This is an archive of the discontinued LLVM Phabricator instance.

[BitcodeReader] Use tighter upper bound to validate forward references.
ClosedPublic

Authored by fhahn on Jul 11 2019, 11:22 AM.

Download Raw Diff

Details

Reviewers

t.p.northover
thegameg
jfb
efriedma
hfinkel

Commits

rG864474c9c72a: [BitcodeReader] Use tighter upper bound to validate forward references.
rL366017: [BitcodeReader] Use tighter upper bound to validate forward references.

Summary

At the moment, bitcode files with invalid forward reference can easily
cause the bitcode reader to run out of memory, by creating a forward
reference with a very high index.

We can use the size of the bitcode file as an upper bound, because a
valid bitcode file can never contain more records. This should be
sufficient to fail early in most cases. The only exception is large
files with invalid forward references close to the file size.

There are a couple of clusterfuzz runs that fail with out-of-memory
because of very high forward references and they should be fixed by this
patch.

A concrete example for this is D64507, which causes out-of-memory on
systems with low memory, like the hexagon upstream bots.

I am not entirely sure about the way we get the size of the stream in
this patch. Maybe it would be better to get NumWords, when we enter the
module block?

Diff Detail

Repository: rL LLVM

Event Timeline

fhahn created this revision.Jul 11 2019, 11:22 AM

Herald added a project: Restricted Project. · View Herald TranscriptJul 11 2019, 11:22 AM

Herald added subscribers: dexonsmith, hiraditya. · View Herald Transcript

Harbormaster completed remote builds in B34794: Diff 209275.Jul 11 2019, 11:23 AM

fhahn marked an inline comment as done.Jul 11 2019, 11:24 AM

fhahn added inline comments.

llvm/test/Bitcode/pr18704.ll
3 ↗	(On Diff #209275)	The invalid forward reference in this test is covered by the upper bound check now. Is there a tool that can take the output of llvm-bcanalyzer like in the test case and create a bitcode file?

fhahn added a child revision: D64507: [BitcodeReader] Validate OpNum, before accessing Record array..Jul 11 2019, 11:24 AM

jfb accepted this revision.Jul 11 2019, 2:31 PM

jfb added inline comments.

llvm/include/llvm/Bitstream/BitstreamReader.h
298 ↗	(On Diff #209275)	I'd rather call this "sizeInBytes" or something. I get confused by bits and bytes :)

This revision is now accepted and ready to land.Jul 11 2019, 2:31 PM

Closed by commit rL366017: [BitcodeReader] Use tighter upper bound to validate forward references. (authored by fhahn). · Explain WhyJul 14 2019, 5:35 AM

This revision was automatically updated to reflect the committed changes.

fhahn marked an inline comment as done.

Revision Contents

Path

Size

llvm/

trunk/

include/

llvm/

Bitstream/

BitstreamReader.h

8 lines

lib/

Bitcode/

Reader/

2 lines

20 lines

9 lines

8 lines

test/

Bitcode/

pr18704.ll

2 lines

Diff 209725

llvm/trunk/include/llvm/Bitstream/BitstreamReader.h

Show First 20 Lines • Show All 288 Lines • ▼ Show 20 Lines	if (sizeof(word_t) > 4 &&
CurWord >>= BitsInCurWord-32;		CurWord >>= BitsInCurWord-32;
BitsInCurWord = 32;		BitsInCurWord = 32;
return;		return;
}		}

BitsInCurWord = 0;		BitsInCurWord = 0;
}		}

		/// Return the size of the stream in bytes.
		size_t SizeInBytes() const { return BitcodeBytes.size(); }

/// Skip to the end of the file.		/// Skip to the end of the file.
void skipToEnd() { NextChar = BitcodeBytes.size(); }		void skipToEnd() { NextChar = BitcodeBytes.size(); }
};		};

/// When advancing through a bitstream cursor, each advance can discover a few		/// When advancing through a bitstream cursor, each advance can discover a few
/// different kinds of entries:		/// different kinds of entries:
struct BitstreamEntry {		struct BitstreamEntry {
enum {		enum {
▲ Show 20 Lines • Show All 54 Lines • ▼ Show 20 Lines	public:
BitstreamCursor() = default;		BitstreamCursor() = default;
explicit BitstreamCursor(ArrayRef<uint8_t> BitcodeBytes)		explicit BitstreamCursor(ArrayRef<uint8_t> BitcodeBytes)
: SimpleBitstreamCursor(BitcodeBytes) {}		: SimpleBitstreamCursor(BitcodeBytes) {}
explicit BitstreamCursor(StringRef BitcodeBytes)		explicit BitstreamCursor(StringRef BitcodeBytes)
: SimpleBitstreamCursor(BitcodeBytes) {}		: SimpleBitstreamCursor(BitcodeBytes) {}
explicit BitstreamCursor(MemoryBufferRef BitcodeBytes)		explicit BitstreamCursor(MemoryBufferRef BitcodeBytes)
: SimpleBitstreamCursor(BitcodeBytes) {}		: SimpleBitstreamCursor(BitcodeBytes) {}

using SimpleBitstreamCursor::canSkipToPos;
using SimpleBitstreamCursor::AtEndOfStream;		using SimpleBitstreamCursor::AtEndOfStream;
		using SimpleBitstreamCursor::canSkipToPos;
		using SimpleBitstreamCursor::fillCurWord;
using SimpleBitstreamCursor::getBitcodeBytes;		using SimpleBitstreamCursor::getBitcodeBytes;
using SimpleBitstreamCursor::GetCurrentBitNo;		using SimpleBitstreamCursor::GetCurrentBitNo;
using SimpleBitstreamCursor::getCurrentByteNo;		using SimpleBitstreamCursor::getCurrentByteNo;
using SimpleBitstreamCursor::getPointerToByte;		using SimpleBitstreamCursor::getPointerToByte;
using SimpleBitstreamCursor::JumpToBit;		using SimpleBitstreamCursor::JumpToBit;
using SimpleBitstreamCursor::fillCurWord;
using SimpleBitstreamCursor::Read;		using SimpleBitstreamCursor::Read;
using SimpleBitstreamCursor::ReadVBR;		using SimpleBitstreamCursor::ReadVBR;
using SimpleBitstreamCursor::ReadVBR64;		using SimpleBitstreamCursor::ReadVBR64;
		using SimpleBitstreamCursor::SizeInBytes;

/// Return the number of bits used to encode an abbrev #.		/// Return the number of bits used to encode an abbrev #.
unsigned getAbbrevIDWidth() const { return CurCodeSize; }		unsigned getAbbrevIDWidth() const { return CurCodeSize; }

/// Flags that modify the behavior of advance().		/// Flags that modify the behavior of advance().
enum {		enum {
/// If this flag is used, the advance() method does not automatically pop		/// If this flag is used, the advance() method does not automatically pop
/// the block scope when the end of a block is reached.		/// the block scope when the end of a block is reached.
▲ Show 20 Lines • Show All 168 Lines • Show Last 20 Lines

llvm/trunk/lib/Bitcode/Reader/BitcodeReader.cpp

Show First 20 Lines • Show All 852 Lines • ▼ Show 20 Lines	std::error_code llvm::errorToErrorCodeAndEmitErrors(LLVMContext &Ctx,
}		}
return std::error_code();		return std::error_code();
}		}

BitcodeReader::BitcodeReader(BitstreamCursor Stream, StringRef Strtab,		BitcodeReader::BitcodeReader(BitstreamCursor Stream, StringRef Strtab,
StringRef ProducerIdentification,		StringRef ProducerIdentification,
LLVMContext &Context)		LLVMContext &Context)
: BitcodeReaderBase(std::move(Stream), Strtab), Context(Context),		: BitcodeReaderBase(std::move(Stream), Strtab), Context(Context),
ValueList(Context) {		ValueList(Context, Stream.SizeInBytes()) {
this->ProducerIdentification = ProducerIdentification;		this->ProducerIdentification = ProducerIdentification;
}		}

Error BitcodeReader::materializeForwardReferencedFunctions() {		Error BitcodeReader::materializeForwardReferencedFunctions() {
if (WillMaterializeAllForwardRefs)		if (WillMaterializeAllForwardRefs)
return Error::success();		return Error::success();

// Prevent recursion.		// Prevent recursion.
▲ Show 20 Lines • Show All 5,827 Lines • Show Last 20 Lines

llvm/trunk/lib/Bitcode/Reader/MetadataLoader.cpp

Show First 20 Lines • Show All 124 Lines • ▼ Show 20 Lines	struct {
SmallDenseMap<MDString *, TempMDTuple, 1> Unknown;		SmallDenseMap<MDString *, TempMDTuple, 1> Unknown;
SmallDenseMap<MDString , DICompositeType , 1> Final;		SmallDenseMap<MDString , DICompositeType , 1> Final;
SmallDenseMap<MDString , DICompositeType , 1> FwdDecls;		SmallDenseMap<MDString , DICompositeType , 1> FwdDecls;
SmallVector<std::pair<TrackingMDRef, TempMDTuple>, 1> Arrays;		SmallVector<std::pair<TrackingMDRef, TempMDTuple>, 1> Arrays;
} OldTypeRefs;		} OldTypeRefs;

LLVMContext &Context;		LLVMContext &Context;

		/// Maximum number of valid references. Forward references exceeding the
		/// maximum must be invalid.
		unsigned RefsUpperBound;

public:		public:
BitcodeReaderMetadataList(LLVMContext &C) : Context(C) {}		BitcodeReaderMetadataList(LLVMContext &C, size_t RefsUpperBound)
		: Context(C),
		RefsUpperBound(std::min((size_t)std::numeric_limits<unsigned>::max(),
		RefsUpperBound)) {}

// vector compatibility methods		// vector compatibility methods
unsigned size() const { return MetadataPtrs.size(); }		unsigned size() const { return MetadataPtrs.size(); }
void resize(unsigned N) { MetadataPtrs.resize(N); }		void resize(unsigned N) { MetadataPtrs.resize(N); }
void push_back(Metadata *MD) { MetadataPtrs.emplace_back(MD); }		void push_back(Metadata *MD) { MetadataPtrs.emplace_back(MD); }
void clear() { MetadataPtrs.clear(); }		void clear() { MetadataPtrs.clear(); }
Metadata *back() const { return MetadataPtrs.back(); }		Metadata *back() const { return MetadataPtrs.back(); }
void pop_back() { MetadataPtrs.pop_back(); }		void pop_back() { MetadataPtrs.pop_back(); }
▲ Show 20 Lines • Show All 70 Lines • ▼ Show 20 Lines	void BitcodeReaderMetadataList::assignValue(Metadata *MD, unsigned Idx) {

// If there was a forward reference to this value, replace it.		// If there was a forward reference to this value, replace it.
TempMDTuple PrevMD(cast<MDTuple>(OldMD.get()));		TempMDTuple PrevMD(cast<MDTuple>(OldMD.get()));
PrevMD->replaceAllUsesWith(MD);		PrevMD->replaceAllUsesWith(MD);
ForwardReference.erase(Idx);		ForwardReference.erase(Idx);
}		}

Metadata *BitcodeReaderMetadataList::getMetadataFwdRef(unsigned Idx) {		Metadata *BitcodeReaderMetadataList::getMetadataFwdRef(unsigned Idx) {
		// Bail out for a clearly invalid value.
		if (Idx >= RefsUpperBound)
		return nullptr;

if (Idx >= size())		if (Idx >= size())
resize(Idx + 1);		resize(Idx + 1);

if (Metadata *MD = MetadataPtrs[Idx])		if (Metadata *MD = MetadataPtrs[Idx])
return MD;		return MD;

// Track forward refs to be resolved later.		// Track forward refs to be resolved later.
ForwardReference.insert(Idx);		ForwardReference.insert(Idx);
▲ Show 20 Lines • Show All 391 Lines • ▼ Show 20 Lines	void upgradeDebugInfo() {
upgradeCUVariables();		upgradeCUVariables();
}		}

public:		public:
MetadataLoaderImpl(BitstreamCursor &Stream, Module &TheModule,		MetadataLoaderImpl(BitstreamCursor &Stream, Module &TheModule,
BitcodeReaderValueList &ValueList,		BitcodeReaderValueList &ValueList,
std::function<Type *(unsigned)> getTypeByID,		std::function<Type *(unsigned)> getTypeByID,
bool IsImporting)		bool IsImporting)
: MetadataList(TheModule.getContext()), ValueList(ValueList),		: MetadataList(TheModule.getContext(), Stream.SizeInBytes()),
Stream(Stream), Context(TheModule.getContext()), TheModule(TheModule),		ValueList(ValueList), Stream(Stream), Context(TheModule.getContext()),
getTypeByID(std::move(getTypeByID)), IsImporting(IsImporting) {}		TheModule(TheModule), getTypeByID(std::move(getTypeByID)),
		IsImporting(IsImporting) {}

Error parseMetadata(bool ModuleLevel);		Error parseMetadata(bool ModuleLevel);

bool hasFwdRefs() const { return MetadataList.hasFwdRefs(); }		bool hasFwdRefs() const { return MetadataList.hasFwdRefs(); }

Metadata *getMetadataFwdRefOrLoad(unsigned ID) {		Metadata *getMetadataFwdRefOrLoad(unsigned ID) {
if (ID < MDStringRef.size())		if (ID < MDStringRef.size())
return lazyLoadOneMDString(ID);		return lazyLoadOneMDString(ID);
▲ Show 20 Lines • Show All 1,525 Lines • Show Last 20 Lines

llvm/trunk/lib/Bitcode/Reader/ValueList.h

Show All 40 Lines	class BitcodeReaderValueList {
/// ResolveConstantForwardRefs for more information about this.		/// ResolveConstantForwardRefs for more information about this.
///		///
/// The key of this vector is the placeholder constant, the value is the slot		/// The key of this vector is the placeholder constant, the value is the slot
/// number that holds the resolved value.		/// number that holds the resolved value.
using ResolveConstantsTy = std::vector<std::pair<Constant *, unsigned>>;		using ResolveConstantsTy = std::vector<std::pair<Constant *, unsigned>>;
ResolveConstantsTy ResolveConstants;		ResolveConstantsTy ResolveConstants;
LLVMContext &Context;		LLVMContext &Context;

		/// Maximum number of valid references. Forward references exceeding the
		/// maximum must be invalid.
		unsigned RefsUpperBound;

public:		public:
BitcodeReaderValueList(LLVMContext &C) : Context(C) {}		BitcodeReaderValueList(LLVMContext &C, size_t RefsUpperBound)
		: Context(C),
		RefsUpperBound(std::min((size_t)std::numeric_limits<unsigned>::max(),
		RefsUpperBound)) {}

~BitcodeReaderValueList() {		~BitcodeReaderValueList() {
assert(ResolveConstants.empty() && "Constants not resolved?");		assert(ResolveConstants.empty() && "Constants not resolved?");
}		}

// vector compatibility methods		// vector compatibility methods
unsigned size() const { return ValuePtrs.size(); }		unsigned size() const { return ValuePtrs.size(); }
void resize(unsigned N) {		void resize(unsigned N) {
▲ Show 20 Lines • Show All 45 Lines • Show Last 20 Lines

llvm/trunk/lib/Bitcode/Reader/ValueList.cpp

Show First 20 Lines • Show All 91 Lines • ▼ Show 20 Lines	if (Constant PHC = dyn_cast<Constant>(&OldV)) {
// If there was a forward reference to this value, replace it.		// If there was a forward reference to this value, replace it.
Value *PrevVal = OldV;		Value *PrevVal = OldV;
OldV->replaceAllUsesWith(V);		OldV->replaceAllUsesWith(V);
PrevVal->deleteValue();		PrevVal->deleteValue();
}		}
}		}

Constant BitcodeReaderValueList::getConstantFwdRef(unsigned Idx, Type Ty) {		Constant BitcodeReaderValueList::getConstantFwdRef(unsigned Idx, Type Ty) {
		// Bail out for a clearly invalid value.
		if (Idx >= RefsUpperBound)
		return nullptr;

if (Idx >= size())		if (Idx >= size())
resize(Idx + 1);		resize(Idx + 1);

if (Value *V = ValuePtrs[Idx]) {		if (Value *V = ValuePtrs[Idx]) {
if (Ty != V->getType())		if (Ty != V->getType())
report_fatal_error("Type mismatch in constant table!");		report_fatal_error("Type mismatch in constant table!");
return cast<Constant>(V);		return cast<Constant>(V);
}		}

// Create and return a placeholder, which will later be RAUW'd.		// Create and return a placeholder, which will later be RAUW'd.
Constant *C = new ConstantPlaceHolder(Ty, Context);		Constant *C = new ConstantPlaceHolder(Ty, Context);
ValuePtrs[Idx] = C;		ValuePtrs[Idx] = C;
return C;		return C;
}		}

Value BitcodeReaderValueList::getValueFwdRef(unsigned Idx, Type Ty,		Value BitcodeReaderValueList::getValueFwdRef(unsigned Idx, Type Ty,
Type **FullTy) {		Type **FullTy) {
// Bail out for a clearly invalid value. This would make us call resize(0)		// Bail out for a clearly invalid value.
if (Idx == std::numeric_limits<unsigned>::max())		if (Idx >= RefsUpperBound)
return nullptr;		return nullptr;

if (Idx >= size())		if (Idx >= size())
resize(Idx + 1);		resize(Idx + 1);

if (Value *V = ValuePtrs[Idx]) {		if (Value *V = ValuePtrs[Idx]) {
// If the types don't match, it's invalid.		// If the types don't match, it's invalid.
if (Ty && Ty != V->getType())		if (Ty && Ty != V->getType())
▲ Show 20 Lines • Show All 95 Lines • Show Last 20 Lines

llvm/trunk/test/Bitcode/pr18704.ll

	; RUN: not llvm-dis < %s.bc 2>&1 \| FileCheck %s			; RUN: not llvm-dis < %s.bc 2>&1 \| FileCheck %s

	; CHECK: llvm-dis{{(\.EXE\|\.exe)?}}: error: Never resolved value found in function			; CHECK: llvm-dis{{(\.EXE\|\.exe)?}}: error: Invalid record

	; pr18704.ll.bc has an instruction referring to invalid type.			; pr18704.ll.bc has an instruction referring to invalid type.
	; The test checks that LLVM reports the error and doesn't access freed memory			; The test checks that LLVM reports the error and doesn't access freed memory
	; in doing so.			; in doing so.

	;<MODULE_BLOCK NumWords=217 BlockCodeSize=3>			;<MODULE_BLOCK NumWords=217 BlockCodeSize=3>
	; <VERSION op0=1/>			; <VERSION op0=1/>
	; <BLOCKINFO_BLOCK/>			; <BLOCKINFO_BLOCK/>
	▲ Show 20 Lines • Show All 147 Lines • Show Last 20 Lines