Interpreter crash due to an "Unknown constant pointer type!"

Hi all,
as usual I’m playing with the Interpreter and unfortunately I hit a crash. I have narrowed down the problem an the crash happens inside the inflate function which is part of zlib and specifically at the instruction:

store <2 x %struct.code*> <%struct.code* getelementptr inbounds ([512 x %struct.code], [512 x %struct.code]* @fixedtables.lenfix.681, i64 0, i64 0), %struct.code* getelementptr inbounds ([32 x %struct.code], [32 x %struct.code]* @fixedtables.distfix.682, i64 0, i64 0)>, <2 x %struct.code*>* %96, align 8, !tbaa !46

The output from lli is:

Unknown constant pointer type!
UNREACHABLE executed at /home/al/Desktop/llvm-6.0.1.src/lib/ExecutionEngine/ExecutionEngine.cpp:1007!
LLVMSymbolizer: error reading file: No such file or directory
#0 0x0000000001765ee9 (lli+0x1765ee9)
#1 0x0000000001766099 (lli+0x1766099)
#2 0x0000000001764643 (lli+0x1764643)
#3 0x0000000001766424 (lli+0x1766424)
#4 0x00007faade157890 __restore_rt (/lib/x86_64-linux-gnu/libpthread.so.0+0x12890)
#5 0x00007faadcc15e97 gsignal (/lib/x86_64-linux-gnu/libc.so.6+0x3ee97)
#6 0x00007faadcc17801 abort (/lib/x86_64-linux-gnu/libc.so.6+0x40801)
#7 0x00000000016d7150 (lli+0x16d7150)
#8 0x0000000001139543 (lli+0x1139543)
#9 0x00000000011500b8 (lli+0x11500b8)
#10 0x000000000115c25d (lli+0x115c25d)
#11 0x0000000001167d32 (lli+0x1167d32)
#12 0x000000000116430d (lli+0x116430d)
#13 0x0000000001163580 (lli+0x1163580)
#14 0x000000000114e197 (lli+0x114e197)
#15 0x0000000001135ba0 (lli+0x1135ba0)
#16 0x00000000008c729d (lli+0x8c729d)
#17 0x00007faadcbf8b97 __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21b97)
#18 0x00000000008c4f1a (lli+0x8c4f1a)

Is there anyone that can help me to understand how to fix it even a simple workaround for the moment would be enough!

Thanks,
Alberto

Probably need a debug (& probably +Asserts) build to see more about where it’s failing & that might help you fix it - if you want other folks to be able to help debug the issue, providing the full reproduction steps (the entire input files, what commands were run, etc) - though, preferably, minimized (simplify the inputs/commands, etc, while still producing the failure)

Hi David,
Thanks for the suggestions. I can definitely provide the example bc file and image ( please see the attachments ). For the debug + asserts I need a bit of more time.

Anyway the full output of lli is:

lli --force-interpreter examples/pngpixel_crash.bc 0 0 examples/mini.png
png_ptr->width: 1
max_pixel_depth: 24
row_bytes: 28
Unknown constant pointer type!
UNREACHABLE executed at /home/al/Desktop/llvm-6.0.1.src/lib/ExecutionEngine/ExecutionEngine.cpp:1007!
LLVMSymbolizer: error reading file: No such file or directory
#0 0x0000000001765ee9 (lli+0x1765ee9)
#1 0x0000000001766099 (lli+0x1766099)
#2 0x0000000001764643 (lli+0x1764643)
#3 0x0000000001766424 (lli+0x1766424)
#4 0x00007f5dc5fc7890 __restore_rt (/lib/x86_64-linux-gnu/libpthread.so.0+0x12890)
#5 0x00007f5dc4a85e97 gsignal (/lib/x86_64-linux-gnu/libc.so.6+0x3ee97)
#6 0x00007f5dc4a87801 abort (/lib/x86_64-linux-gnu/libc.so.6+0x40801)
#7 0x00000000016d7150 (lli+0x16d7150)
#8 0x0000000001139543 (lli+0x1139543)
#9 0x00000000011500b8 (lli+0x11500b8)
#10 0x000000000115c25d (lli+0x115c25d)
#11 0x0000000001167d32 (lli+0x1167d32)
#12 0x000000000116430d (lli+0x116430d)
#13 0x0000000001163580 (lli+0x1163580)
#14 0x000000000114e197 (lli+0x114e197)
#15 0x0000000001135ba0 (lli+0x1135ba0)
#16 0x00000000008c729d (lli+0x8c729d)
#17 0x00007f5dc4a68b97 __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21b97)
#18 0x00000000008c4f1a (lli+0x8c4f1a)
Stack dump:
0. Program arguments: lli --force-interpreter examples/pngpixel_crash.bc 0 0 examples/mini.png
[1] 4344 abort (core dumped) lli --force-interpreter examples/pngpixel_crash.bc 0 0 examples/mini.png

Please let me know if you can reproduce it!!

Thanks
Alberto

mini.png

pngpixel_crash.bc (663 KB)

I can’t reproduce it (just because of other local differences that lead to failures before it reaches this point, not because it passes for me or anything)

I’d suggest you hop in with a debugger and/or modify the interpreter to print more information at that unreachable - to see what sort of type you do have & maybe then it’ll be more clear what should be done with that type, or why it’s a weird type, etc.

Hi David,
In pretty sure that the crash is due to the instruction I have shared in my first email. In order to run pngpixel you just need libpng and zlib… honest I thought that the .bc had Al the necessary. I’m happy to help you to reproduce it. As a curiosity, why do you think you cannot reproduce it?

Unfortunately I won’t be able to modify the interpreter soon… anyway, I’ll try to dump s much info as possible.

Thanks
Alberto

David,
Using llvm 9 the crash is not present anymore. I think it was just time for me to update my code…

Thanks for your help

Alberto

David,
sorry for this email but I noticed I made a mistake in the previous one. So I managed to compile llvm Debug with asserts release. I have used the following commands:

cmake -DLLVM_TARGETS_TO_BUILD=X86 -DLLVM_ENABLE_RTTI=ON -DLLVM_ENABLE_FFI=ON -DCMAKE_BUILD_TYPE=Debug -DLLVM_ENABLE_ASSERTIONS=ON …

cmake --build . – -j8 && sudo cmake --build . --target install

Once lli was installed it was enough to use the .bc

/usr/local/bin/lli --debug --force-interpreter pngpixel_crash.bc 0 0 mini.png

png_ptr->width: 1
max_pixel_depth: 24
row_bytes: 28

About to interpret: store <2 x %struct.code*> <%struct.code* getelementptr inbounds ([512 x %struct.code], [512 x %struct.code]* @fixedtables.lenfix.681, i64 0, i64 0), %struct.code* getelementptr inbounds ([32 x %struct.code], [32 x %struct.code]* @fixedtables.distfix.682, i64 0, i64 0)>, <2 x %struct.code*>* %96, align 8, !tbaa !50
Unknown constant pointer type!
UNREACHABLE executed at /home/al/llvm-9.0.0.src/lib/ExecutionEngine/ExecutionEngine.cpp:1008!
Stack dump:
0. Program arguments: /usr/local/bin/lli --force-interpreter pngpixel_crash.bc 0 0 mini.png
#0 0x0000564bad642af9 llvm::sys::PrintStackTrace(llvm::raw_ostream&) /home/al/llvm-9.0.0.src/lib/Support/Unix/Signals.inc:533:0
#1 0x0000564bad642b8c PrintStackTraceSignalHandler(void*) /home/al/llvm-9.0.0.src/lib/Support/Unix/Signals.inc:594:0
#2 0x0000564bad640a66 llvm::sys::RunSignalHandlers() /home/al/llvm-9.0.0.src/lib/Support/Signals.cpp:68:0
#3 0x0000564bad6424b0 SignalHandler(int) /home/al/llvm-9.0.0.src/lib/Support/Unix/Signals.inc:385:0
#4 0x00007f697df61890 __restore_rt (/lib/x86_64-linux-gnu/libpthread.so.0+0x12890)
#5 0x00007f697ca0ae97 raise /build/glibc-OTsEL5/glibc-2.27/signal/…/sysdeps/unix/sysv/linux/raise.c:51:0
#6 0x00007f697ca0c801 abort /build/glibc-OTsEL5/glibc-2.27/stdlib/abort.c:81:0
#7 0x0000564bad5ce768 bindingsErrorHandler(void*, std::__cxx11::basic_string<char, std::char_traits, std::allocator > const&, bool) /home/al/llvm-9.0.0.src/lib/Support/ErrorHandling.cpp:218:0
#8 0x0000564bacfc2e5a llvm::ExecutionEngine::getConstantValue(llvm::Constant const*) /home/al/llvm-9.0.0.src/lib/ExecutionEngine/ExecutionEngine.cpp:1013:0
#9 0x0000564bacfeb873 llvm::Interpreter::getOperandValue(llvm::Value*, llvm::ExecutionContext&) /home/al/llvm-9.0.0.src/lib/ExecutionEngine/Interpreter/Execution.cpp:2108:0
#10 0x0000564bacfe548a llvm::Interpreter::visitStoreInst(llvm::StoreInst&) /home/al/llvm-9.0.0.src/lib/ExecutionEngine/Interpreter/Execution.cpp:1105:0
#11 0x0000564bacfee32f llvm::InstVisitor<llvm::Interpreter, void>::visitStore(llvm::StoreInst&) /home/al/llvm-9.0.0.src/include/llvm/IR/Instruction.def:173:0
#12 0x0000564bacfed18d llvm::InstVisitor<llvm::Interpreter, void>::visit(llvm::Instruction&) /home/al/llvm-9.0.0.src/include/llvm/IR/Instruction.def:173:0
#13 0x0000564bacfebd7b llvm::Interpreter::run() /home/al/llvm-9.0.0.src/lib/ExecutionEngine/Interpreter/Execution.cpp:2161:0
#14 0x0000564bacfd6bdc llvm::Interpreter::runFunction(llvm::Function*, llvm::ArrayRefllvm::GenericValue) /home/al/llvm-9.0.0.src/lib/ExecutionEngine/Interpreter/Interpreter.cpp:101:0
#15 0x0000564bacfbfb94 llvm::ExecutionEngine::runFunctionAsMain(llvm::Function*, std::vector<std::__cxx11::basic_string<char, std::char_traits, std::allocator >, std::allocator<std::__cxx11::basic_string<char, std::char_traits, std::allocator > > > const&, char const* const*) /home/al/llvm-9.0.0.src/lib/ExecutionEngine/ExecutionEngine.cpp:470:0
#16 0x0000564bac794cc4 main /home/al/llvm-9.0.0.src/tools/lli/lli.cpp:614:0
#17 0x00007f697c9edb97 __libc_start_main /build/glibc-OTsEL5/glibc-2.27/csu/…/csu/libc-start.c:344:0
#18 0x0000564bac791a9a _start (/usr/local/bin/lli+0x110aa9a)
[1] 12828 abort (core dumped) /usr/local/bin/lli --force-interpreter pngpixel_crash.bc 0 0 mini.png

So I’m certaint that the crash happend in ExecutionEngine::getConstantValue.

In addition, I have noticed that ElemTy->getTypeID() is 15 ( pointer type of type struct.code ) but the switch branch ( Line 917 ) in not able to deal with it so the llvm_unrecheable instruction is reached.

So I can conclude that the problem is that the switch branch is not able to deal with pointers… Any suggestion on how to fix it please?

Do it help to narrow down the problem?

Thanks

Hey Lang - does any of this look familiar to you?

Hi all,
just a gentle reminder :slight_smile: Is there any update on this please?

Happy to help in any way I can

Alberto

Hi Alberto,

Can you please file a bug for it, with the test case attached (if you haven’t already).

Thanks,
Ehud.

Hi Ehud,
Thanks for the suggestion, i saw that the self registration is not possible at the moment so I’ll send email to the admins and file a bug ASAP.

Thanks
Alberto

Hey Lang - does any of this look familiar to you?

I’m afraid not: I know nothing about the interpreter. As far as I’m aware it’s essentially abandonware.

Alberto: The usual recommendation in these circumstances is to use a JIT class instead of the interpreter. You’re using -force-interpreter though, so I assume you really want to use the interpreter for your use case?

– Lang.

Hi Lang,
I’m using the interpreter because my goal is to use it as a visitor and follow the execution instruction per instruction.

Is it the same possible with a JIT class?

Thanks

Hi Alberto,

I’m using the interpreter because my goal is to use it as a visitor and follow the execution instruction per instruction.

Not directly. The JIT will translate your IR to machine code for direct execution. If you wanted to follow the execution instruction by instruction you would have to either use LLDB (although getting JIT’d code to work with the debugger is not straightforward yet), or inject extra IR for instrumentation. Given your use case I think the interpreter is an attractive option, except for this crash. Unfortunately I’m not sure how to fix it, and I’m currently busy with JIT development.

– Lang.