Closed
Description
IMPORTANT
Both 4.05c and the dev branch reproduce this.
ubuntu 22.04
llvm 14 and clang 14
To Reproduce
target: php-8.2.4 tag
build-command:
apt install re2c libsqlite3-dev
./buildconf --force
CC=afl-clang-lto CXX=afl-clang-lto++ RANLIB=llvm-ranlib-14 AR=llvm-ar-14 ld=afl-ld-lto ./configure
make -j6
Expected behavior
When ld.lld links the target object, the SanitizerCoverageLTO.so plugin crashes. No error should occur under normal circumstances.
Screen output/Screenshots
clang: error: unable to execute command: Aborted (core dumped)
clang: error: linker command failed due to signal (use -v to see invocation)
make: *** [Makefile:300:sapi/phpdbg/phpdbg] 错误 254
afl-llvm-lto++4.06a by Marc "vanHauser" Heuse <[email protected]>
ld.lld: /usr/lib/llvm-14/include/llvm/IR/User.h:170: llvm::Value *llvm::User::getOperand(unsigned int) const: Assertion `i < NumUserOperands && "getOperand() out of range!"' failed.
PLEASE submit a bug report to https://github.com/llvm/llvm-project/issues/ and include the crash backtrace.
Stack dump:
0. Program arguments: /usr/lib/llvm-14/bin/ld.lld -pie -z relro --hash-style=gnu --build-id --eh-frame-hdr -m elf_x86_64 -dynamic-linker /lib64/ld-linux-x86-64.so.2 -o sapi/cli/php /lib/x86_64-linux-gnu/Scrt1.o /lib/x86_64-linux-gnu/crti.o /usr/lib/gcc/x86_64-linux-gnu/11/crtbeginS.o -L/usr/lib/gcc/x86_64-linux-gnu/11 -L/usr/lib/gcc/x86_64-linux-gnu/11/../../../../lib64 -L/lib/x86_64-linux-gnu -L/lib/../lib64 -L/usr/lib/x86_64-linux-gnu -L/usr/lib/../lib64 -L/usr/lib/llvm-14/bin/../lib -L/lib -L/usr/lib -plugin-opt=mcpu=x86-64 -plugin-opt=O2 --lto-legacy-pass-manager -mllvm=-load=/usr/local/bin/../lib/afl//SanitizerCoverageLTO.so --allow-multiple-definition -zmax-page-size=2097152 ext/date/php_date.o ext/date/lib/astro.o ext/date/lib/dow.o ext/date/lib/parse_date.o ext/date/lib/parse_tz.o ext/date/lib/parse_posix.o ext/date/lib/timelib.o ext/date/lib/tm2unixtime.o ext/date/lib/unixtime2tm.o ext/date/lib/parse_iso_intervals.o ext/date/lib/interval.o ext/libxml/libxml.o ext/pcre/pcre2lib/pcre2_auto_possess.o ext/pcre/pcre2lib/pcre2_chartables.o ext/pcre/pcre2lib/pcre2_compile.o ext/pcre/pcre2lib/pcre2_config.o ext/pcre/pcre2lib/pcre2_context.o ext/pcre/pcre2lib/pcre2_dfa_match.o ext/pcre/pcre2lib/pcre2_error.o ext/pcre/pcre2lib/pcre2_jit_compile.o ext/pcre/pcre2lib/pcre2_maketables.o ext/pcre/pcre2lib/pcre2_match.o ext/pcre/pcre2lib/pcre2_match_data.o ext/pcre/pcre2lib/pcre2_newline.o ext/pcre/pcre2lib/pcre2_ord2utf.o ext/pcre/pcre2lib/pcre2_pattern_info.o ext/pcre/pcre2lib/pcre2_serialize.o ext/pcre/pcre2lib/pcre2_string_utils.o ext/pcre/pcre2lib/pcre2_study.o ext/pcre/pcre2lib/pcre2_substitute.o ext/pcre/pcre2lib/pcre2_substring.o ext/pcre/pcre2lib/pcre2_tables.o ext/pcre/pcre2lib/pcre2_ucd.o ext/pcre/pcre2lib/pcre2_valid_utf.o ext/pcre/pcre2lib/pcre2_xclass.o ext/pcre/pcre2lib/pcre2_find_bracket.o ext/pcre/pcre2lib/pcre2_convert.o ext/pcre/pcre2lib/pcre2_extuni.o ext/pcre/pcre2lib/pcre2_script_run.o ext/pcre/php_pcre.o ext/sqlite3/sqlite3.o ext/ctype/ctype.o 
ext/dom/php_dom.o ext/dom/attr.o ext/dom/document.o ext/dom/domexception.o ext/dom/parentnode.o ext/dom/processinginstruction.o ext/dom/cdatasection.o ext/dom/documentfragment.o ext/dom/domimplementation.o ext/dom/element.o ext/dom/node.o ext/dom/characterdata.o ext/dom/documenttype.o ext/dom/entity.o ext/dom/nodelist.o ext/dom/text.o ext/dom/comment.o ext/dom/entityreference.o ext/dom/notation.o ext/dom/xpath.o ext/dom/dom_iterators.o ext/dom/namednodemap.o ext/fileinfo/fileinfo.o ext/fileinfo/libmagic/apprentice.o ext/fileinfo/libmagic/apptype.o ext/fileinfo/libmagic/ascmagic.o ext/fileinfo/libmagic/cdf.o ext/fileinfo/libmagic/cdf_time.o ext/fileinfo/libmagic/compress.o ext/fileinfo/libmagic/encoding.o ext/fileinfo/libmagic/fsmagic.o ext/fileinfo/libmagic/funcs.o ext/fileinfo/libmagic/is_json.o ext/fileinfo/libmagic/is_tar.o ext/fileinfo/libmagic/magic.o ext/fileinfo/libmagic/print.o ext/fileinfo/libmagic/readcdf.o ext/fileinfo/libmagic/softmagic.o ext/fileinfo/libmagic/der.o ext/fileinfo/libmagic/buffer.o ext/fileinfo/libmagic/is_csv.o ext/filter/filter.o ext/filter/sanitizing_filters.o ext/filter/logical_filters.o ext/filter/callback_filter.o ext/hash/hash.o ext/hash/hash_md.o ext/hash/hash_sha.o ext/hash/hash_ripemd.o ext/hash/hash_haval.o ext/hash/hash_tiger.o ext/hash/hash_gost.o ext/hash/hash_snefru.o ext/hash/hash_whirlpool.o ext/hash/hash_adler32.o ext/hash/hash_crc32.o ext/hash/hash_fnv.o ext/hash/hash_joaat.o ext/hash/sha3/generic64lc/KeccakP-1600-opt64.o ext/hash/sha3/generic64lc/KeccakHash.o ext/hash/sha3/generic64lc/KeccakSponge.o ext/hash/hash_sha3.o ext/hash/murmur/PMurHash.o ext/hash/murmur/PMurHash128.o ext/hash/hash_murmur.o ext/hash/hash_xxhash.o ext/iconv/iconv.o ext/json/json.o ext/json/json_encoder.o ext/json/json_parser.o ext/json/json_scanner.o ext/pdo/pdo.o ext/pdo/pdo_dbh.o ext/pdo/pdo_stmt.o ext/pdo/pdo_sql_parser.o ext/pdo/pdo_sqlstate.o ext/pdo_sqlite/pdo_sqlite.o ext/pdo_sqlite/sqlite_driver.o ext/pdo_sqlite/sqlite_statement.o 
ext/phar/util.o ext/phar/tar.o ext/phar/zip.o ext/phar/stream.o ext/phar/func_interceptors.o ext/phar/dirstream.o ext/phar/phar.o ext/phar/phar_object.o ext/phar/phar_path_check.o ext/posix/posix.o ext/random/random.o ext/random/engine_combinedlcg.o ext/random/engine_mt19937.o ext/random/engine_pcgoneseq128xslrr64.o ext/random/engine_xoshiro256starstar.o ext/random/engine_secure.o ext/random/engine_user.o ext/random/randomizer.o ext/reflection/php_reflection.o ext/session/mod_user_class.o ext/session/session.o ext/session/mod_files.o ext/session/mod_mm.o ext/session/mod_user.o ext/simplexml/simplexml.o ext/spl/php_spl.o ext/spl/spl_functions.o ext/spl/spl_iterators.o ext/spl/spl_array.o ext/spl/spl_directory.o ext/spl/spl_exceptions.o ext/spl/spl_observer.o ext/spl/spl_dllist.o ext/spl/spl_heap.o ext/spl/spl_fixedarray.o ext/standard/crypt_freesec.o ext/standard/crypt_blowfish.o ext/standard/crypt_sha512.o ext/standard/crypt_sha256.o ext/standard/php_crypt_r.o ext/standard/array.o ext/standard/base64.o ext/standard/basic_functions.o ext/standard/browscap.o ext/standard/crc32.o ext/standard/crypt.o ext/standard/datetime.o ext/standard/dir.o ext/standard/dl.o ext/standard/dns.o ext/standard/exec.o ext/standard/file.o ext/standard/filestat.o ext/standard/flock_compat.o ext/standard/formatted_print.o ext/standard/fsock.o ext/standard/head.o ext/standard/html.o ext/standard/image.o ext/standard/info.o ext/standard/iptc.o ext/standard/link.o ext/standard/mail.o ext/standard/math.o ext/standard/md5.o ext/standard/metaphone.o ext/standard/microtime.o ext/standard/pack.o ext/standard/pageinfo.o ext/standard/quot_print.o ext/standard/soundex.o ext/standard/string.o ext/standard/scanf.o ext/standard/syslog.o ext/standard/type.o ext/standard/uniqid.o ext/standard/url.o ext/standard/var.o ext/standard/versioning.o ext/standard/assert.o ext/standard/strnatcmp.o ext/standard/levenshtein.o ext/standard/incomplete_class.o ext/standard/url_scanner_ex.o 
ext/standard/ftp_fopen_wrapper.o ext/standard/http_fopen_wrapper.o ext/standard/php_fopen_wrapper.o ext/standard/credits.o ext/standard/css.o ext/standard/var_unserializer.o ext/standard/ftok.o ext/standard/sha1.o ext/standard/user_filters.o ext/standard/uuencode.o ext/standard/filters.o ext/standard/proc_open.o ext/standard/streamsfuncs.o ext/standard/http.o ext/standard/password.o ext/standard/net.o ext/standard/hrtime.o ext/standard/crc32_x86.o ext/standard/libavifinfo/avifinfo.o ext/tokenizer/tokenizer.o ext/tokenizer/tokenizer_data.o ext/xml/xml.o ext/xml/compat.o ext/xmlreader/php_xmlreader.o ext/xmlwriter/php_xmlwriter.o Zend/asm/make_x86_64_sysv_elf_gas.o Zend/asm/jump_x86_64_sysv_elf_gas.o TSRM/TSRM.o main/main.o main/snprintf.o main/spprintf.o main/fopen_wrappers.o main/php_scandir.o main/php_ini_builder.o main/php_ini.o main/SAPI.o main/rfc1867.o main/php_content_types.o main/strlcpy.o main/strlcat.o main/explicit_bzero.o main/reentrancy.o main/php_variables.o main/php_ticks.o main/network.o main/php_open_temporary_file.o main/php_odbc_utils.o main/safe_bcmp.o main/output.o main/getopt.o main/php_syslog.o main/streams/streams.o main/streams/cast.o main/streams/memory.o main/streams/filter.o main/streams/plain_wrapper.o main/streams/userspace.o main/streams/transports.o main/streams/xp_socket.o main/streams/mmap.o main/streams/glob_wrapper.o Zend/zend_language_parser.o Zend/zend_language_scanner.o Zend/zend_ini_parser.o Zend/zend_ini_scanner.o Zend/zend_alloc.o Zend/zend_compile.o Zend/zend_constants.o Zend/zend_dtrace.o Zend/zend_execute_API.o Zend/zend_highlight.o Zend/zend_llist.o Zend/zend_vm_opcodes.o Zend/zend_opcode.o Zend/zend_operators.o Zend/zend_ptr_stack.o Zend/zend_stack.o Zend/zend_variables.o Zend/zend.o Zend/zend_API.o Zend/zend_extensions.o Zend/zend_hash.o Zend/zend_list.o Zend/zend_builtin_functions.o Zend/zend_attributes.o Zend/zend_execute.o Zend/zend_ini.o Zend/zend_sort.o Zend/zend_multibyte.o Zend/zend_stream.o 
Zend/zend_iterators.o Zend/zend_interfaces.o Zend/zend_exceptions.o Zend/zend_strtod.o Zend/zend_gc.o Zend/zend_closures.o Zend/zend_weakrefs.o Zend/zend_float.o Zend/zend_string.o Zend/zend_signal.o Zend/zend_generators.o Zend/zend_virtual_cwd.o Zend/zend_ast.o Zend/zend_objects.o Zend/zend_object_handlers.o Zend/zend_objects_API.o Zend/zend_default_classes.o Zend/zend_inheritance.o Zend/zend_smart_str.o Zend/zend_cpuinfo.o Zend/zend_gdb.o Zend/zend_observer.o Zend/zend_system_id.o Zend/zend_enum.o Zend/zend_fibers.o Zend/zend_atomic.o Zend/Optimizer/zend_optimizer.o Zend/Optimizer/pass1.o Zend/Optimizer/pass3.o Zend/Optimizer/optimize_func_calls.o Zend/Optimizer/block_pass.o Zend/Optimizer/optimize_temp_vars_5.o Zend/Optimizer/nop_removal.o Zend/Optimizer/compact_literals.o Zend/Optimizer/zend_cfg.o Zend/Optimizer/zend_dfg.o Zend/Optimizer/dfa_pass.o Zend/Optimizer/zend_ssa.o Zend/Optimizer/zend_inference.o Zend/Optimizer/zend_func_info.o Zend/Optimizer/zend_call_graph.o Zend/Optimizer/sccp.o Zend/Optimizer/scdf.o Zend/Optimizer/dce.o Zend/Optimizer/escape_analysis.o Zend/Optimizer/compact_vars.o Zend/Optimizer/zend_dump.o main/internal_functions_cli.o sapi/cli/php_cli.o sapi/cli/php_http_parser.o sapi/cli/php_cli_server.o sapi/cli/ps_title.o sapi/cli/php_cli_process_title.o --export-dynamic -lrt -lrt -lm -lxml2 -lsqlite3 -lxml2 -lsqlite3 -lxml2 -lxml2 -lxml2 -lxml2 /usr/local/bin/../lib/afl//afl-compiler-rt.o /usr/local/bin/../lib/afl//afl-llvm-rt-lto.o --dynamic-list=/usr/local/bin/../lib/afl//dynamic_list.txt -lgcc --as-needed -lgcc_s --no-as-needed -lc -lgcc --as-needed -lgcc_s --no-as-needed /usr/lib/gcc/x86_64-linux-gnu/11/crtendS.o /lib/x86_64-linux-gnu/crtn.o
1. Running pass 'sancov-lto' on module 'ld-temp.o'.
#0 0x00007fdbdda3fd01 llvm::sys::PrintStackTrace(llvm::raw_ostream&, int) (/lib/x86_64-linux-gnu/libLLVM-14.so.1+0xe3fd01)
#1 0x00007fdbdda3da3e llvm::sys::RunSignalHandlers() (/lib/x86_64-linux-gnu/libLLVM-14.so.1+0xe3da3e)
#2 0x00007fdbdda40236 (/lib/x86_64-linux-gnu/libLLVM-14.so.1+0xe40236)
#3 0x00007fdbdc442520 (/lib/x86_64-linux-gnu/libc.so.6+0x42520)
#4 0x00007fdbdc496a7c __pthread_kill_implementation ./nptl/./nptl/pthread_kill.c:44:76
#5 0x00007fdbdc496a7c __pthread_kill_internal ./nptl/./nptl/pthread_kill.c:78:10
#6 0x00007fdbdc496a7c pthread_kill ./nptl/./nptl/pthread_kill.c:89:10
#7 0x00007fdbdc442476 gsignal ./signal/../sysdeps/posix/raise.c:27:6
#8 0x00007fdbdc4287f3 abort ./stdlib/./stdlib/abort.c:81:7
#9 0x00007fdbdc42871b _nl_load_domain ./intl/./intl/loadmsgcat.c:1177:9
#10 0x00007fdbdc439e96 (/lib/x86_64-linux-gnu/libc.so.6+0x39e96)
#11 0x00007fdbdca96f82 llvm::isa_impl_cl<llvm::Function, llvm::Value const*>::doit(llvm::Value const*) /usr/lib/llvm-14/include/llvm/Support/Casting.h:104:5
#12 0x00007fdbdca96f82 llvm::isa_impl_wrap<llvm::Function, llvm::Value const*, llvm::Value const*>::doit(llvm::Value const* const&) /usr/lib/llvm-14/include/llvm/Support/Casting.h:131:12
#13 0x00007fdbdca96f82 llvm::isa_impl_wrap<llvm::Function, llvm::Value* const, llvm::Value const*>::doit(llvm::Value* const&) /usr/lib/llvm-14/include/llvm/Support/Casting.h:121:12
#14 0x00007fdbdca96f82 bool llvm::isa<llvm::Function, llvm::Value*>(llvm::Value* const&) /usr/lib/llvm-14/include/llvm/Support/Casting.h:142:10
#15 0x00007fdbdca96f82 llvm::cast_retty<llvm::Function, llvm::Value*>::ret_type llvm::cast<llvm::Function, llvm::Value>(llvm::Value*) /usr/lib/llvm-14/include/llvm/Support/Casting.h:269:3
#16 0x00007fdbdca96f82 scanForDangerousFunctions(llvm::Module*) llvm_mode/llvm_mode/instrumentation/afl-llvm-common.cc:292:24
#17 0x00007fdbdca89163 (anonymous namespace)::ModuleSanitizerCoverageLTO::instrumentModule(llvm::Module&, llvm::function_ref<llvm::DominatorTree const* (llvm::Function&)>, llvm::function_ref<llvm::PostDominatorTree const* (llvm::Function&)>) /home/wu/Desktop/AFLplusplus/instrumentation/SanitizerCoverageLTO.so.cc:500:6
#18 0x00007fdbdca90300 (anonymous namespace)::ModuleSanitizerCoverageLTOLegacyPass::runOnModule(llvm::Module&) /home/wu/Desktop/AFLplusplus/instrumentation/SanitizerCoverageLTO.so.cc:307:25
#19 0x00007fdbddb7af66 llvm::legacy::PassManagerImpl::run(llvm::Module&) (/lib/x86_64-linux-gnu/libLLVM-14.so.1+0xf7af66)
#20 0x00007fdbdef628a6 llvm::lto::opt(llvm::lto::Config const&, llvm::TargetMachine*, unsigned int, llvm::Module&, bool, llvm::ModuleSummaryIndex*, llvm::ModuleSummaryIndex const*, std::vector<unsigned char, std::allocator<unsigned char> > const&) (/lib/x86_64-linux-gnu/libLLVM-14.so.1+0x23628a6)
#21 0x00007fdbdef64c57 llvm::lto::backend(llvm::lto::Config const&, std::function<llvm::Expected<std::unique_ptr<llvm::CachedFileStream, std::default_delete<llvm::CachedFileStream> > > (unsigned int)>, unsigned int, llvm::Module&, llvm::ModuleSummaryIndex&) (/lib/x86_64-linux-gnu/libLLVM-14.so.1+0x2364c57)
#22 0x00007fdbdef59889 llvm::lto::LTO::runRegularLTO(std::function<llvm::Expected<std::unique_ptr<llvm::CachedFileStream, std::default_delete<llvm::CachedFileStream> > > (unsigned int)>) (/lib/x86_64-linux-gnu/libLLVM-14.so.1+0x2359889)
#23 0x00007fdbdef59083 llvm::lto::LTO::run(std::function<llvm::Expected<std::unique_ptr<llvm::CachedFileStream, std::default_delete<llvm::CachedFileStream> > > (unsigned int)>, std::function<llvm::Expected<std::function<llvm::Expected<std::unique_ptr<llvm::CachedFileStream, std::default_delete<llvm::CachedFileStream> > > (unsigned int)> > (unsigned int, llvm::StringRef)>) (/lib/x86_64-linux-gnu/libLLVM-14.so.1+0x2359083)
#24 0x00000000005ca433 lld::elf::BitcodeCompiler::compile() (/usr/lib/llvm-14/bin/ld.lld+0x5ca433)
#25 0x0000000000550206 void lld::elf::LinkerDriver::compileBitcodeFiles<llvm::object::ELFType<(llvm::support::endianness)1, true> >(bool) (/usr/lib/llvm-14/bin/ld.lld+0x550206)
#26 0x000000000054d05d lld::elf::LinkerDriver::link(llvm::opt::InputArgList&) (/usr/lib/llvm-14/bin/ld.lld+0x54d05d)
#27 0x0000000000541ac4 lld::elf::LinkerDriver::linkerMain(llvm::ArrayRef<char const*>) (/usr/lib/llvm-14/bin/ld.lld+0x541ac4)
#28 0x000000000053fd97 lld::elf::link(llvm::ArrayRef<char const*>, llvm::raw_ostream&, llvm::raw_ostream&, bool, bool) (/usr/lib/llvm-14/bin/ld.lld+0x53fd97)
#29 0x000000000048b235 (/usr/lib/llvm-14/bin/ld.lld+0x48b235)
#30 0x000000000048a998 main (/usr/lib/llvm-14/bin/ld.lld+0x48a998)
#31 0x00007fdbdc429d90 __libc_start_call_main ./csu/../sysdeps/nptl/libc_start_call_main.h:58:16
#32 0x00007fdbdc429e40 call_init ./csu/../csu/libc-start.c:128:20
#33 0x00007fdbdc429e40 __libc_start_main ./csu/../csu/libc-start.c:379:5
#34 0x000000000048a4d5 _start (/usr/lib/llvm-14/bin/ld.lld+0x48a4d5)