
SIGSEGV in clang_getCursorPrettyPrinted() (or, precisely, StmtPrinter::Visit(clang::Stmt*)) #75920

Open
0x6675636b796f75676974687562 opened this issue Dec 19, 2023 · 1 comment
Labels
clang:as-a-library (libclang and C++ API), crash (Prefer [crash-on-valid] or [crash-on-invalid])

Comments

0x6675636b796f75676974687562 commented Dec 19, 2023

I'm parsing C and C++ source code using Libclang by calling clang_visitChildren(CXCursor, CXCursorVisitor, CXClientData) from a JVM, using JVM bindings to Libclang.

In some complex cases (like the source code of Linux kernel), the JVM process crashes with a SIGSEGV (Linux) or EXCEPTION_ACCESS_VIOLATION (Windows) inside libclang.so. This happens when my client code calls clang_getCursorPrettyPrinted(), and the exact location is StmtPrinter::Visit(clang::Stmt*):

C  [libclang.so.16+0x86ac4a]  (anonymous namespace)::StmtPrinter::Visit(clang::Stmt*)+0x2a

I managed to pinpoint the problem: it occurs when I'm calling clang_getCursorPrettyPrinted() for a CXCursor instance of type CXCursor_StructDecl or CXCursor_FunctionDecl. Furthermore, Libclang crashes trying to pretty-print the following function declaration:

void *__kmalloc(size_t size, gfp_t flags) __attribute__((__assume_aligned__(__alignof__(unsigned long long)))) __attribute__((__malloc__));

One of the minimal reproducers is:

void *f() __attribute__((__assume_aligned__(__alignof__(unsigned long long))));

Libclang versions 15.0.3, 16.0.4, and 17.0.6 are all equally affected.

Original issue:

JVM crash dump:

0x6675636b796f75676974687562 commented Dec 19, 2023

Here's the backtrace from the core file (Libclang 17.0.6, Linux):

(gdb) bt
#0  __pthread_kill_implementation (threadid=<optimized out>, signo=signo@entry=6, no_tid=no_tid@entry=0) at ./nptl/pthread_kill.c:44
#1  0x00007f1348739d9f in __pthread_kill_internal (signo=6, threadid=<optimized out>) at ./nptl/pthread_kill.c:78
#2  0x00007f13486eaf32 in __GI_raise (sig=sig@entry=6) at ../sysdeps/posix/raise.c:26
#3  0x00007f13486d5472 in __GI_abort () at ./stdlib/abort.c:79
#4  0x00007f134756dc27 in os::abort(bool, void*, void const*) [clone .cold.42] () from /usr/lib/jvm/zulu17-ca-amd64/lib/server/libjvm.so
#5  0x00007f1348227ba0 in VMError::report_and_die(int, char const*, char const*, __va_list_tag*, Thread*, unsigned char*, void*, void*, char const*, int, unsigned long) () from /usr/lib/jvm/zulu17-ca-amd64/lib/server/libjvm.so
#6  0x00007f13482286db in VMError::report_and_die(Thread*, unsigned int, unsigned char*, void*, void*, char const*, ...) () from /usr/lib/jvm/zulu17-ca-amd64/lib/server/libjvm.so
#7  0x00007f134822870e in VMError::report_and_die(Thread*, unsigned int, unsigned char*, void*, void*) () from /usr/lib/jvm/zulu17-ca-amd64/lib/server/libjvm.so
#8  0x00007f13480ce24c in JVM_handle_linux_signal () from /usr/lib/jvm/zulu17-ca-amd64/lib/server/libjvm.so
#9  <signal handler called>
#10 0x00007f1212300710 in (anonymous namespace)::StmtPrinter::Visit(clang::Stmt*) () from /home/user/.javacpp/cache/llvm-17.0.6-1.5.10-SNAPSHOT-linux-x86_64.jar/org/bytedeco/llvm/linux-x86_64/libclang.so.17
#11 0x00007f12123029d8 in clang::Stmt::printPretty(llvm::raw_ostream&, clang::PrinterHelper*, clang::PrintingPolicy const&, unsigned int, llvm::StringRef, clang::ASTContext const*) const [clone .localalias] () from /home/user/.javacpp/cache/llvm-17.0.6-1.5.10-SNAPSHOT-linux-x86_64.jar/org/bytedeco/llvm/linux-x86_64/libclang.so.17
#12 0x00007f121205b1f9 in clang::AssumeAlignedAttr::printPretty(llvm::raw_ostream&, clang::PrintingPolicy const&) const [clone .localalias] () from /home/user/.javacpp/cache/llvm-17.0.6-1.5.10-SNAPSHOT-linux-x86_64.jar/org/bytedeco/llvm/linux-x86_64/libclang.so.17
#13 0x00007f12120e7803 in (anonymous namespace)::DeclPrinter::prettyPrintAttributes(clang::Decl*) [clone .part.0] () from /home/user/.javacpp/cache/llvm-17.0.6-1.5.10-SNAPSHOT-linux-x86_64.jar/org/bytedeco/llvm/linux-x86_64/libclang.so.17
#14 0x00007f12120ee9eb in (anonymous namespace)::DeclPrinter::VisitFunctionDecl(clang::FunctionDecl*) () from /home/user/.javacpp/cache/llvm-17.0.6-1.5.10-SNAPSHOT-linux-x86_64.jar/org/bytedeco/llvm/linux-x86_64/libclang.so.17
#15 0x00007f12120eb1f5 in clang::declvisitor::Base<std::add_pointer, (anonymous namespace)::DeclPrinter, void>::Visit(clang::Decl*) () from /home/user/.javacpp/cache/llvm-17.0.6-1.5.10-SNAPSHOT-linux-x86_64.jar/org/bytedeco/llvm/linux-x86_64/libclang.so.17
#16 0x00007f12120ed23c in clang::Decl::print(llvm::raw_ostream&, clang::PrintingPolicy const&, unsigned int, bool) const () from /home/user/.javacpp/cache/llvm-17.0.6-1.5.10-SNAPSHOT-linux-x86_64.jar/org/bytedeco/llvm/linux-x86_64/libclang.so.17
#17 0x00007f1211f5b9e6 in clang_getCursorPrettyPrinted () from /home/user/.javacpp/cache/llvm-17.0.6-1.5.10-SNAPSHOT-linux-x86_64.jar/org/bytedeco/llvm/linux-x86_64/libclang.so.17
#18 0x00007f12b9482aa0 in Java_org_bytedeco_llvm_global_clang_clang_1getCursorPrettyPrinted () from /home/user/.javacpp/cache/llvm-17.0.6-1.5.10-SNAPSHOT-linux-x86_64.jar/org/bytedeco/llvm/linux-x86_64/libjniclang.so

info frame:

(gdb) info frame
Stack level 10, frame at 0x7f134722ef30:
 rip = 0x7f1212300710 in (anonymous namespace)::StmtPrinter::Visit(clang::Stmt*); saved rip = 0x7f12123029d8
 called by frame at 0x7f134722efc0, caller of frame at 0x7f134722ee60
 Arglist at 0x7f134722ee58, args:
 Locals at 0x7f134722ee58, Previous frame's sp is 0x7f134722ef30
 Saved registers:
  rbx at 0x7f134722eef8, rbp at 0x7f134722ef00, r12 at 0x7f134722ef08, r13 at 0x7f134722ef10, r14 at 0x7f134722ef18, r15 at 0x7f134722ef20, rip at 0x7f134722ef28

info args and info locals provide no information.

Disassembly (full log):

(gdb) disassemble /r
Dump of assembler code for function _ZN12_GLOBAL__N_111StmtPrinter5VisitEPN5clang4StmtE:
   0x00007f12123006d0 <+0>:     41 57                   push   %r15
   0x00007f12123006d2 <+2>:     49 89 f7                mov    %rsi,%r15
   0x00007f12123006d5 <+5>:     41 56                   push   %r14
   0x00007f12123006d7 <+7>:     49 89 fe                mov    %rdi,%r14
   0x00007f12123006da <+10>:    41 55                   push   %r13
   0x00007f12123006dc <+12>:    41 54                   push   %r12
   0x00007f12123006de <+14>:    55                      push   %rbp
   0x00007f12123006df <+15>:    53                      push   %rbx
   0x00007f12123006e0 <+16>:    48 81 ec 98 00 00 00    sub    $0x98,%rsp
   0x00007f12123006e7 <+23>:    48 8b 7f 10             mov    0x10(%rdi),%rdi
   0x00007f12123006eb <+27>:    64 48 8b 04 25 28 00 00 00      mov    %fs:0x28,%rax
   0x00007f12123006f4 <+36>:    48 89 84 24 88 00 00 00 mov    %rax,0x88(%rsp)
   0x00007f12123006fc <+44>:    31 c0                   xor    %eax,%eax
   0x00007f12123006fe <+46>:    48 85 ff                test   %rdi,%rdi
   0x00007f1212300701 <+49>:    74 0d                   je     0x7f1212300710 <(anonymous namespace)::StmtPrinter::Visit(clang::Stmt*)+64>
   0x00007f1212300703 <+51>:    48 8b 07                mov    (%rdi),%rax
   0x00007f1212300706 <+54>:    49 8b 16                mov    (%r14),%rdx
   0x00007f1212300709 <+57>:    ff 50 10                call   *0x10(%rax)
   0x00007f121230070c <+60>:    84 c0                   test   %al,%al
   0x00007f121230070e <+62>:    75 2a                   jne    0x7f121230073a <(anonymous namespace)::StmtPrinter::Visit(clang::Stmt*)+106>
=> 0x00007f1212300710 <+64>:    41 0f b6 07             movzbl (%r15),%eax

WinDbg output (the result of running !analyze -v):

0:004> !analyze -v
*******************************************************************************
*                                                                             *
*                        Exception Analysis                                   *
*                                                                             *
*******************************************************************************

*** WARNING: Unable to verify checksum for jniclang.dll

KEY_VALUES_STRING: 1

    Key  : AV.Dereference
    Value: NullPtr

    Key  : AV.Fault
    Value: Read

    Key  : Analysis.CPU.mSec
    Value: 750

    Key  : Analysis.Elapsed.mSec
    Value: 1743

    Key  : Analysis.IO.Other.Mb
    Value: 0

    Key  : Analysis.IO.Read.Mb
    Value: 0

    Key  : Analysis.IO.Write.Mb
    Value: 0

    Key  : Analysis.Init.CPU.mSec
    Value: 546

    Key  : Analysis.Init.Elapsed.mSec
    Value: 25216

    Key  : Analysis.Memory.CommitPeak.Mb
    Value: 91

    Key  : Failure.Bucket
    Value: NULL_POINTER_READ_c0000005_libclang.dll!Unknown

    Key  : Failure.Hash
    Value: {15fcef3f-dfee-c95c-ee43-f7eb01886a1c}

    Key  : Timeline.OS.Boot.DeltaSec
    Value: 702710

    Key  : Timeline.Process.Start.DeltaSec
    Value: 26

    Key  : WER.OS.Branch
    Value: vb_release

    Key  : WER.OS.Version
    Value: 10.0.19041.1

    Key  : WER.Process.Version
    Value: 11.0.15.0


FILE_IN_CAB:  hs_err_pid106652.mdmp

NTGLOBALFLAG:  0

PROCESS_BAM_CURRENT_THROTTLED: 0

PROCESS_BAM_PREVIOUS_THROTTLED: 0

APPLICATION_VERIFIER_FLAGS:  0

CONTEXT:  (.ecxr)
rax=0000f9b9a40ef146 rbx=0000000000000000 rcx=0000000a816faf60
rdx=0000000000000000 rsi=0000011cc70e4968 rdi=0000000000000000
rip=00007fffa995b813 rsp=0000000a816fae80 rbp=0000000a816faed9
 r8=0000000000000001  r9=00007ff812771404 r10=00007ff812770000
r11=0000000a816fac68 r12=0000000a816fb3c8 r13=00007fffac768d78
r14=0000000a816fb3c8 r15=0000000000000000
iopl=0         nv up ei pl nz na pe nc
cs=0033  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00010202
libclang!clang_CXRewriter_writeMainFileToStdOut+0x18ffc3:
00007fff`a995b813 448b02          mov     r8d,dword ptr [rdx] ds:00000000`00000000=????????
Resetting default scope

EXCEPTION_RECORD:  (.exr -1)
ExceptionAddress: 00007fffa995b813 (libclang!clang_CXRewriter_writeMainFileToStdOut+0x000000000018ffc3)
   ExceptionCode: c0000005 (Access violation)
  ExceptionFlags: 00000000
NumberParameters: 2
   Parameter[0]: 0000000000000000
   Parameter[1]: 0000000000000000
Attempt to read from address 0000000000000000

PROCESS_NAME:  java.exe

READ_ADDRESS:  0000000000000000 

ERROR_CODE: (NTSTATUS) 0xc0000005 - The instruction at 0x%p referenced memory at 0x%p. The memory could not be %s.

EXCEPTION_CODE_STR:  c0000005

EXCEPTION_PARAMETER1:  0000000000000000

EXCEPTION_PARAMETER2:  0000000000000000

STACK_TEXT:  
0000000a`816fae80 00007fff`a996a01c     : 00000006`1a3d1200 00000000`00000000 00007fff`ac768d78 0000f9b9`387092b3 : libclang!clang_CXRewriter_writeMainFileToStdOut+0x18ffc3
0000000a`816faf40 00007fff`a99b704a     : 0000000a`816fb460 00007fff`ac768d78 0000011c`c70e4968 00000000`00000000 : libclang!clang_CXRewriter_writeMainFileToStdOut+0x19e7cc
0000000a`816fafd0 00007fff`a99b7e94     : 0000000a`816fb0b9 0000011c`c70e4968 0000000a`816fb460 0000000a`816fb3c8 : libclang!clang_CXRewriter_writeMainFileToStdOut+0x1eb7fa
0000000a`816fb030 00007fff`a9809c5b     : 0000000a`816fb460 0000011c`c70e49b0 0000000a`816fb3c0 0000000a`816fb3c0 : libclang!clang_CXRewriter_writeMainFileToStdOut+0x1ec644
0000000a`816fb120 00007fff`a98052d8     : 00000000`00000000 00007fff`ac768d78 0000000a`816fb250 00007fff`ac768d78 : libclang!clang_CXRewriter_writeMainFileToStdOut+0x3e40b
0000000a`816fb150 00007fff`a9801ad7     : 0000000a`816fb770 0000011c`a46c4fa2 00000006`03324e10 00007fff`a97833b0 : libclang!clang_CXRewriter_writeMainFileToStdOut+0x39a88
0000000a`816fb2e0 00007fff`a9809de4     : 00000000`00000000 00000000`00000000 00000000`00000008 0000011c`c70e48c0 : libclang!clang_CXRewriter_writeMainFileToStdOut+0x36287
0000000a`816fb3a0 00007fff`a9788dff     : 0000000a`816fb5b0 0000000a`816fb500 0000011c`c5401010 0000011c`931f0800 : libclang!clang_CXRewriter_writeMainFileToStdOut+0x3e594
0000000a`816fb400 00007fff`d7d602a6     : 0000011c`c5401010 00007fff`a978017d 00007fff`e058f4b0 0000011c`931f0b50 : libclang!clang_getCursorPrettyPrinted+0x13f
0000000a`816fb580 0000011c`a46c6856     : 0000000a`816fb640 0000011c`c66c30a0 0000000a`816fb650 00000006`13defbe0 : jniclang!Java_org_bytedeco_llvm_global_clang_clang_1getCursorPrettyPrinted+0xd6
0000000a`816fb5f0 0000000a`816fb640     : 0000011c`c66c30a0 0000000a`816fb650 00000006`13defbe0 00000006`13def0c0 : 0x0000011c`a46c6856
0000000a`816fb5f8 0000011c`c66c30a0     : 0000000a`816fb650 00000006`13defbe0 00000006`13def0c0 00000006`13defbe0 : 0x0000000a`816fb640
0000000a`816fb600 0000000a`816fb650     : 00000006`13defbe0 00000006`13def0c0 00000006`13defbe0 0000000a`816fbf90 : 0x0000011c`c66c30a0
0000000a`816fb608 00000006`13defbe0     : 00000006`13def0c0 00000006`13defbe0 0000000a`816fbf90 0000011c`9d5e35f4 : 0x0000000a`816fb650
0000000a`816fb610 00000006`13def0c0     : 00000006`13defbe0 0000000a`816fbf90 0000011c`9d5e35f4 00000006`1ad1c368 : 0x00000006`13defbe0
0000000a`816fb618 00000006`13defbe0     : 0000000a`816fbf90 0000011c`9d5e35f4 00000006`1ad1c368 00000000`00000000 : 0x00000006`13def0c0
0000000a`816fb620 0000000a`816fbf90     : 0000011c`9d5e35f4 00000006`1ad1c368 00000000`00000000 00000006`1a4c4a78 : 0x00000006`13defbe0
0000000a`816fb628 0000011c`9d5e35f4     : 00000006`1ad1c368 00000000`00000000 00000006`1a4c4a78 00007fff`e0480cb4 : 0x0000000a`816fbf90
0000000a`816fb630 00000006`1ad1c368     : 00000000`00000000 00000006`1a4c4a78 00007fff`e0480cb4 00000006`03324e10 : 0x0000011c`9d5e35f4
0000000a`816fb638 00000000`00000000     : 00000006`1a4c4a78 00007fff`e0480cb4 00000006`03324e10 0000011c`9d6d144c : 0x00000006`1ad1c368


STACK_COMMAND:  ~4s; .ecxr ; kb

SYMBOL_NAME:  libclang+18ffc3

MODULE_NAME: libclang

IMAGE_NAME:  libclang.dll

FAILURE_BUCKET_ID:  NULL_POINTER_READ_c0000005_libclang.dll!Unknown

OS_VERSION:  10.0.19041.1

BUILDLAB_STR:  vb_release

OSPLATFORM_TYPE:  x64

OSNAME:  Windows 10

IMAGE_VERSION:  17.0.6.0

FAILURE_ID_HASH:  {15fcef3f-dfee-c95c-ee43-f7eb01886a1c}

Followup:     MachineOwner
---------

@EugeneZelenko added the clang:as-a-library (libclang and C++ API) and crash (Prefer [crash-on-valid] or [crash-on-invalid]) labels and removed the clang (Clang issues not falling into any other category) label on Dec 19, 2023