diff options
| author | Jason Molenda <jmolenda@apple.com> | 2017-07-08 00:12:15 +0000 |
|---|---|---|
| committer | Jason Molenda <jmolenda@apple.com> | 2017-07-08 00:12:15 +0000 |
| commit | f62080451cfc7b2fd7b333e596fd2435c6ccf945 (patch) | |
| tree | 6c3b250cf0f0b13adb3faaa284d17bc358bf4776 /clang/tools/libclang/CIndex.cpp | |
| parent | 7c865f004b86475cc07342a6fbd0b5f57ced1801 (diff) | |
| download | bcm5719-llvm-f62080451cfc7b2fd7b333e596fd2435c6ccf945.tar.gz bcm5719-llvm-f62080451cfc7b2fd7b333e596fd2435c6ccf945.zip | |
The x86 instruction unwinder can be asked to disassemble non-instruction
blocks of memory, and if the final bytes of that block look like a long
x86 instruction, it can cause the llvm disassembler to read past the end
of the buffer. Use the maximum allowed instruction length that we pass
to the llvm disassembler as a way to limit this to the size of the buffer.
An example of how to trigger this is when lldb does a function call, it
puts a breakpoint on the beginning of main() and uses that as the return
address from the function call. When we stop at that location, lldb may
try to find the first frame up the stack. Because this is on the first
instruction of a function, it will get the word-size value at the stack
pointer and assume that this was the caller's pc value. But this is random
stack memory and could point to anything - an object in memory, something
in the data section, whatever. And if we have a symbol for that thing,
we'll try to disassemble it.
This was leading to infrequent crashes in customer scenarios; figured out
what was happening with address sanitizer.
<rdar://problem/30463256>
llvm-svn: 307454
Diffstat (limited to 'clang/tools/libclang/CIndex.cpp')
0 files changed, 0 insertions, 0 deletions
