lldb crash parsing Google Chrome types

[siggi-alpheus]

To repro, download https://edgedl.me.gvt1.com/chrome/linux/symbols/google-chrome-debug-info-linux64-100.0.4896.60.zip and unzip. Then run:
$ echo 'script print(lldb.target.module[0].GetTypes(lldb.eTypeClassClass | lldb.eTypeClassStruct))' | lldb debug-info/chrome.debug

It appears this is bailing on this type: https://source.chromium.org/chromium/chromium/src/+/main:third_party/harfbuzz-ng/src/src/hb-ot-cmap-table.hh;l=1141 for some reason.

--- command output ---
(lldb) target create "debug-info/chrome.debug"
Current executable set to '/workspaces/thresher/debug-info/chrome.debug' (x86_64).
(lldb) script print(lldb.target.module[0].GetTypes(lldb.eTypeClassClass | lldb.eTypeClassStruct))
error: need to add support for DW_TAG_base_type 'auto' encoded with DW_ATE = 0x0, bit_size = 0
error: need to add support for DW_TAG_base_type 'auto' encoded with DW_ATE = 0x0, bit_size = 0
error: need to add support for DW_TAG_base_type 'auto' encoded with DW_ATE = 0x0, bit_size = 0
error: need to add support for DW_TAG_base_type 'auto' encoded with DW_ATE = 0x0, bit_size = 0
PLEASE submit a bug report to https://bugs.llvm.org/ and include the crash backtrace.
Stack dump:
0.      Program arguments: lldb debug-info/chrome.debug
1.      HandleCommand(command = "script print(lldb.target.module[0].GetTypes(lldb.eTypeClassClass | lldb.eTypeClassStruct))")
2.      SymbolFileDWARF::ParseType() is adding a method closure_glyphs to class CmapSubtableFormat14 in DIE 0x0450ff5c from /workspaces/thresher/debug-info/chrome.debug
 #0 0x00007fbd78571ae3 llvm::sys::PrintStackTrace(llvm::raw_ostream&, int) (/lib/x86_64-linux-gnu/libLLVM-12.so.1+0xbd9ae3)
 #1 0x00007fbd7856fdf0 llvm::sys::RunSignalHandlers() (/lib/x86_64-linux-gnu/libLLVM-12.so.1+0xbd7df0)
 #2 0x00007fbd7857214a (/lib/x86_64-linux-gnu/libLLVM-12.so.1+0xbda14a)
 #3 0x00007fbd80e161f0 __restore_rt (/lib/x86_64-linux-gnu/libpthread.so.0+0x141f0)
 #4 0x00007fbd7dd0779e clang::CXXRecordDecl::addedMember(clang::Decl*) (/lib/x86_64-linux-gnu/libclang-cpp.so.12+0xb8079e)
 #5 0x00007fbd7dcff497 clang::DeclContext::addHiddenDecl(clang::Decl*) (/lib/x86_64-linux-gnu/libclang-cpp.so.12+0xb78497)
 #6 0x00007fbd7dcff4f9 clang::DeclContext::addDecl(clang::Decl*) (/lib/x86_64-linux-gnu/libclang-cpp.so.12+0xb784f9)
 #7 0x00007fbd80820cc5 (/lib/x86_64-linux-gnu/liblldb-12.so.1+0xa51cc5)
 #8 0x00007fbd807e718b (/lib/x86_64-linux-gnu/liblldb-12.so.1+0xa1818b)
 #9 0x00007fbd807e2256 (/lib/x86_64-linux-gnu/liblldb-12.so.1+0xa13256)
#10 0x00007fbd807c36e1 (/lib/x86_64-linux-gnu/liblldb-12.so.1+0x9f46e1)
#11 0x00007fbd807bf42e (/lib/x86_64-linux-gnu/liblldb-12.so.1+0x9f042e)
#12 0x00007fbd807be87b (/lib/x86_64-linux-gnu/liblldb-12.so.1+0x9ef87b)
#13 0x00007fbd807e9a75 (/lib/x86_64-linux-gnu/liblldb-12.so.1+0xa1aa75)
#14 0x00007fbd807e64e8 (/lib/x86_64-linux-gnu/liblldb-12.so.1+0xa174e8)
#15 0x00007fbd807e2256 (/lib/x86_64-linux-gnu/liblldb-12.so.1+0xa13256)
#16 0x00007fbd807c36e1 (/lib/x86_64-linux-gnu/liblldb-12.so.1+0x9f46e1)
#17 0x00007fbd807bf42e (/lib/x86_64-linux-gnu/liblldb-12.so.1+0x9f042e)
#18 0x00007fbd807be87b (/lib/x86_64-linux-gnu/liblldb-12.so.1+0x9ef87b)
#19 0x00007fbd807e9a75 (/lib/x86_64-linux-gnu/liblldb-12.so.1+0xa1aa75)
#20 0x00007fbd807e3deb (/lib/x86_64-linux-gnu/liblldb-12.so.1+0xa14deb)
#21 0x00007fbd807e223e (/lib/x86_64-linux-gnu/liblldb-12.so.1+0xa1323e)
#22 0x00007fbd807c36e1 (/lib/x86_64-linux-gnu/liblldb-12.so.1+0x9f46e1)
#23 0x00007fbd807bf42e (/lib/x86_64-linux-gnu/liblldb-12.so.1+0x9f042e)
#24 0x00007fbd807be87b (/lib/x86_64-linux-gnu/liblldb-12.so.1+0x9ef87b)
#25 0x00007fbd807b77f4 (/lib/x86_64-linux-gnu/liblldb-12.so.1+0x9e87f4)
#26 0x00007fbd807ea6e2 (/lib/x86_64-linux-gnu/liblldb-12.so.1+0xa1b6e2)
#27 0x00007fbd807e9bde (/lib/x86_64-linux-gnu/liblldb-12.so.1+0xa1abde)
#28 0x00007fbd807e3f45 (/lib/x86_64-linux-gnu/liblldb-12.so.1+0xa14f45)
#29 0x00007fbd807e223e (/lib/x86_64-linux-gnu/liblldb-12.so.1+0xa1323e)
#30 0x00007fbd807c36e1 (/lib/x86_64-linux-gnu/liblldb-12.so.1+0x9f46e1)
#31 0x00007fbd807bf42e (/lib/x86_64-linux-gnu/liblldb-12.so.1+0x9f042e)
#32 0x00007fbd807be87b (/lib/x86_64-linux-gnu/liblldb-12.so.1+0x9ef87b)
#33 0x00007fbd807b77f4 (/lib/x86_64-linux-gnu/liblldb-12.so.1+0x9e87f4)
#34 0x00007fbd807b751a (/lib/x86_64-linux-gnu/liblldb-12.so.1+0x9e851a)
#35 0x00007fbd807b756b (/lib/x86_64-linux-gnu/liblldb-12.so.1+0x9e856b)
#36 0x00007fbd807b7ac8 (/lib/x86_64-linux-gnu/liblldb-12.so.1+0x9e8ac8)
#37 0x00007fbd800f1bcf lldb::SBModule::GetTypes(unsigned int) (/lib/x86_64-linux-gnu/liblldb-12.so.1+0x322bcf)
#38 0x00007fbd802e1d79 (/lib/x86_64-linux-gnu/liblldb-12.so.1+0x512d79)
#39 0x00007fbd76fa6de8 (/lib/x86_64-linux-gnu/libpython3.9.so.1.0+0x110de8)
#40 0x00007fbd76f628e0 _PyObject_Call (/lib/x86_64-linux-gnu/libpython3.9.so.1.0+0xcc8e0)
#41 0x00007fbd76f0d905 _PyEval_EvalFrameDefault (/lib/x86_64-linux-gnu/libpython3.9.so.1.0+0x77905)
#42 0x00007fbd7703f8dc (/lib/x86_64-linux-gnu/libpython3.9.so.1.0+0x1a98dc)
#43 0x00007fbd76f5b132 _PyFunction_Vectorcall (/lib/x86_64-linux-gnu/libpython3.9.so.1.0+0xc5132)
#44 0x00007fbd76f0fa02 _PyEval_EvalFrameDefault (/lib/x86_64-linux-gnu/libpython3.9.so.1.0+0x79a02)
#45 0x00007fbd7703f8dc (/lib/x86_64-linux-gnu/libpython3.9.so.1.0+0x1a98dc)
#46 0x00007fbd7703fc32 _PyEval_EvalCodeWithName (/lib/x86_64-linux-gnu/libpython3.9.so.1.0+0x1a9c32)
#47 0x00007fbd7703fc82 PyEval_EvalCodeEx (/lib/x86_64-linux-gnu/libpython3.9.so.1.0+0x1a9c82)
#48 0x00007fbd7703b11f PyEval_EvalCode (/lib/x86_64-linux-gnu/libpython3.9.so.1.0+0x1a511f)
#49 0x00007fbd77039c51 (/lib/x86_64-linux-gnu/libpython3.9.so.1.0+0x1a3c51)
#50 0x00007fbd76fac118 (/lib/x86_64-linux-gnu/libpython3.9.so.1.0+0x116118)
#51 0x00007fbd76f0eb9b _PyEval_EvalFrameDefault (/lib/x86_64-linux-gnu/libpython3.9.so.1.0+0x78b9b)
#52 0x00007fbd76f07da3 (/lib/x86_64-linux-gnu/libpython3.9.so.1.0+0x71da3)
#53 0x00007fbd76f0fa02 _PyEval_EvalFrameDefault (/lib/x86_64-linux-gnu/libpython3.9.so.1.0+0x79a02)
#54 0x00007fbd7703f8dc (/lib/x86_64-linux-gnu/libpython3.9.so.1.0+0x1a98dc)
#55 0x00007fbd76f5b132 _PyFunction_Vectorcall (/lib/x86_64-linux-gnu/libpython3.9.so.1.0+0xc5132)
#56 0x00007fbd76f0fa02 _PyEval_EvalFrameDefault (/lib/x86_64-linux-gnu/libpython3.9.so.1.0+0x79a02)
#57 0x00007fbd76f07da3 (/lib/x86_64-linux-gnu/libpython3.9.so.1.0+0x71da3)
#58 0x00007fbd8078f9ae (/lib/x86_64-linux-gnu/liblldb-12.so.1+0x9c09ae)
#59 0x00007fbd808979c5 (/lib/x86_64-linux-gnu/liblldb-12.so.1+0xac89c5)
#60 0x00007fbd804375af (/lib/x86_64-linux-gnu/liblldb-12.so.1+0x6685af)
#61 0x00007fbd8042d3a7 (/lib/x86_64-linux-gnu/liblldb-12.so.1+0x65e3a7)
#62 0x00007fbd80430c54 (/lib/x86_64-linux-gnu/liblldb-12.so.1+0x661c54)
#63 0x00007fbd80388ee6 (/lib/x86_64-linux-gnu/liblldb-12.so.1+0x5b9ee6)
#64 0x00007fbd8036da04 (/lib/x86_64-linux-gnu/liblldb-12.so.1+0x59ea04)
#65 0x00007fbd8043232d (/lib/x86_64-linux-gnu/liblldb-12.so.1+0x66332d)
#66 0x00007fbd8004e809 lldb::SBDebugger::RunCommandInterpreter(bool, bool) (/lib/x86_64-linux-gnu/liblldb-12.so.1+0x27f809)
#67 0x0000000000406eba (/usr/lib/llvm-12/bin/lldb+0x406eba)
#68 0x0000000000408886 (/usr/lib/llvm-12/bin/lldb+0x408886)
#69 0x00007fbd77450565 __libc_start_main ./csu/../csu/libc-start.c:332:16
#70 0x00000000004043be (/usr/lib/llvm-12/bin/lldb+0x4043be)
Segmentation fault (core dumped)
--- command output ---

[llvmbot]

@llvm/issue-subscribers-lldb

[siggi-alpheus]

Forgot to mention:

$ lldb --version
lldb version 12.0.0

[siggi-alpheus]

Same crash in lldb-14 pulled from https://apt.llvm.org/. The packages look mildly broken, as the python files are scattered between site and dist directories, I had to fix that in my Dockerfile:

cp -r /usr/lib/llvm-14/lib/python3.9/site-packages/lldb/* \
    /usr/lib/python3/dist-packages/lldb

Is it possible to get debug info for the binaries somehow, or would I have to build locally to look at what's happening?

--- cut here ---
# lldb-14 chrome.debug 
(lldb) target create "chrome.debug"
Current executable set to '/data/chrome.debug' (x86_64).
(lldb) script 'print(len(lldb.target.module[0].GetTypes(lldb.eTypeClassClass | lldb.eTypeClassStruct)))'
'print(len(lldb.target.module[0].GetTypes(lldb.eTypeClassClass | lldb.eTypeClassStruct)))'
(lldb) script print(len(lldb.target.module[0].GetTypes(lldb.eTypeClassClass | lldb.eTypeClassStruct)))
PLEASE submit a bug report to https://github.com/llvm/llvm-project/issues/ and include the crash backtrace.
Stack dump:
0.      Program arguments: lldb-14 chrome.debug
1.      HandleCommand(command = "script print(len(lldb.target.module[0].GetTypes(lldb.eTypeClassClass | lldb.eTypeClassStruct)))")
2.      SymbolFileDWARF::ParseType() is adding a method closure_glyphs to class CmapSubtableFormat14 in DIE 0x0450ff5c from /data/chrome.debug
Stack dump without symbol names (ensure you have llvm-symbolizer in your PATH or set the environment var `LLVM_SYMBOLIZER_PATH` to point to it):
/lib/x86_64-linux-gnu/libLLVM-14.so.1(_ZN4llvm3sys15PrintStackTraceERNS_11raw_ostreamEi+0x31)[0x7f5eb7287d81]
/lib/x86_64-linux-gnu/libLLVM-14.so.1(_ZN4llvm3sys17RunSignalHandlersEv+0xee)[0x7f5eb7285abe]
/lib/x86_64-linux-gnu/libLLVM-14.so.1(+0xe402b6)[0x7f5eb72882b6]
/lib/x86_64-linux-gnu/libc.so.6(+0x42520)[0x7f5eb5f49520]
/lib/x86_64-linux-gnu/libclang-cpp.so.14(_ZN5clang13CXXRecordDecl11addedMemberEPNS_4DeclE+0x72f)[0x7f5ebd9bea3f]
/lib/x86_64-linux-gnu/libclang-cpp.so.14(_ZN5clang11DeclContext13addHiddenDeclEPNS_4DeclE+0x47)[0x7f5ebd9b4587]
/lib/x86_64-linux-gnu/libclang-cpp.so.14(_ZN5clang11DeclContext7addDeclEPNS_4DeclE+0x9)[0x7f5ebd9b45f9]
/lib/x86_64-linux-gnu/liblldb-14.so.1(+0x93183e)[0x7f5ec0e6783e]
/lib/x86_64-linux-gnu/liblldb-14.so.1(+0x8f0e5d)[0x7f5ec0e26e5d]
/lib/x86_64-linux-gnu/liblldb-14.so.1(+0x8ebcde)[0x7f5ec0e21cde]
/lib/x86_64-linux-gnu/liblldb-14.so.1(+0x8cb510)[0x7f5ec0e01510]
/lib/x86_64-linux-gnu/liblldb-14.so.1(+0x8c6d86)[0x7f5ec0dfcd86]
/lib/x86_64-linux-gnu/liblldb-14.so.1(+0x8c60de)[0x7f5ec0dfc0de]
/lib/x86_64-linux-gnu/liblldb-14.so.1(+0x8f3aee)[0x7f5ec0e29aee]
/lib/x86_64-linux-gnu/liblldb-14.so.1(+0x8f0275)[0x7f5ec0e26275]
/lib/x86_64-linux-gnu/liblldb-14.so.1(+0x8ebcde)[0x7f5ec0e21cde]
/lib/x86_64-linux-gnu/liblldb-14.so.1(+0x8cb510)[0x7f5ec0e01510]
/lib/x86_64-linux-gnu/liblldb-14.so.1(+0x8c6d86)[0x7f5ec0dfcd86]
/lib/x86_64-linux-gnu/liblldb-14.so.1(+0x8c60de)[0x7f5ec0dfc0de]
/lib/x86_64-linux-gnu/liblldb-14.so.1(+0x8f3aee)[0x7f5ec0e29aee]
/lib/x86_64-linux-gnu/liblldb-14.so.1(+0x8ec01a)[0x7f5ec0e2201a]
/lib/x86_64-linux-gnu/liblldb-14.so.1(+0x8ed928)[0x7f5ec0e23928]
/lib/x86_64-linux-gnu/liblldb-14.so.1(+0x8ebcc1)[0x7f5ec0e21cc1]
/lib/x86_64-linux-gnu/liblldb-14.so.1(+0x8cb510)[0x7f5ec0e01510]
/lib/x86_64-linux-gnu/liblldb-14.so.1(+0x8c6d86)[0x7f5ec0dfcd86]
/lib/x86_64-linux-gnu/liblldb-14.so.1(+0x8c60de)[0x7f5ec0dfc0de]
/lib/x86_64-linux-gnu/liblldb-14.so.1(+0x8bcf8f)[0x7f5ec0df2f8f]
/lib/x86_64-linux-gnu/liblldb-14.so.1(+0x8f5722)[0x7f5ec0e2b722]
/lib/x86_64-linux-gnu/liblldb-14.so.1(+0x8f3fce)[0x7f5ec0e29fce]
/lib/x86_64-linux-gnu/liblldb-14.so.1(+0x8eda72)[0x7f5ec0e23a72]
/lib/x86_64-linux-gnu/liblldb-14.so.1(+0x8ebcc1)[0x7f5ec0e21cc1]
/lib/x86_64-linux-gnu/liblldb-14.so.1(+0x8cb510)[0x7f5ec0e01510]
/lib/x86_64-linux-gnu/liblldb-14.so.1(+0x8c6d86)[0x7f5ec0dfcd86]
/lib/x86_64-linux-gnu/liblldb-14.so.1(+0x8c60de)[0x7f5ec0dfc0de]
/lib/x86_64-linux-gnu/liblldb-14.so.1(+0x8bcf8f)[0x7f5ec0df2f8f]
/lib/x86_64-linux-gnu/liblldb-14.so.1(+0x8bcc4d)[0x7f5ec0df2c4d]
/lib/x86_64-linux-gnu/liblldb-14.so.1(+0x8bccf8)[0x7f5ec0df2cf8]
/lib/x86_64-linux-gnu/liblldb-14.so.1(+0x8bd3e8)[0x7f5ec0df33e8]
/lib/x86_64-linux-gnu/liblldb-14.so.1(_ZN4lldb8SBModule8GetTypesEj+0xcf)[0x7f5ec076b94f]
/lib/x86_64-linux-gnu/liblldb-14.so.1(+0x346264)[0x7f5ec087c264]
/lib/x86_64-linux-gnu/libpython3.9.so.1.0(+0x10dc58)[0x7f5eb5a68c58]
/lib/x86_64-linux-gnu/libpython3.9.so.1.0(_PyObject_Call+0x60)[0x7f5eb5a26b20]
/lib/x86_64-linux-gnu/libpython3.9.so.1.0(_PyEval_EvalFrameDefault+0x2429)[0x7f5eb59cfe89]
/lib/x86_64-linux-gnu/libpython3.9.so.1.0(+0x1a8a7e)[0x7f5eb5b03a7e]
/lib/x86_64-linux-gnu/libpython3.9.so.1.0(_PyFunction_Vectorcall+0xa5)[0x7f5eb5a1d385]
/lib/x86_64-linux-gnu/libpython3.9.so.1.0(_PyEval_EvalFrameDefault+0x6fd6)[0x7f5eb59d4a36]
/lib/x86_64-linux-gnu/libpython3.9.so.1.0(+0x1a8a7e)[0x7f5eb5b03a7e]
/lib/x86_64-linux-gnu/libpython3.9.so.1.0(_PyEval_EvalCodeWithName+0x52)[0x7f5eb5b03dc2]
/lib/x86_64-linux-gnu/libpython3.9.so.1.0(PyEval_EvalCodeEx+0x3f)[0x7f5eb5b03e0f]
/lib/x86_64-linux-gnu/libpython3.9.so.1.0(PyEval_EvalCode+0x1f)[0x7f5eb5aff0af]
/lib/x86_64-linux-gnu/libpython3.9.so.1.0(+0x1a2b0d)[0x7f5eb5afdb0d]
/lib/x86_64-linux-gnu/libpython3.9.so.1.0(+0x112098)[0x7f5eb5a6d098]
/lib/x86_64-linux-gnu/libpython3.9.so.1.0(_PyEval_EvalFrameDefault+0x6676)[0x7f5eb59d40d6]
/lib/x86_64-linux-gnu/libpython3.9.so.1.0(+0x71dd3)[0x7f5eb59ccdd3]
/lib/x86_64-linux-gnu/libpython3.9.so.1.0(_PyEval_EvalFrameDefault+0x6fd6)[0x7f5eb59d4a36]
/lib/x86_64-linux-gnu/libpython3.9.so.1.0(+0x1a8a7e)[0x7f5eb5b03a7e]
/lib/x86_64-linux-gnu/libpython3.9.so.1.0(_PyFunction_Vectorcall+0xa5)[0x7f5eb5a1d385]
/lib/x86_64-linux-gnu/libpython3.9.so.1.0(_PyEval_EvalFrameDefault+0x6fd6)[0x7f5eb59d4a36]
/lib/x86_64-linux-gnu/libpython3.9.so.1.0(+0x71dd3)[0x7f5eb59ccdd3]
/lib/x86_64-linux-gnu/liblldb-14.so.1(+0x886b77)[0x7f5ec0dbcb77]
/lib/x86_64-linux-gnu/liblldb-14.so.1(+0x9c3d39)[0x7f5ec0ef9d39]
/lib/x86_64-linux-gnu/liblldb-14.so.1(+0x4cca01)[0x7f5ec0a02a01]
/lib/x86_64-linux-gnu/liblldb-14.so.1(+0x4c1367)[0x7f5ec09f7367]
/lib/x86_64-linux-gnu/liblldb-14.so.1(+0x4c5161)[0x7f5ec09fb161]
/lib/x86_64-linux-gnu/liblldb-14.so.1(+0x40d6df)[0x7f5ec09436df]
/lib/x86_64-linux-gnu/liblldb-14.so.1(+0x3ee994)[0x7f5ec0924994]
/lib/x86_64-linux-gnu/liblldb-14.so.1(+0x4c6bb9)[0x7f5ec09fcbb9]
/lib/x86_64-linux-gnu/liblldb-14.so.1(_ZN4lldb10SBDebugger21RunCommandInterpreterEbb+0xaa)[0x7f5ec072ca3a]
lldb-14[0x407d4a]
lldb-14[0x408f85]
/lib/x86_64-linux-gnu/libc.so.6(+0x29fd0)[0x7f5eb5f30fd0]
/lib/x86_64-linux-gnu/libc.so.6(__libc_start_main+0x7d)[0x7f5eb5f3107d]
lldb-14[0x404125]
Segmentation fault (core dumped)
--- cut here ---

[siggi-alpheus]

Crashes also in a local ToT build:

lldb: /workspaces/llvm-codespace/llvm-project/llvm/../clang/include/clang/AST/DeclCXX.h:442: clang::CXXRecordDecl::DefinitionData& clang::CXXRecordDecl::data() const: Assertion `DD && "queried property of class with no definition"' failed.
Process 19451 stopped
* thread #1, name = 'lldb', stop reason = hit program assert
    frame #4: 0x00007fffe79423c2 liblldb.so.15git`clang::CXXRecordDecl::data(this=0x0000555597287450) const at DeclCXX.h:442:5
   439 
   440    struct DefinitionData &data() const {
   441      auto *DD = dataPtr();
-> 442      assert(DD && "queried property of class with no definition");
   443      return *DD;
   444    }
   445 
(lldb) bt
* thread #1, name = 'lldb', stop reason = hit program assert

[siggi-alpheus]

Here's a backtrace for where this happens.

Looks like CXXRecordDecl::getMostRecentDecl() is failing and returning nullptr. This appears to bottleneck in
Redeclarable::getMostRecentDecl(), which by my reading should never return nullptr?

... time passes ...

Mkay, it looks like CXXRecordDecl::DefinitionData is only initialized at construction and never assigned thereafter. So no matter what getMostRecentDecl() returns, it'll return the nullptr from construction...

* thread #1, name = 'lldb', stop reason = hit program assert
    frame #0: 0x00007fffe5780fbb libc.so.6`raise + 203
    frame #1: 0x00007fffe5766864 libc.so.6`abort + 278
    frame #2: 0x00007fffe5766749 libc.so.6`___lldb_unnamed_symbol2433 + 15
    frame #3: 0x00007fffe57783d6 libc.so.6`__assert_fail + 70
  * frame #4: 0x00007fffe79423c2 liblldb.so.15git`clang::CXXRecordDecl::data(this=0x0000555597281ee0) const at DeclCXX.h:442:5
    frame #5: 0x00007fffed8d283c liblldb.so.15git`clang::CXXRecordDecl::addedMember(this=0x0000555597281ee0, D=0x0000555597684960) at DeclCXX.cpp:700:10
    frame #6: 0x00007fffed8c871f liblldb.so.15git`clang::DeclContext::addHiddenDecl(this=0x0000555597281f20, D=0x0000555597684960) at DeclBase.cpp:1562:24
    frame #7: 0x00007fffed8c8791 liblldb.so.15git`clang::DeclContext::addDecl(this=0x0000555597281f20, D=0x0000555597684960) at DeclBase.cpp:1573:16
    frame #8: 0x00007fffe79f33c4 liblldb.so.15git`lldb_private::TypeSystemClang::AddMethodToCXXRecordType(this=0x0000555594150d20, type=0x0000555597281f90, name=(Data = "closure_glyphs", Length = 14), mangled_name="_ZNK2OT20CmapSubtableFormat1414closure_glyphsEPK8hb_set_tPS1_", method_clang_type=0x00007fffffffa350, access=eAccessPublic, is_virtual=false, is_static=false, is_inline=false, is_explicit=false, is_attr_used=false, is_artificial=false) at TypeSystemClang.cpp:7720:27
    frame #9: 0x00007fffe7937b15 liblldb.so.15git`DWARFASTParserClang::ParseSubroutine(this=0x0000555594b44bf0, die=0x00007fffffffaba0, attrs=0x00007fffffffa5a0) at DWARFASTParserClang.cpp:1170:55
    frame #10: 0x00007fffe7934f98 liblldb.so.15git`DWARFASTParserClang::ParseTypeFromDWARF(this=0x0000555594b44bf0, sc=0x00007fffffffa830, die=0x00007fffffffaba0, type_is_new_ptr=0x0000000000000000) at DWARFASTParserClang.cpp:522:30
    frame #11: 0x00007fffe78e3339 liblldb.so.15git`SymbolFileDWARF::ParseType(this=0x0000555555916520, sc=0x00007fffffffa830, die=0x00007fffffffaba0, type_is_new_ptr=0x0000000000000000) at SymbolFileDWARF.cpp:2983:74
    frame #12: 0x00007fffe78e1cc6 liblldb.so.15git`SymbolFileDWARF::GetTypeForDIE(this=0x0000555555916520, die=0x00007fffffffaba0, resolve_function_context=false) at SymbolFileDWARF.cpp:2599:26
    frame #13: 0x00007fffe78dcaec liblldb.so.15git`SymbolFileDWARF::ResolveType(this=0x0000555555916520, die=0x00007fffffffaba0, assert_not_being_parsed=true, resolve_function_context=false) at SymbolFileDWARF.cpp:1599:31
    frame #14: 0x00007fffe79403f9 liblldb.so.15git`DWARFASTParserClang::GetClangDeclContextForDIE(this=0x0000555594b44bf0, die=0x00007fffffffaba0) at DWARFASTParserClang.cpp:3302:47
    frame #15: 0x00007fffe79374a5 liblldb.so.15git`DWARFASTParserClang::ParseSubroutine(this=0x0000555594b44bf0, die=0x00007fffffffb2c0, attrs=0x00007fffffffadd0) at DWARFASTParserClang.cpp:1082:42
    frame #16: 0x00007fffe7934f98 liblldb.so.15git`DWARFASTParserClang::ParseTypeFromDWARF(this=0x0000555594b44bf0, sc=0x00007fffffffb060, die=0x00007fffffffb2c0, type_is_new_ptr=0x0000000000000000) at DWARFASTParserClang.cpp:522:30
    frame #17: 0x00007fffe78e3339 liblldb.so.15git`SymbolFileDWARF::ParseType(this=0x0000555555916520, sc=0x00007fffffffb060, die=0x00007fffffffb2c0, type_is_new_ptr=0x0000000000000000) at SymbolFileDWARF.cpp:2983:74
    frame #18: 0x00007fffe78e1cc6 liblldb.so.15git`SymbolFileDWARF::GetTypeForDIE(this=0x0000555555916520, die=0x00007fffffffb2c0, resolve_function_context=false) at SymbolFileDWARF.cpp:2599:26
    frame #19: 0x00007fffe78dcaec liblldb.so.15git`SymbolFileDWARF::ResolveType(this=0x0000555555916520, die=0x00007fffffffb2c0, assert_not_being_parsed=true, resolve_function_context=false) at SymbolFileDWARF.cpp:1599:31
    frame #20: 0x00007fffe79403f9 liblldb.so.15git`DWARFASTParserClang::GetClangDeclContextForDIE(this=0x0000555594b44bf0, die=0x00007fffffffb2c0) at DWARFASTParserClang.cpp:3302:47
    frame #21: 0x00007fffe7940ef3 liblldb.so.15git`DWARFASTParserClang::GetClangDeclContextContainingDIE(this=0x0000555594b44bf0, die=0x00007fffffffbbe0, decl_ctx_die_copy=0x0000000000000000) at DWARFASTParserClang.cpp:3464:34
    frame #22: 0x00007fffe793a19f liblldb.so.15git`DWARFASTParserClang::ParseStructureLikeDIE(this=0x0000555594b44bf0, sc=0x00007fffffffb860, die=0x00007fffffffbbe0, attrs=0x00007fffffffb5d0) at DWARFASTParserClang.cpp:1735:41
    frame #23: 0x00007fffe7934eec liblldb.so.15git`DWARFASTParserClang::ParseTypeFromDWARF(this=0x0000555594b44bf0, sc=0x00007fffffffb860, die=0x00007fffffffbbe0, type_is_new_ptr=0x0000000000000000) at DWARFASTParserClang.cpp:510:36
    frame #24: 0x00007fffe78e3339 liblldb.so.15git`SymbolFileDWARF::ParseType(this=0x0000555555916520, sc=0x00007fffffffb860, die=0x00007fffffffbbe0, type_is_new_ptr=0x0000000000000000) at SymbolFileDWARF.cpp:2983:74
    frame #25: 0x00007fffe78e1cc6 liblldb.so.15git`SymbolFileDWARF::GetTypeForDIE(this=0x0000555555916520, die=0x00007fffffffbbe0, resolve_function_context=false) at SymbolFileDWARF.cpp:2599:26
    frame #26: 0x00007fffe78dcaec liblldb.so.15git`SymbolFileDWARF::ResolveType(this=0x0000555555916520, die=0x00007fffffffbbe0, assert_not_being_parsed=true, resolve_function_context=false) at SymbolFileDWARF.cpp:1599:31
    frame #27: 0x00007fffe78dc535 liblldb.so.15git`SymbolFileDWARF::ResolveTypeUID(this=0x0000555555916520, die=0x00007fffffffbbe0, assert_not_being_parsed=true) at SymbolFileDWARF.cpp:1522:23
    frame #28: 0x00007fffe78c1e5d liblldb.so.15git`DWARFDIE::ResolveTypeUID(this=0x00007fffffffbde0, die=0x00007fffffffbbe0) const at DWARFDIE.cpp:358:33
    frame #29: 0x00007fffe793b177 liblldb.so.15git`DWARFASTParserClang::ParseTemplateDIE(this=0x0000555594b44bf0, die=0x00007fffffffbde0, template_param_infos=0x00007fffffffc000) at DWARFASTParserClang.cpp:2008:49
frame #29: 0x00007fffe793b177 liblldb.so.15git`DWARFASTParserClang::ParseTemplateDIE(this=0x0000555594b44bf0, die=0x00007fffffffbde0, template_param_infos=0x00007fffffffc000) at DWARFASTParserClang.cpp:2008:49
    frame #30: 0x00007fffe793b697 liblldb.so.15git`DWARFASTParserClang::ParseTemplateParameterInfos(this=0x0000555594b44bf0, parent_die=0x00007fffffffc740, template_param_infos=0x00007fffffffc000) at DWARFASTParserClang.cpp:2082:23
    frame #31: 0x00007fffe793a314 liblldb.so.15git`DWARFASTParserClang::ParseStructureLikeDIE(this=0x0000555594b44bf0, sc=0x00007fffffffc3d0, die=0x00007fffffffc740, attrs=0x00007fffffffc140) at DWARFASTParserClang.cpp:1754:38
    frame #32: 0x00007fffe7934eec liblldb.so.15git`DWARFASTParserClang::ParseTypeFromDWARF(this=0x0000555594b44bf0, sc=0x00007fffffffc3d0, die=0x00007fffffffc740, type_is_new_ptr=0x0000000000000000) at DWARFASTParserClang.cpp:510:36
    frame #33: 0x00007fffe78e3339 liblldb.so.15git`SymbolFileDWARF::ParseType(this=0x0000555555916520, sc=0x00007fffffffc3d0, die=0x00007fffffffc740, type_is_new_ptr=0x0000000000000000) at SymbolFileDWARF.cpp:2983:74
    frame #34: 0x00007fffe78e1cc6 liblldb.so.15git`SymbolFileDWARF::GetTypeForDIE(this=0x0000555555916520, die=0x00007fffffffc740, resolve_function_context=false) at SymbolFileDWARF.cpp:2599:26
    frame #35: 0x00007fffe78dcaec liblldb.so.15git`SymbolFileDWARF::ResolveType(this=0x0000555555916520, die=0x00007fffffffc740, assert_not_being_parsed=true, resolve_function_context=false) at SymbolFileDWARF.cpp:1599:31
    frame #36: 0x00007fffe78dc535 liblldb.so.15git`SymbolFileDWARF::ResolveTypeUID(this=0x0000555555916520, die=0x00007fffffffc740, assert_not_being_parsed=true) at SymbolFileDWARF.cpp:1522:23
    frame #37: 0x00007fffe78d5b03 liblldb.so.15git`SymbolFileDWARF::GetTypes(this=0x0000555555916520, die=0x00007fffffffc740, min_die_offset=72244910, max_die_offset=73037676, type_mask=16392, type_set=0x00007fffffffc910) at SymbolFileDWARF.cpp:337:36
    frame #38: 0x00007fffe78d5bca liblldb.so.15git`SymbolFileDWARF::GetTypes(this=0x0000555555916520, die=0x00007fffffffc7c0, min_die_offset=72244910, max_die_offset=73037676, type_mask=16392, type_set=0x00007fffffffc910) at SymbolFileDWARF.cpp:344:15
    frame #39: 0x00007fffe78d5c96 liblldb.so.15git`operator(__closure=(0x00007fffffffc82c, 0x00007fffffffc910, 0x0000555555916520), unit=0x000055557e3298f0) at SymbolFileDWARF.cpp:364:13
    frame #40: 0x00007fffe78d5e5d liblldb.so.15git`SymbolFileDWARF::GetTypes(this=0x0000555555916520, sc_scope=0x0000000000000000, type_mask=16392, type_list=0x00007fffffffc9c0) at SymbolFileDWARF.cpp:373:10
    frame #41: 0x00007fffe6e23663 liblldb.so.15git`lldb::SBModule::GetTypes(this=0x000055557dc719d0, type_mask=16392) at SBModule.cpp:541:20
    frame #42: 0x00007fffe6f5c55e liblldb.so.15git`::_wrap_SBModule_GetTypes__SWIG_0((null)=0x00007fffe4e17360, nobjs=2, swig_obj=0x00007fffffffcb00) at LLDBWrapPython.cpp:41696:30
    frame #43: 0x00007fffe6f5c920 liblldb.so.15git`::_wrap_SBModule_GetTypes(self=0x00007fffe4e17360, args=0x00007fffe4dd0e80) at LLDBWrapPython.cpp:41759:47
    frame #44: 0x00007fffe52bede8 libpython3.9.so.1.0`___lldb_unnamed_symbol3647 + 72```

[siggi-alpheus]

Perhaps the problem is that the CmapSubtableFormat14 type has been stripped from the symbols at link time? Would this be considered a clang, or a linker bug?

It looks like the symbols only contain declarations of the type:

> dwarfdump --name CmapSubtableFormat14 chrome.debug

0x03f3a650: DW_TAG_structure_type
              DW_AT_name	("CmapSubtableFormat14")
              DW_AT_declaration	(true)

0x0403e100: DW_TAG_structure_type
              DW_AT_name	("CmapSubtableFormat14")
              DW_AT_declaration	(true)

0x040a122b: DW_TAG_structure_type
              DW_AT_name	("CmapSubtableFormat14")
              DW_AT_declaration	(true)

0x0450ff57: DW_TAG_structure_type
              DW_AT_name	("CmapSubtableFormat14")
              DW_AT_declaration	(true)

0x045da866: DW_TAG_structure_type
              DW_AT_name	("CmapSubtableFormat14")
              DW_AT_declaration	(true)

[siggi-alpheus]

This one type is certainly an outlier among its peers, it's the only type that has no definition. All the other types look more like this example:

> dwarfdump -regex -name '^CmapSubtableFormat[0-9]+$' chrome.debug

0x03f38ee2: DW_TAG_structure_type
              DW_AT_calling_convention  (DW_CC_pass_by_value)
              DW_AT_name        ("CmapSubtableFormat0")
              DW_AT_byte_size   (0x0106)
              DW_AT_decl_file   ("./../../third_party/harfbuzz-ng/src/src/hb-ot-cmap-table.hh")
              DW_AT_decl_line   (42)
.
.
.

[siggi-alpheus]

Mkay, this diff will avoid the crash:

diff --git a/lldb/source/Plugins/TypeSystem/Clang/TypeSystemClang.cpp b/lldb/source/Plugins/TypeSystem/Clang/TypeSystemClang.cpp
index 019cb0c1b844..2b04d05ad6de 100644
--- a/lldb/source/Plugins/TypeSystem/Clang/TypeSystemClang.cpp
+++ b/lldb/source/Plugins/TypeSystem/Clang/TypeSystemClang.cpp
@@ -7571,7 +7571,8 @@ clang::CXXMethodDecl *TypeSystemClang::AddMethodToCXXRecordType(
   clang::CXXRecordDecl *cxx_record_decl =
       record_qual_type->getAsCXXRecordDecl();
 
-  if (cxx_record_decl == nullptr)
+  // Bail if no declaration or if the declaration has no definition.
+  if (cxx_record_decl == nullptr || !cxx_record_decl->hasDefinition())
     return nullptr;
 
   clang::QualType method_qual_type(ClangUtil::GetQualType(method_clang_type));

[nico]

I'd recommend making a reduced repro case that consists of:

• a single .cc file (or two, if needed)
• clang invocation
• lldb invocation

It's hard to understand what exactly is going on when the repro is "build chrome".

[siggi-alpheus]

@nico I'm making lldb robust to this, but arguably the problem here is that the Google Chrome binary contains a method CmapSubtableFormat14::closure_glyphs in the symbols, but the symbols don't have a full type definition for the CmapSubtableFormat14. This is merely the first type that tripped this crasher, there are others, although I didn't do a full assay so I can't tell you how common the problem is.
I assume this will make it difficult to debug anything to do with these types that are referenced but missing.
I'm not going to be chasing after the llvm/linker end of this, but I figured Google and/or Chrome developers might be interested to know of symbol fidelity problems in your release binaries.

[siggi-alpheus]

@nico suggests this might be due to "Constructor type homing for debug info" which sounds likely enough to me. In that case this isn't due to a clang or linker bug, but rather a clang feature.

[shafik]

If this is due to type homing that would indicate that using [[standalone_debug]] on CmapSubtableFormat14 should fix the issue for that type. Can you confirm this is indeed the case?

[siggi-alpheus]

@shafik I don't presently have access to any hardware that can build Chrome, and as I'm no longer on the team, I can't build Google Chrome at all. I any case, I think that's a tangent to the issue here, which is the lldb crash?

[siggi-alpheus]

I should note that there's a one-line fix for this uploaded here: https://reviews.llvm.org/D123415.

[labath]

I any case, I think that's a tangent to the issue here, which is the lldb crash?

I wouldn't agree with that. I doubt the issue is as simple as "the type is missing" -- lldb already has code to handle those cases. There must be either be something special about that type (e.g., some unusual combination of C++ features perhaps), or the way you're using lldb (e.g. SBModule::GetTypes might force the parsing of types that would not be parsed normally, or in the order they would not be parsed normally).

I should note that there's a one-line fix for this uploaded here: https://reviews.llvm.org/D123415.

Yes, but without understanding the problem, it's hard to say whether this is the right fix right now, much less to ensure that the problem stays fixed in the future.

[siggi-alpheus]

Mkay, I've spent the morning trying to write a minimized repro without luck.
With type homing I can create the same sort of type information, e.g.

$ llvm-dwarfdump --name Foo type-homed
type-homed:     file format elf64-x86-64

0x0000064f: DW_TAG_structure_type
              DW_AT_name        ("Foo")
              DW_AT_declaration (true)

But I can't seem to trip the crash and I never get a call to AddMethodToCXXRecordType, even though my Foo type has methods.

I'm looking one level up, through DWARFASTParserClang::ParseSubroutine, to see whether it may have made the wrong decision, but the code is ... detail rich ...

I've also noticed that this is happening in DWARFUnit 2323 (of 61287), but I can't provoke the crash by calling GetTypes(...) on that specific "CompileUnit" using SBModule::GetCompileUnitAtIndex(). Possibly someone who's familiar with the code in DWARFASTParserClang::ParseSubroutine would spot the problem right away.

It's decided to add_method, on a type that has no definition. Here are the vars in the context immediately before the errant dispatch to AddMethodToCXXRecordType:

var
(DWARFASTParserClang *const) this = 0x00005555951d5a20
(const DWARFDIE &) die = 0x00007fffffffaba0: {
  DWARFBaseDIE = {
    m_cu = 0x000055557e329430
    m_die = 0x00007ffe50e90f80
  }
}
(ParsedDWARFTypeAttributes &) attrs = 0x00007fffffffa5a0: {
  accessibility = eAccessPublic
  is_artificial = false
  is_complete_objc_class = false
  is_explicit = false
  is_forward_declaration = true
  is_inline = false
  is_scoped_enum = false
  is_vector = false
  is_virtual = false
  is_objc_direct_call = false
  exports_symbols = false
  storage = SC_Extern
  mangled_name = 0x00007fff805047e7 "_ZNK2OT20CmapSubtableFormat1414closure_glyphsEPK8hb_set_tPS1_"
  name = (m_string = "closure_glyphs")
  decl = {
    m_file = {
      m_directory = (m_string = "../../third_party/harfbuzz-ng/src/src")
      m_filename = (m_string = "hb-ot-cmap-table.hh")
      m_is_resolved = false
      m_style = posix
    }
    m_line = 1241
    m_column = 0
  }
  object_pointer = {
    DWARFBaseDIE = {
      m_cu = nullptr
      m_die = nullptr
    }
  }
  abstract_origin = {
    m_unit = nullptr
    m_form = 0
    m_value = {
      value = (uval = 0, sval = 0, cstr = 0x0000000000000000)
      data = 0x0000000000000000
    }
  }
  containing_type = {
    m_unit = nullptr
    m_form = 0
    m_value = {
      value = (uval = 0, sval = 0, cstr = 0x0000000000000000)
      data = 0x0000000000000000
    }
  }
  signature = {
    m_unit = nullptr
    m_form = 0
    m_value = {
      value = (uval = 0, sval = 0, cstr = 0x0000000000000000)
      data = 0x0000000000000000
    }
  }
  specification = {
    m_unit = nullptr
    m_form = 0
    m_value = {
      value = (uval = 0, sval = 0, cstr = 0x0000000000000000)
      data = 0x0000000000000000
    }
  }
  type = {
    m_unit = nullptr
    m_form = 0
    m_value = {
      value = (uval = 0, sval = 0, cstr = 0x0000000000000000)
      data = 0x0000000000000000
    }
  }
  class_language = eLanguageTypeUnknown
  byte_size = {
    Storage = {
       = (empty = '\0', value = 140737488332288)
      hasVal = false
    }
  }
  calling_convention = 1
  bit_stride = 0
  byte_stride = 0
  encoding = 0
}
(lldb_private::Log *) log = nullptr
(SymbolFileDWARF *) dwarf = 0x00005555559164a0
(const dw_tag_t) tag = DW_TAG_subprogram
(bool) is_variadic = false
(bool) is_static = false
(bool) has_template_params = false
(unsigned int) type_quals = 1
(std::string) object_pointer_name = ""
(lldb_private::CompilerType) return_clang_type = {
  m_type = 0x0000555594150ab0
  m_type_system = 0x00005555941508f0
}
(lldb_private::Type *) func_type = nullptr
(std::vector<lldb_private::CompilerType, std::allocator<> >) function_param_types = size=2 {
  [0] = {
    m_type = 0x0000555597637930
    m_type_system = 0x00005555941508f0
  }
  [1] = {
    m_type = 0x0000555597630630
    m_type_system = 0x00005555941508f0
  }
}
(std::vector<clang::ParmVarDecl *, std::allocator<> >) function_param_decls = size=2 {
  [0] = 0x00005555976845f0

  [1] = 0x0000555597684660
}
(DWARFDIE) decl_ctx_die = {
  DWARFBaseDIE = {
    m_cu = 0x000055557e329430
    m_die = 0x00007ffe50e90f70
  }
}
(clang::DeclContext *) containing_decl_ctx = 0x0000555597281cb0
(const clang::Decl::Kind) containing_decl_kind = CXXRecord
(bool) is_cxx_method = true
(bool) ignore_containing_context = false
(clang::CallingConv) calling_convention = CC_C
(lldb_private::CompilerType) clang_type = {
  m_type = 0x0000555597637a40
  m_type_system = 0x00005555941508f0
}
(bool) type_handled = false
(lldb_private::ObjCLanguage::MethodName) objc_method = {
  m_full = (m_string = 0x0000000000000000)
  m_class = (m_string = 0x0000000000000000)
  m_class_category = (m_string = 0x0000000000000000)
  m_category = (m_string = 0x0000000000000000)
  m_selector = (m_string = 0x0000000000000000)
  m_type = eTypeUnspecified
  m_category_is_valid = false
}
(lldb_private::Type *) class_type = 0x0000555586e235f0
(bool) alternate_defn = true
(lldb_private::CompilerType) class_opaque_type = {
  m_type = 0x0000555597281d20
  m_type_system = 0x00005555941508f0
}
(bool) add_method = true
(llvm::PrettyStackTraceFormat) stack_trace = {
  llvm::PrettyStackTraceEntry = {
    NextEntry = 0x00007fffffffda80
  }
  Str = {
    llvm::SmallVectorImpl<char> = {
      llvm::SmallVectorTemplateBase<char> = {
        llvm::SmallVectorTemplateCommon<char> = {
          llvm::SmallVectorBase<unsigned long> = (BeginX = 0x0000555597509790, Size = 167, Capacity = 167)
        }
      }
    }
    llvm::SmallVectorStorage<char, 32> = (InlineElts = "\xb6܋\xe7\xff\U0000007f\0\0\0\0\0\0\0\0\0\0Ф\xff\xff\xff\U0000007f\0\0\0\xa5\xff\xff\xff\U0000007f\0")
  }
}
(const bool) is_attr_used = false
(clang::CXXMethodDecl *) cxx_method_decl = 0x00007fffe795dcaa

[siggi-alpheus]

Mkay, I've been able to debug into the DWARFASTParserClang::ParseSubroutine call as the "CmapSubtableFormat14" type occurs the first time, which is handling the method "_ZNK2OT20CmapSubtableFormat1414closure_glyphsEPK8hb_set_tPS1_". This ends up recursing into itself to parse the same method and class through GetClangDeclContextForDIE, and it's the inner invocation that falls over itself.

[shafik]

So it looks like the second to last call to ParseSubroutine hit this piece of code:

          if (attrs.specification.IsValid()) {
            // We have a specification which we are going to base our
            // function prototype off of, so we need this type to be
            // completed so that the m_die_to_decl_ctx for the method in
            // the specification has a valid clang decl context.
            class_type->GetForwardCompilerType();
            // If we have a specification, then the function type should
            // have been made with the specification and not with this
            // die.
            DWARFDIE spec_die = attrs.specification.Reference();
            clang::DeclContext *spec_clang_decl_ctx =
                GetClangDeclContextForDIE(spec_die);

Can you dump the DIE for that call and the spec_die as well?

[labath]

(I've managed to reproduce this on my end and reduce the testcase into something that can be hopefully fed into cvise. The automatic reduction is running now...)

[siggi-alpheus]

Can you dump the DIE for that call and the spec_die as well?

@shafik thanks for taking a look!

Here are the local variables at the outer call:

var
(DWARFASTParserClang *const) this = 0x000055559519ced0
(const DWARFDIE &) die = 0x00007fffffffb2c0: {
  DWARFBaseDIE = {
    m_cu = 0x000055557e3298b0
    m_die = 0x00007ffe7cd183c0
  }
}
(ParsedDWARFTypeAttributes &) attrs = 0x00007fffffffadd0: {
  accessibility = eAccessNone
  is_artificial = false
  is_complete_objc_class = false
  is_explicit = false
  is_forward_declaration = false
  is_inline = false
  is_scoped_enum = false
  is_vector = false
  is_virtual = false
  is_objc_direct_call = false
  exports_symbols = false
  storage = SC_Extern
  mangled_name = 0x00007fff805047e7 "_ZNK2OT20CmapSubtableFormat1414closure_glyphsEPK8hb_set_tPS1_"
  name = (m_string = "closure_glyphs")
  decl = {
    m_file = {
      m_directory = (m_string = "../../third_party/harfbuzz-ng/src/src")
      m_filename = (m_string = "hb-ot-cmap-table.hh")
      m_is_resolved = false
      m_style = posix
    }
    m_line = 1241
    m_column = 0
  }
  object_pointer = {
    DWARFBaseDIE = {
      m_cu = 0x000055557e3298b0
      m_die = 0x00007ffe7cd18430
    }
  }
  abstract_origin = {
    m_unit = nullptr
    m_form = 0
    m_value = {
      value = (uval = 0, sval = 0, cstr = 0x0000000000000000)
      data = 0x0000000000000000
    }
  }
  containing_type = {
    m_unit = nullptr
    m_form = 0
    m_value = {
      value = (uval = 0, sval = 0, cstr = 0x0000000000000000)
      data = 0x0000000000000000
    }
  }
  signature = {
    m_unit = nullptr
    m_form = 0
    m_value = {
      value = (uval = 0, sval = 0, cstr = 0x0000000000000000)
      data = 0x0000000000000000
    }
  }
  specification = {
    m_unit = 0x000055557e3298b0
    m_form = 19
    m_value = {
      value = (uval = 172206, sval = 172206, cstr = "")
      data = 0x0000000000000000
    }
  }
  type = {
    m_unit = nullptr
    m_form = 0
    m_value = {
      value = (uval = 0, sval = 0, cstr = 0x0000000000000000)
      data = 0x0000000000000000
    }
  }
  class_language = eLanguageTypeUnknown
  byte_size = {
    Storage = {
       = (empty = '\0', value = 140737488334336)
      hasVal = false
    }
  }
  calling_convention = 1
  bit_stride = 0
  byte_stride = 0
  encoding = 0
}
(lldb_private::Log *) log = nullptr
(SymbolFileDWARF *) dwarf = 0x0000555555916550
(const dw_tag_t) tag = DW_TAG_subprogram
(bool) is_variadic = false
(bool) is_static = false
(bool) has_template_params = false
(unsigned int) type_quals = 1
(std::string) object_pointer_name = "this"
(lldb_private::CompilerType) return_clang_type = {
  m_type = 0x00005555947bff90
  m_type_system = 0x0000555594150d30
}
(lldb_private::Type *) func_type = nullptr
(std::vector<lldb_private::CompilerType, std::allocator<> >) function_param_types = size=2 {
  [0] = {
    m_type = 0x0000555597638600
    m_type_system = 0x0000555594150d30
  }
  [1] = {
    m_type = 0x0000555597631300
    m_type_system = 0x0000555594150d30
  }
}
(std::vector<clang::ParmVarDecl *, std::allocator<> >) function_param_decls = size=2 {
  [0] = 0x00005555976851e0
  [1] = 0x0000555597685250
}
(DWARFDIE) decl_ctx_die = {
  DWARFBaseDIE = {
    m_cu = 0x000055557e3298b0
    m_die = 0x00007ffe7cc79c90
  }
}
(clang::DeclContext *) containing_decl_ctx = 0x0000555597282a30
(const clang::Decl::Kind) containing_decl_kind = CXXRecord
(bool) is_cxx_method = true
(bool) ignore_containing_context = false
(clang::CallingConv) calling_convention = CC_C
(lldb_private::CompilerType) clang_type = {
  m_type = 0x0000555597638710
  m_type_system = 0x0000555594150d30
}
(bool) type_handled = false
(lldb_private::ObjCLanguage::MethodName) objc_method = {
  m_full = (m_string = 0x0000000000000000)
  m_class = (m_string = 0x0000000000000000)
  m_class_category = (m_string = 0x0000000000000000)
  m_category = (m_string = 0x0000000000000000)
  m_selector = (m_string = 0x0000000000000000)
  m_type = eTypeUnspecified
  m_category_is_valid = false
}
(lldb_private::Type *) class_type = 0x0000555586e23a70

(bool) alternate_defn = true
(DWARFDIE) spec_die = {
  DWARFBaseDIE = {
    m_cu = 0x000055557e3298b0
    m_die = 0x00007ffe7cc79ca0
  }
}
(clang::DeclContext *) spec_clang_decl_ctx = 0x00007fffffffad30

and here's the state at the inner invocation just before it calls AddMethodToCXXRecordType:

var
(DWARFASTParserClang *const) this = 0x000055559519ced0
(const DWARFDIE &) die = 0x00007fffffffaba0: {
  DWARFBaseDIE = {
    m_cu = 0x000055557e3298b0
    m_die = 0x00007ffe7cc79ca0
  }
}
(ParsedDWARFTypeAttributes &) attrs = 0x00007fffffffa5a0: {
  accessibility = eAccessPublic
  is_artificial = false
  is_complete_objc_class = false
  is_explicit = false
  is_forward_declaration = true
  is_inline = false
  is_scoped_enum = false
  is_vector = false
  is_virtual = false
  is_objc_direct_call = false
  exports_symbols = false
  storage = SC_Extern
  mangled_name = 0x00007fff805047e7 "_ZNK2OT20CmapSubtableFormat1414closure_glyphsEPK8hb_set_tPS1_"
  name = (m_string = "closure_glyphs")
  decl = {
    m_file = {
      m_directory = (m_string = "../../third_party/harfbuzz-ng/src/src")
      m_filename = (m_string = "hb-ot-cmap-table.hh")
      m_is_resolved = false
      m_style = posix
    }
    m_line = 1241
    m_column = 0
  }
  object_pointer = {
    DWARFBaseDIE = {
      m_cu = nullptr
      m_die = nullptr
    }
  }
  abstract_origin = {
    m_unit = nullptr
    m_form = 0
    m_value = {
      value = (uval = 0, sval = 0, cstr = 0x0000000000000000)
      data = 0x0000000000000000
    }
  }
  containing_type = {
    m_unit = nullptr
    m_form = 0
    m_value = {
      value = (uval = 0, sval = 0, cstr = 0x0000000000000000)
      data = 0x0000000000000000
    }
  }
  signature = {
    m_unit = nullptr
    m_form = 0
    m_value = {
      value = (uval = 0, sval = 0, cstr = 0x0000000000000000)
      data = 0x0000000000000000
    }
  }
  specification = {
    m_unit = nullptr
    m_form = 0
    m_value = {
      value = (uval = 0, sval = 0, cstr = 0x0000000000000000)
      data = 0x0000000000000000
    }
  }
  type = {
    m_unit = nullptr
    m_form = 0
    m_value = {
      value = (uval = 0, sval = 0, cstr = 0x0000000000000000)
      data = 0x0000000000000000
    }
  }
  class_language = eLanguageTypeUnknown
  byte_size = {
    Storage = {
       = (empty = '\0', value = 140737488332288)
      hasVal = false
    }
  }
  calling_convention = 1
  bit_stride = 0
  byte_stride = 0
  encoding = 0
}
(lldb_private::Log *) log = nullptr
(SymbolFileDWARF *) dwarf = 0x0000555555916550
(const dw_tag_t) tag = DW_TAG_subprogram
(bool) is_variadic = false
(bool) is_static = false
(bool) has_template_params = false
(unsigned int) type_quals = 1
(std::string) object_pointer_name = ""
(lldb_private::CompilerType) return_clang_type = {
  m_type = 0x00005555947bff90
  m_type_system = 0x0000555594150d30
}
(lldb_private::Type *) func_type = nullptr
(std::vector<lldb_private::CompilerType, std::allocator<> >) function_param_types = size=2 {
  [0] = {
    m_type = 0x0000555597638600
    m_type_system = 0x0000555594150d30
  }
  [1] = {
    m_type = 0x0000555597631300
    m_type_system = 0x0000555594150d30
  }
}
(std::vector<clang::ParmVarDecl *, std::allocator<> >) function_param_decls = size=2 {
  [0] = 0x00005555976852c0
  [1] = 0x0000555597685330
}
(DWARFDIE) decl_ctx_die = {
  DWARFBaseDIE = {
    m_cu = 0x000055557e3298b0
    m_die = 0x00007ffe7cc79c90
  }
}
(clang::DeclContext *) containing_decl_ctx = 0x0000555597282a30
(const clang::Decl::Kind) containing_decl_kind = CXXRecord
(bool) is_cxx_method = true
(bool) ignore_containing_context = false
(clang::CallingConv) calling_convention = CC_C
(lldb_private::CompilerType) clang_type = {
  m_type = 0x0000555597638710
  m_type_system = 0x0000555594150d30
}
(bool) type_handled = false
(lldb_private::ObjCLanguage::MethodName) objc_method = {
  m_full = (m_string = 0x0000000000000000)
  m_class = (m_string = 0x0000000000000000)
  m_class_category = (m_string = 0x0000000000000000)
  m_category = (m_string = 0x0000000000000000)
  m_selector = (m_string = 0x0000000000000000)
  m_type = eTypeUnspecified
  m_category_is_valid = false
}
(lldb_private::Type *) class_type = 0x0000555586e23a70
(bool) alternate_defn = true
(lldb_private::CompilerType) class_opaque_type = {
  m_type = 0x0000555597282aa0
  m_type_system = 0x0000555594150d30
}
(bool) add_method = true
(llvm::PrettyStackTraceFormat) stack_trace = {
  llvm::PrettyStackTraceEntry = {
    NextEntry = 0x00007fffffffda80
  }
  Str = {
    llvm::SmallVectorImpl<char> = {
      llvm::SmallVectorTemplateBase<char> = {
        llvm::SmallVectorTemplateCommon<char> = {
          llvm::SmallVectorBase<unsigned long> = (BeginX = 0x000055559750a480, Size = 167, Capacity = 167)
        }
      }
    }
    llvm::SmallVectorStorage<char, 32> = (InlineElts = "\xb6܋\xe7\xff\U0000007f\0\0\0\0\0\0\0\0\0\0Ф\xff\xff\xff\U0000007f\0\0\0\xa5\xff\xff\xff\U0000007f\0")
  }
}
(const bool) is_attr_used = false
(clang::CXXMethodDecl *) cxx_method_decl = 0x00007fffe795dcaa

[siggi-alpheus]

(I've managed to reproduce this on my end and reduce the testcase into something that can be hopefully fed into cvise. The automatic reduction is running now...)

@labath thanks for taking a look. I'm way out of my depth :).

[labath]

It took some manual prodding -- cvise couldn't make sense of the heavily templated code (I barely made sense as well), but here's a small(ish) reproducer:

template <typename> struct OffsetTo {};
struct VariationSelectorRecord {
  VariationSelectorRecord();
};
struct CmapSubtable {
  void closure_glyphs() {}

protected:
  VariationSelectorRecord record;
};
extern CmapSubtable X;
struct cmap {
  void closure_glyphs() { X.closure_glyphs(); }
  OffsetTo<CmapSubtable> encodingRecord;
};
#ifdef ONE
cmap __trans_tmp_1;
#else
void _cmap_closure() {
  cmap().closure_glyphs();
}
#endif

to run do:

$ clang++ -g -fPIC repro.cc -DONE -o one.o -c -flimit-debug-info
$ clang++ -g -fPIC repro.cc -DTWO -o two.o -c -flimit-debug-info
$ clang++ -shared one.o two.o
$ lldb a.out --batch -o "script lldb.target.modules[0].GetTypes()"

If anyone wants to take a stab, be my guest. It'll take me a while to get around to looking at this.

[siggi-alpheus]

Does not repro for me locally with clang 12. Maybe this is clang version dependent?

# clang -v
Ubuntu clang version 12.0.0-3ubuntu1~21.04.2
Target: x86_64-pc-linux-gnu
Thread model: posix
InstalledDir: /usr/bin
Found candidate GCC installation: /usr/bin/../lib/gcc/x86_64-linux-gnu/10
Found candidate GCC installation: /usr/lib/gcc/x86_64-linux-gnu/10
Selected GCC installation: /usr/bin/../lib/gcc/x86_64-linux-gnu/10
Candidate multilib: .;@m64
Selected multilib: .;@m64

[siggi-alpheus]

I can repro the crash when building with clang-14:

# /usr/bin/clang++-14 -v
Ubuntu clang version 14.0.1-++20220412124312+c62053979489-1~exp1~20220412004323.114
Target: x86_64-pc-linux-gnu
Thread model: posix
InstalledDir: /usr/bin
Found candidate GCC installation: /usr/bin/../lib/gcc/x86_64-linux-gnu/11
Selected GCC installation: /usr/bin/../lib/gcc/x86_64-linux-gnu/11
Candidate multilib: .;@m64
Selected multilib: .;@m64

[shafik]

I am unfortunately not able to reproduce this w/ ToT clang and lldb on macOS. FYI, I did have to modify the the last clang invocation as follows:

-Wl,-undefined,dynamic_lookup  -shared one.o two.o

We have seem similar crashes on macOS, I was hoping this would lead to solution.

[siggi-alpheus]

I am unfortunately not able to reproduce this w/ ToT clang and lldb on macOS.

@shafik LLDB on my MacOS (running on an M1 Mini) crashes on the Linux-built a.out.

% lldb -v   
lldb-1300.0.42.3
Swift version 5.5.2-dev

Here's a copy in case that's helpful to you.

[labath]

Does not repro for me locally with clang 12. Maybe this is clang version dependent?

I think clang-12 did not have constructor type homing yet. It works for me on clang-13, and ToT.

I am unfortunately not able to reproduce this w/ ToT clang and lldb on macOS.

I can't reproduce it on a mac either. I suspect this because GetTypes visits the types in a different order in the mac debug info format (and this bug is sensitive to type parse order). There probably is a way to trigger the same bug on a mac, but it probably needs a different test case.

[siggi-alpheus]

I can't reproduce it on a mac either.

Is it not helpful to repro the crash on a mac against an ELF binary produced on Linux? This repros readily for me. I can also call SBCompileUnit::GetTypes() on the lldb.target.module[0].compile_units in order, and the crash reproduces on the second GetTypes() call.
I have no symbols on Mac, so this doesn't help me, but perhaps @shafik can figure out what's up that way?

% lldb a.out --batch -o "script lldb.target.modules[0].GetTypes()"

(lldb) target create "a.out"
Current executable set to '/Users/siggi/a.out' (x86_64).
(lldb) script lldb.target.modules[0].GetTypes()
PLEASE submit a bug report to https://bugs.llvm.org/ and include the crash backtrace.
Stack dump:
0.	Program arguments: /Applications/Xcode.app/Contents/Developer/usr/bin/lldb a.out --batch -o "script lldb.target.modules[0].GetTypes()"
zsh: segmentation fault  lldb a.out --batch -o "script lldb.target.modules[0].GetTypes()"

[shafik]

I was able to reproduce this on macOS by generating the a.out using docker. Note that if we use -fstandalone-debug this no longer reproduces.

I believe the key to this is the DWARF for CmapSubtable which looks like this:

0x000000b6:   DW_TAG_structure_type
                DW_AT_name	("CmapSubtable")
                DW_AT_declaration	(true)

0x000000b8:     DW_TAG_subprogram
                  DW_AT_linkage_name	("_ZN12CmapSubtable14closure_glyphsEv")
                  DW_AT_name	("closure_glyphs")
                  DW_AT_decl_file	("/tmp/repro.cc")
                  DW_AT_decl_line	(6)
                  DW_AT_declaration	(true)
                  DW_AT_external	(true)

So CmapSubtable is a forward declaration and we have added a member function to it.

If we dig into DWARFASTParserClang::ParseSubroutine I believe it is assuming that we won't try adding a member function to a class unless we have a complete definition for it, which makes sense to me and I don't know how easy it would be to modify it to be more robust to this case.

So I am wondering, should we be generating member functions for classes that are just forward declarations? Actually looking at the DWARF 5 spec it looks like this is valid, so I guess we need to make DWARFASTParserClang::ParseSubroutine more robust to this case.

[shafik]

I think perhaps we need to use RequireCompleteType in DWARFASTParserClang::ParseSubroutine if we hit the if (add_method) branch.

This seems to fix this case and I am going to run check-lldb and see if this does not cause other issues.

[siggi-alpheus]

I can confirm that the crash goes away if I RequireCompleteType before calling m_ast.AddMethodToCXXRecordType, allowing me to count the number of types in Google Chrome.

[shafik]

RequireCompleteType breaks a bunch of tests and after looking at this more carefully I think using:

 PrepareContextToReceiveMembers(
                            m_ast, GetClangASTImporter(),
                            GetClangDeclContextForDIE(decl_ctx_die), die,
                            attrs.name.GetCString());

Is the right approach related PRs would https://reviews.llvm.org/D86216 and https://reviews.llvm.org/D85968

I still can't come up with a way to reproduce this locally w/o using the library generated on Linux. Maybe @labath might have a better test strategy.

[labath]

The difference between this situation, and the ones in those two patches is that adding a nested type (which is done in those patches) definitely does not affect the layout of a class. It is still not legal in in regular C++, but it seems clang lets us get away with it. The situation with member functions is more complicated. Technically, the presence of a regular member function should not affect the class layout, but I suspect (I haven't tried) we could get in trouble if the method we're adding is a virtual function. Nonetheless, PrepareContextToReceiveMembers may be the best we can do at the moment...

As for testing, given that this does not require running a binary, one could recreate the linux binary on any platform using just clang and lld (no docker) -- slap a --target=x86_64-pc-linux on the two compiler commands, and replace the last one with a direct ld.lld invocation. However, given the complexity of the input, I think the result would still be a fairly brittle test (not in the sense that it can break/fail, but that it can stop testing what it is supposed to test).

Given the gap between the problem description and the complexity of the test case, I think we (I?) still haven't fully understood the problem. If the problem is really as simple as "adding a method to a forward-declared type" then it should be possible to reproduce this bug with a much simpler test case. Either we are missing some important aspect of the bug or (and I think this is more likely) we need to find a simpler way to tickle this bug.

I can try to do that, but probably not today (and maybe not this week).

[shafik]

I am looking into why two.o which has the same debug-info for CmapSubtable does not hit this issue and it looks like the difference is that in DWARFASTParserClang::ParseSubroutine we are not satisfying this condition:

if (class_type->GetID() != decl_ctx_die.GetID() 

So we don't set alternate_defn = true; and we don't set add_method = true.

I am not sure how to trigger this code path though.

[dwblaikie]

If you're looking for a case where Clang will emit a type declaration with a subprogram definition, here's a fairly simple example that should do the trick:

struct t1 {
  t1();
  void f1();
};
void t1::f1() {
}

$ clang++-tot test.cpp -g -c && llvm-dwarfdump-tot test.o | grep "DW_TAG\|declaration\|specification" | sed -e "s/^............//"
DW_TAG_compile_unit
  DW_TAG_structure_type
    DW_AT_declaration   (true)
    DW_TAG_subprogram
      DW_AT_declaration (true)
      DW_TAG_formal_parameter
  DW_TAG_pointer_type
  DW_TAG_subprogram
    DW_AT_specification (0x00000025 "_ZN2t12f1Ev")
    DW_TAG_formal_parameter
  DW_TAG_pointer_type

[labath]

Here's a slightly better reproducer:

$ head -n200 a.h one.cc two.cc three.cc 
==> a.h <==
class A {
public:
  A();
  int f();
  int g();
};

==> one.cc <==
#include "a.h"

A::A() = default;

int main() {
  A().f();
  A().g();
}

==> two.cc <==
#include "a.h"

int A::f() {
  struct Af {
    int x, y;
  } af{1, 2};
  return af.x + af.y;
}

==> three.cc <==
#include "a.h"

int A::g() {
  struct Ag {
    int x, y;
  } ag{1, 2};
  return ag.x + ag.y;
}
$ clang++ -g0 one.cc -c
$ clang++ -g -Xclang -debug-info-kind=constructor -flimit-debug-info one.o two.cc three.cc
$ lldb -o "b A::f" -o "b A::g" -o run -o "v af" -o c -o "v ag" ./a.out

• it now uses actual files instead of ifdefs -- it seems that darwin linker falls over and misses some debug info when the same file is used more than once
• it uses three files, two have class declarations and method definitions, the third (compiled with -g0) is the home for the class definition
• uses -Xclang -debug-info-kind=constructor to force constructor homing as darwin defaults to vtable homing (it would be possible to construct a similar reproducer with that strategy as well)
• the local classes are there to force lldb to parse the method bodies when they are printed

Instead of using PrepareContextToReceiveMembers we could also consider "fixing" this like so. That code prevents the parsing of template member functions, which suffer from the same problem, only more profound, as even in an -fstandalone-debug world it is not possible to list all template instantiations in any given class definition.

[siggi-alpheus]

Here's a slightly better reproducer:

I can repro the crash on my M1 Mini with the above.

% clang++ --version
Apple clang version 13.0.0 (clang-1300.0.29.30)
Target: arm64-apple-darwin21.4.0
Thread model: posix
InstalledDir: /Applications/Xcode.app/Contents/Developer/Toolchains/XcodeDefault.xctoolchain/usr/bin
% make       
clang++ -std=c++17 -g0 one.cc -c
clang++ -std=c++17 -g -Xclang -debug-info-kind=constructor -flimit-debug-info one.o two.cc three.cc
lldb a.out --batch -o 'script lldb.target.module[0].GetTypes(lldb.eTypeClassClass | lldb.eTypeClassStruct)'
(lldb) target create "a.out"
Current executable set to '/Volumes/siggi/src/docker-files/a.out' (arm64).
(lldb) script lldb.target.module[0].GetTypes(lldb.eTypeClassClass | lldb.eTypeClassStruct)
warning: (arm64) /Volumes/siggi/src/docker-files/a.out 0x0000005a: DW_AT_specification(0x00000037) has no decl
PLEASE submit a bug report to https://bugs.llvm.org/ and include the crash backtrace.
Stack dump:
0.	Program arguments: /Applications/Xcode.app/Contents/Developer/usr/bin/lldb a.out --batch -o "script lldb.target.module[0].GetTypes(lldb.eTypeClassClass | lldb.eTypeClassStruct)"
make: *** [dummy] Segmentation fault: 11

Interestingly(?) I can call lldb.target.module[0].compile_units[i].GetTypes() for i=0 or for i=1 without crashing. If I try calling this for both, I see the crash - whichever order I invoke it in.

[dwblaikie]

uses -Xclang -debug-info-kind=constructor to force constructor homing as darwin defaults to vtable homing (it would be possible to construct a similar reproducer with that strategy as well)

That's weird/unfortunate. Since standalone-debug is the default on Darwin anyway, it doesn't seem necessary for no-standalone to have different defaults there compared to elsewhere...

Hmm, doesn't /look/ like that's the case at least here:

$ clang++-tot test.cpp -g -target x86_64-apple-macosx10.10 -### -fno-standalone-debug 2>&1 | grep debug-info-kind
... "-debug-info-kind=constructor" ...

[labath]

Hmm, doesn't /look/ like that's the case at least here:

Yes, that doesn't seem to be the case for ToT clang, but it is how system clang works. Maybe that changed recently (?)

[dwblaikie]

Hmm, doesn't /look/ like that's the case at least here:

Yes, that doesn't seem to be the case for ToT clang, but it is how system clang works. Maybe that changed recently (?)

Ah, yeah - ctor homing was enabled by default relatively recently.

[labath]

Fixed by D124370

[siggi-alpheus]

@labath the ToT release works like charm for me with your fix in. Thanks.