I faced a random crash in llvm-dwarfdump, which was randomly reproducible.
It happens because llvm-dwarfdump can access an array out of bounds when the DWARF
parser tries to get children DIEs which are absent because of corrupted .debug_data.
The problem is in the following method:
  DWARFDie getFirstChild() const {
    if (isValid() && Die->hasChildren())
      return DWARFDie(U, Die + 1);
    return DWARFDie();
  }
Here a new DWARFDie is created, but there is no check that Die + 1
is valid memory, because Die is a simple pointer. Thus
it is possible for Die + 1 to point to garbage data, and the provided testcase
shows that.
I suggest wrapping Die in an ArrayRef, which allows doing all the necessary safety checks.
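The following is an added, self-contained illustration of the two shapes of getFirstChild discussed in this report; it is not LLVM's code and does not use LLVM's DWARFDie or ArrayRef. The DebugInfoEntry struct, the RawDie and BoundedDie types, and the sample units are constructed here: RawDie keeps the raw-pointer form from the report, BoundedDie stands in for the ArrayRef-style form where the DIE is an index into a bounded array, so a parent whose abbreviation promises children but whose unit holds no further parsed DIEs yields an invalid DIE instead of stepping past the end of the array.

```cpp
#include <cstddef>
#include <cstdint>
#include <vector>

// Minimal stand-in for a parsed DWARF DIE (constructed for this example;
// not LLVM's DWARFDebugInfoEntry).
struct DebugInfoEntry {
    uint64_t offset;     // offset of the DIE within the unit
    bool hasChildren;    // the abbreviation's DW_CHILDREN_yes flag
};

// Unsafe shape: the DIE is a raw pointer, so Die + 1 is never compared
// against the end of the unit's DIE array.
struct RawDie {
    const DebugInfoEntry *Die = nullptr;
    bool isValid() const { return Die != nullptr; }
    RawDie getFirstChild() const {
        if (isValid() && Die->hasChildren)
            return RawDie{Die + 1};   // may be one past the last parsed DIE
        return RawDie{};
    }
};

// Hardened shape: the DIE is an index into a bounded array (the role an
// ArrayRef plays in the proposed fix), so stepping to the next entry can be
// checked before the entry is ever touched.
struct BoundedDie {
    const std::vector<DebugInfoEntry> *Dies = nullptr;
    size_t Index = 0;
    bool isValid() const { return Dies && Index < Dies->size(); }
    const DebugInfoEntry &entry() const { return (*Dies)[Index]; }
    BoundedDie getFirstChild() const {
        if (!isValid() || !entry().hasChildren)
            return BoundedDie{};
        if (Index + 1 >= Dies->size())   // children promised but not parsed
            return BoundedDie{};
        return BoundedDie{Dies, Index + 1};
    }
};

// Constructed sample: one DIE whose abbreviation says it has children, but
// the (truncated or corrupted) unit contains no further DIEs.
static const std::vector<DebugInfoEntry> &truncatedUnit() {
    static const std::vector<DebugInfoEntry> dies = {
        {0x0b, true},
    };
    return dies;
}

// Constructed sample: a well-formed parent with one child.
static const std::vector<DebugInfoEntry> &wellFormedUnit() {
    static const std::vector<DebugInfoEntry> dies = {
        {0x0b, true},
        {0x1e, false},
    };
    return dies;
}

// With the raw pointer, getFirstChild on the truncated unit hands back the
// one-past-the-end pointer. Forming that pointer is legal; the dereference
// the caller performs next is the out-of-bounds read.
bool rawPointerStepsPastEnd() {
    const std::vector<DebugInfoEntry> &dies = truncatedUnit();
    RawDie root{dies.data()};
    RawDie child = root.getFirstChild();
    return child.Die == dies.data() + dies.size();
}

// With the bounded form, the same input yields an invalid DIE instead.
bool firstChildIsRejectedForTruncatedUnit() {
    BoundedDie root{&truncatedUnit(), 0};
    return !root.getFirstChild().isValid();
}

// Well-formed input still resolves the child normally.
uint64_t firstChildOffsetForWellFormedUnit() {
    BoundedDie root{&wellFormedUnit(), 0};
    BoundedDie child = root.getFirstChild();
    return child.isValid() ? child.entry().offset : 0;
}
```

The check that matters is the one against Dies->size() before the index is advanced; a fuzzed .debug_info section can set DW_CHILDREN_yes on the last DIE of a unit, and whether the walker treats that as "no children" or as an out-of-bounds read is decided entirely by that comparison.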
Can you add a comment explaining why the Die member is an array and what the bounds of the array represent? I assume that the last member of the array is the last child of the DIE?