This is an archive of the discontinued LLVM Phabricator instance.

Differential D69304

[llvm-objcopy] - Do not crash on object that has relocations but no symbol table.
ClosedPublic

Authored by grimar on Oct 22 2019, 5:38 AM.

Details

Reviewers
jhenderson
MaskRay
rupprecht
alexander-shaposhnikov
espindola
Commits
rGa795bd964544: [llvm-objcopy] - Do not crash on object that has relocations but no symbol…
Summary

It was revealed by D69260.

Tool crashed when scanned relocations in a object without a symbol table.
This patch teaches it either to handle such objects (when relocations
does not use symbols we do not need a symbol table to proceed)
or to show an appropriate error otherwise.

Diff Detail

Event Timeline

grimar created this revision.Oct 22 2019, 5:38 AM
Herald added a reviewer: espindola. · View Herald TranscriptOct 22 2019, 5:38 AM
Herald added subscribers: seiya, abrachet, jakehehrlich and 2 others. · View Herald Transcript
MaskRay added a comment.Oct 22 2019, 9:45 AM

An alternative approach is to generalize else if (EnsureSymtab) for non --add-symbol= operations as well. I need to investigate more to check whether that is feasible. If it does, it can save us some SymbolTable nullness checks later. ()I should also address another problem raised in D69093 (SectionNames is initialized after if (Obj.SectionNames != &Sec))

test/tools/llvm-objcopy/ELF/relocations-no-symtab.test
2 ↗(On Diff #226034)

that holds symbol index 0

4 ↗(On Diff #226034)

-o

grimar added a comment.Oct 23 2019, 3:00 AM
In D69304#1718059, @MaskRay wrote:

An alternative approach is to generalize else if (EnsureSymtab) for non --add-symbol= operations as well.

I am not sure I understood the idea honestly. Here we have an object that has a relocation which references a symbol when symbol table is not exist.
In my understanding it is not a situation where we might want to create a symbol table, it is probably about we should report an error?

MaskRay added inline comments.Oct 24 2019, 10:37 PM
test/tools/llvm-objcopy/ELF/relocations-no-symtab.test
31 ↗(On Diff #226034)

a relocation refers to a non-zero symbol index but there is no symbol table.

grimar updated this revision to Diff 226626.Oct 28 2019, 2:59 AM
grimar marked 3 inline comments as done.
grimar edited the summary of this revision. (Show Details)
  • Addressed review comments.
Herald added a project: Restricted Project. · View Herald TranscriptOct 28 2019, 2:59 AM
jhenderson added inline comments.Oct 28 2019, 7:35 AM
llvm/test/tools/llvm-objcopy/ELF/relocations-no-symtab.test
3

I think "with a symbol index of 0" would be more natural than "that holds symbol index 0"

35

-o for consistency.

44

It probably makes slightly more sense for this to be ET_REL.

llvm/tools/llvm-objcopy/ELF/Object.cpp
908–909

This looks dodgy if no symbol exists.

1427–1428

I'm not sure this error message is clear enough. I think it is not obvious what the number in it represents. Perhaps it could be rephrased "relocation references symbol with index N, but there is no symbol table". What do you think?

grimar mentioned this in D69260: [yaml2obj] - Make .symtab to be not mandatory section for SHT_REL[A] section..Oct 28 2019, 7:37 AM
MaskRay added inline comments.Oct 28 2019, 7:35 PM
llvm/test/tools/llvm-objcopy/ELF/relocations-no-symtab.test
36

%t4 -> /dev/null

llvm/tools/llvm-objcopy/ELF/Object.cpp
1427–1428

"relocation references symbol with index N, but there is no symbol table"

+1

grimar updated this revision to Diff 226864.Oct 29 2019, 3:09 AM
grimar marked 9 inline comments as done.
grimar edited the summary of this revision. (Show Details)
  • Addressed review comments.
llvm/tools/llvm-objcopy/ELF/Object.cpp
908–909

"relocation references symbol with index..." error is triggered earlier than execution flow might reach here.

It is reported from initRelocations which is called inside Reader.create() here:
https://github.com/llvm-mirror/llvm/blob/master/tools/llvm-objcopy/ELF/ELFObjcopy.cpp#L773

markSymbols() is called from updateAndRemoveSymbols which is itself caled in handleArgs:
https://github.com/llvm-mirror/llvm/blob/master/tools/llvm-objcopy/ELF/ELFObjcopy.cpp#L799
https://github.com/llvm-mirror/llvm/blob/master/tools/llvm-objcopy/ELF/ELFObjcopy.cpp#L613
https://github.com/llvm-mirror/llvm/blob/master/tools/llvm-objcopy/ELF/ELFObjcopy.cpp#L402

handleArgs is called later than Reader.create().

Also, it checks for an empty symbol table at its begining:
https://github.com/llvm-mirror/llvm/blob/master/tools/llvm-objcopy/ELF/ELFObjcopy.cpp#L350

1427–1428

Yep, that is better.

grimar planned changes to this revision.Oct 29 2019, 3:19 AM

Going to check one more case for RelocationSection::markSymbols() mentioned.

jhenderson accepted this revision.Oct 29 2019, 3:30 AM

Okay, everything else LGTM. If you don't find any more issues, feel free to commit from my point of view.

grimar added a comment.Oct 29 2019, 3:40 AM
In D69304#1724971, @jhenderson wrote:

Okay, everything else LGTM. If you don't find any more issues, feel free to commit from my point of view.

I've found you actually was right. I.e. I found a different scenario to trigger a crash in markSymbols. Working on a test case, going to update the patch soon.

grimar updated this revision to Diff 226870.Oct 29 2019, 4:00 AM
grimar marked an inline comment as done.
  • Added a test case and did a code change for a one more case.
This revision is now accepted and ready to land.Oct 29 2019, 4:00 AM
grimar requested review of this revision.Oct 29 2019, 4:00 AM
grimar added inline comments.
llvm/tools/llvm-objcopy/ELF/Object.cpp
908–909

I've found this concern was valid. To trigger an issue we need an object with a symbol table and a relocation with a symbol index of 0. Then it is possible to reach markSymbol for example when --strip-unneeded is given.

I've added a test to no-symbol-relocation.test.

jhenderson accepted this revision.Oct 29 2019, 4:14 AM

LGTM. Thanks!

llvm/tools/llvm-objcopy/ELF/Object.cpp
908–909

It's probably safer this way, even if it was unreachable. But I'm glad my caution was not misplaced this time!

This revision is now accepted and ready to land.Oct 29 2019, 4:14 AM
Closed by commit rGa795bd964544: [llvm-objcopy] - Do not crash on object that has relocations but no symbol… (authored by grimar). · Explain WhyOct 30 2019, 3:27 AM
This revision was automatically updated to reflect the committed changes.

Revision Contents

PathSize
llvm/
test/
tools/
llvm-objcopy/
ELF/
49 lines
55 lines
tools/
llvm-objcopy/
ELF/
21 lines

Diff 227058

llvm/test/tools/llvm-objcopy/ELF/no-symbol-relocation.test

# RUN: yaml2obj %s > %t # RUN: yaml2obj --docnum=1 %s > %t1
# RUN: llvm-objcopy %t %t2 # RUN: llvm-objcopy %t1 %t2
# RUN: llvm-readobj --relocations %t2 | FileCheck %s # RUN: llvm-readobj --relocations %t2 | FileCheck %s
!ELF --- !ELF
FileHeader: FileHeader:
Class: ELFCLASS64 Class: ELFCLASS64
Data: ELFDATA2LSB Data: ELFDATA2LSB
Type: ET_EXEC Type: ET_EXEC
Machine: EM_X86_64 Machine: EM_X86_64
Sections: Sections:
- Name: .text - Name: .text
Type: SHT_PROGBITS Type: SHT_PROGBITS
Flags: [ SHF_ALLOC, SHF_EXECINSTR ] Flags: [ SHF_ALLOC, SHF_EXECINSTR ]
Address: 0x1000 Address: 0x1000
AddressAlign: 0x0000000000000010 AddressAlign: 0x0000000000000010
Content: "0000000000000000" Content: "0000000000000000"
- Name: .rel.text - Name: .rel.text
Type: SHT_REL Type: SHT_REL
Info: .text Info: .text
Relocations: Relocations:
- Offset: 0x1000 - Offset: 0x1000
Type: R_X86_64_RELATIVE Type: R_X86_64_RELATIVE
## TODO: llvm-objcopy crashes without the following line.
Symbols: []
# CHECK: Relocations [ # CHECK: Relocations [
# CHECK-NEXT: Section (2) .rel.text { # CHECK-NEXT: Section (2) .rel.text {
# CHECK-NEXT: 0x1000 R_X86_64_RELATIVE - 0x0 # CHECK-NEXT: 0x1000 R_X86_64_RELATIVE - 0x0
# CHECK-NEXT: } # CHECK-NEXT: }
# CHECK-NEXT:] # CHECK-NEXT:]
## Check we produce a valid output when stripping unneeded symbols from an object that
## has a symbol table and a relocation with a symbol index of 0.
# RUN: yaml2obj --docnum=2 %s > %t3
# RUN: llvm-objcopy --strip-unneeded %t3 %t4
# RUN: llvm-readobj --relocations --sections --symbols %t4 | FileCheck %s --check-prefix=STRIP
# STRIP: Relocations [
# STRIP-NEXT: Section {{.*}} .rel.text {
# STRIP-NEXT: 0x1000 R_X86_64_NONE - 0x0
# STRIP-NEXT: }
# STRIP-NEXT: ]
# STRIP-NEXT: Symbols [
# STRIP-NEXT: Symbol {
# STRIP-NEXT: Name: (0)
# STRIP-NEXT: Value: 0x0
# STRIP-NEXT: Size: 0
# STRIP-NEXT: Binding: Local (0x0)
# STRIP-NEXT: Type: None (0x0)
# STRIP-NEXT: Other: 0
# STRIP-NEXT: Section: Undefined (0x0)
# STRIP-NEXT: }
# STRIP-NEXT: ]
--- !ELF
FileHeader:
Class: ELFCLASS64
Data: ELFDATA2LSB
Type: ET_REL
Machine: EM_X86_64
Sections:
- Name: .text
Type: SHT_PROGBITS
- Name: .rel.text
Type: SHT_REL
Info: .text
Relocations:
- Offset: 0x1000
Type: R_X86_64_NONE
Symbols: []

llvm/test/tools/llvm-objcopy/ELF/relocations-no-symtab.test

  • This file was added.
## Check that we can copy an object that has a relocation
## with a symbol index of 0 even when there is no symbol table.
jhendersonUnsubmitted
Done
ReplyInline Actions

I think "with a symbol index of 0" would be more natural than "that holds symbol index 0"

jhenderson: I think "with a symbol index of 0" would be more natural than "that holds symbol index 0"
# RUN: yaml2obj --docnum=1 %s -o %t1
# RUN: llvm-objcopy %t1 %t2
# RUN: llvm-readobj --relocations %t2 | FileCheck %s
# CHECK: Relocations [
# CHECK-NEXT: Section {{.*}} .rel.text {
# CHECK-NEXT: 0x1000 R_X86_64_RELATIVE - 0x0
# CHECK-NEXT: }
# CHECK-NEXT:]
--- !ELF
FileHeader:
Class: ELFCLASS64
Data: ELFDATA2LSB
Type: ET_REL
Machine: EM_X86_64
Sections:
- Name: .text
Type: SHT_PROGBITS
Flags: [ SHF_ALLOC, SHF_EXECINSTR ]
- Name: .rel.text
Type: SHT_REL
Info: .text
Relocations:
- Offset: 0x1000
Type: R_X86_64_RELATIVE
## Check that we report an error when a relocation refers to a
## non-zero symbol index but there is no symbol table.
# RUN: yaml2obj --docnum=2 %s -o %t3
# RUN: not llvm-objcopy %t3 /dev/null 2>&1 | FileCheck %s --check-prefix=ERR
jhendersonUnsubmitted
Done
ReplyInline Actions

-o for consistency.

jhenderson: -o for consistency.
MaskRayUnsubmitted
Done
ReplyInline Actions

%t4 -> /dev/null

MaskRay: `%t4` -> `/dev/null`
# ERR: error: '.rel.text': relocation references symbol with index 1, but there is no symbol table
--- !ELF
FileHeader:
Class: ELFCLASS64
Data: ELFDATA2LSB
Type: ET_REL
Machine: EM_X86_64
jhendersonUnsubmitted
Done
ReplyInline Actions

It probably makes slightly more sense for this to be ET_REL.

jhenderson: It probably makes slightly more sense for this to be ET_REL.
Sections:
- Name: .text
Type: SHT_PROGBITS
Flags: [ SHF_ALLOC, SHF_EXECINSTR ]
- Name: .rel.text
Type: SHT_REL
Info: .text
Relocations:
- Offset: 0x1000
Symbol: 1
Type: R_X86_64_NONE

llvm/tools/llvm-objcopy/ELF/Object.cpp

Show First 20 LinesShow All 809 Lines▼ Show 20 Lines if (!AllowBrokenLinks)
llvm::errc::invalid_argument, llvm::errc::invalid_argument,
"symbol table '%s' cannot be removed because it is " "symbol table '%s' cannot be removed because it is "
"referenced by the relocation section '%s'", "referenced by the relocation section '%s'",
Symbols->Name.data(), this->Name.data()); Symbols->Name.data(), this->Name.data());
Symbols = nullptr; Symbols = nullptr;
} }
for (const Relocation &R : Relocations) { for (const Relocation &R : Relocations) {
if (!R.RelocSymbol->DefinedIn || !ToRemove(R.RelocSymbol->DefinedIn)) if (!R.RelocSymbol || !R.RelocSymbol->DefinedIn ||
!ToRemove(R.RelocSymbol->DefinedIn))
continue; continue;
return createStringError(llvm::errc::invalid_argument, return createStringError(llvm::errc::invalid_argument,
"section '%s' cannot be removed: (%s+0x%" PRIx64 "section '%s' cannot be removed: (%s+0x%" PRIx64
") has relocation against symbol '%s'", ") has relocation against symbol '%s'",
R.RelocSymbol->DefinedIn->Name.data(), R.RelocSymbol->DefinedIn->Name.data(),
SecToApplyRel->Name.data(), R.Offset, SecToApplyRel->Name.data(), R.Offset,
R.RelocSymbol->Name.c_str()); R.RelocSymbol->Name.c_str());
} }
Show All 36 Linesstatic void setAddend(Elf_Rel_Impl<ELFT, true> &Rela, uint64_t Addend) {
Rela.r_addend = Addend; Rela.r_addend = Addend;
} }
template <class RelRange, class T> template <class RelRange, class T>
static void writeRel(const RelRange &Relocations, T *Buf) { static void writeRel(const RelRange &Relocations, T *Buf) {
for (const auto &Reloc : Relocations) { for (const auto &Reloc : Relocations) {
Buf->r_offset = Reloc.Offset; Buf->r_offset = Reloc.Offset;
setAddend(*Buf, Reloc.Addend); setAddend(*Buf, Reloc.Addend);
Buf->setSymbolAndType(Reloc.RelocSymbol->Index, Reloc.Type, false); Buf->setSymbolAndType(Reloc.RelocSymbol ? Reloc.RelocSymbol->Index : 0,
Reloc.Type, false);
++Buf; ++Buf;
} }
} }
template <class ELFT> template <class ELFT>
void ELFSectionWriter<ELFT>::visit(const RelocationSection &Sec) { void ELFSectionWriter<ELFT>::visit(const RelocationSection &Sec) {
uint8_t *Buf = Out.getBufferStart() + Sec.Offset; uint8_t *Buf = Out.getBufferStart() + Sec.Offset;
if (Sec.Type == SHT_REL) if (Sec.Type == SHT_REL)
writeRel(Sec.Relocations, reinterpret_cast<Elf_Rel *>(Buf)); writeRel(Sec.Relocations, reinterpret_cast<Elf_Rel *>(Buf));
else else
writeRel(Sec.Relocations, reinterpret_cast<Elf_Rela *>(Buf)); writeRel(Sec.Relocations, reinterpret_cast<Elf_Rela *>(Buf));
} }
void RelocationSection::accept(SectionVisitor &Visitor) const { void RelocationSection::accept(SectionVisitor &Visitor) const {
Visitor.visit(*this); Visitor.visit(*this);
} }
void RelocationSection::accept(MutableSectionVisitor &Visitor) { void RelocationSection::accept(MutableSectionVisitor &Visitor) {
Visitor.visit(*this); Visitor.visit(*this);
} }
Error RelocationSection::removeSymbols( Error RelocationSection::removeSymbols(
function_ref<bool(const Symbol &)> ToRemove) { function_ref<bool(const Symbol &)> ToRemove) {
for (const Relocation &Reloc : Relocations) for (const Relocation &Reloc : Relocations)
if (ToRemove(*Reloc.RelocSymbol)) if (Reloc.RelocSymbol && ToRemove(*Reloc.RelocSymbol))
return createStringError( return createStringError(
llvm::errc::invalid_argument, llvm::errc::invalid_argument,
"not stripping symbol '%s' because it is named in a relocation", "not stripping symbol '%s' because it is named in a relocation",
Reloc.RelocSymbol->Name.data()); Reloc.RelocSymbol->Name.data());
return Error::success(); return Error::success();
} }
void RelocationSection::markSymbols() { void RelocationSection::markSymbols() {
for (const Relocation &Reloc : Relocations) for (const Relocation &Reloc : Relocations)
if (Reloc.RelocSymbol)
Reloc.RelocSymbol->Referenced = true; Reloc.RelocSymbol->Referenced = true;
jhendersonUnsubmitted
Done
ReplyInline Actions

This looks dodgy if no symbol exists.

jhenderson: This looks dodgy if no symbol exists.
grimarAuthorUnsubmitted
Done
ReplyInline Actions

"relocation references symbol with index..." error is triggered earlier than execution flow might reach here.

It is reported from initRelocations which is called inside Reader.create() here:
https://github.com/llvm-mirror/llvm/blob/master/tools/llvm-objcopy/ELF/ELFObjcopy.cpp#L773

markSymbols() is called from updateAndRemoveSymbols which is itself caled in handleArgs:
https://github.com/llvm-mirror/llvm/blob/master/tools/llvm-objcopy/ELF/ELFObjcopy.cpp#L799
https://github.com/llvm-mirror/llvm/blob/master/tools/llvm-objcopy/ELF/ELFObjcopy.cpp#L613
https://github.com/llvm-mirror/llvm/blob/master/tools/llvm-objcopy/ELF/ELFObjcopy.cpp#L402

handleArgs is called later than Reader.create().

Also, it checks for an empty symbol table at its begining:
https://github.com/llvm-mirror/llvm/blob/master/tools/llvm-objcopy/ELF/ELFObjcopy.cpp#L350

grimar: "relocation references symbol with index..." error is triggered earlier than execution flow…
grimarAuthorUnsubmitted
Done
ReplyInline Actions

I've found this concern was valid. To trigger an issue we need an object with a symbol table and a relocation with a symbol index of 0. Then it is possible to reach markSymbol for example when --strip-unneeded is given.

I've added a test to no-symbol-relocation.test.

grimar: I've found this concern was valid. To trigger an issue we need an object with a symbol table…
jhendersonUnsubmitted
Not Done
ReplyInline Actions

It's probably safer this way, even if it was unreachable. But I'm glad my caution was not misplaced this time!

jhenderson: It's probably safer this way, even if it was unreachable. But I'm glad my caution was not…
} }
void RelocationSection::replaceSectionReferences( void RelocationSection::replaceSectionReferences(
const DenseMap<SectionBase *, SectionBase *> &FromTo) { const DenseMap<SectionBase *, SectionBase *> &FromTo) {
// Update the target section if it was replaced. // Update the target section if it was replaced.
if (SectionBase *To = FromTo.lookup(SecToApplyRel)) if (SectionBase *To = FromTo.lookup(SecToApplyRel))
SecToApplyRel = To; SecToApplyRel = To;
} }
▲ Show 20 LinesShow All 498 Lines▼ Show 20 Lines
template <class T> template <class T>
static void initRelocations(RelocationSection *Relocs, static void initRelocations(RelocationSection *Relocs,
SymbolTableSection *SymbolTable, T RelRange) { SymbolTableSection *SymbolTable, T RelRange) {
for (const auto &Rel : RelRange) { for (const auto &Rel : RelRange) {
Relocation ToAdd; Relocation ToAdd;
ToAdd.Offset = Rel.r_offset; ToAdd.Offset = Rel.r_offset;
getAddend(ToAdd.Addend, Rel); getAddend(ToAdd.Addend, Rel);
ToAdd.Type = Rel.getType(false); ToAdd.Type = Rel.getType(false);
ToAdd.RelocSymbol = SymbolTable->getSymbolByIndex(Rel.getSymbol(false));
if (uint32_t Sym = Rel.getSymbol(false)) {
if (!SymbolTable)
error("'" + Relocs->Name +
"': relocation references symbol with index " + Twine(Sym) +
jhendersonUnsubmitted
Done
ReplyInline Actions

I'm not sure this error message is clear enough. I think it is not obvious what the number in it represents. Perhaps it could be rephrased "relocation references symbol with index N, but there is no symbol table". What do you think?

jhenderson: I'm not sure this error message is clear enough. I think it is not obvious what the number in…
MaskRayUnsubmitted
Done
ReplyInline Actions

"relocation references symbol with index N, but there is no symbol table"

+1

MaskRay: > "relocation references symbol with index N, but there is no symbol table" +1
grimarAuthorUnsubmitted
Done
ReplyInline Actions

Yep, that is better.

grimar: Yep, that is better.
", but there is no symbol table");
ToAdd.RelocSymbol = SymbolTable->getSymbolByIndex(Sym);
}
Relocs->addRelocation(ToAdd); Relocs->addRelocation(ToAdd);
} }
} }
SectionBase *SectionTableRef::getSection(uint32_t Index, Twine ErrMsg) { SectionBase *SectionTableRef::getSection(uint32_t Index, Twine ErrMsg) {
if (Index == SHN_UNDEF || Index > Sections.size()) if (Index == SHN_UNDEF || Index > Sections.size())
error(ErrMsg); error(ErrMsg);
return Sections[Index - 1].get(); return Sections[Index - 1].get();
▲ Show 20 LinesShow All 884 LinesShow Last 20 Lines