[llvm-bugs] [Bug 183326] Assertion failure in ASan due to missing hasInitializer() check on llvm.global_ctors

Wed, 25 Feb 2026 08:18:57 -0800

Issue 183326
Summary Assertion failure in ASan due to missing hasInitializer() check on llvm.global_ctors
Labels compiler-rt:asan, crash-on-invalid
Assignees
Reporter yijan4845 
    Compiler Explorer: [https://godbolt.org/z/Wr8czKdK5](https://godbolt.org/z/Wr8czKdK5)

## Vulnerable code location(s)

llvm/lib/Transforms/Instrumentation/AddressSanitizer.cpp: [line 2077](https://github.com/llvm/llvm-project/blob/d3081aafc47eccba242ffc3cc43ecfcb545a51bb/llvm/lib/Transforms/Instrumentation/AddressSanitizer.cpp#L2077)

## Vulnerable code analysis

`ModuleAddressSanitizer::createInitializerPoisonCalls()` retrieves `@llvm.global_ctors` via `M.getGlobalVariable()` and null-checks the result, but then calls `GV->getInitializer()` without verifying `GV->hasInitializer()`. The `getInitializer()` method asserts `hasInitializer()` internally.

The LLVM Verifier (`Verifier.cpp:886`) explicitly permits `@llvm.global_ctors` to exist without an initializer (as an external declaration), so this is a reachable state in valid IR. The analogous code in `llvm/lib/Transforms/Utils/CtorUtils.cpp:84` correctly guards with `hasUniqueInitializer()` before accessing the initializer.

## PoC

```
@llvm.global_ctors = external global [0 x { i32, ptr, ptr }]
```

Stack trace:
```
opt: /root/llvm-project/llvm/include/llvm/IR/GlobalVariable.h:160: llvm::Constant* llvm::GlobalVariable::getInitializer(): Assertion `hasInitializer() && "GV doesn't have initializer!"' failed.
PLEASE submit a bug report to https://github.com/llvm/llvm-project/issues/ and include the crash backtrace and instructions to reproduce the bug.
Stack dump:
0.	Program arguments: /opt/compiler-explorer/clang-assertions-trunk/bin/opt -o /app/output.s -S -passes=asan <source>
1.	Running pass "asan<>" on module "<source>"
 #0 0x0000000005bc6428 llvm::sys::PrintStackTrace(llvm::raw_ostream&, int) (/opt/compiler-explorer/clang-assertions-trunk/bin/opt+0x5bc6428)
 #1 0x0000000005bc3254 SignalHandler(int, siginfo_t*, void*) Signals.cpp:0:0
 #2 0x0000768910242520 (/lib/x86_64-linux-gnu/libc.so.6+0x42520)
 #3 0x00007689102969fc pthread_kill (/lib/x86_64-linux-gnu/libc.so.6+0x969fc)
 #4 0x0000768910242476 gsignal (/lib/x86_64-linux-gnu/libc.so.6+0x42476)
 #5 0x00007689102287f3 abort (/lib/x86_64-linux-gnu/libc.so.6+0x287f3)
 #6 0x000076891022871b (/lib/x86_64-linux-gnu/libc.so.6+0x2871b)
 #7 0x0000768910239e96 (/lib/x86_64-linux-gnu/libc.so.6+0x39e96)
 #8 0x0000000003668425 (anonymous namespace)::ModuleAddressSanitizer::createInitializerPoisonCalls() AddressSanitizer.cpp:0:0
 #9 0x000000000366cb65 (anonymous namespace)::ModuleAddressSanitizer::instrumentGlobals(llvm::IRBuilder<llvm::ConstantFolder, llvm::IRBuilderDefaultInserter>&, bool*) AddressSanitizer.cpp:0:0
#10 0x000000000367f3f7 llvm::AddressSanitizerPass::run(llvm::Module&, llvm::AnalysisManager<llvm::Module>&) (/opt/compiler-explorer/clang-assertions-trunk/bin/opt+0x367f3f7)
#11 0x00000000030f376e llvm::detail::PassModel<llvm::Module, llvm::AddressSanitizerPass, llvm::AnalysisManager<llvm::Module>>::run(llvm::Module&, llvm::AnalysisManager<llvm::Module>&) (/opt/compiler-explorer/clang-assertions-trunk/bin/opt+0x30f376e)
#12 0x000000000592ebd1 llvm::PassManager<llvm::Module, llvm::AnalysisManager<llvm::Module>>::run(llvm::Module&, llvm::AnalysisManager<llvm::Module>&) (/opt/compiler-explorer/clang-assertions-trunk/bin/opt+0x592ebd1)
#13 0x000000000097830a llvm::runPassPipeline(llvm::StringRef, llvm::Module&, llvm::TargetMachine*, llvm::TargetLibraryInfoImpl*, llvm::ToolOutputFile*, llvm::ToolOutputFile*, llvm::ToolOutputFile*, llvm::StringRef, llvm::ArrayRef<llvm::PassPlugin>, llvm::ArrayRef<std::function<void (llvm::PassBuilder&)>>, llvm::opt_tool::OutputKind, llvm::opt_tool::VerifierKind, bool, bool, bool, bool, bool, bool, bool, bool) (/opt/compiler-explorer/clang-assertions-trunk/bin/opt+0x97830a)
#14 0x000000000096c3b8 optMain (/opt/compiler-explorer/clang-assertions-trunk/bin/opt+0x96c3b8)
#15 0x0000768910229d90 (/lib/x86_64-linux-gnu/libc.so.6+0x29d90)
#16 0x0000768910229e40 __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x29e40)
#17 0x0000000000963035 _start (/opt/compiler-explorer/clang-assertions-trunk/bin/opt+0x963035)
Program terminated with signal: SIGSEGV
Compiler returned: 139

```

_______________________________________________
llvm-bugs mailing list
[email protected]
https://lists.llvm.org/cgi-bin/mailman/listinfo/llvm-bugs

Reply via email to