d77a clang::RecursiveASTVisitor<CallableVisitor>::TraverseDeclContextHelper(clang::DeclContext*) (.part.0) AnalysisBasedWarnings.cpp:0:0
#17 0x000055a139e4375f clang::RecursiveASTVisitor<CallableVisitor>::TraverseTranslationUnitDecl(clang::TranslationUnitDecl*) (/usr/local/llvm-17/bin/clang++.original+0x6e3275f)
#18 0x000055a139e43915 clang::sema::AnalysisBasedWarnings::IssueWarnings(clang::TranslationUnitDecl*) (/usr/local/llvm-17/bin/clang++.original+0x6e32915)
#19 0x000055a1393be283 clang::Sema::ActOnEndOfTranslationUnit() (/usr/local/llvm-17/bin/clang++.original+0x63ad283)
#20 0x000055a13925cf35 clang::Parser::ParseTopLevelDecl(clang::OpaquePtr<clang::DeclGroupRef>&, clang::Sema::ModuleImportState&) (/usr/local/llvm-17/bin/clang++.original+0x624bf35)
#21 0x000055a13924d15a clang::ParseAST(clang::Sema&, bool, bool) (/usr/local/llvm-17/bin/clang++.original+0x623c15a)
#22 0x000055a137761559 clang::FrontendAction::Execute() (/usr/local/llvm-17/bin/clang++.original+0x4750559)
#23 0x000055a1376e453e clang::CompilerInstance::ExecuteAction(clang::FrontendAction&) (/usr/local/llvm-17/bin/clang++.original+0x46d353e)
#24 0x000055a13783056f clang::ExecuteCompilerInvocation(clang::CompilerInstance*) (/usr/local/llvm-17/bin/clang++.original+0x481f56f)
#25 0x000055a13408e633 cc1_main(llvm::ArrayRef<char const*>, char const*, void*) (/usr/local/llvm-17/bin/clang++.original+0x107d633)
#26 0x000055a134087623 ExecuteCC1Tool(llvm::SmallVectorImpl<char const*>&, llvm::ToolContext const&) driver.cpp:0:0
#27 0x000055a13752ac2d void llvm::function_ref<void ()>::callback_fn<clang::driver::CC1Command::Execute(llvm::ArrayRef<std::optional<llvm::StringRef>>, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char>>*, bool*) const::'lambda'()>(long) Job.cpp:0:0
#28 0x000055a136bfafd0 llvm::CrashRecoveryContext::RunSafely(llvm::function_ref<void ()>) (/usr/local/llvm-17/bin/clang++.original+0x3be9fd0)
#29 0x000055a13752b4ae clang::driver::CC1Command::Execute(llvm::ArrayRef<std::optional<llvm::StringRef>>, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char>>*, bool*) const (.part.0) Job.cpp:0:0
#30 0x000055a1374f126a clang::driver::Compilation::ExecuteCommand(clang::driver::Command const&, clang::driver::Command const*&, bool) const (/usr/local/llvm-17/bin/clang++.original+0x44e026a)
#31 0x000055a1374f1d3d clang::driver::Compilation::ExecuteJobs(clang::driver::JobList const&, llvm::SmallVectorImpl<std::pair<int, clang::driver::Command const*>>&, bool) const (/usr/local/llvm-17/bin/clang++.original+0x44e0d3d)
#32 0x000055a1374fd27c clang::driver::Driver::ExecuteCompilation(clang::driver::Compilation&, llvm::SmallVectorImpl<std::pair<int, clang::driver::Command const*>>&) (/usr/local/llvm-17/bin/clang++.original+0x44ec27c)
#33 0x000055a13408cb0e clang_main(int, char**, llvm::ToolContext const&) (/usr/local/llvm-17/bin/clang++.original+0x107bb0e)
#34 0x000055a133f931c3 main (/usr/local/llvm-17/bin/clang++.original+0xf821c3)
#35 0x00007f5a39dbfd90 __libc_start_call_main ./csu/../sysdeps/nptl/libc_start_call_main.h:58:16
#36 0x00007f5a39dbfe40 call_init ./csu/../csu/libc-start.c:128:20
#37 0x00007f5a39dbfe40 __libc_start_main ./csu/../csu/libc-start.c:379:5
#38 0x000055a134086265 _start (/usr/local/llvm-17/bin/clang++.original+0x1075265)
clang++: error: clang frontend command failed with exit code 134 (use -v to see invocation)
clang version 17.0.6 (https://github.com/llvm/llvm-project.git 6009708b4367171ccdbf4b5905cb6a803753fe18)
Target: x86_64-unknown-linux-gnu
Thread model: posix
InstalledDir: /usr/local/llvm-17/bin
clang++: note: diagnostic msg: 
********************

PLEASE ATTACH THE FOLLOWING FILES TO THE BUG REPORT:
Preprocessed source(s) and associated run script(s) are located at:
clang++: note: diagnostic msg: /tmp/UnifiedSource-3a52ce78-1-c5efaa.cpp
clang++: note: diagnostic msg: /tmp/UnifiedSource-3a52ce78-1-c5efaa.sh
clang++: note: diagnostic msg: 

********************
@frederick-vs-ja frederick-vs-ja added crash Prefer [crash-on-valid] or [crash-on-invalid] clang:analysis and removed new issue labels Jan 8, 2025
@marckwei
Author

marckwei commented Jan 8, 2025

Env: Ubuntu 22.04 LTS

apt install clang
unzip reproduce.zip
bash ./UnifiedSource-3a52ce78-1-c5efaa.sh 

Here is the reproduction file after adjusting the paths.
reproduce.zip
