lld: syntax error in linker script triggers a sef-fault

[nickclifton]

I was experimenting with a change to a linker script when I encountered a segmentation fault triggered by a syntax error:

ld.lld: error: kernel.ld:3: ( expected, but got 0
>>>     .data : { LONG 0; }
>>>                    ^
PLEASE submit a bug report to https://github.com/llvm/llvm-project/issues/ and include the crash backtrace.
Stack dump:
0.	Program arguments: ld.lld -melf_i386 -static -o lld.elf --emit-relocs -Tkernel.ld tst.o
 #0 0x00001465ce217b7a llvm::sys::PrintStackTrace(llvm::raw_ostream&, int) (/lib64/libLLVM.so.19.1+0x217b7a)
 #1 0x00001465ce214b24 llvm::sys::RunSignalHandlers() (/lib64/libLLVM.so.19.1+0x214b24)
 #2 0x00001465ce2182eb (/lib64/libLLVM.so.19.1+0x2182eb)
 #3 0x00001465cda25dd0 __restore_rt (/lib64/libc.so.6+0x19dd0)
 #4 0x00001465d61a96a0 (/lib64/liblldELF.so.19.1+0x1a96a0)
 #5 0x00001465d61a71e4 (/lib64/liblldELF.so.19.1+0x1a71e4)
 #6 0x00001465d618dfc5 lld::elf::readLinkerScript(llvm::MemoryBufferRef) (/lib64/liblldELF.so.19.1+0x18dfc5)
 #7 0x00001465d6068ce6 lld::elf::LinkerDriver::createFiles(llvm::opt::InputArgList&) (/lib64/liblldELF.so.19.1+0x68ce6)
 #8 0x00001465d605cc73 lld::elf::LinkerDriver::linkerMain(llvm::ArrayRef<char const*>) (/lib64/liblldELF.so.19.1+0x5cc73)
 #9 0x00001465d605c0da lld::elf::link(llvm::ArrayRef<char const*>, llvm::raw_ostream&, llvm::raw_ostream&, bool, bool) (/lib64/liblldELF.so.19.1+0x5c0da)
#10 0x00001465d5d22c5e lld::unsafeLldMain(llvm::ArrayRef<char const*>, llvm::raw_ostream&, llvm::raw_ostream&, llvm::ArrayRef<lld::DriverDef>, bool) (/lib64/liblldCommon.so.19.1+0x3c5e)
#11 0x0000556d45ff8937 lld_main(int, char**, llvm::ToolContext const&) (/usr/bin/lld+0x1937)
#12 0x0000556d45ff8f32 main (/usr/bin/lld+0x1f32)
#13 0x00001465cda0f248 __libc_start_call_main (/lib64/libc.so.6+0x3248)
#14 0x00001465cda0f30b __libc_start_main@GLIBC_2.2.5 (/lib64/libc.so.6+0x330b)
#15 0x0000556d45ff86c5 _start (/usr/bin/lld+0x16c5)
Segmentation fault (core dumped)

This was with LLD 19.1.5 running on Fedora 41.

The full linker script looks like this:

SECTIONS
  {
    .data : { LONG 0; }
    TTT = .;
    _LGROUP = .;

    . = SIZEOF_HEADERS;
    . = ALIGN(0x100);
    .text : {
		*(TEXT)
		. = ALIGN(0x100);
    }
  }

Obviously I should have written "LONG (0)" instead of "LONG 0", but I figured that you might wish to fix the seg-fault anyway.

[llvmbot]

@llvm/issue-subscribers-lld-elf

Author: None (nickclifton)

I was experimenting with a change to a linker script when I encountered a segmentation fault triggered by a syntax error:

ld.lld: error: kernel.ld:3: ( expected, but got 0
>>> .data : { LONG 0; }
>>> ^
PLEASE submit a bug report to https://github.com/llvm/llvm-project/issues/ and include the crash backtrace.
Stack dump:
0. Program arguments: ld.lld -melf_i386 -static -o lld.elf --emit-relocs -Tkernel.ld tst.o
#0 0x00001465ce217b7a llvm::sys::PrintStackTrace(llvm::raw_ostream&, int) (/lib64/libLLVM.so.19.1+0x217b7a)
#1 0x00001465ce214b24 llvm::sys::RunSignalHandlers() (/lib64/libLLVM.so.19.1+0x214b24)
#2 0x00001465ce2182eb (/lib64/libLLVM.so.19.1+0x2182eb)
#3 0x00001465cda25dd0 __restore_rt (/lib64/libc.so.6+0x19dd0)
#4 0x00001465d61a96a0 (/lib64/liblldELF.so.19.1+0x1a96a0)
#5 0x00001465d61a71e4 (/lib64/liblldELF.so.19.1+0x1a71e4)
#6 0x00001465d618dfc5 lld::elf::readLinkerScript(llvm::MemoryBufferRef) (/lib64/liblldELF.so.19.1+0x18dfc5)
#7 0x00001465d6068ce6 lld::elf::LinkerDriver::createFiles(llvm::opt::InputArgList&) (/lib64/liblldELF.so.19.1+0x68ce6)
#8 0x00001465d605cc73 lld::elf::LinkerDriver::linkerMain(llvm::ArrayRef<char const*>) (/lib64/liblldELF.so.19.1+0x5cc73)
#9 0x00001465d605c0da lld::elf::link(llvm::ArrayRef<char const*>, llvm::raw_ostream&, llvm::raw_ostream&, bool, bool) (/lib64/liblldELF.so.19.1+0x5c0da)
#10 0x00001465d5d22c5e lld::unsafeLldMain(llvm::ArrayRef<char const*>, llvm::raw_ostream&, llvm::raw_ostream&, llvm::ArrayRef<lld::DriverDef>, bool) (/lib64/liblldCommon.so.19.1+0x3c5e)
#11 0x0000556d45ff8937 lld_main(int, char**, llvm::ToolContext const&) (/usr/bin/lld+0x1937)
#12 0x0000556d45ff8f32 main (/usr/bin/lld+0x1f32)
#13 0x00001465cda0f248 __libc_start_call_main (/lib64/libc.so.6+0x3248)
#14 0x00001465cda0f30b __libc_start_main@GLIBC_2.2.5 (/lib64/libc.so.6+0x330b)
#15 0x0000556d45ff86c5 _start (/usr/bin/lld+0x16c5)
Segmentation fault (core dumped)

This was with LLD 19.1.5 running on Fedora 41.

The full linker script looks like this:

SECTIONS
{
.data : { LONG 0; }
TTT = .;
_LGROUP = .;

. = SIZEOF_HEADERS;
. = ALIGN(0x100);
.text : {
	*(TEXT)
	. = ALIGN(0x100);
}

}

Obviously I should have written "LONG (0)" instead of "LONG 0", but I figured that you might wish to fix the seg-fault anyway.

[MaskRay]

Fixed by #100493 (milestone: lld 20).

In the previous implementation of ScriptParser::readByteCommand, llvm::join(tokens.begin() + oldPos, tokens.begin() + pos, " "), pos may be before oldPos. When errorCount() is non-zero, ScriptLexer::consume might incorrectly decrease pos.