
[DWARF] llvm-debuginfo-analyzer crashes on dead code? #136772

Open
@Mrmaxmeier

Hi,
I've encountered a segfault with llvm-debuginfo-analyzer that reproduces with v19.1.7 and the current main branch. I've attached my original reproducer below. (llvm-debuginfo-analyzer out/lzma-lzmadec.wasm --print=instructions)

Crash backtrace
PLEASE submit a bug report to https://github.com/llvm/llvm-project/issues/ and include the crash backtrace.
Stack dump:
0.	Program arguments: llvm-debuginfo-analyzer out/lzma-lzmadec.wasm --print=instructions
 #0 0x000073f2de41a730 llvm::sys::PrintStackTrace(llvm::raw_ostream&, int) /usr/src/debug/llvm/llvm-19.1.7.src/lib/Support/Unix/Signals.inc:723:22
 #1 0x000073f2de4176bd llvm::sys::RunSignalHandlers() /usr/src/debug/llvm/llvm-19.1.7.src/lib/Support/Signals.cpp:105:20
 #2 0x000073f2de4176bd SignalHandler /usr/src/debug/llvm/llvm-19.1.7.src/lib/Support/Unix/Signals.inc:403:31
 #3 0x000073f2dd64bcd0 (/usr/lib/libc.so.6+0x3dcd0)
 #4 0x000073f2e29711fd nextByte /usr/src/debug/llvm/llvm-19.1.7.src/lib/Target/WebAssembly/Disassembler/WebAssemblyDisassembler.cpp:81:22
 #5 0x000073f2e29711fd getInstruction /usr/src/debug/llvm/llvm-19.1.7.src/lib/Target/WebAssembly/Disassembler/WebAssemblyDisassembler.cpp:167:21
 #6 0x000073f2e0c90192 llvm::logicalview::LVBinaryReader::createInstructions(llvm::logicalview::LVScope*, unsigned long, std::pair<unsigned long, unsigned long> const&) /usr/src/debug/llvm/llvm-19.1.7.src/lib/DebugInfo/LogicalView/Readers/LVBinaryReader.cpp:466:5
 #7 0x000073f2e0c90fb8 llvm::Error::getPtr() const /usr/src/debug/llvm/llvm-19.1.7.src/include/llvm/Support/Error.h:282:12
 #8 0x000073f2e0c90fb8 llvm::Error::operator bool() /usr/src/debug/llvm/llvm-19.1.7.src/include/llvm/Support/Error.h:242:22
 #9 0x000073f2e0c90fb8 llvm::logicalview::LVBinaryReader::createInstructions() /usr/src/debug/llvm/llvm-19.1.7.src/lib/DebugInfo/LogicalView/Readers/LVBinaryReader.cpp:572:73
#10 0x000073f2e0cc9501 llvm::Error::getPtr() const /usr/src/debug/llvm/llvm-19.1.7.src/include/llvm/Support/Error.h:282:12
#11 0x000073f2e0cc9501 llvm::Error::operator bool() /usr/src/debug/llvm/llvm-19.1.7.src/include/llvm/Support/Error.h:242:22
#12 0x000073f2e0cc9501 llvm::logicalview::LVDWARFReader::createScopes() /usr/src/debug/llvm/llvm-19.1.7.src/lib/DebugInfo/LogicalView/Readers/LVDWARFReader.cpp:960:41
#13 0x000073f2e0c500c3 llvm::logicalview::LVReader::doLoad() /usr/src/debug/llvm/llvm-19.1.7.src/lib/DebugInfo/LogicalView/Core/LVReader.cpp:236:3
#14 0x000073f2e0c810f8 llvm::logicalview::LVReaderHandler::createReader(llvm::StringRef, std::vector<std::unique_ptr<llvm::logicalview::LVReader, std::default_delete<llvm::logicalview::LVReader>>, std::allocator<std::unique_ptr<llvm::logicalview::LVReader, std::default_delete<llvm::logicalview::LVReader>>>>&, llvm::PointerUnion<llvm::object::ObjectFile*, llvm::pdb::PDBFile*>&, llvm::StringRef, llvm::StringRef) /usr/src/debug/llvm/llvm-19.1.7.src/lib/DebugInfo/LogicalView/LVReaderHandler.cpp:72:1
#15 0x000073f2e0c86205 llvm::logicalview::LVReaderHandler::handleObject(std::vector<std::unique_ptr<llvm::logicalview::LVReader, std::default_delete<llvm::logicalview::LVReader>>, std::allocator<std::unique_ptr<llvm::logicalview::LVReader, std::default_delete<llvm::logicalview::LVReader>>>>&, llvm::StringRef, llvm::object::Binary&) /usr/src/debug/llvm/llvm-19.1.7.src/lib/DebugInfo/LogicalView/LVReaderHandler.cpp:247:71
#16 0x000073f2e0c831c4 std::unique_ptr<llvm::object::Binary, std::default_delete<llvm::object::Binary>>::~unique_ptr() /usr/include/c++/14.2.1/bits/unique_ptr.h:397:12
#17 0x000073f2e0c831c4 llvm::Expected<std::unique_ptr<llvm::object::Binary, std::default_delete<llvm::object::Binary>>>::~Expected() /usr/src/debug/llvm/llvm-19.1.7.src/include/llvm/Support/Error.h:564:34
#18 0x000073f2e0c831c4 llvm::Expected<std::unique_ptr<llvm::object::Binary, std::default_delete<llvm::object::Binary>>>::~Expected() /usr/src/debug/llvm/llvm-19.1.7.src/include/llvm/Support/Error.h:561:3
#19 0x000073f2e0c831c4 llvm::logicalview::LVReaderHandler::handleBuffer(std::vector<std::unique_ptr<llvm::logicalview::LVReader, std::default_delete<llvm::logicalview::LVReader>>, std::allocator<std::unique_ptr<llvm::logicalview::LVReader, std::default_delete<llvm::logicalview::LVReader>>>>&, llvm::StringRef, llvm::MemoryBufferRef, llvm::StringRef) /usr/src/debug/llvm/llvm-19.1.7.src/lib/DebugInfo/LogicalView/LVReaderHandler.cpp:198:1
#20 0x000073f2e0c847b7 std::default_delete<llvm::MemoryBuffer>::operator()(llvm::MemoryBuffer*) const /usr/include/c++/14.2.1/bits/unique_ptr.h:93:2
#21 0x000073f2e0c847b7 std::unique_ptr<llvm::MemoryBuffer, std::default_delete<llvm::MemoryBuffer>>::~unique_ptr() /usr/include/c++/14.2.1/bits/unique_ptr.h:398:17
#22 0x000073f2e0c847b7 llvm::logicalview::LVReaderHandler::handleFile(std::vector<std::unique_ptr<llvm::logicalview::LVReader, std::default_delete<llvm::logicalview::LVReader>>, std::allocator<std::unique_ptr<llvm::logicalview::LVReader, std::default_delete<llvm::logicalview::LVReader>>>>&, llvm::StringRef, llvm::StringRef) /usr/src/debug/llvm/llvm-19.1.7.src/lib/DebugInfo/LogicalView/LVReaderHandler.cpp:214:1
#23 0x000073f2e0c848d9 llvm::Error::getPtr() const /usr/src/debug/llvm/llvm-19.1.7.src/include/llvm/Support/Error.h:282:12
#24 0x000073f2e0c848d9 llvm::Error::operator bool() /usr/src/debug/llvm/llvm-19.1.7.src/include/llvm/Support/Error.h:242:22
#25 0x000073f2e0c848d9 llvm::logicalview::LVReaderHandler::createReaders() /usr/src/debug/llvm/llvm-19.1.7.src/lib/DebugInfo/LogicalView/LVReaderHandler.cpp:281:50
#26 0x000073f2e0c84c6d llvm::logicalview::LVReaderHandler::process() /usr/src/debug/llvm/llvm-19.1.7.src/lib/DebugInfo/LogicalView/LVReaderHandler.cpp:30:3
#27 0x00005fc85b4ed745 llvm::Error::getPtr() const /usr/src/debug/llvm/llvm-19.1.7.src/include/llvm/Support/Error.h:282:12
#28 0x00005fc85b4ed745 llvm::Error::operator bool() /usr/src/debug/llvm/llvm-19.1.7.src/include/llvm/Support/Error.h:242:22
#29 0x00005fc85b4ed745 main /usr/src/debug/llvm/llvm-19.1.7.src/tools/llvm-debuginfo-analyzer/llvm-debuginfo-analyzer.cpp:137:42
#30 0x000073f2dd635488 __libc_start_call_main /usr/src/debug/glibc/glibc/csu/../sysdeps/nptl/libc_start_call_main.h:74:3
#31 0x000073f2dd63554c call_init /usr/src/debug/glibc/glibc/csu/../csu/libc-start.c:128:20
#32 0x000073f2dd63554c __libc_start_main /usr/src/debug/glibc/glibc/csu/../csu/libc-start.c:347:5
#33 0x00005fc85b4f4af5 (/usr/bin/llvm-debuginfo-analyzer+0xeaf5)
fish: Job 1, 'llvm-debuginfo-analyzer out/lzm…' terminated by signal SIGSEGV (Address boundary error)

Looking into the crash a bit, we're crashing due to an out-of-bounds pointer that is created here:

  ArrayRef<uint8_t> Bytes = arrayRefFromStringRef(*SectionContentsOrErr);
  uint64_t Offset = Address - SectionAddress;
  uint8_t const *Begin = Bytes.data() + Offset;
  uint8_t const *End = Bytes.data() + Offset + Size;

where Offset is larger than Bytes.

The large Offset happens because LVBinaryReader::createInstructions is called with an LVNameInfo of {0x1000004bf, 0x14} in the reproducer. It seems like the name's LVAddress is calculated from a "dead code" record that is encoded as 0xffffffff in the DWARF.

llvm-dwarfdump out/lzma-lzmadec.wasm --all shows it like this:

0x000002b3:   DW_TAG_subprogram
                DW_AT_low_pc	(dead code)
                DW_AT_high_pc	(0x00000362)
                DW_AT_frame_base	(DW_OP_WASM_location 0x0 0x6, DW_OP_stack_value)

I'm not familiar with DWARF and am not sure if the binary I'm using respects the DWARF spec, but it was produced by clang, and it seems like trusting offsets in the DWARF is probably not intended 🙃

crasher.zip

Thanks!
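The check a reader would want before forming Begin/End from DWARF-derived addresses, as an added example that is not LLVM's code: the same Offset/Size arithmetic as the quoted snippet, but validated against the section size (names like checkedRange and rangeFits are hypothetical, and the section contents are constructed).

```cpp
#include <cstdint>
#include <cstdio>
#include <optional>
#include <vector>

// Half-open [Begin, End) range inside a section's bytes (stand-in for ArrayRef).
struct ByteRange {
  const uint8_t *Begin;
  const uint8_t *End;
};

// Hypothetical bounds-checked version of the Begin/End computation from the
// report. Returns nullopt instead of forming an out-of-bounds pointer when the
// DWARF-supplied Address/Size do not fit inside the section.
std::optional<ByteRange> checkedRange(const std::vector<uint8_t> &Bytes,
                                      uint64_t SectionAddress,
                                      uint64_t Address, uint64_t Size) {
  // An Address below the section start would make Address - SectionAddress wrap.
  if (Address < SectionAddress)
    return std::nullopt;
  uint64_t Offset = Address - SectionAddress;
  // Check Offset and Offset + Size without letting the addition overflow.
  if (Offset > Bytes.size() || Size > Bytes.size() - Offset)
    return std::nullopt;
  return ByteRange{Bytes.data() + Offset, Bytes.data() + Offset + Size};
}

// Yes/no helper over a zero-filled section of the given size.
bool rangeFits(size_t SectionSize, uint64_t SectionAddress,
               uint64_t Address, uint64_t Size) {
  std::vector<uint8_t> Bytes(SectionSize, 0);
  return checkedRange(Bytes, SectionAddress, Address, Size).has_value();
}

int main() {
  // Constructed section: 0x400 filler bytes "loaded" at address 0x1000.
  std::vector<uint8_t> Section(0x400, 0x0b);
  const uint64_t SectionAddress = 0x1000;
  // The reproducer's LVNameInfo {0x1000004bf, 0x14} is rejected, not dereferenced.
  auto Dead = checkedRange(Section, SectionAddress, 0x1000004bfULL, 0x14);
  std::printf("dead-code range fits: %s\n", Dead ? "yes" : "no");
  // A well-formed range inside the section is accepted.
  auto Good = checkedRange(Section, SectionAddress, 0x1010, 0x14);
  if (Good)
    std::printf("good range length: %zu\n", size_t(Good->End - Good->Begin));
  return 0;
}
```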
