fcd segfaults on 1993-ant

[dtzWill]

This has been happening for a while now, I think since move to LLVM 4.

The other tests pass, but fcd crashes while trying to process 1993-ant from the fcd-tests repository:

$ gdb --args fcd ./bin/1993-ant --header ./bin/1993-ant.h -I ./include/ubuntu/usr/include -I ./include/ubuntu/usr/include/x86_64-linux-gnu -I ./include
...
Program received signal SIGSEGV, Segmentation fault.
0x0000000001b5ed74 in llvm::PointerType::get(llvm::Type*, unsigned int) ()
(gdb) bt
#0  0x0000000001b5ed74 in llvm::PointerType::get(llvm::Type*, unsigned int) ()
#1  0x0000000000aa6a24 in llvm::GetElementPtrInst::getGEPReturnType (ElTy=0x4232a30, Ptr=0x3a65378, IdxList=...)
    at /nix/store/i218092m9sbfkhcqc2z8lp9n0z66ak32-llvm-4.0.0/include/llvm/IR/Instructions.h:991
#2  0x0000000000ba484b in llvm::GetElementPtrInst::GetElementPtrInst (this=0x3265130, PointeeType=0x4232a30, Ptr=0x3a65378, IdxList=..., Values=2, NameStr=..., InsertBefore=0x31e4b10)
    at /nix/store/i218092m9sbfkhcqc2z8lp9n0z66ak32-llvm-4.0.0/include/llvm/IR/Instructions.h:1060
#3  0x0000000000ba39a7 in llvm::GetElementPtrInst::Create (PointeeType=0x4232a30, Ptr=0x3a65378, IdxList=..., NameStr=..., InsertBefore=0x31e4b10)
    at /nix/store/i218092m9sbfkhcqc2z8lp9n0z66ak32-llvm-4.0.0/include/llvm/IR/Instructions.h:869
#4  0x0000000000b90c60 in (anonymous namespace)::LlvmStackFrame::getPointerToObject (this=0x35ea890, object=..., basePointer=0x3a65378, insertionPoint=0x31e4b10)
    at /tmp/nix-build-fcd-2017-03-28.drv-0/fcd-dc36536744a71aca2846c697b5f4155160d28e7c-src/fcd/pass_locals.cpp:815
#5  0x0000000000b8f46b in (anonymous namespace)::IdentifyLocals::tryToCreateStackFrame (this=0x2b00ca0, fn=...)
    at /tmp/nix-build-fcd-2017-03-28.drv-0/fcd-dc36536744a71aca2846c697b5f4155160d28e7c-src/fcd/pass_locals.cpp:1088
#6  0x0000000000b8f063 in (anonymous namespace)::IdentifyLocals::runOnModule (this=0x2b00ca0, m=...)
    at /tmp/nix-build-fcd-2017-03-28.drv-0/fcd-dc36536744a71aca2846c697b5f4155160d28e7c-src/fcd/pass_locals.cpp:985
#7  0x0000000001b32eff in llvm::legacy::PassManagerImpl::run(llvm::Module&) ()
#8  0x0000000000b67fca in (anonymous namespace)::Main::optimizeAndTransformModule (this=0x7fffffffb6e8, module=..., errorOutput=..., executable=0x2ac70b0)
    at /tmp/nix-build-fcd-2017-03-28.drv-0/fcd-dc36536744a71aca2846c697b5f4155160d28e7c-src/fcd/main.cpp:525
#9  0x0000000000b65b3e in main (argc=10, argv=0x7fffffffb8a8) at /tmp/nix-build-fcd-2017-03-28.drv-0/fcd-dc36536744a71aca2846c697b5f4155160d28e7c-src/fcd/main.cpp:746

I poked at it a bit and this appears to be due to some changes/bug in getIndexedType() when indexing through a struct but I'm not sure how to best resolve it. Anyway, can you take a look?

(Also--are you seeing the same behavior?)

Thanks!

[fay59]

I'm seeing the same behavior. However, AFAIK, I haven't been able to decompile 1993-ant since the stack frame recovery pass was introduced, so it's nothing new. I looked at it recently while fixing other stack frame recovery bugs, and for a reason that I have yet to figure out, fcd tries to put a void field in a structure. This causes LLVM to consider it unsized, causing all sorts of problems that ultimately culminate into this.

The high-level plan was to replace that pass with the type reconstruction pass, but that hasn't come to be yet, and I think that I'll let the idea simmer some more while I find a good resource on constraint solving algorithms. That thing turns out to be pretty hard.

Are you seeing a similar failure on another executable, or is it "just" a warning that 1993-ant doesn't work?

[dtzWill]

Thanks for the response and insights! I'm not seeing a similar failure on anything else, just thought I'd report/check in case it was something in how I built FCD or otherwise unknown :).

I'm good with either leaving this open or marking it closed, whichever you'd prefer.

[fay59]

If it's just 1993-ant, it's already on my radar, if not terribly high on my list of priorities, so I'll close it.

The SUMMARY.md file (in the osx branch; Linux is broken because of Travis restrictions) on the test repository lists the decompilation status of all tracked executables. There are currently 3 known failures: 1993-ant, 1995-esde and 1996-eldby, all because of stack frame recovery. The first tested revision instead had 1993-ant, 1993-leo and 1995-dodsond1 failing. I fixed the latter two, and moving to LLVM 4 broke esde and eldby instead, and I haven't looked into it.

[dtzWill]

Interesting, wonder what's causing the OSX failures. 1993-ant is the only failure I'm seeing (Linux, NixOS), FWIW: http://ix.io/pqS

[dtzWill]

FWIW the getIndexedType method changed behavior between 3.8 and 4.0, see discussion here for some more information and a possible fix via the BridgedGEPIterator.

[fay59]

Thanks for letting me know. Fcd did 3.9 to 4.0, it seems that we should have had the intermediate state where things were compatible. I'll give it a serious look at some point.

…

Le 8 mai 2017 à 11:18, Will Dietz ***@***.***> a écrit : FWIW the getIndexedType method changed behavior between 3.8 and 4.0, see discussion here <SVF-tools/SVF#18> for some more information and a possible fix via the BridgedGEPIterator. — You are receiving this because you modified the open/close state. Reply to this email directly, view it on GitHub <#46 (comment)>, or mute the thread <https://github.com/notifications/unsubscribe-auth/ACtJ5HS29i5odeooTd8m1oq_R2sKUixmks5r31xigaJpZM4MtOjI>.