This is an archive of the discontinued LLVM Phabricator instance.

Differential D88561

[llvm-readobj] - Fix possible crashes related to dumping gnu hash symbols.
ClosedPublic

Authored by grimar on Sep 30 2020, 5:22 AM.

Details

Reviewers
jhenderson
MaskRay
espindola
Commits
rG80bf29f00cc8: [llvm-readobj] - Fix possible crashes related to dumping gnu hash symbols.
Summary

It fixes possible scenarios when we crash/assert with --hash-symbols when
dumping an invalid GNU hash table which has a broken value in the buckets array.

This fixes a crash reported in comments for
https://bugs.llvm.org/show_bug.cgi?id=47681

Diff Detail

Event Timeline

grimar created this revision.Sep 30 2020, 5:22 AM
Herald added a reviewer: espindola. · View Herald TranscriptSep 30 2020, 5:22 AM
Herald added a project: Restricted Project. · View Herald Transcript
Herald added subscribers: rupprecht, emaste. · View Herald Transcript
grimar requested review of this revision.Sep 30 2020, 5:22 AM
jhenderson added inline comments.Sep 30 2020, 5:49 AM
llvm/test/tools/llvm-readobj/ELF/hash-symbols.test
662

It's not clear from this comment what is causing the attempt to read past the end of file. Please could you clarify.

672–673
679–680

Surely we should be diagnosing the attempt to read using an invalid dynamic symbol index in the first place, so that we don't see semi-random warnings?

691

Ditto.

llvm/tools/llvm-readobj/ELFDumper.cpp
4097

Perhaps this - "length" implies the number of entries in the array, whereas "size" could mean either that or the total size taken up by the array (e.g. 4 times the length, if the elements are 4 bytes in size each).

grimar marked an inline comment as done.Sep 30 2020, 7:15 AM
grimar added inline comments.
llvm/test/tools/llvm-readobj/ELF/hash-symbols.test
679–680

I am not sure honestly. Currently our logic is that we can't get here when there is no SHT_DYNSYM section,
because we take the size of the dynamic symbol table from there and there is no other way to get it.
I.e. there is no dynamic tag for that, so in case when we e.g. don't have a .hash table to infer the size,
we will never be able to dump symbols currently and we return earlier:

void GNUStyle<ELFT>::printGnuHashTableSymbols(const Elf_GnuHash &GnuHash) {
  StringRef StringTable = this->dumper().getDynamicStringTable();
  if (StringTable.empty())
    return;

  Elf_Sym_Range DynSyms = this->dumper().dynamic_symbols();
  const Elf_Sym *FirstSym = DynSyms.empty() ? nullptr : &DynSyms[0];
  if (!FirstSym) {
    Optional<DynRegionInfo> DynSymRegion = this->dumper().getDynSymRegion();
    this->reportUniqueWarning(createError(
        Twine("unable to print symbols for the .gnu.hash table: the "
              "dynamic symbol table ") +
        (DynSymRegion ? "is empty" : "was not found")));
    return;
  }
....

At the same time I think loaders have no any checks (i.e. they don't try to use the size from SHT_DYNSYM) and will try to use a dynamic symbol found via DT_SYMTAB only. In this case it might probably be useful to try to dump symbols here,
even if they are invalid to reveal what loaders see on their side? Perhaps worth showing an additional warning, saying that we think/found that an index is invalid though. And we can also probably change the code shown above to allow us to pass when DynSymRegion.Addr != 0 (i.e. when we found a DT_SYMTAB, but no SHT_DYNSYM and the address is within the file).

If not, we can probably just skip symbols with invalid indices, just like you've suggested.

What do you think?

nickdesaulniers added a subscriber: nickdesaulniers.Sep 30 2020, 8:34 AM
uweigand added a subscriber: uweigand.Sep 30 2020, 10:44 AM

I think the handling of the GNU hash table is actually already fully correct. The crash (or error message when using this patch) is simply a side effect of the fact that size of the DynSymRegion was clobbered here (near the end of ELFDumper<ELFT>::parseDynamicTable()):

DynSymRegion->Size = HashTable->nchain * DynSymRegion->EntSize;

This in turn is because HashTable->nchain (like all of HashTable) is just incorrect on s390x at the moment, as discussed in https://bugs.llvm.org/show_bug.cgi?id=47681

jhenderson added inline comments.Oct 1 2020, 1:26 AM
llvm/test/tools/llvm-readobj/ELF/hash-symbols.test
679–680

Ah, I forgot that the dynsym has no size in the dynamic table (that's still dumb, but oh well). I think if we have information implying the index looks broken, due to other information (e.g. the section header), we should at least warn that this is probably not correct. I think the warning would be more than enough to say something is a bit bogus. I also think that means we don't need to try to dump invalid index symbols if we know they are bogus (why would a user care what the loader sees if they know that whatever it is is bad - in such situations they'd need to fix the source of the bad index).

I'm a little struggling to follow the full details of your comment though. so I may be misunderstanding your points/questions.

uweigand added inline comments.Oct 1 2020, 1:38 AM
llvm/test/tools/llvm-readobj/ELF/hash-symbols.test
679–680

As I said in my comment yesterday, in this particular executable we do have the correct size of dynsym from the section table -- it's just that this (correct) size is later replaced by (incorrect) information derived from the .hash section.

grimar marked an inline comment as done.Oct 1 2020, 2:35 AM
In D88561#2304127, @uweigand wrote:

I think the handling of the GNU hash table is actually already fully correct. The crash (or error message when using this patch) is simply a side effect of the fact that size of the DynSymRegion was clobbered here (near the end of ELFDumper<ELFT>::parseDynamicTable()):

DynSymRegion->Size = HashTable->nchain * DynSymRegion->EntSize;

This in turn is because HashTable->nchain (like all of HashTable) is just incorrect on s390x at the moment, as discussed in https://bugs.llvm.org/show_bug.cgi?id=47681

That is true for you executable. But this patch fixes a bit different case. Here I am creating the .gnu.hash table with a broken value in the buckets array.
Currently with the test case provided we crash an all platforms at the same place where your executable crashes too.
So with this patch we fix the crash, but not the reason of PR47681, which is s390x specific.

grimar added inline comments.Oct 1 2020, 2:37 AM
llvm/test/tools/llvm-readobj/ELF/hash-symbols.test
679–680

I'm a little struggling to follow the full details of your comment though. so I may be misunderstanding your points/questions.

Nope. You got me right. I'll update the patch to report a warning and will stop printing a bogus symbol.

uweigand added a comment.Oct 1 2020, 2:54 AM
In D88561#2305598, @grimar wrote:
In D88561#2304127, @uweigand wrote:

I think the handling of the GNU hash table is actually already fully correct. The crash (or error message when using this patch) is simply a side effect of the fact that size of the DynSymRegion was clobbered here (near the end of ELFDumper<ELFT>::parseDynamicTable()):

DynSymRegion->Size = HashTable->nchain * DynSymRegion->EntSize;

This in turn is because HashTable->nchain (like all of HashTable) is just incorrect on s390x at the moment, as discussed in https://bugs.llvm.org/show_bug.cgi?id=47681

That is true for you executable. But this patch fixes a bit different case. Here I am creating the .gnu.hash table with a broken value in the buckets array.
Currently with the test case provided we crash an all platforms at the same place where your executable crashes too.
So with this patch we fix the crash, but not the reason of PR47681, which is s390x specific.

I see. In this case this patch doesn't really address PR47681, but only replaces a crash with wrong output ... Still preferable to not crash, but of course we still need to fix the root cause (at the least, by ignoring the .hash section if the entry size doesn't match).

grimar added a comment.EditedOct 1 2020, 3:01 AM
In D88561#2305660, @uweigand wrote:

I see. In this case this patch doesn't really address PR47681, but only replaces a crash with wrong output ... Still preferable to not crash, but of course we still need to fix the root cause (at the least, by ignoring the .hash section if the entry size doesn't match).

The fix for PR47681 (s390 specific) is independent from the crash (all platforms), so it should be fixed separatelly.
I am going to prepare a follow-up to fix the PR47681 after landing this.

uweigand added a comment.Oct 1 2020, 4:07 AM
In D88561#2305667, @grimar wrote:
In D88561#2305660, @uweigand wrote:

I see. In this case this patch doesn't really address PR47681, but only replaces a crash with wrong output ... Still preferable to not crash, but of course we still need to fix the root cause (at the least, by ignoring the .hash section if the entry size doesn't match).

The fix for PR47681 (s390 specific) is independent from the crash (all platforms), so it should be fixed separatelly.
I'll am going to prepare a follow-up to fix the PR47681 after landing this.

Thanks!

grimar updated this revision to Diff 295537.EditedOct 1 2020, 5:37 AM
grimar marked 6 inline comments as done.
  • Update implementation (validate the symbol index and related changes and simplifications).
llvm/test/tools/llvm-readobj/ELF/hash-symbols.test
662

I've updated implementation and had to rework all test cases. Now there are no cases when we try read past the EOF - or at least I can't imagine an input for that atm.

llvm/tools/llvm-readobj/ELFDumper.cpp
4097

This place is gone.

jhenderson added inline comments.Oct 6 2020, 3:08 AM
llvm/test/tools/llvm-readobj/ELF/hash-symbols.test
723
724
llvm/tools/llvm-readobj/ELFDumper.cpp
2748
4061
4073–4074

I'm not sure I understand what 'Values' here is referring to. Is it the hash values, or something else? Either way, there needs to be more context here.

grimar updated this revision to Diff 296443.Oct 6 2020, 6:41 AM
grimar marked 5 inline comments as done.
  • Addressed review comments.
jhenderson accepted this revision.Oct 8 2020, 12:56 AM

Looks good aside from a possible broken test.

llvm/test/tools/llvm-readobj/ELF/gnuhash.test
128

This test looks like it might need updating?

This revision is now accepted and ready to land.Oct 8 2020, 12:56 AM
grimar added inline comments.Oct 8 2020, 1:35 AM
llvm/test/tools/llvm-readobj/ELF/gnuhash.test
128

This message comes from a different place,
for LLVM style we show it when fail to dump Values:

void ELFDumper<ELFT>::printGnuHashTable() {
.....

  Expected<ArrayRef<Elf_Word>> Chains =
      getGnuHashTableChains<ELFT>(DynSymRegion, GnuHashTable);
  if (!Chains) {
    reportUniqueWarning(
        createError("unable to dump 'Values' for the SHT_GNU_HASH "
                    "section: " +
                    toString(Chains.takeError())));
    return;
  }

  W.printHexList("Values", *Chains);

I.e. it is unrelated to this patch, I think I just copypasted this error previously.
And for this particular place it seems that mentioning 'Values' in the message is reasonable.

jhenderson added inline comments.Oct 8 2020, 1:40 AM
llvm/test/tools/llvm-readobj/ELF/gnuhash.test
128

Okay (but I don't think 'Values' makes sense - values of what?)

grimar added inline comments.Oct 8 2020, 1:43 AM
llvm/test/tools/llvm-readobj/ELF/gnuhash.test
128

An example of normal output is:

GnuHashTable {
  Num Buckets: 3
  First Hashed Symbol Index: 1
  Num Mask Words: 2
  Shift Count: 2
  Bloom Filter: [0x3, 0x4]
  Buckets: [5, 6, 7]
  Values: [0x8, 0x9, 0xA, 0xB]
}

I.e. Values refers to the field that was expected to be dumped, but was not because of an error.

Closed by commit rG80bf29f00cc8: [llvm-readobj] - Fix possible crashes related to dumping gnu hash symbols. (authored by grimar). · Explain WhyOct 8 2020, 6:22 AM
This revision was automatically updated to reflect the committed changes.
grimar added a commit: rG80bf29f00cc8: [llvm-readobj] - Fix possible crashes related to dumping gnu hash symbols..

Revision Contents

PathSize
llvm/
test/
tools/
llvm-readobj/
ELF/
2 lines
2 lines
78 lines
tools/
llvm-readobj/
49 lines

Diff 295537

llvm/test/tools/llvm-readobj/ELF/gnuhash.test

Show First 20 LinesShow All 119 Lines▼ Show 20 Lines
# SYMNDX: GnuHashTable { # SYMNDX: GnuHashTable {
# SYMNDX-NEXT: Num Buckets: 1 # SYMNDX-NEXT: Num Buckets: 1
# SYMNDX-NEXT: First Hashed Symbol Index: 2 # SYMNDX-NEXT: First Hashed Symbol Index: 2
# SYMNDX-NEXT: Num Mask Words: 1 # SYMNDX-NEXT: Num Mask Words: 1
# SYMNDX-NEXT: Shift Count: 0 # SYMNDX-NEXT: Shift Count: 0
# SYMNDX-NEXT: Bloom Filter: [0x1] # SYMNDX-NEXT: Bloom Filter: [0x1]
# SYMNDX-NEXT: Buckets: [2] # SYMNDX-NEXT: Buckets: [2]
# SYMNDX-NEXT: warning: '[[FILE]]': unable to dump 'Values' for the SHT_GNU_HASH section: the first hashed symbol index (2) is larger than the number of dynamic symbols (2) # SYMNDX-NEXT: warning: '[[FILE]]': unable to dump 'Values' for the SHT_GNU_HASH section: the first hashed symbol index (2) is larger or equal to the number of dynamic symbols (2)
jhendersonUnsubmitted
Not Done
ReplyInline Actions

This test looks like it might need updating?

jhenderson: This test looks like it might need updating?
grimarAuthorUnsubmitted
Done
ReplyInline Actions

This message comes from a different place,
for LLVM style we show it when fail to dump Values:

void ELFDumper<ELFT>::printGnuHashTable() {
.....

  Expected<ArrayRef<Elf_Word>> Chains =
      getGnuHashTableChains<ELFT>(DynSymRegion, GnuHashTable);
  if (!Chains) {
    reportUniqueWarning(
        createError("unable to dump 'Values' for the SHT_GNU_HASH "
                    "section: " +
                    toString(Chains.takeError())));
    return;
  }

  W.printHexList("Values", *Chains);

I.e. it is unrelated to this patch, I think I just copypasted this error previously.
And for this particular place it seems that mentioning 'Values' in the message is reasonable.

grimar: This message comes from a different place, for LLVM style we show it when fail to dump `Values`…
jhendersonUnsubmitted
Not Done
ReplyInline Actions

Okay (but I don't think 'Values' makes sense - values of what?)

jhenderson: Okay (but I don't think `'Values'` makes sense - values of what?)
grimarAuthorUnsubmitted
Done
ReplyInline Actions

An example of normal output is:

GnuHashTable {
  Num Buckets: 3
  First Hashed Symbol Index: 1
  Num Mask Words: 2
  Shift Count: 2
  Bloom Filter: [0x3, 0x4]
  Buckets: [5, 6, 7]
  Values: [0x8, 0x9, 0xA, 0xB]
}

I.e. Values refers to the field that was expected to be dumped, but was not because of an error.

grimar: An example of normal output is: ``` GnuHashTable { Num Buckets: 3 First Hashed Symbol…
# SYMNDX-NEXT: } # SYMNDX-NEXT: }
--- !ELF --- !ELF
FileHeader: FileHeader:
Class: ELFCLASS64 Class: ELFCLASS64
Data: ELFDATA2LSB Data: ELFDATA2LSB
Type: ET_DYN Type: ET_DYN
Sections: Sections:
▲ Show 20 LinesShow All 177 LinesShow Last 20 Lines

llvm/test/tools/llvm-readobj/ELF/hash-histogram.test

Show First 20 LinesShow All 325 Lines▼ Show 20 Lines
## Check the case when a 'symndx' index of the first symbol in the dynamic symbol ## Check the case when a 'symndx' index of the first symbol in the dynamic symbol
## table is larger than the number of dynamic symbols. ## table is larger than the number of dynamic symbols.
## Case A: when the buckets array is not empty and has a non-zero value we report a warning. ## Case A: when the buckets array is not empty and has a non-zero value we report a warning.
# RUN: yaml2obj --docnum=7 -DVAL=0x1 %s -o %t9 # RUN: yaml2obj --docnum=7 -DVAL=0x1 %s -o %t9
# RUN: llvm-readelf --elf-hash-histogram %t9 2>&1 | \ # RUN: llvm-readelf --elf-hash-histogram %t9 2>&1 | \
# RUN: FileCheck %s -DFILE=%t9 --check-prefix=ERR6 # RUN: FileCheck %s -DFILE=%t9 --check-prefix=ERR6
# ERR6: warning: '[[FILE]]': unable to print the GNU hash table histogram: the first hashed symbol index (16) is larger than the number of dynamic symbols (1) # ERR6: warning: '[[FILE]]': unable to print the GNU hash table histogram: the first hashed symbol index (16) is larger or equal to the number of dynamic symbols (1)
## Case B: we do not report a warning when the buckets array contains only zero values. ## Case B: we do not report a warning when the buckets array contains only zero values.
# RUN: yaml2obj --docnum=7 -DVAL=0x0 %s -o %t10 # RUN: yaml2obj --docnum=7 -DVAL=0x0 %s -o %t10
# RUN: llvm-readelf --elf-hash-histogram %t10 2>&1 | \ # RUN: llvm-readelf --elf-hash-histogram %t10 2>&1 | \
# RUN: FileCheck %s --allow-empty --implicit-check-not="Histogram" # RUN: FileCheck %s --allow-empty --implicit-check-not="Histogram"
## Case C: we do not report a warning when the buckets array is empty. ## Case C: we do not report a warning when the buckets array is empty.
# RUN: yaml2obj --docnum=7 -DVAL="" %s -o %t11 # RUN: yaml2obj --docnum=7 -DVAL="" %s -o %t11
▲ Show 20 LinesShow All 79 LinesShow Last 20 Lines

llvm/test/tools/llvm-readobj/ELF/hash-symbols.test

Show First 20 LinesShow All 649 Lines▼ Show 20 Lines - Name: .dynsym
Size: 0 Size: 0
ProgramHeaders: ProgramHeaders:
- Type: PT_LOAD - Type: PT_LOAD
Flags: [ PF_R, PF_X ] Flags: [ PF_R, PF_X ]
Sections: Sections:
- Section: .gnu.hash - Section: .gnu.hash
- Section: .dynamic - Section: .dynamic
- Section: .dynstr - Section: .dynstr
## In this case we have a broken value in the hash buckets array. Normally it contains an
## index into the dynamic symbol table and also is used to get a hash value from the hash values array.
## llvm-readelf attempts to read a symbol that is past the end of the dynamic symbol table.
jhendersonUnsubmitted
Done
ReplyInline Actions

It's not clear from this comment what is causing the attempt to read past the end of file. Please could you clarify.

jhenderson: It's not clear from this comment what is causing the attempt to read past the end of file.
grimarAuthorUnsubmitted
Done
ReplyInline Actions

I've updated implementation and had to rework all test cases. Now there are no cases when we try read past the EOF - or at least I can't imagine an input for that atm.

grimar: I've updated implementation and had to rework all test cases. Now there are no cases when we…
# RUN: yaml2obj --docnum=11 -DVALUE=0x2 %s -o %t11.past.dynsym.so
# RUN: llvm-readelf --hash-symbols %t11.past.dynsym.so 2>&1 | \
# RUN: FileCheck %s -DFILE=%t11.past.dynsym.so --check-prefix=BUCKET-PAST-DYNSYM
# BUCKET-PAST-DYNSYM: Symbol table of .gnu.hash for image:
# BUCKET-PAST-DYNSYM-NEXT: Num Buc: Value Size Type Bind Vis Ndx Name
# BUCKET-PAST-DYNSYM-NEXT: warning: '[[FILE]]': unable to print hashed symbol with index 2, which is greater or equal to the number of dynamic symbols (2)
# BUCKET-PAST-DYNSYM-NEXT: 1 2: 0000000000000000 0 NOTYPE GLOBAL DEFAULT UND foo
# BUCKET-PAST-DYNSYM-NOT: {{.}}
--- !ELF
jhendersonUnsubmitted
Done
ReplyInline Actions
# BUCKET-PAST-EOF-NOT: {{.}}
- ## Case B.1: a hash value entry can't be read because we have a broken value in the hash buckets array and trying to read
- ## a data past the end of the hash values array. The VALUE used is equal to the value from the case A minus 1.
+ ## Case B.1: a hash value entry can't be read because we have a broken value in the hash buckets array,
+ ## which means llvm-readelf attempts to read past the end of the hash values array.
+ ## The VALUE used is equal to the value from case A minus 1.
# RUN: yaml2obj --docnum=11 -DVALUE=0x16 %s -o %t11.value1.so
jhenderson:
FileHeader:
Class: ELFCLASS64
Data: ELFDATA2LSB
Type: ET_DYN
Sections:
- Name: .gnu.hash
Type: SHT_GNU_HASH
jhendersonUnsubmitted
Done
ReplyInline Actions

Surely we should be diagnosing the attempt to read using an invalid dynamic symbol index in the first place, so that we don't see semi-random warnings?

jhenderson: Surely we should be diagnosing the attempt to read using an invalid dynamic symbol index in the…
grimarAuthorUnsubmitted
Done
ReplyInline Actions

I am not sure honestly. Currently our logic is that we can't get here when there is no SHT_DYNSYM section,
because we take the size of the dynamic symbol table from there and there is no other way to get it.
I.e. there is no dynamic tag for that, so in case when we e.g. don't have a .hash table to infer the size,
we will never be able to dump symbols currently and we return earlier:

void GNUStyle<ELFT>::printGnuHashTableSymbols(const Elf_GnuHash &GnuHash) {
  StringRef StringTable = this->dumper().getDynamicStringTable();
  if (StringTable.empty())
    return;

  Elf_Sym_Range DynSyms = this->dumper().dynamic_symbols();
  const Elf_Sym *FirstSym = DynSyms.empty() ? nullptr : &DynSyms[0];
  if (!FirstSym) {
    Optional<DynRegionInfo> DynSymRegion = this->dumper().getDynSymRegion();
    this->reportUniqueWarning(createError(
        Twine("unable to print symbols for the .gnu.hash table: the "
              "dynamic symbol table ") +
        (DynSymRegion ? "is empty" : "was not found")));
    return;
  }
....

At the same time I think loaders have no any checks (i.e. they don't try to use the size from SHT_DYNSYM) and will try to use a dynamic symbol found via DT_SYMTAB only. In this case it might probably be useful to try to dump symbols here,
even if they are invalid to reveal what loaders see on their side? Perhaps worth showing an additional warning, saying that we think/found that an index is invalid though. And we can also probably change the code shown above to allow us to pass when DynSymRegion.Addr != 0 (i.e. when we found a DT_SYMTAB, but no SHT_DYNSYM and the address is within the file).

If not, we can probably just skip symbols with invalid indices, just like you've suggested.

What do you think?

grimar: I am not sure honestly. Currently our logic is that we can't get here when there is no…
jhendersonUnsubmitted
Done
ReplyInline Actions

Ah, I forgot that the dynsym has no size in the dynamic table (that's still dumb, but oh well). I think if we have information implying the index looks broken, due to other information (e.g. the section header), we should at least warn that this is probably not correct. I think the warning would be more than enough to say something is a bit bogus. I also think that means we don't need to try to dump invalid index symbols if we know they are bogus (why would a user care what the loader sees if they know that whatever it is is bad - in such situations they'd need to fix the source of the bad index).

I'm a little struggling to follow the full details of your comment though. so I may be misunderstanding your points/questions.

jhenderson: Ah, I forgot that the dynsym has no size in the dynamic table (that's still dumb, but oh well).
uweigandUnsubmitted
Done
ReplyInline Actions

As I said in my comment yesterday, in this particular executable we do have the correct size of dynsym from the section table -- it's just that this (correct) size is later replaced by (incorrect) information derived from the .hash section.

uweigand: As I said in my comment yesterday, in this particular executable we do have the correct size of…
grimarAuthorUnsubmitted
Done
ReplyInline Actions

I'm a little struggling to follow the full details of your comment though. so I may be misunderstanding your points/questions.

Nope. You got me right. I'll update the patch to report a warning and will stop printing a bogus symbol.

grimar: > I'm a little struggling to follow the full details of your comment though. so I may be…
Flags: [ SHF_ALLOC ]
Link: .dynsym
Header:
SymNdx: [[SYMNDX=0x0]]
Shift2: 0x0
BloomFilter: [ 0x0 ]
HashBuckets: [ 0x0, [[VALUE]], 0x1 ]
HashValues: [ 0x0 ]
- Name: .dynamic
Type: SHT_DYNAMIC
Flags: [ SHF_ALLOC ]
jhendersonUnsubmitted
Done
ReplyInline Actions

Ditto.

jhenderson: Ditto.
Link: .dynstr
Entries:
- Tag: DT_GNU_HASH
Value: 0x0
- Tag: DT_NULL
Value: 0x0
DynamicSymbols:
- Name: foo
Binding: STB_GLOBAL
ProgramHeaders:
- Type: PT_LOAD
Flags: [ PF_R, PF_X ]
Sections:
- Section: .gnu.hash
- Section: .dynamic
## In this case we are unable to read a hash value for a symbol with
## an index that is less than the index of the first hashed symbol.
# RUN: yaml2obj --docnum=11 -DSYMNDX=0x2 -DVALUE=0x1 %s -o %t11.first.hashed.so
# RUN: llvm-readelf --hash-symbols %t11.first.hashed.so 2>&1 | \
# RUN: FileCheck %s -DFILE=%t11.first.hashed.so --check-prefix=FIRST-HASHED
# FIRST-HASHED: Symbol table of .gnu.hash for image:
# FIRST-HASHED-NEXT: Num Buc: Value Size Type Bind Vis Ndx Name
# FIRST-HASHED-NEXT: warning: '[[FILE]]': unable to get 'Values' for the SHT_GNU_HASH section: the first hashed symbol index (2) is larger or equal to the number of dynamic symbols (2)
# FIRST-HASHED-NEXT: 1 1: 0000000000000000 0 NOTYPE GLOBAL DEFAULT UND foo
# FIRST-HASHED-NEXT: warning: '[[FILE]]': unable to read the hash value for symbol with index 1, which is less than the index of the first hashed symbol (2)
# FIRST-HASHED-NEXT: 1 2: 0000000000000000 0 NOTYPE GLOBAL DEFAULT UND foo
# FIRST-HASHED-NOT: {{.}}
## In this case one of chain values doesn't end with a stopper bit and llvm-readelf attempts to read
jhendersonUnsubmitted
Done
ReplyInline Actions
# FIRST-HASHED-NOT: {{.}}
- ## In this case one of chain values doesn't end with a stopper bit and llvm-readelf attempts to read
+ ## In this case one of the chain values doesn't end with a stopper bit and llvm-readelf attempts to read
## a dynamic symbol with index, that is equal to the number of dynamic symbols.
jhenderson:
## a dynamic symbol with index, that is equal to the number of dynamic symbols.
jhendersonUnsubmitted
Done
ReplyInline Actions
## In this case one of chain values doesn't end with a stopper bit and llvm-readelf attempts to read
- ## a dynamic symbol with index, that is equal to the number of dynamic symbols.
+ ## a dynamic symbol with an index that is equal to the number of dynamic symbols.
# RUN: yaml2obj --docnum=11 -DSYMNDX=0x1 -DVALUE=0x1 %s -o %t11.chain.bit.so
jhenderson:
# RUN: yaml2obj --docnum=11 -DSYMNDX=0x1 -DVALUE=0x1 %s -o %t11.chain.bit.so
# RUN: llvm-readelf --hash-symbols %t11.chain.bit.so 2>&1 | \
# RUN: FileCheck %s -DFILE=%t11.chain.bit.so --check-prefix=CHAIN-BIT
# CHAIN-BIT: Symbol table of .gnu.hash for image:
# CHAIN-BIT-NEXT: Num Buc: Value Size Type Bind Vis Ndx Name
# CHAIN-BIT-NEXT: 1 1: 0000000000000000 0 NOTYPE GLOBAL DEFAULT UND foo
# CHAIN-BIT-NEXT: warning: '[[FILE]]': unable to print hashed symbol with index 2, which is greater or equal to the number of dynamic symbols (2)
# CHAIN-BIT-NEXT: 1 2: 0000000000000000 0 NOTYPE GLOBAL DEFAULT UND foo
# CHAIN-BIT-NOT: {{.}}

llvm/tools/llvm-readobj/ELFDumper.cpp

Show First 20 LinesShow All 2,739 Lines▼ Show 20 LinesgetGnuHashTableChains(Optional<DynRegionInfo> DynSymRegion,
// vector (or no values at all). It happens because the value of symndx is not // vector (or no values at all). It happens because the value of symndx is not
// important for dynamic loaders when the GNU hash table is empty. They just // important for dynamic loaders when the GNU hash table is empty. They just
// skip the whole object during symbol lookup. In such cases, the symndx value // skip the whole object during symbol lookup. In such cases, the symndx value
// is irrelevant and we should not report a warning. // is irrelevant and we should not report a warning.
ArrayRef<typename ELFT::Word> Buckets = GnuHashTable->buckets(); ArrayRef<typename ELFT::Word> Buckets = GnuHashTable->buckets();
if (!llvm::all_of(Buckets, [](typename ELFT::Word V) { return V == 0; })) if (!llvm::all_of(Buckets, [](typename ELFT::Word V) { return V == 0; }))
return createError("the first hashed symbol index (" + return createError("the first hashed symbol index (" +
Twine(GnuHashTable->symndx) + Twine(GnuHashTable->symndx) +
") is larger than the number of dynamic symbols (" + ") is larger or equal to the number of dynamic symbols (" +
jhendersonUnsubmitted
Done
ReplyInline Actions
Twine(GnuHashTable->symndx) +
- ") is larger or equal to the number of dynamic symbols (" +
+ ") is greater than or equal to the number of dynamic symbols (" +
Twine(NumSyms) + ")");
jhenderson:
Twine(NumSyms) + ")"); Twine(NumSyms) + ")");
// There is no way to represent an array of (dynamic symbols count - symndx) // There is no way to represent an array of (dynamic symbols count - symndx)
// length. // length.
return ArrayRef<typename ELFT::Word>(); return ArrayRef<typename ELFT::Word>();
} }
template <typename ELFT> template <typename ELFT>
void ELFDumper<ELFT>::printGnuHashTable() { void ELFDumper<ELFT>::printGnuHashTable() {
▲ Show 20 LinesShow All 1,282 Lines▼ Show 20 Lines
template <class ELFT> template <class ELFT>
void GNUStyle<ELFT>::printGnuHashTableSymbols(const Elf_GnuHash &GnuHash) { void GNUStyle<ELFT>::printGnuHashTableSymbols(const Elf_GnuHash &GnuHash) {
StringRef StringTable = this->dumper().getDynamicStringTable(); StringRef StringTable = this->dumper().getDynamicStringTable();
if (StringTable.empty()) if (StringTable.empty())
return; return;
Elf_Sym_Range DynSyms = this->dumper().dynamic_symbols(); Elf_Sym_Range DynSyms = this->dumper().dynamic_symbols();
const Elf_Sym *FirstSym = DynSyms.empty() ? nullptr : &DynSyms[0]; const Elf_Sym *FirstSym = DynSyms.empty() ? nullptr : &DynSyms[0];
if (!FirstSym) {
Optional<DynRegionInfo> DynSymRegion = this->dumper().getDynSymRegion(); Optional<DynRegionInfo> DynSymRegion = this->dumper().getDynSymRegion();
if (!FirstSym) {
this->reportUniqueWarning(createError( this->reportUniqueWarning(createError(
Twine("unable to print symbols for the .gnu.hash table: the " Twine("unable to print symbols for the .gnu.hash table: the "
"dynamic symbol table ") + "dynamic symbol table ") +
(DynSymRegion ? "is empty" : "was not found"))); (DynSymRegion ? "is empty" : "was not found")));
return; return;
} }
auto GetSymbol = [&](uint64_t SymIndex,
uint64_t SymsTotal) -> const Elf_Sym * {
if (SymIndex >= SymsTotal) {
this->reportUniqueWarning(createError(
"unable to print hashed symbol with index " + Twine(SymIndex) +
", which is greater or equal to the number of dynamic symbols (" +
jhendersonUnsubmitted
Done
ReplyInline Actions
"unable to print hashed symbol with index " + Twine(SymIndex) +
- ", which is greater or equal to the number of dynamic symbols (" +
+ ", which is greater than or equal to the number of dynamic symbols (" +
Twine::utohexstr(SymsTotal) + ")"));
jhenderson:
Twine::utohexstr(SymsTotal) + ")"));
return nullptr;
}
return FirstSym + SymIndex;
};
Expected<ArrayRef<Elf_Word>> ValuesOrErr =
getGnuHashTableChains<ELFT>(DynSymRegion, &GnuHash);
ArrayRef<Elf_Word> Values;
if (!ValuesOrErr)
this->reportUniqueWarning(
createError("unable to get 'Values' for the SHT_GNU_HASH "
"section: " +
jhendersonUnsubmitted
Done
ReplyInline Actions

I'm not sure I understand what 'Values' here is referring to. Is it the hash values, or something else? Either way, there needs to be more context here.

jhenderson: I'm not sure I understand what `'Values'` here is referring to. Is it the hash values, or…
toString(ValuesOrErr.takeError())));
else
Values = *ValuesOrErr;
ArrayRef<Elf_Word> Buckets = GnuHash.buckets(); ArrayRef<Elf_Word> Buckets = GnuHash.buckets();
for (uint32_t Buc = 0; Buc < GnuHash.nbuckets; Buc++) { for (uint32_t Buc = 0; Buc < GnuHash.nbuckets; Buc++) {
if (Buckets[Buc] == ELF::STN_UNDEF) if (Buckets[Buc] == ELF::STN_UNDEF)
continue; continue;
uint32_t Index = Buckets[Buc]; uint32_t Index = Buckets[Buc];
uint32_t GnuHashable = Index - GnuHash.symndx; // Print whole chain.
// Print whole chain
while (true) { while (true) {
uint32_t SymIndex = Index++; uint32_t SymIndex = Index++;
printHashedSymbol(FirstSym + SymIndex, SymIndex, StringTable, Buc); if (const Elf_Sym *Sym = GetSymbol(SymIndex, DynSyms.size()))
// Chain ends at symbol with stopper bit printHashedSymbol(Sym, SymIndex, StringTable, Buc);
if ((GnuHash.values(DynSyms.size())[GnuHashable++] & 1) == 1) else
break;
if (SymIndex < GnuHash.symndx) {
this->reportUniqueWarning(createError(
"unable to read the hash value for symbol with index " +
Twine(SymIndex) +
", which is less than the index of the first hashed symbol (" +
Twine(GnuHash.symndx) + ")"));
jhendersonUnsubmitted
Done
ReplyInline Actions
"unable to read the hash value: index (" + Twine(GnuHashable) +
- ") goes past the end of the hash values array of size " +
+ ") goes past the end of the hash values array of length " +
Twine(Values.size())));

Perhaps this - "length" implies the number of entries in the array, whereas "size" could mean either that or the total size taken up by the array (e.g. 4 times the length, if the elements are 4 bytes in size each).

jhenderson: Perhaps this - "length" implies the number of entries in the array, whereas "size" could mean…
grimarAuthorUnsubmitted
Done
ReplyInline Actions

This place is gone.

grimar: This place is gone.
break;
}
// Chain ends at symbol with stopper bit.
if ((Values[SymIndex - GnuHash.symndx] & 1) == 1)
break; break;
} }
} }
} }
template <class ELFT> void GNUStyle<ELFT>::printHashSymbols() { template <class ELFT> void GNUStyle<ELFT>::printHashSymbols() {
if (const Elf_Hash *SysVHash = this->dumper().getHashTable()) { if (const Elf_Hash *SysVHash = this->dumper().getHashTable()) {
OS << "\n Symbol table of .hash for image:\n"; OS << "\n Symbol table of .hash for image:\n";
▲ Show 20 LinesShow All 2,725 LinesShow Last 20 Lines